[Full-disclosure] [SECURITY] [DSA 2206-1] New mahara packages fix several vulnerabilities
------------------------------------------------------------------------
Debian Security Advisory DSA 2206-1                    secur...@debian.org
http://www.debian.org/security/                           Martin Schulze
March 29th, 2011                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : mahara
Vulnerability  : several
CVE IDs        : CVE-2011-0439 CVE-2011-0440
Debian-specific: no

Two security vulnerabilities have been discovered in Mahara, a fully featured electronic portfolio, weblog, resume builder and social networking system:

CVE-2011-0439

    A security review commissioned by a Mahara user discovered that Mahara processes unsanitized input which can lead to cross-site scripting (XSS).

CVE-2011-0440

    Mahara Developers discovered that Mahara doesn't check the session key under certain circumstances which can be exploited as cross-site request forgery (CSRF) and can lead to the deletion of blogs.

For the old stable distribution (lenny) these problems have been fixed in version 1.0.4-4+lenny8.

For the stable distribution (squeeze) these problems have been fixed in version 1.2.6-2+squeeze1.

For the unstable distribution (sid) these problems have been fixed in version 1.2.7.

We recommend that you upgrade your mahara package.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2151-1] New OpenOffice.org packages fix several vulnerabilities
------------------------------------------------------------------------
Debian Security Advisory DSA 2151-1                    secur...@debian.org
http://www.debian.org/security/                           Martin Schulze
January 26th, 2011                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453
                 CVE-2010-3454 CVE-2010-3689 CVE-2010-4253 CVE-2010-4643

Several security-related problems have been discovered in the OpenOffice.org package that allow malformed documents to trick the system into crashes or even the execution of arbitrary code.

CVE-2010-3450

    During an internal security audit within Red Hat, a directory traversal vulnerability has been discovered in the way OpenOffice.org 3.1.1 through 3.2.1 processes XML filter files. If a local user is tricked into opening a specially-crafted OOo XML filters package file, this problem could allow remote attackers to create or overwrite arbitrary files belonging to the local user or, potentially, execute arbitrary code.

CVE-2010-3451

    During his work as a consultant at Virtual Security Research (VSR), Dan Rosenberg discovered a vulnerability in OpenOffice.org's RTF parsing functionality. Opening a maliciously crafted RTF document can cause an out-of-bounds memory read into previously allocated heap memory, which may lead to the execution of arbitrary code.

CVE-2010-3452

    Dan Rosenberg discovered a vulnerability in the RTF file parser which can be leveraged by attackers to achieve arbitrary code execution by convincing a victim to open a maliciously crafted RTF file.

CVE-2010-3453

    As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8ListManager::WW8ListManager() function of OpenOffice.org that allows a maliciously crafted file to cause the execution of arbitrary code.
CVE-2010-3454

    As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8DopTypography::ReadFromMem() function in OpenOffice.org that may be exploited by a maliciously crafted file which allows an attacker to control program flow and potentially execute arbitrary code.

CVE-2010-3689

    Dmitri Gribenko discovered that the soffice script does not treat an empty LD_LIBRARY_PATH variable like an unset one, which may lead to the execution of arbitrary code.

CVE-2010-4253

    A heap-based buffer overflow has been discovered with unknown impact.

CVE-2010-4643

    A vulnerability has been discovered in the way OpenOffice.org handles TGA graphics: a specially crafted TGA file could cause the program to crash due to a heap-based buffer overflow, with unknown impact.

For the stable distribution (lenny) these problems have been fixed in version 2.4.1+dfsg-1+lenny11.

For the upcoming stable distribution (squeeze) these problems have been fixed in version 3.2.1-11+squeeze1.

For the unstable distribution (sid) these problems have been fixed in version 3.2.1-11+squeeze1.

For the experimental distribution these problems have been fixed in version 3.3.0~rc3-1.

We recommend that you upgrade your OpenOffice.org packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
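An added illustration of the CVE-2010-3689 class of bug, not code from the advisory or from the OpenOffice.org soffice script: a wrapper-script idiom that prepends its own library directory and appends the caller's LD_LIBRARY_PATH only when that variable is set. The function names, the audit helper and the /opt/ooo/program directory are assumptions made for this example; the difference between the `${VAR+...}` and `${VAR:+...}` expansions is standard POSIX shell behaviour.

```shell
#!/bin/sh
# Added example: how an empty (but set) LD_LIBRARY_PATH slips past a
# "${VAR+...}" test and leaves an empty path component, which the dynamic
# linker treats as the current working directory.  Function names and the
# library directory are constructed for this illustration.

# Weak form: "${VAR+X}" expands to X whenever VAR is set, even when it is "".
# With LD_LIBRARY_PATH="" the result is "/opt/ooo/program:" (trailing ":").
weak_ld_path() {
    printf '%s' "$1${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
}

# Hardened form: "${VAR:+X}" expands to X only when VAR is set AND non-empty,
# so an empty variable is treated exactly like an unset one.
hardened_ld_path() {
    printf '%s' "$1${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
}

# Audit helper: succeed (return 0) if a colon-separated search path contains
# an empty component (leading ":", trailing ":" or "::"), i.e. an implicit
# "." entry that makes the loader search the current directory.
has_empty_component() {
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Walk the three cases (unset, empty, populated).  Returns 0 only if the
# weak form produces an empty component for the empty case while the
# hardened form never does; returns 1 on any unexpected result.
demo() {
    prog=/opt/ooo/program   # assumed wrapper library directory

    unset LD_LIBRARY_PATH
    [ "$(weak_ld_path "$prog")" = "$prog" ] || return 1
    [ "$(hardened_ld_path "$prog")" = "$prog" ] || return 1

    LD_LIBRARY_PATH=""
    has_empty_component "$(weak_ld_path "$prog")" || return 1      # bug shows
    has_empty_component "$(hardened_ld_path "$prog")" && return 1  # fixed

    LD_LIBRARY_PATH=/usr/local/lib
    [ "$(weak_ld_path "$prog")" = "$prog:/usr/local/lib" ] || return 1
    [ "$(hardened_ld_path "$prog")" = "$prog:/usr/local/lib" ] || return 1

    unset LD_LIBRARY_PATH
    return 0
}

demo && echo "empty LD_LIBRARY_PATH: weak form leaks an empty component, hardened form does not"
```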
[Full-disclosure] [SECURITY] [DSA 2054-2] New bind9 packages fix cache poisoning
------------------------------------------------------------------------
Debian Security Advisory DSA 2054-2                    secur...@debian.org
http://www.debian.org/security/                           Martin Schulze
June 15th, 2010                         http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : bind9
Vulnerability  : DNS cache poisoning
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-0097 CVE-2010-0290 CVE-2010-0382

This update restores the PID file location for bind to the location before the last security update. For reference, here is the original advisory text that explains the security problems fixed:

Several cache-poisoning vulnerabilities have been discovered in BIND. These vulnerabilities apply only if DNSSEC validation is enabled and trust anchors have been installed, which is not the default. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-0097

    BIND does not properly validate DNSSEC NSEC records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain.

CVE-2010-0290

    When processing crafted responses containing CNAME or DNAME records, BIND is subject to a DNS cache poisoning vulnerability, provided that DNSSEC validation is enabled and trust anchors have been installed.

CVE-2010-0382

    When processing certain responses containing out-of-bailiwick data, BIND is subject to a DNS cache poisoning vulnerability, provided that DNSSEC validation is enabled and trust anchors have been installed.

In addition, this update introduces a more conservative query behavior in the presence of repeated DNSSEC validation failures, addressing the "roll over and die" phenomenon. The new version also supports the cryptographic algorithm used by the upcoming signed ICANN DNS root (RSASHA256 from RFC 5702), and the NSEC3 secure denial of existence algorithm used by some signed top-level domains.

This update is based on a new upstream version of BIND 9, 9.6-ESV-R1.
Because of the scope of changes, extra care is recommended when installing the update. Due to ABI changes, new Debian packages are included, and the update has to be installed using apt-get dist-upgrade (or an equivalent aptitude command).

For the stable distribution (lenny), these problems have been fixed in version 1:9.6.ESV.R1+dfsg-0+lenny2.

The unstable distribution is not affected by the wrong PID file location.

We recommend that you upgrade your bind9 packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
--------------------------------
[Full-disclosure] [SECURITY] [DSA 1724-1] New moodle packages fix several vulnerabilities
------------------------------------------------------------------------
Debian Security Advisory DSA 1724-1                    secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
February 13th, 2009                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : moodle
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2009-0500 CVE-2009-0502 CVE-2008-5153
Debian Bug     : 514284

Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-0500

    It was discovered that the information stored in the log tables was not properly sanitized, which could allow attackers to inject arbitrary web code.

CVE-2009-0502

    It was discovered that certain input via the "Login as" function was not properly sanitised, leading to the injection of arbitrary web script.

CVE-2008-5153

    Dmitry E. Oboukhov discovered that the SpellChecker plugin creates temporary files insecurely, allowing a denial of service attack. Since the plugin was unused, it is removed in this update.

For the stable distribution (etch) these problems have been fixed in version 1.6.3-2+etch2.

For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1.

For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4.

We recommend that you upgrade your moodle package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[Full-disclosure] [SECURITY] [DSA 1689-1] New proftpd-dfsg packages fix Cross-Site Request Forgery
------------------------------------------------------------------------
Debian Security Advisory DSA 1689-1                    secur...@debian.org
http://www.debian.org/security/                           Martin Schulze
December 21st, 2008                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : proftpd-dfsg
Vulnerability  : missing input validation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-4242
Debian Bug     : 502674
BugTraq ID     : 31289

Maksymilian Arciemowicz of securityreason.com reported that ProFTPD is vulnerable to cross-site request forgery (CSRF) attacks and executes arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.

For the stable distribution (etch) this problem has been fixed in version 1.3.0-19etch2 and in version 1.3.1-15~bpo40+1 for backports.

For the testing (lenny) and unstable (sid) distributions this problem has been fixed in version 1.3.1-15.

We recommend that you upgrade your proftpd-dfsg package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------
[Full-disclosure] [SECURITY] [DSA 1677-1] New CUPS packages fix arbitrary code execution
------------------------------------------------------------------------
Debian Security Advisory DSA 1677-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
December 2nd, 2008                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : cupsys
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2008-5286
Debian Bug     : 507183

An integer overflow has been discovered in the image validation code of cupsys, the Common UNIX Printing System. An attacker could trigger this bug by supplying a malicious graphic that could lead to the execution of arbitrary code.

For the stable distribution (etch) this problem has been fixed in version 1.2.7-4etch6.

For the testing distribution (lenny) this issue will be fixed soon.

For the unstable distribution (sid) this problem has been fixed in version 1.3.8-1lenny4.

We recommend that you upgrade your cupsys packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------
[Full-disclosure] [SECURITY] [DSA 1661-1] New OpenOffice.org packages fix several vulnerabilities
------------------------------------------------------------------------
Debian Security Advisory DSA 1661-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
October 29th, 2008                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2008-2237 CVE-2008-2238

Several vulnerabilities have been discovered in the OpenOffice.org office suite:

CVE-2008-2237

    The SureRun Security team discovered a bug in the WMF file parser that can be triggered by manipulated WMF files and can lead to heap overflows and arbitrary code execution.

CVE-2008-2238

    An anonymous researcher working with iDefense discovered a bug in the EMF file parser that can be triggered by manipulated EMF files and can lead to heap overflows and arbitrary code execution.

For the stable distribution (etch) these problems have been fixed in version 2.0.4.dfsg.2-7etch6.

For the unstable distribution (sid) these problems have been fixed in version 2.4.1-12.

For the experimental distribution these problems have been fixed in version 3.0.0~rc3-1.

We recommend that you upgrade your OpenOffice.org package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------
[Full-disclosure] [SECURITY] [DSA 1492-2] New wml packages fix denial of service
------------------------------------------------------------------------
Debian Security Advisory DSA 1492-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
April 27th, 2008                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : wml
Vulnerability  : insecure temporary files
Problem type   : local
Debian-specific: no
CVE IDs        : CVE-2008-0665 CVE-2008-0666
Debian Bugs    : 463907 471345

The security update DSA 1492-1 fixed the security problem below but introduced a new problem by not removing temporary directories in the ipp backend. This update corrects this. For completeness here is the original advisory text:

Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML generation toolkit, creates insecure temporary files in the eperl and ipp backends and in the wmg.cgi script, which could lead to local denial of service by overwriting files.

The old stable distribution (sarge) is not affected.

For the stable distribution (etch) this problem has been fixed in version 2.0.11-1etch2.

For the unstable distribution (sid) this problem has been fixed in version 2.0.11ds1-0.2.

We recommend that you upgrade your wml package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------
These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[Full-disclosure] [SECURITY] [DSA 1547-1] New OpenOffice.org packages fix arbitrary code execution
------------------------------------------------------------------------
Debian Security Advisory DSA 1547-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                           Martin Schulze
April 17th, 2008                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2007-5745 CVE-2007-5746 CVE-2007-5747 CVE-2008-0320

Several security-related problems have been discovered in OpenOffice.org, the free office suite. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-5745, CVE-2007-5747

    Several bugs have been discovered in the way OpenOffice.org parses Quattro Pro files that may lead to an overflow in the heap, potentially leading to the execution of arbitrary code.

CVE-2007-5746

    Specially crafted EMF files can trigger a buffer overflow in the heap that may lead to the execution of arbitrary code.

CVE-2008-0320

    A bug has been discovered in the processing of OLE files that can cause a buffer overflow in the heap, potentially leading to the execution of arbitrary code.

Recently reported problems in the ICU library, against which OpenOffice.org is linked, are fixed in separate libicu packages with DSA 1511.

For the old stable distribution (sarge) these problems have been fixed in version 1.1.3-9sarge9.

For the stable distribution (etch) these problems have been fixed in version 2.0.4.dfsg.2-7etch5.

For the testing (lenny) and unstable (sid) distributions these problems have been fixed in version 2.4.0~ooh680m5-1.

We recommend that you upgrade your openoffice.org packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge9.dsc Size/MD5 checksum: 2878 8b2bf5fad94194078687afd08a774051 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge9.diff.gz Size/MD5 checksum: 4663713 95fc9e73f779d582edd4df28c5bdc265 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz Size/MD5 checksum: 166568714 5250574bad9906b38ce032d04b765772 Architecture independent components: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-9sarge9_all.deb Size/MD5 checksum: 2648250 4c65359ce6ee948e155c3200435e3882 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-9sarge9_all.deb Size/MD5 checksum: 2700940 f0f7cd9f4e836f69cb01d9b414a7dd8f http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-9sarge9_all.deb Size/MD5 checksum: 2697858 8f73d02ce7e1801f9c50e7625324b780 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-9sarge9_all.deb Size/MD5 checksum: 3607590 f50b4014d8141f064b281b0cb8d9c115 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-9sarge9_all.deb Size/MD5 checksum: 2664720 61b0feccf81710f128111fe1caab6773 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-9sarge9_all.deb Size/MD5 checksum: 3604230 bb6543e7dfd37b8b6751eb199450cae2 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-9sarge9_all.deb Size/MD5 checksum: 3491518 cd0c55f2d047f03e1ca1b4167fea7f0e http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-9sarge9_all.deb Size/MD5 checksum: 2746570 6cd2c910bd469e26d7fcb37dff4512f5 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-9sarge9_all.deb 
Size/MD5 checksum: 3558088 9b1510871540ac5dcc350ea0ad4b3a6b http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-9sarge9_all.deb Size/MD5 checksum: 3598796 d0ea026676b3084deb1fc3a77c687e53 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-9sarge9_all.deb Size/MD5 checksum: 2650338 c3db9bce36a17a0776381942063e4ea4 http://security.debian.org/pool/updates/main
[Full-disclosure] [SECURITY] [DSA 1421-1] New wesnoth packages fix arbitrary file disclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1421-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 6th, 2007                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : wesnoth
Vulnerability  : directory traversal
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2007-5742

A vulnerability has been discovered in Battle for Wesnoth that allows
remote attackers to read, on the machine running the game client,
arbitrary files that the user running the client has access to.

For the old stable distribution (sarge) this problem has been fixed in
version 0.9.0-7.

For the stable distribution (etch) this problem has been fixed in
version 1.2-3.

For the stable backports distribution (etch-backports) this problem has
been fixed in version 1.2.8-1~bpo40+1.

For the unstable distribution (sid) this problem has been fixed in
version 1.2.8-1.

For the experimental distribution this problem has been fixed in
version 1.3.12-1.

We recommend that you upgrade your wesnoth package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-7.dsc Size/MD5 checksum: 850 7a32bba9f1bc498c9f18d7f0b4e8bcc5 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-7.diff.gz Size/MD5 checksum:35737 e48f022ba672f368468bd0963777177d http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0.orig.tar.gz Size/MD5 checksum: 36051074 8dd59719631e0e6329a0a25e1dcbf302 Architecture independent components: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-data_0.9.0-7_all.deb Size/MD5 checksum: 14743278 e5fa396da0eb9fedf05e80481cf3a121 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-ei_0.9.0-7_all.deb Size/MD5 checksum: 681980 39ba40eb63b14b756c8c847627ae070e http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-httt_0.9.0-7_all.deb Size/MD5 checksum: 4373916 9e71e1b72c91d74e743e5935bd8fcf6f http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-music_0.9.0-7_all.deb Size/MD5 checksum: 9936932 fe113db1873e90f3be255d52d9a64a93 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-sotbe_0.9.0-7_all.deb Size/MD5 checksum: 1844840 f3addc9fa6529f2e01074f3505042055 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-tdh_0.9.0-7_all.deb Size/MD5 checksum:66066 1324d16d02fd1e3c7f8daebba19846e7 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-trow_0.9.0-7_all.deb Size/MD5 checksum: 1717880 3ff81c9b863d6c7f74a96da7faab214b Alpha architecture: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-7_alpha.deb Size/MD5 checksum: 1901112 ecbcc158dd9c11092d3301fb5dd70976 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-editor_0.9.0-7_alpha.deb Size/MD5 checksum: 1518470 2e5466d1cdcee2e44dee0f1318c90b92 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-server_0.9.0-7_alpha.deb Size/MD5 checksum: 229504 161b50a0069154365d734d99be7fb2f9 AMD64 architecture: 
http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-7_amd64.deb Size/MD5 checksum: 1521710 d867d3b826ab7ff3538b1a882fbd641f http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-editor_0.9.0-7_amd64.deb Size/MD5 checksum: 1210116 b72031667aa5538b05dfb6346e4c618a http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-server_0.9.0-7_amd64.deb Size/MD5 checksum: 197722 fc421baa70d0a903e2252fa384703efc ARM architecture: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-7_arm.deb Size/MD5 checksum: 2608206 023976bd45032204350012bdf078c1b1 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-editor_0.9.0-7_arm.deb Size/MD5 checksum: 2031774 d1c5f2a67b980e31ebabed6fabde5959 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-server_0.9.0-7_arm.deb Size/MD5 checksum: 261158 41291940ea8a5fb2e8dced11e92b7b97 HP Precision architecture: http://security.debian.org/pool/updates/main/w/wesnoth
[Full-disclosure] [SECURITY] [DSA 1419-1] New OpenOffice.org packages fix arbitrary Java code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1419-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 5th, 2007                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openoffice.org, hsqldb
Vulnerability  : programming error
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2007-4575

A vulnerability has been discovered in HSQLDB, the default database
engine shipped with OpenOffice.org. This could result in the execution
of arbitrary Java code embedded in an OpenOffice.org database document
with the user's privileges.

This update requires an update of both openoffice.org and hsqldb.

The old stable distribution (sarge) is not affected by this problem.

For the stable distribution (etch) this problem has been fixed in
version 2.0.4.dfsg.2-7etch4 of OpenOffice.org and in version
1.8.0.7-1etch1 of hsqldb.

For the unstable distribution (sid) this problem has been fixed in
version 2.3.1-1 of OpenOffice.org and in version 1.8.0.9-2 of hsqldb.

For the experimental distribution this problem has been fixed in
version 2.3.1~rc1-1 of OpenOffice.org and in version 1.8.0.9-1 of hsqldb.

We recommend that you upgrade your OpenOffice.org and hsqldb packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch - --- Source archives: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_2.0.4.dfsg.2-7etch4.dsc Size/MD5 checksum: 7250 c0c7456adb826a4660ef196e56857e1a http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_2.0.4.dfsg.2-7etch4.diff.gz Size/MD5 checksum: 76905774 526d19410c8e68e5b502083ba0273ed0 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_2.0.4.dfsg.2.orig.tar.gz Size/MD5 checksum: 232674922 2f1a5d92188639d3634bd6d1b1c29038 http://security.debian.org/pool/updates/main/h/hsqldb/hsqldb_1.8.0.7-1etch1.dsc Size/MD5 checksum: 674 e5de2bc9c738f592280016f45b6e0a62 http://security.debian.org/pool/updates/main/h/hsqldb/hsqldb_1.8.0.7-1etch1.diff.gz Size/MD5 checksum:11725 73eb16347408015a941c7b1cadfa03ab http://security.debian.org/pool/updates/main/h/hsqldb/hsqldb_1.8.0.7.orig.tar.gz Size/MD5 checksum: 2051414 316a2dc3b8fef1bee991d16e2cc7341b Architecture independent components: http://security.debian.org/pool/updates/main/o/openoffice.org/broffice.org_2.0.4.dfsg.2-7etch4_all.deb Size/MD5 checksum: 460082 588f72e30a23aed6e6d39a702f03cb6c http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-common_2.0.4.dfsg.2-7etch4_all.deb Size/MD5 checksum: 27205088 631950c338bdab6d5faf19bb2c8dcf3d http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev-doc_2.0.4.dfsg.2-7etch4_all.deb Size/MD5 checksum: 5548668 28928f1dcb395068a4aaea6e10ce9a3e http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dtd-officedocument1.0_2.0.4.dfsg.2-7etch4_all.deb Size/MD5 checksum: 251200 b4f9523577015c61a7162d81697461be http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-filter-mobiledev_2.0.4.dfsg.2-7etch4_all.deb Size/MD5 checksum: 309916 e47c5505bd4e828daf4fb8747e93b39b http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-help-cs_2.0.4.dfsg.2-7etch4_all.deb Size/MD5 
checksum: 11858192 68b5e0dc2956f9e8f4d1345c6d03c387 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-help-da_2.0.4.dfsg.2-7etch4_all.deb Size/MD5 checksum: 11820014 4ff40c414696ef0d3c36c288ffcab333 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-help-de_2.0.4.dfsg.2-7etch4_all.deb Size/MD5 checksum: 12648152 2f5a8c5cbe70c83ac24b024f2334ac31 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-help-dz_2.0.4.dfsg.2-7etch4_all.deb Size/MD5 checksum: 15040732 708ca942c4b83ef61d226a37fb86a0e3 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-help-en-gb_2.0.4.dfsg.2-7etch4_all.deb Size/MD5 checksum: 11370746 f074b4b06bdcc13f4eb01eb4f4d2a32a http://security.debian.org/pool/updates/main/o/openoffice.org
[Full-disclosure] [SECURITY] [DSA 1386-1] New wesnoth packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1386-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 15th, 2007                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : wesnoth
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2007-3917

A problem has been discovered in the processing of chat messages.
Overly long messages are truncated by the server to a fixed length
without paying attention to multibyte characters. This leads to invalid
UTF-8 on clients and causes an uncaught exception. Note that both
wesnoth and the wesnoth server are affected.

For the old stable distribution (sarge) this problem has been fixed in
version 0.9.0-6 and in version 1.2.7-1~bpo31+1 of sarge-backports.

For the stable distribution (etch) this problem has been fixed in
version 1.2-2 and in version 1.2.7-1~bpo40+1 of etch-backports.

For the unstable distribution (sid) this problem has been fixed in
version 1.2.7-1.

Packages for the oldstable mips architecture will be added to the
archive later.

We recommend that you upgrade your wesnoth packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-6.dsc Size/MD5 checksum: 850 86291ea2c7a18b90f85eb39b53f7ca70 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-6.diff.gz Size/MD5 checksum:35409 ece9ff9a4cf64ed981a53021194dc204 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0.orig.tar.gz Size/MD5 checksum: 36051074 8dd59719631e0e6329a0a25e1dcbf302 Architecture independent components: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-data_0.9.0-6_all.deb Size/MD5 checksum: 14752878 ebb6d4c489fb2d407bd86420e27c8dd5 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-ei_0.9.0-6_all.deb Size/MD5 checksum: 681962 0b79cab0648b8724af0009c31c8cf7ad http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-httt_0.9.0-6_all.deb Size/MD5 checksum: 4373962 d7b166b55e9acd60c01ad236499b98ff http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-music_0.9.0-6_all.deb Size/MD5 checksum: 9936830 7ebc2d096866786625189ea20ea66c46 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-sotbe_0.9.0-6_all.deb Size/MD5 checksum: 1844794 dbf5d86593828a3e6519b442fd0ffd57 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-tdh_0.9.0-6_all.deb Size/MD5 checksum:66000 b59719ef1470afa2048a9211cf7fc136 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-trow_0.9.0-6_all.deb Size/MD5 checksum: 1717942 7b91a835e816b3b56030f200ecde0b96 Alpha architecture: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-6_alpha.deb Size/MD5 checksum: 1901144 b8cff98e1a1bdbd5bab93c0e9a414116 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-editor_0.9.0-6_alpha.deb Size/MD5 checksum: 1518366 2b96bd84f4b327f54a6630218070a916 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-server_0.9.0-6_alpha.deb Size/MD5 checksum: 229474 065684977aebda989fa5bc47acf06a22 AMD64 architecture: 
http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-6_amd64.deb Size/MD5 checksum: 1521520 bc72757fa955b6abdbab1fdd0471a503 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-editor_0.9.0-6_amd64.deb Size/MD5 checksum: 1209900 2f9b55c89ea8b102ce347c1169c154f7 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-server_0.9.0-6_amd64.deb Size/MD5 checksum: 197616 fc19ba05943d2e5dca1386c39b70075a ARM architecture: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-6_arm.deb Size/MD5 checksum: 2608368 17708b565e206b6e636f71be9a137ee4 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-editor_0.9.0-6_arm.deb Size/MD5 checksum: 2031758 a9381b3845b6a305716781cf9e3adf8f http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-server_0.9.0-6_arm.deb Size/MD5 checksum: 261258
[Full-disclosure] [SECURITY] [DSA 1386-2] New wesnoth packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1386-2                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 15th, 2007                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : wesnoth
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2007-3917

A problem has been discovered in the processing of chat messages.
Overly long messages are truncated by the server to a fixed length
without paying attention to multibyte characters. This leads to invalid
UTF-8 on clients and causes an uncaught exception. Note that both
wesnoth and the wesnoth server are affected.

Note: This advisory only updates the MD5 sums for the stable
distribution.

For the old stable distribution (sarge) this problem has been fixed in
version 0.9.0-6 and in version 1.2.7-1~bpo31+1 of sarge-backports.

For the stable distribution (etch) this problem has been fixed in
version 1.2-2 and in version 1.2.7-1~bpo40+1 of etch-backports.

For the unstable distribution (sid) this problem has been fixed in
version 1.2.7-1.

Packages for the oldstable mips architecture will be added to the
archive later.

We recommend that you upgrade your wesnoth packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-6.dsc Size/MD5 checksum: 850 86291ea2c7a18b90f85eb39b53f7ca70 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-6.diff.gz Size/MD5 checksum:35409 ece9ff9a4cf64ed981a53021194dc204 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0.orig.tar.gz Size/MD5 checksum: 36051074 8dd59719631e0e6329a0a25e1dcbf302 Architecture independent components: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-data_0.9.0-6_all.deb Size/MD5 checksum: 14752878 ebb6d4c489fb2d407bd86420e27c8dd5 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-ei_0.9.0-6_all.deb Size/MD5 checksum: 681962 0b79cab0648b8724af0009c31c8cf7ad http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-httt_0.9.0-6_all.deb Size/MD5 checksum: 4373962 d7b166b55e9acd60c01ad236499b98ff http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-music_0.9.0-6_all.deb Size/MD5 checksum: 9936830 7ebc2d096866786625189ea20ea66c46 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-sotbe_0.9.0-6_all.deb Size/MD5 checksum: 1844794 dbf5d86593828a3e6519b442fd0ffd57 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-tdh_0.9.0-6_all.deb Size/MD5 checksum:66000 b59719ef1470afa2048a9211cf7fc136 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-trow_0.9.0-6_all.deb Size/MD5 checksum: 1717942 7b91a835e816b3b56030f200ecde0b96 Alpha architecture: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-6_alpha.deb Size/MD5 checksum: 1901144 b8cff98e1a1bdbd5bab93c0e9a414116 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-editor_0.9.0-6_alpha.deb Size/MD5 checksum: 1518366 2b96bd84f4b327f54a6630218070a916 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-server_0.9.0-6_alpha.deb Size/MD5 checksum: 229474 065684977aebda989fa5bc47acf06a22 AMD64 architecture: 
http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-6_amd64.deb Size/MD5 checksum: 1521520 bc72757fa955b6abdbab1fdd0471a503 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-editor_0.9.0-6_amd64.deb Size/MD5 checksum: 1209900 2f9b55c89ea8b102ce347c1169c154f7 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-server_0.9.0-6_amd64.deb Size/MD5 checksum: 197616 fc19ba05943d2e5dca1386c39b70075a ARM architecture: http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth_0.9.0-6_arm.deb Size/MD5 checksum: 2608368 17708b565e206b6e636f71be9a137ee4 http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth-editor_0.9.0-6_arm.deb Size/MD5 checksum: 2031758 a9381b3845b6a305716781cf9e3adf8f http://security.debian.org/pool/updates/main/w/wesnoth/wesnoth
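The bug class behind DSA 1386-1 and DSA 1386-2 above (a server clipping chat messages at a byte count and handing clients malformed UTF-8) is small enough to show end to end. The following is an added illustration and is not Wesnoth code: the 32-byte limit, the message bytes and the two client models are all assumptions for the demo. It contrasts the byte-blind cut with one that backs up to a UTF-8 character boundary, and shows why a client must never let peer data raise.

```python
# Added example, not Wesnoth code: the truncation bug class behind DSA 1386
# (CVE-2007-3917).  A server clips over-long chat messages at a fixed byte
# count; if the cut lands inside a multibyte UTF-8 sequence, every client
# receives malformed UTF-8 and the unhandled decode error takes it down.
# The 32-byte limit is an assumption for the demo, not the real server's.

MAX_BYTES = 32  # assumed limit


def truncate_naive(message: bytes, limit: int = MAX_BYTES) -> bytes:
    """The vulnerable pattern: slice at a byte offset, blind to encoding."""
    return message[:limit]


def truncate_utf8(message: bytes, limit: int = MAX_BYTES) -> bytes:
    """Clip to at most `limit` bytes without splitting a UTF-8 sequence.

    UTF-8 continuation bytes have the form 0b10xxxxxx.  If the byte at the
    cut is one of them, the character straddles the boundary: step back to
    its leading byte and cut there instead, dropping the partial character.
    """
    if len(message) <= limit:
        return message
    cut = limit
    while cut > 0 and (message[cut] & 0xC0) == 0x80:
        cut -= 1
    return message[:cut]


def client_decode(payload: bytes) -> str:
    """Model of the unfixed client: a strict decode that raises on bad input."""
    return payload.decode("utf-8")


def client_decode_hardened(payload: bytes) -> str:
    """Defensive client side: data from the network never raises here."""
    return payload.decode("utf-8", errors="replace")


def crashes_client(payload: bytes) -> bool:
    """True if the strict client would die on this payload."""
    try:
        client_decode(payload)
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed message: 31 ASCII bytes followed by "ü" (2 bytes, C3 BC).
    msg = b"a" * 31 + "\u00fc".encode("utf-8")
    print(crashes_client(truncate_naive(msg)))   # True: cut after C3
    print(crashes_client(truncate_utf8(msg)))    # False: "ü" dropped whole
```

The advisory notes that both the server and the client were fixed, and the example shows why both sides matter: the server-side cut stops producing malformed output, but the client-side decode still has to tolerate a hostile or buggy peer.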
[Full-disclosure] [SECURITY] [DSA 1375-1] New OpenOffice.org packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1375-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 17th, 2007                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2007-2834

A heap overflow vulnerability has been discovered in the TIFF parsing
code of the OpenOffice.org suite. The parser uses untrusted values from
the TIFF file to calculate the number of bytes of memory to allocate. A
specially crafted TIFF image could trigger an integer overflow and
subsequently a buffer overflow that could cause the execution of
arbitrary code.

For the old stable distribution (sarge) this problem has been fixed in
version 1.1.3-9sarge8.

For the stable distribution (etch) this problem has been fixed in
version 2.0.4.dfsg.2-7etch2.

For the unstable distribution (sid) this problem has been fixed in
version 2.2.1-9.

For the experimental distribution this problem has been fixed in
version 2.3.0~src680m224-1.

We recommend that you upgrade your openoffice.org packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge8.dsc Size/MD5 checksum: 2878 9c31601926b8ddc7f06a0c58159eeb03 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge8.diff.gz Size/MD5 checksum: 4632139 9ae242bbbf6b852403ce12a4eeb1ceab http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz Size/MD5 checksum: 166568714 5250574bad9906b38ce032d04b765772 Architecture independent components: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-9sarge8_all.deb Size/MD5 checksum: 2649162 3d3751fe53371a3d1fd3fc1fde23787a http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-9sarge8_all.deb Size/MD5 checksum: 2696862 bede6b5df8f3f57f1bb13974a4d13dab http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-9sarge8_all.deb Size/MD5 checksum: 2694288 ab33f242138904559a8ca38c47696b1a http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-9sarge8_all.deb Size/MD5 checksum: 3588688 0db831ea84f839696348c95f6fbfd04f http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-9sarge8_all.deb Size/MD5 checksum: 2665440 92908da0696bd52959aa834310685f33 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-9sarge8_all.deb Size/MD5 checksum: 3584426 c2a422efbbf91d5ea1839149dff73a49 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-9sarge8_all.deb Size/MD5 checksum: 3455744 4949b6e92adc58e5b7c277b4aeb93b05 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-9sarge8_all.deb Size/MD5 checksum: 2744376 5817d2f7eca5932156f71e21a795f456 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-9sarge8_all.deb 
Size/MD5 checksum: 3527534 acaae7e04e57af77cafdb1f29577dc90 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-9sarge8_all.deb Size/MD5 checksum: 3564508 67d6f2b7bfb16dfb46e1abe340d5f895 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-9sarge8_all.deb Size/MD5 checksum: 2646854 eea0ced6a89beed3fd7fe570f57d88d8 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-eu_1.1.3-9sarge8_all.deb Size/MD5 checksum: 2671096 3dc5be77a468939f36f7d4baeb2c8b7b http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fi_1.1.3-9sarge8_all.deb Size/MD5 checksum: 2676380 4a1e550f841eaf793673aaf3a6bd163e http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fr_1.1.3-9sarge8_all.deb Size/MD5 checksum: 3496440
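DSA 1375 above describes the mechanism only in one sentence: header fields from the file feed a multiplication that sizes a heap buffer, and a crafted width and height make the product wrap so that the buffer comes out far smaller than the pixel data later copied into it. The following is an added illustration and is not OpenOffice.org code: it builds a constructed minimal TIFF (little-endian header plus one IFD with ImageWidth, ImageLength and BitsPerSample), reads those fields back, and computes the buffer size both with C-style 32-bit wrap-around and with explicit range checks. The TIFF layout is real; the specific dimensions, the 32-bit model and the helper names are assumptions for the demo.

```python
# Added example, not OpenOffice.org code: integer overflow in an image
# buffer-size calculation driven by untrusted TIFF header fields (the bug
# class of DSA 1375 / CVE-2007-2834).  Python ints never overflow, so the
# 32-bit wrap of a C uint32 is modelled explicitly with a mask.
import struct

TAG_IMAGE_WIDTH = 256
TAG_IMAGE_LENGTH = 257
TAG_BITS_PER_SAMPLE = 258
TYPE_SHORT, TYPE_LONG = 3, 4
UINT32_MAX = 0xFFFFFFFF


def build_tiff(width: int, height: int, bits: int) -> bytes:
    """Construct a minimal little-endian TIFF: 8-byte header, one IFD."""
    header = b"II" + struct.pack("<HI", 42, 8)        # magic 42, IFD at offset 8
    entries = [
        (TAG_IMAGE_WIDTH, TYPE_LONG, 1, width),
        (TAG_IMAGE_LENGTH, TYPE_LONG, 1, height),
        (TAG_BITS_PER_SAMPLE, TYPE_SHORT, 1, bits),    # SHORT sits in low bytes
    ]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHII", tag, typ, count, value)
    ifd += struct.pack("<I", 0)                        # no next IFD
    return header + ifd


def parse_dimensions(data: bytes) -> dict:
    """Read tag -> value from the first IFD (little-endian only; demo scope)."""
    if data[:2] != b"II" or struct.unpack_from("<H", data, 2)[0] != 42:
        raise ValueError("not a little-endian TIFF")
    ifd_off = struct.unpack_from("<I", data, 4)[0]
    count = struct.unpack_from("<H", data, ifd_off)[0]
    fields = {}
    for i in range(count):
        tag, typ, n, value = struct.unpack_from("<HHII", data, ifd_off + 2 + 12 * i)
        if typ == TYPE_SHORT:                          # only the low 16 bits are the value
            value &= 0xFFFF
        fields[tag] = value
    return fields


def buffer_size_unchecked(width: int, height: int, bits: int) -> int:
    """The vulnerable arithmetic: each product wraps modulo 2**32."""
    row_bytes = ((width * bits + 7) // 8) & UINT32_MAX
    return (row_bytes * height) & UINT32_MAX


def buffer_size_checked(width: int, height: int, bits: int) -> int:
    """Reject any intermediate that would not fit in 32 bits."""
    if width == 0 or height == 0 or not 1 <= bits <= 64:
        raise ValueError("invalid image dimensions")
    row_bits = width * bits
    if row_bits > UINT32_MAX - 7:
        raise OverflowError("row size overflows uint32")
    row_bytes = (row_bits + 7) // 8
    total = row_bytes * height
    if total > UINT32_MAX:
        raise OverflowError("image size overflows uint32")
    return total


def allocation_for(data: bytes, checked: bool) -> int:
    """Size a pixel buffer the way a vulnerable or a fixed parser would."""
    f = parse_dimensions(data)
    w, h, b = f[TAG_IMAGE_WIDTH], f[TAG_IMAGE_LENGTH], f[TAG_BITS_PER_SAMPLE]
    size = buffer_size_checked if checked else buffer_size_unchecked
    return size(w, h, b)


def checked_rejects(data: bytes) -> bool:
    """True if the range-checked path refuses to allocate for this file."""
    try:
        allocation_for(data, checked=True)
    except (OverflowError, ValueError):
        return True
    return False


if __name__ == "__main__":
    # Constructed input: 65536 x 65537 pixels at 8 bits wraps to 65536 bytes.
    crafted = build_tiff(0x10000, 0x10001, 8)
    print(allocation_for(crafted, checked=False))   # 65536: far too small
    print(checked_rejects(crafted))                 # True
```

The wrapped value is the point: the unchecked path returns a 64 KiB allocation for an image whose rows alone would need over 4 GiB, and the copy that follows runs off the end of the heap block. Any allocation sized from file-controlled integers needs the same overflow check before the multiply.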
[Full-disclosure] [SECURITY] [DSA 1340-1] New ClamAV packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1340-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
July 24th, 2007                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : clamav
Vulnerability  : null pointer dereference
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2007-3725

A NULL pointer dereference has been discovered in the RAR VM of Clam
Antivirus (ClamAV), which allows user-assisted remote attackers to cause
a denial of service via a specially crafted RAR archive.

We are currently unable to provide fixed packages for the MIPS
architectures. Those packages will be installed in the security archive
when they become available.

The old stable distribution (sarge) is not affected by this problem.

For the stable distribution (etch) this problem has been fixed in
version 0.90.1-3etch4.

For the unstable distribution (sid) this problem has been fixed in
version 0.91-1.

We recommend that you upgrade your clamav packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch - --- Source archives: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch4.dsc Size/MD5 checksum: 886 4322482c1fb82b108aa43cb9db54efd1 http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch4.diff.gz Size/MD5 checksum: 201403 a5c2bfc45cc81fd1f85c3bfca605c2eb http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1.orig.tar.gz Size/MD5 checksum: 11643310 cd11c05b5476262eaea4fa3bd7dc25bf Architecture independent components: http://security.debian.org/pool/updates/main/c/clamav/clamav-base_0.90.1-3etch4_all.deb Size/MD5 checksum: 201448 cf1df37f823c25b62bb341da58b13cb9 http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.90.1-3etch4_all.deb Size/MD5 checksum: 1003244 fda3003977260e1b5cea1547167d492c http://security.debian.org/pool/updates/main/c/clamav/clamav-testfiles_0.90.1-3etch4_all.deb Size/MD5 checksum: 157626 548abf569b73b094e3807888f2f5038d Alpha architecture: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch4_alpha.deb Size/MD5 checksum: 863288 10878c8e050e17086aeea82678293c08 http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1-3etch4_alpha.deb Size/MD5 checksum: 184482 cc5eca7ca9f6c3d7c9cb64557b975d8b http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1-3etch4_alpha.deb Size/MD5 checksum: 644222 71b240e73b41ea5a62a2e481c3ed3147 http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1-3etch4_alpha.deb Size/MD5 checksum: 9303578 91aa4799771e9f6a366a84f8be4a0154 http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1-3etch4_alpha.deb Size/MD5 checksum: 179638 16cb1cdf55b0f6cc983ef3c224b6ad42 http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1-3etch4_alpha.deb Size/MD5 checksum: 510846 dfd5016fdaa269c808d1585eeb29b682 http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1-3etch4_alpha.deb Size/MD5 checksum: 406172 
76b0ab23e443a074b089e23f63c1b996 AMD64 architecture: http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch4_amd64.deb Size/MD5 checksum: 856292 ae79ee69acb68b7edc2938e74df07572 http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1-3etch4_amd64.deb Size/MD5 checksum: 178250 919ffe6a6d8f087f7c64f561de240dcb http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1-3etch4_amd64.deb Size/MD5 checksum: 637868 96df7a341a13a1dcfa3726da88270285 http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1-3etch4_amd64.deb Size/MD5 checksum: 9301706 97194c4ceb5cc69c897becba8509f5c6 http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1-3etch4_amd64.deb Size/MD5 checksum: 176744 e9870bb2dbb4cae1415e7da8043f6d83 http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1-3etch4_amd64.deb Size/MD5 checksum: 386328 cb0f86bd159db1925ec39157c345f20e http://security.debian.org/pool/updates
[Full-disclosure] [SECURITY] [DSA 1307-1] New OpenOffice.org packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1307-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
June 12th, 2007                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : heap overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2007-0245

John Heasman discovered a heap overflow in the routines of OpenOffice.org
that parse RTF files. A specially crafted RTF file could cause the filter
to overwrite data on the heap, which may lead to the execution of
arbitrary code.

For the old stable distribution (sarge) this problem has been fixed in
version 1.1.3-9sarge7.

For the stable distribution (etch) this problem has been fixed in
version 2.0.4.dfsg.2-7etch1.

For the unstable distribution (sid) this problem has been fixed in
version 2.2.1~rc1-1.

We recommend that you upgrade your openoffice.org packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge7.dsc
      Size/MD5 checksum: 2878 27e84e7773bda00d323a6d2aca93bdbe
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge7.diff.gz
      Size/MD5 checksum: 4630899 15eb02856514149200f6bd22f435ff6f
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz
      Size/MD5 checksum: 166568714 5250574bad9906b38ce032d04b765772

  Architecture independent components:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 2649148 fdb1efe024490e652c08d021ed6378a3
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 2696792 c3ebd8e617675941dd8279cb56bcc6f1
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 2694248 a3143cd96d3bb7d55286d27569268b0e
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 3588640 d2e1c9899ec7278c56fcb04b123e79a5
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 2665380 771f3794ad91846e3e6cbf073bde56c4
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 3584384 45669252e33b4232e411908e250040e3
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 3455672 81b57392196c9e1e71f95576e95164de
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 2744364 26440d508c13a811d148a86779b0f548
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 3527522 85d88675fcc692c06973a57eddb0372e
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 3564438 489d0222398e86efa9943f18f427
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 2646800 26587de9977da8583b3daadfe28ab17f
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-eu_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 2671052 67d25803fe6a70c18cbd67d482cd4ea6
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fi_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 2676302 c114964364799048961a5097d4a2decc
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fr_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 3496398 6ad9ebf314a3a06ff65996e79bdc27a3
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-gl_1.1.3-9sarge7_all.deb
      Size/MD5 checksum: 2659730 af44a990b567174e09c38643f3a7993f
    http://security.debian.org/pool/updates/main
[Full-disclosure] [SECURITY] [DSA 1293-1] New quagga packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1293-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
May 17th, 2007                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : quagga
Vulnerability  : out of boundary read
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2007-1995
BugTraq ID     : 23417
Debian Bug     : 418323

Paul Jakma discovered that specially crafted UPDATE messages can trigger
an out of boundary read that can result in a system crash of quagga, the
BGP/OSPF/RIP routing daemon.

For the old stable distribution (sarge) this problem has been fixed in
version 0.98.3-7.4.

For the stable distribution (etch) this problem has been fixed in
version 0.99.5-5etch2.

For the unstable distribution (sid) this problem has been fixed in
version 0.99.6-5.

We recommend that you upgrade your quagga package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4.dsc
      Size/MD5 checksum: 1017 668014e3d7bde772eac63fc2809538c8
    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4.diff.gz
      Size/MD5 checksum: 45503 ce79e6a7a23c57551af673936957b520
    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3.orig.tar.gz
      Size/MD5 checksum: 2118348 68be5e911e4d604c0f5959338263356e

  Architecture independent components:

    http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.98.3-7.4_all.deb
      Size/MD5 checksum: 488726 9176bb6c2d44c83c6b0235fe2d787c24

  Alpha architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_alpha.deb
      Size/MD5 checksum: 1613754 754e865cef5379625e6ac77fc03a1175

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_amd64.deb
      Size/MD5 checksum: 1413316 5aa1b7a4d2a9a262d89e6ff050b61140

  ARM architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_arm.deb
      Size/MD5 checksum: 1290700 071171571b6afb1937cfe6d535a571dc

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_hppa.deb
      Size/MD5 checksum: 1447856 c4137c1ad75efb58c080a96aa9c0699e

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_i386.deb
      Size/MD5 checksum: 1193528 52640ebe894244e34b98b43150028c01

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_ia64.deb
      Size/MD5 checksum: 1829130 27191432085ad6ebff2160874aa06826

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_m68k.deb
      Size/MD5 checksum: 116 c2f78f24982732c9804de4297c4c2672

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_mips.deb
      Size/MD5 checksum: 1353040 6ceb137f2908165b4d1420f56b8be65b

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_mipsel.deb
      Size/MD5 checksum: 1355964 a1685523eede48afe70b1861a6b38038

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_powerpc.deb
      Size/MD5 checksum: 1317034 2d80694cf741a3ed85617dbf4e7b4776

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_s390.deb
      Size/MD5 checksum: 1401630 458f1f892e6ed57677971334589ecc45

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_sparc.deb
      Size/MD5 checksum: 1287812 e92233bfc759de15910da4241e27ebd1


Debian GNU/Linux 4.0 alias etch
- -------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2.dsc
      Size/MD5 checksum: 762 667f0d6ae4984aa499d912b12d9146b9
    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2.diff.gz
      Size/MD5 checksum: 33122 ac7da5cf6b143338aef2b8c6da3b2b3a
    http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5.orig.tar.gz
[Full-disclosure] [SECURITY] [DSA 1270-2] New OpenOffice.org packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1270-2                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 28th, 2007                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2007-0002 CVE-2007-0238 CVE-2007-0239

Several security related problems have been discovered in OpenOffice.org,
the free office suite. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2007-0002

    iDefense reported several integer overflow bugs in libwpd, a library
    for handling WordPerfect documents that is included in
    OpenOffice.org. Attackers are able to exploit these with carefully
    crafted WordPerfect files that could cause an application linked
    with libwpd to crash or possibly execute arbitrary code.

CVE-2007-0238

    Next Generation Security discovered that the StarCalc parser in
    OpenOffice.org contains an easily exploitable stack overflow that
    could be exploited by a specially crafted document to execute
    arbitrary code.

CVE-2007-0239

    It has been reported that OpenOffice.org does not escape shell meta
    characters and is hence vulnerable to execute arbitrary shell
    commands via a specially crafted document after the user clicked to
    a prepared link.

This updated advisory only provides packages for the upcoming etch
release alias Debian GNU/Linux 4.0.

For the stable distribution (sarge) these problems have been fixed in
version 1.1.3-9sarge6.

For the testing distribution (etch) these problems have been fixed in
version 2.0.4.dfsg.2-5etch1.

For the unstable distribution (sid) these problems have been fixed in
version 2.0.4.dfsg.2-6.

We recommend that you upgrade your OpenOffice.org packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_2.0.4.dfsg.2-5etch1.dsc
      Size/MD5 checksum: 7250 cc3669fa2466b3c39204b5dffc8569cf
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_2.0.4.dfsg.2-5etch1.diff.gz
      Size/MD5 checksum: 76805007 7f650a2f88eace1388a5b2ccc08a5a01
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_2.0.4.dfsg.2.orig.tar.gz
      Size/MD5 checksum: 232674922 2f1a5d92188639d3634bd6d1b1c29038

  Architecture independent components:

    http://security.debian.org/pool/updates/main/o/openoffice.org/broffice.org_2.0.4.dfsg.2-5etch1_all.deb
      Size/MD5 checksum: 497312 20161eb974d83eccf15afe55449a563f
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-common_2.0.4.dfsg.2-5etch1_all.deb
      Size/MD5 checksum: 27087286 aa22685899a79a5331ef64a8231d2bdd
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev-doc_2.0.4.dfsg.2-5etch1_all.deb
      Size/MD5 checksum: 5102250 255d82d115878e5b4fca5c772fc9f073
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dtd-officedocument1.0_2.0.4.dfsg.2-5etch1_all.deb
      Size/MD5 checksum: 251444 5db905f725cd28b3b24ec23f6f403e97
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-filter-mobiledev_2.0.4.dfsg.2-5etch1_all.deb
      Size/MD5 checksum: 310176 5f32c47e856f6cc53d36a74e5243b8c1
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-help-cs_2.0.4.dfsg.2-5etch1_all.deb
      Size/MD5 checksum: 11534984 04d9fc0b4bc003d7e1170b46be800361
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-help-da_2.0.4.dfsg.2-5etch1_all.deb
      Size/MD5 checksum: 11476690 965f816e03639c65eb4b48b6c3e5ca87
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-help-de_2.0.4.dfsg.2-5etch1_all.deb
      Size/MD5 checksum: 12261362 3fa450bf1aa6553b2e358e91f104d8b5
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-help-dz_2.0.4.dfsg.2-5etch1_all.deb
      Size/MD5 checksum: 14524472 69411da5041a21bfd23692a2d9be9538
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-help-en-gb_2.0.4.dfsg.2
[Full-disclosure] [SECURITY] [DSA 1270-1] New OpenOffice.org packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1270-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 20th, 2007                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2007-0002 CVE-2007-0238 CVE-2007-0239

Several security related problems have been discovered in OpenOffice.org,
the free office suite. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2007-0002

    iDefense reported several integer overflow bugs in libwpd, a library
    for handling WordPerfect documents that is included in
    OpenOffice.org. Attackers are able to exploit these with carefully
    crafted WordPerfect files that could cause an application linked
    with libwpd to crash or possibly execute arbitrary code.

CVE-2007-0238

    Next Generation Security discovered that the StarCalc parser in
    OpenOffice.org contains an easily exploitable stack overflow that
    could be exploited by a specially crafted document to execute
    arbitrary code.

CVE-2007-0239

    It has been reported that OpenOffice.org does not escape shell meta
    characters and is hence vulnerable to execute arbitrary shell
    commands via a specially crafted document after the user clicked to
    a prepared link.

For the stable distribution (sarge) these problems have been fixed in
version 1.1.3-9sarge6.

For the testing distribution (etch) these problems have been fixed in
version 2.0.4.dfsg.2-6.

For the unstable distribution (sid) these problems have been fixed in
version 2.0.4.dfsg.2-6.

We recommend that you upgrade your OpenOffice.org packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge6.dsc
      Size/MD5 checksum: 2878 6c4447f2bdd8cde4e10556eacb9aef80
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge6.diff.gz
      Size/MD5 checksum: 4630152 e9d9ee838f73572836b059f8033bdb35
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz
      Size/MD5 checksum: 166568714 5250574bad9906b38ce032d04b765772

  Architecture independent components:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-9sarge6_all.deb
      Size/MD5 checksum: 2648700 9dedff380f535381ca48fc23da8c74ae
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-9sarge6_all.deb
      Size/MD5 checksum: 2696106 2eebd4484da0e9a4dcbde3b01e309ba7
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-9sarge6_all.deb
      Size/MD5 checksum: 2692842 e2f0cce7f7ca75c26a55b2615a0d32a2
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-9sarge6_all.deb
      Size/MD5 checksum: 3587952 02a0dcfd7d36cea6433365e4c9acd00f
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-9sarge6_all.deb
      Size/MD5 checksum: 2664822 176c3bd0b24dc4a0700d558e7df15ddd
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-9sarge6_all.deb
      Size/MD5 checksum: 3584442 b7a8d9b8b21a152537ef71d3dce56d54
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-9sarge6_all.deb
      Size/MD5 checksum: 3455220 214fd0769fb967b22521b244a5f8e412
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-9sarge6_all.deb
      Size/MD5 checksum: 2742946 04c91de4bb5b2b6d453ede296693889a
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-9sarge6_all.deb
      Size/MD5 checksum: 3527040 738553a6850160b374d36b7a83f79370
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-9sarge6_all.deb
      Size/MD5 checksum: 3563372 db130e40120c69626e950063eee07a3d
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-9sarge6_all.deb
[Full-disclosure] [SECURITY] [DSA 1269-1] New lookup-el packages fix insecure temporary file
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1269-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 18th, 2007                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : lookup-el
Vulnerability  : insecure temporary file
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2007-0237

Tatsuya Kinoshita discovered that Lookup, a search interface to
electronic dictionaries on emacsen, creates a temporary file in an
insecure fashion when the ndeb-binary feature is used, which allows a
local attacker to craft a symlink attack to overwrite arbitrary files.

For the stable distribution (sarge) this problem has been fixed in
version 1.4-3sarge1.

For the testing distribution (etch) this problem has been fixed in
version 1.4-5.

For the unstable distribution (sid) this problem has been fixed in
version 1.4-5.

We recommend that you upgrade your lookup-el package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/l/lookup-el/lookup-el_1.4-3sarge1.dsc
      Size/MD5 checksum: 585 2daf45b112f1b688658faf610308962e
    http://security.debian.org/pool/updates/main/l/lookup-el/lookup-el_1.4-3sarge1.diff.gz
      Size/MD5 checksum: 7115 f27e58e4ea0df6b08e808624a8fcb4e2
    http://security.debian.org/pool/updates/main/l/lookup-el/lookup-el_1.4.orig.tar.gz
      Size/MD5 checksum: 349751 05d12aa8921969b449a6f2a47bb00247

  Architecture independent components:

    http://security.debian.org/pool/updates/main/l/lookup-el/lookup-el_1.4-3sarge1_all.deb
      Size/MD5 checksum: 228002 30c9393256c1029e3742892e3bc16a6f


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF/Xj0W5ql+IAeqTIRAofWAJ4m3KwS80yMHa+SdKSWRF9bK3A/IwCeKebE
0IJmw3+CLfosO3982ZdVry4=
=czbW
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 1268-1] New libwpd packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1268-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 17th, 2007                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libwpd
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2007-0002

iDefense reported several integer overflow bugs in libwpd, a library for
handling WordPerfect documents. Attackers were able to exploit these
with carefully crafted Word Perfect files that could cause an
application linked with libwpd to crash or possibly execute arbitrary
code.

For the stable distribution (sarge) these problems have been fixed in
version 0.8.1-1sarge1.

For the testing distribution (etch) these problems have been fixed in
version 0.8.7-6.

For the unstable distribution (sid) these problems have been fixed in
version 0.8.7-6.

We recommend that you upgrade your libwpd package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd_0.8.1-1sarge1.dsc
      Size/MD5 checksum: 771 3f766aab2c2c0ff76feb561e51e17350
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd_0.8.1-1sarge1.diff.gz
      Size/MD5 checksum: 12523 9cd210c306a22900d77afbc3e62b3557
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd_0.8.1.orig.tar.gz
      Size/MD5 checksum: 487187 75eabcc479c23461715ee58813c4b9b5

  Architecture independent components:

    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8-doc_0.8.1-1sarge1_all.deb
      Size/MD5 checksum: 523184 0c9bfe4ac1b79688d408b1685246138e

  Alpha architecture:

    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-stream8_0.8.1-1sarge1_alpha.deb
      Size/MD5 checksum: 10200 8457ae23ea4638ecbf774198676e62b6
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-tools_0.8.1-1sarge1_alpha.deb
      Size/MD5 checksum: 25800 94c9d4fd23fdac66ddf368e74761690e
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8_0.8.1-1sarge1_alpha.deb
      Size/MD5 checksum: 148594 8af570673eddd1d436eb0befb40b5ef9
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8-dev_0.8.1-1sarge1_alpha.deb
      Size/MD5 checksum: 286542 b7aae6d0dc6f3f3618e2613d3136c456

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-stream8_0.8.1-1sarge1_amd64.deb
      Size/MD5 checksum: 9998 076ff186f2150afd40318ac9b0764cfe
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-tools_0.8.1-1sarge1_amd64.deb
      Size/MD5 checksum: 24214 1c75a6141ca3e9b5c9247cad1994a814
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8_0.8.1-1sarge1_amd64.deb
      Size/MD5 checksum: 137528 c804cc0ebc56eae0b4af35aac2b8dce2
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8-dev_0.8.1-1sarge1_amd64.deb
      Size/MD5 checksum: 231074 785d0bbf7fc34e7a592843145d55520f

  ARM architecture:

    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-stream8_0.8.1-1sarge1_arm.deb
      Size/MD5 checksum: 9872 502b16e468b369c865f68036651f25c8
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-tools_0.8.1-1sarge1_arm.deb
      Size/MD5 checksum: 21736 3c8862d95e911fa3e96527def67271a9
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8_0.8.1-1sarge1_arm.deb
      Size/MD5 checksum: 134440 cae03d0c40607eb2e09abe3a7aafdc9f
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8-dev_0.8.1-1sarge1_arm.deb
      Size/MD5 checksum: 233142 9c9bf1780e7337a6e3c68ed2fcecf052

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-stream8_0.8.1-1sarge1_hppa.deb
      Size/MD5 checksum: 11058 cc181a60e7d528ca531b2967bebd29ff
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-tools_0.8.1-1sarge1_hppa.deb
      Size/MD5 checksum: 29762 236721a143d8514e1d961c1570664a0f
    http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8_0.8.1-1sarge1_hppa.deb
      Size/MD5 checksum: 174812 9531c09294d4450e77dc0052a5b6cb04
    http
[Full-disclosure] [SECURITY] [DSA 1265-1] New Mozilla packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1265-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 10th, 2007                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-6497 CVE-2006-6498 CVE-2006-6499 CVE-2006-6501
                 CVE-2006-6502 CVE-2006-6503 CVE-2006-6505
CERT advisories: VU#263412 VU#405092 VU#427972 VU#428500 VU#447772
                 VU#606260 VU#887332
BugTraq ID     : 21668

Several security related problems have been discovered in Mozilla and
derived products. The Common Vulnerabilities and Exposures project
identifies the following vulnerabilities:

CVE-2006-6497

    Several vulnerabilities in the layout engine allow remote attackers
    to cause a denial of service and possibly permit them to execute
    arbitrary code. [MFSA 2006-68]

CVE-2006-6498

    Several vulnerabilities in the JavaScript engine allow remote
    attackers to cause a denial of service and possibly permit them to
    execute arbitrary code. [MFSA 2006-68]

CVE-2006-6499

    A bug in the js_dtoa function allows remote attackers to cause a
    denial of service. [MFSA 2006-68]

CVE-2006-6501

    shutdown discovered a vulnerability that allows remote attackers to
    gain privileges and install malicious code via the watch JavaScript
    function. [MFSA 2006-70]

CVE-2006-6502

    Steven Michaud discovered a programming bug that allows remote
    attackers to cause a denial of service. [MFSA 2006-71]

CVE-2006-6503

    moz_bug_r_a4 reported that the src attribute of an IMG element could
    be used to inject JavaScript code. [MFSA 2006-72]

CVE-2006-6505

    Georgi Guninski discovered several heap-based buffer overflows that
    allow remote attackers to execute arbitrary code. [MFSA 2006-74]

For the stable distribution (sarge) these problems have been fixed in
version 1.7.8-1sarge10.

For the unstable distribution (sid) these problems have been fixed in
version 1.0.7-1 of iceape.

We recommend that you upgrade your Mozilla and Iceape packages.
Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge10.dsc
      Size/MD5 checksum: 1125 7bbb0352ba3ac9f97a6349dc5b30830e
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge10.diff.gz
      Size/MD5 checksum: 610517 a93a7496c1ee1336de1eabb4ace10a40
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8.orig.tar.gz
      Size/MD5 checksum: 30589520 13c0f0331617748426679e8f2e9f537a

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge10_alpha.deb
      Size/MD5 checksum: 172736 2b766929fd8fc52fd2dba54550db816e
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge10_alpha.deb
      Size/MD5 checksum: 149964 a182e1466f9656f71d16ff2d7ab2571b
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge10_alpha.deb
      Size/MD5 checksum: 189726 7343cb0178402a4aeb3054e80f0b2d9b
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge10_alpha.deb
      Size/MD5 checksum: 858650 6ca44187faea0d75dc0c868658e7282d
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge10_alpha.deb
      Size/MD5 checksum: 1030 f2a4a8b7f0dd9ab8b9a80ec1bd7a9a72
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge10_alpha.deb
      Size/MD5 checksum: 11535592 2eb72b02028260bb60aa77c17fe657bb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge10_alpha.deb
      Size/MD5 checksum: 403522 fe42c78ec1ee7e2292bb03904b3a2471
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge10_alpha.deb
      Size/MD5 checksum: 158336 e08a92e6530f91204f71d9067f426ff2
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge10_alpha.deb
      Size/MD5 checksum: 3611380 0a3282afa4806af2be0c170052f3c7d0
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8
[Full-disclosure] [SECURITY] [DSA 1258-1] New Mozilla Firefox packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1258-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
February 7th, 2007                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-6497 CVE-2006-6498 CVE-2006-6499 CVE-2006-6501
                 CVE-2006-6502 CVE-2006-6503
CERT advisories: VU#263412 VU#405092 VU#427972 VU#428500 VU#447772
                 VU#606260
BugTraq ID     : 21668
Debian Bug     :

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Firefox. The Common Vulnerabilities
and Exposures project identifies the following vulnerabilities:

CVE-2006-6497

    Several vulnerabilities in the layout engine allow remote attackers
    to cause a denial of service and possibly permit them to execute
    arbitrary code. [MFSA 2006-68]

CVE-2006-6498

    Several vulnerabilities in the JavaScript engine allow remote
    attackers to cause a denial of service and possibly permit them to
    execute arbitrary code. [MFSA 2006-68]

CVE-2006-6499

    A bug in the js_dtoa function allows remote attackers to cause a
    denial of service. [MFSA 2006-68]

CVE-2006-6501

    shutdown discovered a vulnerability that allows remote attackers to
    gain privileges and install malicious code via the watch JavaScript
    function. [MFSA 2006-70]

CVE-2006-6502

    Steven Michaud discovered a programming bug that allows remote
    attackers to cause a denial of service. [MFSA 2006-71]

CVE-2006-6503

    moz_bug_r_a4 reported that the src attribute of an IMG element could
    be used to inject JavaScript code. [MFSA 2006-72]

For the stable distribution (sarge) these problems have been fixed in
version 1.0.2-2.sarge1.0.8e.2.

For the testing (etch) and unstable (sid) distribution these problems
have been fixed in version 1.5.0.9.dfsg1-1 of icedove.

We recommend that you upgrade your Mozilla Thunderbird and Icedove
packages.
Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8e.2.dsc
      Size/MD5 checksum: 1003 98589a4dcffac076c95e1d3aa3aebadf
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8e.2.diff.gz
      Size/MD5 checksum: 565274 897aa9e909e426a86d23314b34979440
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2.orig.tar.gz
      Size/MD5 checksum: 33288906 806175393a226670aa66060452d31df4

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8e.2_alpha.deb
      Size/MD5 checksum: 12887452 7fae4782cf5821d6d95ccde5d6649ccb
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8e.2_alpha.deb
      Size/MD5 checksum: 3519306 849e410705ca14e5f295b345083f70f0
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8e.2_alpha.deb
      Size/MD5 checksum: 154092 e3018444e2cb9d14f95c79c77a854281
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8e.2_alpha.deb
      Size/MD5 checksum: 35098 153cb6752ca559a48eda9f330137a11a
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8e.2_alpha.deb
      Size/MD5 checksum: 91436 362b189e0b8020bc4a1d97c78e8d83ab

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8e.2_amd64.deb
      Size/MD5 checksum: 12273698 114e74f8fa22b052605343d805363a0a
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8e.2_amd64.deb
      Size/MD5 checksum: 3285226 00c01353f18b817960c1bb69e4d8184c
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8e.2_amd64.deb
      Size/MD5 checksum: 152186
[Full-disclosure] [SECURITY] [DSA 1252-1] New vlc packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1252-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 27th, 2007                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : vlc
Vulnerability  : format string
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2007-0017
BugTraq ID     : 21852
Debian Bug     : 405425

Kevin Finisterre discovered several format string problems in vlc, a
multimedia player and streamer, that could lead to the execution of
arbitrary code.

For the stable distribution (sarge) this problem has been fixed in
version 0.8.1.svn20050314-1sarge2.

For the testing distribution (etch) this problem has been fixed in
version 0.8.6-svn20061012.debian-3.

For the unstable distribution (sid) this problem has been fixed in
version 0.8.6.a.debian-1.

We recommend that you upgrade your vlc packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.1.svn20050314-1sarge2.dsc Size/MD5 checksum: 1916 a8b1c32a0625845da8b035402064351b http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.1.svn20050314-1sarge2.diff.gz Size/MD5 checksum: 1419 c1573565b4f6c5f5bc4fb0da0ef82c4e http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.1.svn20050314.orig.tar.gz Size/MD5 checksum: 9746520 51ecfbb072315eacf7fcaf250c26f5cb Alpha architecture: http://security.debian.org/pool/updates/main/v/vlc/gnome-vlc_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 1266 8853851e2a72e05384aea403f5cf6653 http://security.debian.org/pool/updates/main/v/vlc/gvlc_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 1274 4a46132a0350ab64988cfeee2e359346 http://security.debian.org/pool/updates/main/v/vlc/kvlc_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 974 35919aaa5c074c71b261368fa4996927 http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 1107280 336cc4b04aafb0cf6be225d95ffdaa4a http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 730874 4ff2fa4db4cedc2f342e4a0f04c4c26e http://security.debian.org/pool/updates/main/v/vlc/qvlc_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 962 428c0ba457c883671dcabc9765bc42c2 http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 6379564 385093ea2365451403b2e8bbbcfb3099 http://security.debian.org/pool/updates/main/v/vlc/vlc-alsa_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 876 6c9c610fc76e692259658679b005458e http://security.debian.org/pool/updates/main/v/vlc/vlc-esd_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 874 b6ac4991d587f1a75ad5da839c10adcc http://security.debian.org/pool/updates/main/v/vlc/vlc-ggi_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 874 
25f8ee175b94ca36ada42fd4ea88a76e http://security.debian.org/pool/updates/main/v/vlc/vlc-gnome_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 874 f8558d4538e52c175d754ef1e573ae11 http://security.debian.org/pool/updates/main/v/vlc/vlc-gtk_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 864 e4edea539c49dde353c12af6ab20c2ab http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-alsa_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum:8 b0ba0c37b27492f6e5e29d0363144184 http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 4412 c3f0276fabcd203688028603649c1e38 http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 4540 143e1946a241e84aaa369294f168d9cb http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.1.svn20050314-1sarge2_alpha.deb Size/MD5 checksum: 7280 f27e05eb9ab28bf186e21752252e458c http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.1.svn20050314-1sarge2_alpha.deb
[Full-disclosure] [SECURITY] [DSA 1253-1] New Mozilla Firefox packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1253-1
http://www.debian.org/security/                             Martin Schulze
January 27th, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-6497 CVE-2006-6498 CVE-2006-6499 CVE-2006-6501 CVE-2006-6502 CVE-2006-6503
CERT advisories: VU#263412 VU#405092 VU#427972 VU#428500 VU#447772 VU#606260
BugTraq ID     : 21668

Several security related problems have been discovered in Mozilla and derived products such as Mozilla Firefox. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-6497

    Several vulnerabilities in the layout engine allow remote attackers to cause a denial of service and possibly permit them to execute arbitrary code. [MFSA 2006-68]

CVE-2006-6498

    Several vulnerabilities in the JavaScript engine allow remote attackers to cause a denial of service and possibly permit them to execute arbitrary code. [MFSA 2006-68]

CVE-2006-6499

    A bug in the js_dtoa function allows remote attackers to cause a denial of service. [MFSA 2006-68]

CVE-2006-6501

    shutdown discovered a vulnerability that allows remote attackers to gain privileges and install malicious code via the watch JavaScript function. [MFSA 2006-70]

CVE-2006-6502

    Steven Michaud discovered a programming bug that allows remote attackers to cause a denial of service. [MFSA 2006-71]

CVE-2006-6503

    moz_bug_r_a4 reported that the src attribute of an IMG element could be used to inject JavaScript code. [MFSA 2006-72]

For the stable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge15.

For the testing and unstable distribution (sid and etch) these problems have been fixed in version 2.0.0.1+dfsg-2 of iceweasel.

We recommend that you upgrade your firefox and iceweasel packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge15.dsc
      Size/MD5 checksum:     1003 7a91bbe0e74f171d77a4ca269dbdc478
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge15.diff.gz
      Size/MD5 checksum:   474490 e2c0763d61d113df926c1c227456bbd9
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
      Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge15_alpha.deb
      Size/MD5 checksum: 11220962 3c4c671efcb89c479d60de7a1a865066
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge15_alpha.deb
      Size/MD5 checksum:   172362 154963378cd94acb45e1ec5466ca4e26
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge15_alpha.deb
      Size/MD5 checksum:    63256 b03373f5d1cbeef3fec78c9c35901a49

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge15_amd64.deb
      Size/MD5 checksum:  9426720 53465fbeaae00e568a11fc98071e2599
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge15_amd64.deb
      Size/MD5 checksum:   166126 676db838b32395439ccb0ad94c5cb6c5
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge15_amd64.deb
      Size/MD5 checksum:    61698 9d62947f05f67824f6acdbb6849d8443

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge15_arm.deb
      Size/MD5 checksum:  8242282 db2f7d98470eabe0df22a7798b0ba917
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge15_arm.deb
      Size/MD5 checksum:   157606 2ecff3c59b30d58d324c2181b8c9664e
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge15_arm.deb
      Size/MD5
[Full-disclosure] [SECURITY] [DSA 1246-1] New OpenOffice.org packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1246-1
http://www.debian.org/security/                             Martin Schulze
January 8th, 2007                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-5870
Debian Bug     : 405679 405986

John Heasman from Next Generation Security Software discovered a heap overflow in the handling of Windows Metafiles in OpenOffice.org, the free office suite, which could lead to a denial of service and potentially execution of arbitrary code.

For the stable distribution (sarge) this problem has been fixed in version 1.1.3-9sarge4.

For the unstable distribution (sid) this problem has been fixed in version 2.0.4-1.

We recommend that you upgrade your openoffice.org package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge4.dsc
      Size/MD5 checksum:      2878 3adfe8b09c20248767fe9d995b3f184c
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge4.diff.gz
      Size/MD5 checksum:   4623655 108120f3b365317fa9c47b25a5445fce
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz
      Size/MD5 checksum: 166568714 5250574bad9906b38ce032d04b765772

  Architecture independent components:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   2647376 8704f95d7e844e302abcae4d403f7818
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   2694806 89cc4671d9d38ff05e5a361a06e02098
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   2690164 45db102838292106429d06f2c9d4a77f
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   3586142 03e0e6ba4d7abc4954fb7ffe4e04ced6
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   2662654 ff77cf34ec2cfc0d8deaa49edf5ed00f
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   3581922 7f69ac15b11613a649a2a08ff1501fd8
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   3453208 fcd76abbb9df7cd707e36903e9db1f17
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   2741468 ab08c03a0f0d78c3db9c99bd80fe12f1
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   3525792 12c71a26f9512295ab442fb63e8711a3
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   3560792 9965231fb1b0c3956ddb09255b91c86b
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   2645014 baa0a0c809a740273d8dfd87b946d81b
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-eu_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   2667748 740c781dd55cad46fdc52c1926d5854e
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fi_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   2673164 f8b2c8d335490dcaaf3f1bcb63eb72ec
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fr_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   3494058 674365c474453cf6590a82c2b2d3d631
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-gl_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   2657584 7ce93bcb8f34a3f05f7560b5631a5ed8
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-he_1.1.3
[Full-disclosure] [SECURITY] [DSA 1229-1] New Asterisk packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1229-1
http://www.debian.org/security/                             Martin Schulze
December 6th, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-5444
CERT advisory  : VU#521252
BugTraq ID     : 20617

Adam Boileau discovered an integer overflow in the Skinny channel driver in Asterisk, an Open Source Private Branch Exchange or telephone system, as used by Cisco SCCP phones, which allows remote attackers to execute arbitrary code.

For the stable distribution (sarge) this problem has been fixed in version 1.0.7.dfsg.1-2sarge4.

For the unstable distribution (sid) this problem has been fixed in version 1.2.13~dfsg-1.

We recommend that you upgrade your asterisk packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.dsc
      Size/MD5 checksum:     1259 2441c1ccc8467ecefc45b58711b9602f
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4.diff.gz
      Size/MD5 checksum:    70588 17c8aaae715230d9ea8d0485eb7cfe95
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1.orig.tar.gz
      Size/MD5 checksum:  2929488 0d0f718ccd7a06ab998c3f637df294c0

  Architecture independent components:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge4_all.deb
      Size/MD5 checksum:    61616 84dd16720f492033c5c034b69f033f7f
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge4_all.deb
      Size/MD5 checksum:    83382 0fda6ac9d47e7d5bcd9786c7ab17ebd5
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge4_all.deb
      Size/MD5 checksum:  1577766 a5ddadc5ba22723d32a74a2bc4fb9dfc
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge4_all.deb
      Size/MD5 checksum:  1180298 bf9fae8e20a5e299d1c24e5fce59ee96
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge4_all.deb
      Size/MD5 checksum:    28378 eb425bfc6db224dd17346c0a03f06853

  Alpha architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_alpha.deb
      Size/MD5 checksum:  1477714 2835395f4796f717330ec4bc6decca4e
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_alpha.deb
      Size/MD5 checksum:    31406 03e9021f5867a19500fadd3e27563e47
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_alpha.deb
      Size/MD5 checksum:    21444 06a45fc8f1407adfdcaf1453e1cd0874

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_amd64.deb
      Size/MD5 checksum:      138 73a991fc324d71d53a375dd81b9eb8e2
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_amd64.deb
      Size/MD5 checksum:    30832 21bde76d77e7948ec115c0752e025353
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_amd64.deb
      Size/MD5 checksum:    21444 c426ea519c9a806039aec64fc58083fc

  ARM architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_arm.deb
      Size/MD5 checksum:  1262870 4e73f23ddaadabb52c1f06b37e1c520e
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_arm.deb
      Size/MD5 checksum:    29544 7d7f780f79006309910f2f6a66e06818
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge4_arm.deb
      Size/MD5 checksum:    21444 e50e31d85cc4835fc0023b02d4a19b39

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge4_hppa.deb
      Size/MD5 checksum:  1448202 32dd05dd323f87a5e2af536e49985faa
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_hppa.deb
[Full-disclosure] [SECURITY] [DSA 1227-1] New Mozilla Thunderbird packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1227-1
http://www.debian.org/security/                             Martin Schulze
December 4th, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-thunderbird
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4310 CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5748
CERT advisories: VU#335392 VU#390480 VU#495288 VU#714496
BugTraq IDs    : 19678 20957

Several security related problems have been discovered in Mozilla and derived products such as Mozilla Thunderbird. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-4310

    Tomas Kempinsky discovered that malformed FTP server responses could lead to denial of service.

CVE-2006-5462

    Ulrich Kühn discovered that the correction for a cryptographic flaw in the handling of PKCS-1 certificates was incomplete, which allows the forgery of certificates.

CVE-2006-5463

    shutdown discovered that modification of JavaScript objects during execution could lead to the execution of arbitrary JavaScript bytecode.

CVE-2006-5464

    Jesse Ruderman and Martijn Wargers discovered several crashes in the layout engine, which might also allow execution of arbitrary code.

CVE-2006-5748

    Igor Bukanov and Jesse Ruderman discovered several crashes in the JavaScript engine, which might allow execution of arbitrary code.

This update also addresses several crashes, which could be triggered by malicious websites, and fixes a regression introduced in the previous Mozilla update.

For the stable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge13.

For the unstable distribution (sid) these problems have been fixed in the current icedove package 1.5.0.8.

We recommend that you upgrade your mozilla-thunderbird package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1.dsc
      Size/MD5 checksum:     1003 6c5f746adeacacdf3127e17cb2aa8bee
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1.diff.gz
      Size/MD5 checksum:   529889 28823ccf3573c2dd660fd9d9e3e22b09
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2.orig.tar.gz
      Size/MD5 checksum: 33288906 806175393a226670aa66060452d31df4

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_alpha.deb
      Size/MD5 checksum: 12856976 84bc9994e2d58b31b25e2bd069d1def3
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_alpha.deb
      Size/MD5 checksum:  3280854 caa0d6f973d08d3f2b35e52254b00c2d
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_alpha.deb
      Size/MD5 checksum:   152698 d9fdc6a19105ddd536acd60a8ee2ab37
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8d.1_alpha.deb
      Size/MD5 checksum:    34122 cafae516210656d77a176415fb8db6f4
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8d.1_alpha.deb
      Size/MD5 checksum:    90116 699b3712455d642e224b54c926328a4c

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8d.1_amd64.deb
      Size/MD5 checksum: 12259294 289d4d588a4c47385220edb78c04afae
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8d.1_amd64.deb
      Size/MD5 checksum:  3282040 f4c6b066917601dad180472abf540098
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8d.1_amd64.deb
      Size/MD5 checksum:   151728 58934099903d70e9299390ea13f59df5
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird
[Full-disclosure] [SECURITY] [DSA 1224-1] New Mozilla packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1224-1
http://www.debian.org/security/                             Martin Schulze
December 3rd, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4310 CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5748
CERT advisories: VU#335392 VU#390480 VU#495288 VU#714496
BugTraq IDs    : 19678 20957

Several security related problems have been discovered in Mozilla and derived products. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-4310

    Tomas Kempinsky discovered that malformed FTP server responses could lead to denial of service.

CVE-2006-5462

    Ulrich Kühn discovered that the correction for a cryptographic flaw in the handling of PKCS-1 certificates was incomplete, which allows the forgery of certificates.

CVE-2006-5463

    shutdown discovered that modification of JavaScript objects during execution could lead to the execution of arbitrary JavaScript bytecode.

CVE-2006-5464

    Jesse Ruderman and Martijn Wargers discovered several crashes in the layout engine, which might also allow execution of arbitrary code.

CVE-2006-5748

    Igor Bukanov and Jesse Ruderman discovered several crashes in the JavaScript engine, which might allow execution of arbitrary code.

This update also addresses several crashes, which could be triggered by malicious websites, and fixes a regression introduced in the previous Mozilla update.

For the stable distribution (sarge) these problems have been fixed in version 1.7.8-1sarge8.

We recommend that you upgrade your mozilla package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8.dsc
      Size/MD5 checksum:     1124 a6f4c7ddbcb0d9126d4e0a81fda4059a
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8.diff.gz
      Size/MD5 checksum:   574770 77a056d9582389d1a31de1136dd7a0a2
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8.orig.tar.gz
      Size/MD5 checksum: 30589520 13c0f0331617748426679e8f2e9f537a

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:   168064 33104218442c9bd7b113df794afdefe0
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:   148564 be8d4aeb7da1d0a7e7524096cefee038
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:   184948 f831a7dd089c599c695ab540720be912
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:   858396 bd636d8d59d54016d4051ae37fbf0455
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:     1034 bb3c11032fe99445e2831485155f9bec
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum: 11494648 a1029b5935bf687048b0a8156fb3910c
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:   403290 ade408aef33a53453263a2a83cf96524
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:   158332 ccdc52d9b79b5359e18ef4f8e39ae068
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:  3358886 c86ce3ccec680c80730cf046560d1cc8
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:   122288 91187d98388e73f4ca5aa93314a23d78
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:   204152 405074b924c7ec7450da6cc623a2d6f9
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_alpha.deb
      Size/MD5 checksum:  1937184
[Full-disclosure] [SECURITY] [DSA 1225-2] New Mozilla Firefox packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1225-2
http://www.debian.org/security/                             Martin Schulze
December 3rd, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4310 CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5748
CERT advisories: VU#335392 VU#390480 VU#495288 VU#714496
BugTraq IDs    : 19678 20957

This update covers packages for the little endian MIPS architecture missing in the original advisory.

Several security related problems have been discovered in Mozilla and derived products such as Mozilla Firefox. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-4310

    Tomas Kempinsky discovered that malformed FTP server responses could lead to denial of service.

CVE-2006-5462

    Ulrich Kühn discovered that the correction for a cryptographic flaw in the handling of PKCS-1 certificates was incomplete, which allows the forgery of certificates.

CVE-2006-5463

    shutdown discovered that modification of JavaScript objects during execution could lead to the execution of arbitrary JavaScript bytecode.

CVE-2006-5464

    Jesse Ruderman and Martijn Wargers discovered several crashes in the layout engine, which might also allow execution of arbitrary code.

CVE-2006-5748

    Igor Bukanov and Jesse Ruderman discovered several crashes in the JavaScript engine, which might allow execution of arbitrary code.

This update also addresses several crashes, which could be triggered by malicious websites, and fixes a regression introduced in the previous Mozilla update.

For the stable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge13.

For the unstable distribution (sid) these problems have been fixed in the current iceweasel package 2.0+dfsg-1.

We recommend that you upgrade your mozilla-firefox package.
Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13.dsc
      Size/MD5 checksum:     1003 4a8d05c1e9563e6066ca838e7c0b2f53
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13.diff.gz
      Size/MD5 checksum:   450265 46d4bedf12a1e0c92a275ae012d92b5a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
      Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_mipsel.deb
      Size/MD5 checksum:  9820186 7823ac933179f566597b7bd4e3810fcb
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_mipsel.deb
      Size/MD5 checksum:   158272 950a04ca3dfd4870b30d5d8c6ae536ee
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_mipsel.deb
      Size/MD5 checksum:    58218 0dad036900c189fc233a5fe25c2edd3a

  These files will probably be moved into the stable distribution on its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFcy0VW5ql+IAeqTIRAgxMAKC0SdOsZeB/nY4PZL+cqJJFJkhPQgCgo2DD
Bl3uw4f40sxNi3ss3FrgBPY=
=OMQR
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 1221-1] New libgsf packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1221-1
http://www.debian.org/security/                             Martin Schulze
November 30th, 2006                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libgsf
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no

infamous41md discovered a heap buffer overflow vulnerability in libgsf, a GNOME library for reading and writing structured file formats, which could lead to the execution of arbitrary code.

For the stable distribution (sarge) this problem has been fixed in version 1.11.1-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 1.14.2-1.

We recommend that you upgrade your libgsf packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf_1.11.1-1sarge1.dsc
      Size/MD5 checksum:      837 bc96a9630b2605bdd8091a0f3f934f09
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf_1.11.1-1sarge1.diff.gz
      Size/MD5 checksum:     7678 23aa764ba57e0ec811916b78bf986917
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf_1.11.1.orig.tar.gz
      Size/MD5 checksum:   572284 d3260e0411c3a972c4f5bf3f2d1fbdf3

  Alpha architecture:

    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-1_1.11.1-1sarge1_alpha.deb
      Size/MD5 checksum:   107854 37c60803868436da0effcaaac0eb3261
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-1-dbg_1.11.1-1sarge1_alpha.deb
      Size/MD5 checksum:    84542 869400c0b10cab3e7a1e353091c15138
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-1-dev_1.11.1-1sarge1_alpha.deb
      Size/MD5 checksum:   211104 d80136fdc38edad9f97f2fc335a13c87
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-gnome-1_1.11.1-1sarge1_alpha.deb
      Size/MD5 checksum:    42524 3c201fc969af6fc144ddfa9d308ca7d9
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-gnome-1-dbg_1.11.1-1sarge1_alpha.deb
      Size/MD5 checksum:    10796 56f4a381eaadbc54ad5da1515fc02a28
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-gnome-1-dev_1.11.1-1sarge1_alpha.deb
      Size/MD5 checksum:    50690 a134d813591188748c8237b76ca07eff

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-1_1.11.1-1sarge1_amd64.deb
      Size/MD5 checksum:    95598 741f5e3cf1276c57a862c6c32989bf45
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-1-dbg_1.11.1-1sarge1_amd64.deb
      Size/MD5 checksum:    72884 f1440dcac0f635ef12ecaf9321e19741
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-1-dev_1.11.1-1sarge1_amd64.deb
      Size/MD5 checksum:   172702 751adb98ffb3ae93b849c56bdfda3e35
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-gnome-1_1.11.1-1sarge1_amd64.deb
      Size/MD5 checksum:    41496 5d8b547d18ec67bc74e577341e9127fe
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-gnome-1-dbg_1.11.1-1sarge1_amd64.deb
      Size/MD5 checksum:    10274 c974e8cf41208991a4994274aed34cf4
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-gnome-1-dev_1.11.1-1sarge1_amd64.deb
      Size/MD5 checksum:    47474 36ccd40752ff3e33d220494388e82ba3

  ARM architecture:

    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-1_1.11.1-1sarge1_arm.deb
      Size/MD5 checksum:    92054 81c8e51b0f1a565c2c7975ca00c54aef
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-1-dbg_1.11.1-1sarge1_arm.deb
      Size/MD5 checksum:    71122 4983eeffaa1ef96a18eabbb6eff072d6
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-1-dev_1.11.1-1sarge1_arm.deb
      Size/MD5 checksum:   171650 addecc2d0f2e2e9b9e0973af85e4d6d5
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-gnome-1_1.11.1-1sarge1_arm.deb
      Size/MD5 checksum:    41006 7631c2c831ccb352ee3eaafa1ae08501
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-gnome-1-dbg_1.11.1-1sarge1_arm.deb
      Size/MD5 checksum:     9650 0bef0c46800914370452657c52827a7b
    http://security.debian.org/pool/updates/main/libg/libgsf/libgsf-gnome-1
[Full-disclosure] [SECURITY] [DSA 1210-1] New Mozilla Firefox packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1210-1
http://www.debian.org/security/
Martin Schulze
November 14th, 2006
http://www.debian.org/security/faq
- --

Package: mozilla-firefox
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs: CVE-2006-2788 CVE-2006-4340 CVE-2006-4565 CVE-2006-4566 CVE-2006-4568 CVE-2006-4571
BugTraq ID : 20042

Several security related problems have been discovered in Mozilla and derived products such as Mozilla Firefox. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-2788

    Fernando Ribeiro discovered that a vulnerability in the getRawDER function allows remote attackers to cause a denial of service (hang) and possibly execute arbitrary code.

CVE-2006-4340

    Daniel Bleichenbacher recently described an implementation error in RSA signature verification that causes the application to incorrectly trust SSL certificates.

CVE-2006-4565, CVE-2006-4566

    Priit Laes reported that a JavaScript regular expression can trigger a heap-based buffer overflow which allows remote attackers to cause a denial of service and possibly execute arbitrary code.

CVE-2006-4568

    A vulnerability has been discovered that allows remote attackers to bypass the security model and inject content into the sub-frame of another site.

CVE-2006-4571

    Multiple unspecified vulnerabilities in Firefox, Thunderbird and SeaMonkey allow remote attackers to cause a denial of service, corrupt memory, and possibly execute arbitrary code.

For the stable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge12.

For the unstable distribution (sid) these problems have been fixed in version 1.5.dfsg+1.5.0.7-1 of firefox.

We recommend that you upgrade your Mozilla Firefox package.

Upgrade Instructions
- --

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --

Source archives:
[Full-disclosure] [SECURITY] [DSA 1192-1] New Mozilla packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1192-1
http://www.debian.org/security/
Martin Schulze
October 6th, 2006
http://www.debian.org/security/faq
- --

Package: mozilla
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs: CVE-2006-2788 CVE-2006-4340 CVE-2006-4565 CVE-2006-4566 CVE-2006-4568 CVE-2006-4570 CVE-2006-4571
BugTraq ID : 20042

Several security related problems have been discovered in Mozilla and derived products. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-2788

    Fernando Ribeiro discovered that a vulnerability in the getRawDER function allows remote attackers to cause a denial of service (hang) and possibly execute arbitrary code.

CVE-2006-4340

    Daniel Bleichenbacher recently described an implementation error in RSA signature verification that causes the application to incorrectly trust SSL certificates.

CVE-2006-4565, CVE-2006-4566

    Priit Laes reported that a JavaScript regular expression can trigger a heap-based buffer overflow which allows remote attackers to cause a denial of service and possibly execute arbitrary code.

CVE-2006-4568

    A vulnerability has been discovered that allows remote attackers to bypass the security model and inject content into the sub-frame of another site.

CVE-2006-4570

    Georgi Guninski demonstrated that even with JavaScript disabled in mail (the default) an attacker can still execute JavaScript when a mail message is viewed, replied to, or forwarded.

CVE-2006-4571

    Multiple unspecified vulnerabilities in Firefox, Thunderbird and SeaMonkey allow remote attackers to cause a denial of service, corrupt memory, and possibly execute arbitrary code.

For the stable distribution (sarge) these problems have been fixed in version 1.7.8-1sarge7.3.1.

We recommend that you upgrade your Mozilla package.

Upgrade Instructions
- --

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --

Source archives:
[Full-disclosure] [SECURITY] [DSA 1191-1] New Mozilla Thunderbird packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1191-1
http://www.debian.org/security/
Martin Schulze
October 5th, 2006
http://www.debian.org/security/faq
- --

Package: mozilla-thunderbird
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs: CVE-2006-2788 CVE-2006-4340 CVE-2006-4565 CVE-2006-4566 CVE-2006-4568 CVE-2006-4570 CVE-2006-4571
BugTraq ID : 20042

Several security related problems have been discovered in Mozilla and derived products such as Mozilla Thunderbird. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-2788

    Fernando Ribeiro discovered that a vulnerability in the getRawDER function allows remote attackers to cause a denial of service (hang) and possibly execute arbitrary code.

CVE-2006-4340

    Daniel Bleichenbacher recently described an implementation error in RSA signature verification that causes the application to incorrectly trust SSL certificates.

CVE-2006-4565, CVE-2006-4566

    Priit Laes reported that a JavaScript regular expression can trigger a heap-based buffer overflow which allows remote attackers to cause a denial of service and possibly execute arbitrary code.

CVE-2006-4568

    A vulnerability has been discovered that allows remote attackers to bypass the security model and inject content into the sub-frame of another site.

CVE-2006-4570

    Georgi Guninski demonstrated that even with JavaScript disabled in mail (the default) an attacker can still execute JavaScript when a mail message is viewed, replied to, or forwarded.

CVE-2006-4571

    Multiple unspecified vulnerabilities in Firefox, Thunderbird and SeaMonkey allow remote attackers to cause a denial of service, corrupt memory, and possibly execute arbitrary code.

For the stable distribution (sarge) these problems have been fixed in version 1.0.2-2.sarge1.0.8c.1.

For the unstable distribution (sid) these problems have been fixed in version 1.5.0.7-1.
We recommend that you upgrade your Mozilla Thunderbird packages.

Upgrade Instructions
- --

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --

Source archives:
[Full-disclosure] [SECURITY] [DSA 1188-1] New mailman packages fix several problems
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1188-1
http://www.debian.org/security/
Martin Schulze
October 4th, 2006
http://www.debian.org/security/faq
- --

Package: mailman
Vulnerability : format string
Problem type : remote
Debian-specific: no
CVE IDs: CVE-2006-3636 CVE-2006-4624
BugTraq ID : 19831

Several security related problems have been discovered in mailman, the web-based GNU mailing list manager. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-3636

    Moritz Naumann discovered several cross-site scripting problems that could allow remote attackers to inject arbitrary web script or HTML.

CVE-2006-4624

    Moritz Naumann discovered that a remote attacker can inject arbitrary strings into the logfile.

For the stable distribution (sarge) this problem has been fixed in version 2.1.5-8sarge5.

For the unstable distribution (sid) this problem has been fixed in version 2.1.8-3.

We recommend that you upgrade your mailman package.

Upgrade Instructions
- --

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --

Source archives:
These files will probably be moved into the stable distribution on its next update.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show
[Full-disclosure] [SECURITY] [DSA 1184-2] New Linux 2.6.8 packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1184-2
http://www.debian.org/security/
Dann Frazier
September 26th, 2006
http://www.debian.org/security/faq
- --

Package: kernel-source-2.6.8
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs: CVE-2004-2660 CVE-2005-4798 CVE-2006-1052 CVE-2006-1343 CVE-2006-1528 CVE-2006-1855 CVE-2006-1856 CVE-2006-2444 CVE-2006-2446 CVE-2006-2935 CVE-2006-2936 CVE-2006-3468 CVE-2006-3745 CVE-2006-4093 CVE-2006-4145 CVE-2006-4535
CERT advisory : VU#681569
BugTraq IDs: 17203 17830 18081 18099 18101 18105 18847 19033 19396 19562 19615 19666 20087

This advisory covers the S/390 components of the recent security update for the Linux 2.6.8 kernel that was missing due to technical problems. For reference below please see the original advisory text.

Several security related problems have been discovered in the Linux kernel which may lead to a denial of service or even the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2004-2660

    Toshihiro Iwamoto discovered a memory leak in the handling of direct I/O writes that allows local users to cause a denial of service.

CVE-2005-4798

    A buffer overflow in NFS readlink handling allows a malicious remote server to cause a denial of service.

CVE-2006-1052

    Stephen Smalley discovered a bug in the SELinux ptrace handling that allows local users with ptrace permissions to change the tracer SID to the SID of another process.

CVE-2006-1343

    Pavel Kankovsky discovered an information leak in the getsockopt system call which can be exploited by a local program to leak potentially sensitive memory to userspace.

CVE-2006-1528

    Douglas Gilbert reported a bug in the sg driver that allows local users to cause a denial of service by performing direct I/O transfers from the sg driver to memory mapped I/O space.
CVE-2006-1855

    Mattia Belletti noticed that certain debugging code left in the process management code could be exploited by a local attacker to cause a denial of service.

CVE-2006-1856

    Kostik Belousov discovered a missing LSM file_permission check in the readv and writev functions which might allow attackers to bypass intended access restrictions.

CVE-2006-2444

    Patrick McHardy discovered a bug in the SNMP NAT helper that allows remote attackers to cause a denial of service.

CVE-2006-2446

    A race condition in the socket buffer handling allows remote attackers to cause a denial of service.

CVE-2006-2935

    Diego Calleja Garcia discovered a buffer overflow in the DVD handling code that could be exploited by a specially crafted DVD or USB storage device to execute arbitrary code.

CVE-2006-2936

    A bug in the serial USB driver has been discovered that could be exploited by a custom made USB serial adapter to consume arbitrary amounts of memory.

CVE-2006-3468

    James McKenzie discovered a denial of service vulnerability in the NFS driver. When exporting an ext3 file system over NFS, a remote attacker could exploit this to trigger a file system panic by sending a specially crafted UDP packet.

CVE-2006-3745

    Wei Wang discovered a bug in the SCTP implementation that allows local users to cause a denial of service and possibly gain root privileges.

CVE-2006-4093

    Olof Johansson discovered that the kernel did not disable the HID0 bit on PowerPC 970 processors which could be exploited by a local attacker to cause a denial of service.

CVE-2006-4145

    A bug in the Universal Disk Format (UDF) filesystem driver could be exploited by a local user to cause a denial of service.

CVE-2006-4535

    David Miller reported a problem with the fix for CVE-2006-3745 that allows local users to crash the system via an SCTP socket with a certain SO_LINGER value.
The following matrix explains which kernel version for which architecture fixes the problem mentioned above:

                                 stable (sarge)
    Source                       2.6.8-16sarge5
    Alpha architecture           2.6.8-16sarge5
    AMD64 architecture           2.6.8-16sarge5
    HP Precision architecture    2.6.8-6sarge5
    Intel IA-32 architecture     2.6.8-16sarge5
    Intel IA-64 architecture     2.6.8-14sarge5
    Motorola 680x0 architecture  2.6.8-4sarge5
    PowerPC architecture         2.6.8-12sarge5
    IBM S/390                    2.6.8-5sarge5
    Sun Sparc architecture       2.6.8-15sarge5
    FAI
[Full-disclosure] [SECURITY] [DSA 1183-1] New Linux 2.4.27 packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1183-1
http://www.debian.org/security/
Dann Frazier
September 25th, 2006
http://www.debian.org/security/faq
- --

Package: kernel-source-2.4.27
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs: CVE-2005-4798 CVE-2006-2935 CVE-2006-1528 CVE-2006-2444 CVE-2006-2446 CVE-2006-3745 CVE-2006-4535
CERT advisory : VU#681569
BugTraq IDs: 18081 18101 18847 19666 20087

Several security related problems have been discovered in the Linux kernel which may lead to a denial of service or even the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2005-4798

    A buffer overflow in NFS readlink handling allows a malicious remote server to cause a denial of service.

CVE-2006-2935

    Diego Calleja Garcia discovered a buffer overflow in the DVD handling code that could be exploited by a specially crafted DVD or USB storage device to execute arbitrary code.

CVE-2006-1528

    A bug in the SCSI driver allows a local user to cause a denial of service.

CVE-2006-2444

    Patrick McHardy discovered a bug in the SNMP NAT helper that allows remote attackers to cause a denial of service.

CVE-2006-2446

    A race condition in the socket buffer handling allows remote attackers to cause a denial of service.

CVE-2006-3745

    Wei Wang discovered a bug in the SCTP implementation that allows local users to cause a denial of service and possibly gain root privileges.

CVE-2006-4535

    David Miller reported a problem with the fix for CVE-2006-3745 that allows local users to crash the system via an SCTP socket with a certain SO_LINGER value.
The following matrix explains which kernel version for which architecture fixes the problem mentioned above:

                                 stable (sarge)
    Source                       2.4.27-10sarge4
    Alpha architecture           2.4.27-10sarge4
    ARM architecture             2.4.27-2sarge4
    Intel IA-32 architecture     2.4.27-10sarge4
    Intel IA-64 architecture     2.4.27-10sarge4
    Motorola 680x0 architecture  2.4.27-3sarge4
    MIPS architectures           2.4.27-10.sarge4.040815-1
    PowerPC architecture         2.4.27-10sarge4
    IBM S/390                    2.4.27-2sarge4
    Sun Sparc architecture       2.4.27-9sarge4
    FAI                          1.9.1sarge4
    mindi-kernel                 2.4.27-2sarge3
    kernel-image-speakup-i386    2.4.27-1.1sarge3
    systemimager                 3.2.3-6sarge3

For the unstable distribution (sid) these problems won't be fixed anymore in the 2.4 kernel series.

We recommend that you upgrade your kernel package and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.

Upgrade Instructions
- --

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --

Source archives:
[Full-disclosure] [SECURITY] [DSA 1184-1] New Linux 2.6.8 packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1184-1
http://www.debian.org/security/
Dann Frazier
September 25th, 2006
http://www.debian.org/security/faq
- --

Package: kernel-source-2.6.8
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs: CVE-2004-2660 CVE-2005-4798 CVE-2006-1052 CVE-2006-1343 CVE-2006-1528 CVE-2006-1855 CVE-2006-1856 CVE-2006-2444 CVE-2006-2446 CVE-2006-2935 CVE-2006-2936 CVE-2006-3468 CVE-2006-3745 CVE-2006-4093 CVE-2006-4145 CVE-2006-4535
CERT advisory : VU#681569
BugTraq IDs: 17203 17830 18081 18099 18101 18105 18847 19033 19396 19562 19615 19666 20087

Several security related problems have been discovered in the Linux kernel which may lead to a denial of service or even the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2004-2660

    Toshihiro Iwamoto discovered a memory leak in the handling of direct I/O writes that allows local users to cause a denial of service.

CVE-2005-4798

    A buffer overflow in NFS readlink handling allows a malicious remote server to cause a denial of service.

CVE-2006-1052

    Stephen Smalley discovered a bug in the SELinux ptrace handling that allows local users with ptrace permissions to change the tracer SID to the SID of another process.

CVE-2006-1343

    Pavel Kankovsky discovered an information leak in the getsockopt system call which can be exploited by a local program to leak potentially sensitive memory to userspace.

CVE-2006-1528

    Douglas Gilbert reported a bug in the sg driver that allows local users to cause a denial of service by performing direct I/O transfers from the sg driver to memory mapped I/O space.

CVE-2006-1855

    Mattia Belletti noticed that certain debugging code left in the process management code could be exploited by a local attacker to cause a denial of service.
CVE-2006-1856

    Kostik Belousov discovered a missing LSM file_permission check in the readv and writev functions which might allow attackers to bypass intended access restrictions.

CVE-2006-2444

    Patrick McHardy discovered a bug in the SNMP NAT helper that allows remote attackers to cause a denial of service.

CVE-2006-2446

    A race condition in the socket buffer handling allows remote attackers to cause a denial of service.

CVE-2006-2935

    Diego Calleja Garcia discovered a buffer overflow in the DVD handling code that could be exploited by a specially crafted DVD or USB storage device to execute arbitrary code.

CVE-2006-2936

    A bug in the serial USB driver has been discovered that could be exploited by a custom made USB serial adapter to consume arbitrary amounts of memory.

CVE-2006-3468

    James McKenzie discovered a denial of service vulnerability in the NFS driver. When exporting an ext3 file system over NFS, a remote attacker could exploit this to trigger a file system panic by sending a specially crafted UDP packet.

CVE-2006-3745

    Wei Wang discovered a bug in the SCTP implementation that allows local users to cause a denial of service and possibly gain root privileges.

CVE-2006-4093

    Olof Johansson discovered that the kernel did not disable the HID0 bit on PowerPC 970 processors which could be exploited by a local attacker to cause a denial of service.

CVE-2006-4145

    A bug in the Universal Disk Format (UDF) filesystem driver could be exploited by a local user to cause a denial of service.

CVE-2006-4535

    David Miller reported a problem with the fix for CVE-2006-3745 that allows local users to crash the system via an SCTP socket with a certain SO_LINGER value.
The following matrix explains which kernel version for which architecture fixes the problem mentioned above:

                                 stable (sarge)
    Source                       2.6.8-16sarge5
    Alpha architecture           2.6.8-16sarge5
    AMD64 architecture           2.6.8-16sarge5
    HP Precision architecture    2.6.8-6sarge5
    Intel IA-32 architecture     2.6.8-16sarge5
    Intel IA-64 architecture     2.6.8-14sarge5
    Motorola 680x0 architecture  2.6.8-4sarge5
    PowerPC architecture         2.6.8-12sarge5
    IBM S/390                    2.6.8-5sarge5
    Sun Sparc architecture       2.6.8-15sarge5
    FAI                          1.9.1sarge4

Due to some internal problems kernel packages for the S/390 are missing and will be provided later.

For the unstable distribution (sid) these problems have been fixed
[Full-disclosure] [SECURITY] [DSA 1179-1] New alsaplayer packages fix denial of service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1179-1
http://www.debian.org/security/
Martin Schulze
September 19th, 2006
http://www.debian.org/security/faq
- --

Package: alsaplayer
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-4089

Luigi Auriemma discovered several buffer overflows in alsaplayer, a PCM player designed for ALSA, that can lead to a crash of the application and maybe a worse outcome.

For the stable distribution (sarge) these problems have been fixed in version 0.99.76-0.3sarge1.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your alsaplayer package.

Upgrade Instructions
- --

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
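Added here as an example of the check that belongs between the "wget url" and "dpkg -i file.deb" steps these advisories describe (my own code, not part of any DSA): a POSIX sh function that compares a downloaded .deb against the Size/MD5 checksum pair the advisory lists for it and refuses to install on any mismatch. The names verify_deb and install_verified are hypothetical, and the sample file in the demo is constructed.

```sh
#!/bin/sh
# Added example (not part of the advisory): check a downloaded .deb against the
# "Size/MD5 checksum" pair a DSA lists for it before handing it to dpkg -i.
# verify_deb and install_verified are hypothetical helper names; md5sum, wc,
# cut and tr are standard tools.

# verify_deb FILE SIZE MD5
# Returns 0 when FILE has exactly SIZE bytes and MD5 digest MD5, 1 otherwise.
# Both values are compared, so a truncated download and a modified one are
# both rejected.
verify_deb() {
    file=$1
    want_size=$2
    want_md5=$3
    if [ ! -f "$file" ]; then
        echo "verify_deb: no such file: $file" >&2
        return 1
    fi
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum "$file" | cut -d ' ' -f 1)
    if [ "$have_size" != "$want_size" ]; then
        echo "verify_deb: $file is $have_size bytes, advisory lists $want_size" >&2
        return 1
    fi
    if [ "$have_md5" != "$want_md5" ]; then
        echo "verify_deb: MD5 of $file is $have_md5, advisory lists $want_md5" >&2
        return 1
    fi
    return 0
}

# install_verified FILE SIZE MD5
# Runs dpkg -i only after verify_deb has accepted the file.
install_verified() {
    verify_deb "$1" "$2" "$3" || return 1
    dpkg -i "$1"
}

# Constructed demo: a stand-in file whose size and digest are computed here,
# then checked once against its own values and once against a wrong digest.
demo() {
    tmp=$(mktemp)
    printf 'constructed sample, not a real package\n' > "$tmp"
    size=$(wc -c < "$tmp" | tr -d ' ')
    sum=$(md5sum "$tmp" | cut -d ' ' -f 1)
    if verify_deb "$tmp" "$size" "$sum"; then
        echo "accepted: size and MD5 match the listing"
    fi
    if ! verify_deb "$tmp" "$size" 00000000000000000000000000000000; then
        echo "rejected: digest does not match the listing"
    fi
    rm -f "$tmp"
}

demo
```

The MD5 values only show that the download matches the listing; the listing itself is authenticated by the PGP signature on the advisory, so check that signature before trusting the checksums.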
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer_0.99.76-0.3sarge1.dsc Size/MD5 checksum: 1141 eff945b0eaa70c5106bb55a84293d21b http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer_0.99.76-0.3sarge1.diff.gz Size/MD5 checksum:71698 da1c186e90ee418b1e11d5cfee54442f http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer_0.99.76.orig.tar.gz Size/MD5 checksum: 795398 ff78654c9ab74d14ad218dfb226db0a4 Alpha architecture: http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum: 1008 3886803356b57c4a4fcc9dacd72d5a85 http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum: 5348 0738a0a097a5012b0f0300d62f076528 http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum: 168008 4dc1223ca76ab4cd3f2c9f35b941d637 http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum: 5082 e138067311a19470e9f0f832394d4638 http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum: 3624 ffb6e02fbc95e13af2e31a20d3ca6f45 http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum:88066 4a1dd2f2481a0a0eaede9776c6ff12f1 http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum: 7198 f97aadb32fd02c5d75cedcc2ee9a698f http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum: 5458 236b5537e1af870f4af3db7738188955 http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum: 3732 4e06f3e9f039755a54ae69f647f3c183 
http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum: 6182 2b9cf67b6da2d2a43cea040e78028e91 http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum: 5848 f67527cf5e2506748bb3729d82e40e7b http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum:47602 fceb03b849ec3e2c22d7930cf047aa48 http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-0.3sarge1_alpha.deb Size/MD5 checksum:30170 a452343680a0e555023d75c44fb1f7de AMD64 architecture: http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer_0.99.76-0.3sarge1_amd64.deb Size/MD5 checksum: 1006 ed7aeaceaf35dc175c45f1e777e642b2 http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-0.3sarge1_amd64.deb Size/MD5 checksum: 4936 a422777c2693a404343ea2f7c34922a2 http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-0.3sarge1_amd64.deb Size/MD5 checksum: 152068 ebccc24f0f4958a28fe9639152e4ddfb http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-0.3sarge1_amd64.deb Size/MD5 checksum: 4852
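The upgrade instructions in these advisories say to fetch the package with wget and install it with dpkg -i, and every listing gives a Size/MD5 checksum for each file. What follows is an added example, not part of the advisory and not Debian's own tooling: a POSIX shell script that extracts the expected size and MD5 for a downloaded .deb from a saved copy of the advisory text and refuses to proceed when either value differs. It reads the "Size/MD5 checksum:" entries whether they sit on the same line as the URL or on the following line, and copes with the size being glued to the colon as in mangled archive copies. The script name verify_deb.sh, the saved-advisory path and the file names in the usage line are assumptions; it assumes awk, wc and coreutils md5sum are available.

```shell
#!/bin/sh
# Added example (not from the advisory or Debian's tooling): check a
# downloaded .deb against the Size/MD5 entry in a saved Debian Security
# Advisory before handing it to dpkg -i.  Assumes POSIX sh with awk,
# wc and coreutils md5sum; file names used here are assumptions.

# advisory_checksums < ADVISORY_TEXT
# Emits one "filename size md5" line per package entry.  Tolerates the
# URL and its "Size/MD5 checksum:" part being on one line or two, and a
# size glued to the colon ("checksum:71698") as seen in mangled copies.
# Entries whose hash is missing or malformed (truncated copies) are skipped.
advisory_checksums() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^http:\/\//) { url = $i; continue }
            if ($i ~ /^checksum:/ && url != "") {
                if ($i == "checksum:") { size = $(i + 1); md5 = $(i + 2); i += 2 }
                else { size = substr($i, 10); md5 = $(i + 1); i += 1 }
                n = split(url, parts, "/")
                if (size ~ /^[0-9]+$/ && md5 ~ /^[0-9a-f]+$/ && length(md5) == 32)
                    print parts[n], size, md5
                url = ""
            }
        }
    }'
}

# lookup_entry FILENAME < ADVISORY_TEXT  -> "size md5", or nothing if absent
lookup_entry() {
    advisory_checksums | awk -v name="$1" '$1 == name { print $2, $3; exit }'
}

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only when both the byte count and the MD5 digest match.
verify_deb() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    got_size=$(wc -c < "$file" | tr -d ' ')
    got_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $got_size, advisory says $want_size" >&2
        return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $got_md5, advisory says $want_md5" >&2
        return 1
    fi
    echo "OK: $file matches the advisory entry"
}

# verify_from_advisory FILE ADVISORY_TEXT
# Looks the file's base name up in the advisory text and verifies it.
verify_from_advisory() {
    entry=$(lookup_entry "${1##*/}" < "$2")
    [ -n "$entry" ] || { echo "no entry for ${1##*/} in $2" >&2; return 1; }
    set -- "$1" $entry          # now $1=file $2=size $3=md5
    verify_deb "$1" "$2" "$3"
}

# Usage (names assumed):
#   sh verify_deb.sh alsaplayer_0.99.76-0.3sarge1_alpha.deb DSA-1179-1.txt \
#       && dpkg -i alsaplayer_0.99.76-0.3sarge1_alpha.deb
if [ "$#" -ge 2 ]; then
    verify_from_advisory "$1" "$2"
fi
```

The size check is cheap and catches truncated downloads before the hash is even computed; the MD5 check catches a corrupted or substituted file. Neither proves who published the listing: that assurance comes from the PGP signature on the advisory itself, so the saved advisory text should be one whose signature has been checked.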
[Full-disclosure] [SECURITY] [DSA 1180-1] New bomberclone packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1180-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 19th, 2006                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : bomberclone
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4005 CVE-2006-4006
Debian Bug     : 382082

Luigi Auriemma discovered two security related bugs in bomberclone, a
free Bomberman clone. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2006-4005

    The program copies remotely provided data unchecked which could
    lead to a denial of service via an application crash.

CVE-2006-4006

    Bomberclone uses remotely provided data as length argument which
    can lead to the disclosure of private information.

For the stable distribution (sarge) these problems have been fixed in
version 0.11.5-1sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 0.11.7-0.1.

We recommend that you upgrade your bomberclone package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2.dsc
      Size/MD5 checksum: 667 cbe987c986795ab58a76f94b5ef1a395
    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2.diff.gz
      Size/MD5 checksum: 11557 ec74e1af39d5d4d5d5d78f1e1d8b4410
    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5.orig.tar.gz
      Size/MD5 checksum: 7985803 cd2834d68980dd506038db44728cd2b1

  Architecture independent components:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone-data_0.11.5-1sarge2_all.deb
      Size/MD5 checksum: 7587084 a3b3e8deed12d2fb4e275c48d304ceda

  Alpha architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_alpha.deb
      Size/MD5 checksum: 128488 fa2c38b47778b1666fcee067f7a2dfdd

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_amd64.deb
      Size/MD5 checksum: 114760 3d8f3238a6951b39e572ec951da3abba

  ARM architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_arm.deb
      Size/MD5 checksum: 117442 2bec60a3ab8dec06a3deee97874cbcd3

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_hppa.deb
      Size/MD5 checksum: 107862 e4848473c0a9bf764b7ff19f6ddcc305

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_i386.deb
      Size/MD5 checksum: 95814 0544b1852ecc1b7d334ab83903d10340

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_ia64.deb
      Size/MD5 checksum: 172144 85c23254eea91bfa9fe472605dbacc7a

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_m68k.deb
      Size/MD5 checksum: 94674 cedaf30749af327b464a6b0db49a7f7f

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_mips.deb
      Size/MD5 checksum: 116342 115f0bf0336382545678bcad2915c7ac

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_mipsel.deb
      Size/MD5 checksum: 116170 84781360ddd8060764beaa275a4aeef8

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_powerpc.deb
      Size/MD5 checksum: 102100 3c7fae1231944d6f389ceb35708d4da2

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_s390.deb
      Size/MD5 checksum: 113362 9a218180b3c4b4dad8098b736f55787d

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge2_sparc.deb
      Size/MD5 checksum: 103214 e8c96a3aa5633fd269d6b589ce9827dd

  These files will probably be moved into the stable
[Full-disclosure] [SECURITY] [DSA 1177-1] New usermin packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1177-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 15th, 2006                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : usermin
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-4246
CERT advisory  :
BugTraq ID     :
Debian Bug     : 374609

Hendrik Weimer discovered that it is possible for a normal user to
disable the login shell of the root account via usermin, a web-based
administration tool.

For the stable distribution (sarge) this problem has been fixed in
version 1.110-3.1.

In the upstream distribution this problem is fixed in version 1.220.

We recommend that you upgrade your usermin package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/u/usermin/usermin_1.110-3.1.dsc
      Size/MD5 checksum: 1079 1b5ab754b82a6ff0abc0d2fc125c920a
    http://security.debian.org/pool/updates/main/u/usermin/usermin_1.110-3.1.diff.gz
      Size/MD5 checksum: 20131 d1582cca3bbe1a376cb16591b550a241
    http://security.debian.org/pool/updates/main/u/usermin/usermin_1.110.orig.tar.gz
      Size/MD5 checksum: 1791868 cf214bb9927bd230a148ea3077bd8919

  Architecture independent components:

    http://security.debian.org/pool/updates/main/u/usermin/usermin-at_1.110-3.1_all.deb
      Size/MD5 checksum: 21654 7709317a8e5182ed0f9f76b942cc608a
    http://security.debian.org/pool/updates/main/u/usermin/usermin-changepass_1.110-3.1_all.deb
      Size/MD5 checksum: 18924 cbaad0cc1daf80efbdb6eacc20829e99
    http://security.debian.org/pool/updates/main/u/usermin/usermin-chfn_1.110-3.1_all.deb
      Size/MD5 checksum: 13858 72ae504bded25ed8b8ecfe3cb6708168
    http://security.debian.org/pool/updates/main/u/usermin/usermin-commands_1.110-3.1_all.deb
      Size/MD5 checksum: 27728 4b80b6d368265d43139f2a7a800a9a0b
    http://security.debian.org/pool/updates/main/u/usermin/usermin-cron_1.110-3.1_all.deb
      Size/MD5 checksum: 62618 864bfdf0f00b1d0585c20aa7d02ee504
    http://security.debian.org/pool/updates/main/u/usermin/usermin-cshrc_1.110-3.1_all.deb
      Size/MD5 checksum: 8930 4247520dc9a76a9957c08b4777e8ace9
    http://security.debian.org/pool/updates/main/u/usermin/usermin-fetchmail_1.110-3.1_all.deb
      Size/MD5 checksum: 36392 b2bbc376806f1a95d812bfb8da0e8106
    http://security.debian.org/pool/updates/main/u/usermin/usermin-forward_1.110-3.1_all.deb
      Size/MD5 checksum: 28648 011e7762a8c9fd8fb6b111b0a2e99807
    http://security.debian.org/pool/updates/main/u/usermin/usermin-gnupg_1.110-3.1_all.deb
      Size/MD5 checksum: 32508 cb67585370a7b1926d288abab8a19f9a
    http://security.debian.org/pool/updates/main/u/usermin/usermin-htaccess_1.110-3.1_all.deb
      Size/MD5 checksum: 276924 a70ac23b2e452687690098dc5e668c6c
    http://security.debian.org/pool/updates/main/u/usermin/usermin-htpasswd_1.110-3.1_all.deb
      Size/MD5 checksum: 20516 878b90afd7460d3123f9f0edc61fbd30
    http://security.debian.org/pool/updates/main/u/usermin/usermin-mailbox_1.110-3.1_all.deb
      Size/MD5 checksum: 174834 c9ca85c93dfe181bef26bb2048ad0f3d
    http://security.debian.org/pool/updates/main/u/usermin/usermin-man_1.110-3.1_all.deb
      Size/MD5 checksum: 36290 74f1413927a5ea8869b2690f6385b5ef
    http://security.debian.org/pool/updates/main/u/usermin/usermin-mysql_1.110-3.1_all.deb
      Size/MD5 checksum: 148702 2cf835a9bcf9218cf896081329441a83
    http://security.debian.org/pool/updates/main/u/usermin/usermin-plan_1.110-3.1_all.deb
      Size/MD5 checksum: 10648 083c5307a16e0caa709b8b717862b7c6
    http://security.debian.org/pool/updates/main/u/usermin/usermin-postgresql_1.110-3.1_all.deb
      Size/MD5 checksum: 121962 7c006c458d54d851e0515c55df176e97
    http://security.debian.org/pool/updates/main/u/usermin/usermin-proc_1.110-3.1_all.deb
      Size/MD5 checksum: 77788 ca0c4b1ec4f1c5267135a2fc136c602a
    http://security.debian.org/pool/updates/main/u/usermin/usermin-procmail_1.110-3.1_all.deb
      Size/MD5 checksum: 26816 cc7649ba038e6101e9b687949e8ba6b4
    http://security.debian.org/pool/updates/main/u/usermin
[Full-disclosure] [SECURITY] [DSA 1160-2] New Mozilla packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1160-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 15th, 2006                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807
                 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810
CERT advisories: VU#466673 VU#655892 VU#687396 VU#876420 VU#911004
BugTraq IDs    : 18228 19181

The latest security updates of Mozilla introduced a regression that led
to a dysfunctional attachment panel which warrants a correction to fix
this issue. For reference please find below the original advisory text:

Several security related problems have been discovered in Mozilla and
derived products. The Common Vulnerabilities and Exposures project
identifies the following vulnerabilities:

CVE-2006-2779

    Mozilla team members discovered several crashes during testing of
    the browser engine showing evidence of memory corruption which may
    also lead to the execution of arbitrary code. The last bit of this
    problem will be corrected with the next update. You can prevent any
    trouble by disabling Javascript. [MFSA-2006-32]

CVE-2006-3805

    The Javascript engine might allow remote attackers to execute
    arbitrary code. [MFSA-2006-50]

CVE-2006-3806

    Multiple integer overflows in the Javascript engine might allow
    remote attackers to execute arbitrary code. [MFSA-2006-50]

CVE-2006-3807

    Specially crafted Javascript allows remote attackers to execute
    arbitrary code. [MFSA-2006-51]

CVE-2006-3808

    Remote AutoConfig (PAC) servers could execute code with elevated
    privileges via a specially crafted PAC script. [MFSA-2006-52]

CVE-2006-3809

    Scripts with the UniversalBrowserRead privilege could gain
    UniversalXPConnect privileges and possibly execute code or obtain
    sensitive data. [MFSA-2006-53]

CVE-2006-3810

    A cross-site scripting vulnerability allows remote attackers to
    inject arbitrary web script or HTML. [MFSA-2006-54]

For the stable distribution (sarge) these problems have been fixed in
version 1.7.8-1sarge7.2.2.

For the unstable distribution (sid) these problems won't be fixed since
its end of lifetime has been reached and the package will soon be
removed.

We recommend that you upgrade your mozilla package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge7.2.2.dsc
      Size/MD5 checksum: 1131 bb39933b4dcb63f6f986f0da3ab9461e
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge7.2.2.diff.gz
      Size/MD5 checksum: 532293 5a86930497b980b25e7f8e5cd6305ad0
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8.orig.tar.gz
      Size/MD5 checksum: 30589520 13c0f0331617748426679e8f2e9f537a

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge7.2.2_alpha.deb
      Size/MD5 checksum: 168074 553ba25202552c16c02cfdcf94bbc1c4
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge7.2.2_alpha.deb
      Size/MD5 checksum: 147582 e953bc1da64aaab9b50ef2bd357279b8
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge7.2.2_alpha.deb
      Size/MD5 checksum: 184944 18bfed4502c3e8a50cac55bd69cf6f20
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge7.2.2_alpha.deb
      Size/MD5 checksum: 857148 c9f560d4ad706a1e50dbd2db21978427
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge7.2.2_alpha.deb
      Size/MD5 checksum: 1042 9de55ee42dcc1c484a801623ac29c80d
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge7.2.2_alpha.deb
      Size/MD5 checksum: 11484766 4b31f8553a2ee93057858b35cdc522d9
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge7.2.2_alpha.deb
      Size/MD5 checksum: 403274 da75d1e0207b660ae42d7d1eb0b99617
    http://security.debian.org/pool/updates
[Full-disclosure] [SECURITY] [DSA 1161-2] New Mozilla Firefox packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1161-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 13th, 2006                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808
                 CVE-2006-3809 CVE-2006-3811
CERT advisories: VU#655892 VU#687396 VU#876420
BugTraq ID     : 19181

The latest security updates of Mozilla Firefox introduced a regression
that led to a dysfunctional attachment panel which warrants a correction
to fix this issue. For reference please find below the original advisory
text:

Several security related problems have been discovered in Mozilla and
derived products like Mozilla Firefox. The Common Vulnerabilities and
Exposures project identifies the following vulnerabilities:

CVE-2006-3805

    The Javascript engine might allow remote attackers to execute
    arbitrary code. [MFSA-2006-50]

CVE-2006-3806

    Multiple integer overflows in the Javascript engine might allow
    remote attackers to execute arbitrary code. [MFSA-2006-50]

CVE-2006-3807

    Specially crafted Javascript allows remote attackers to execute
    arbitrary code. [MFSA-2006-51]

CVE-2006-3808

    Remote AutoConfig (PAC) servers could execute code with elevated
    privileges via a specially crafted PAC script. [MFSA-2006-52]

CVE-2006-3809

    Scripts with the UniversalBrowserRead privilege could gain
    UniversalXPConnect privileges and possibly execute code or obtain
    sensitive data. [MFSA-2006-53]

CVE-2006-3811

    Multiple vulnerabilities allow remote attackers to cause a denial
    of service (crash) and possibly execute arbitrary code.
    [MFSA-2006-55]

For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge11.

For the unstable distribution (sid) these problems have been fixed in
version 1.5.dfsg+1.5.0.5-1.

We recommend that you upgrade your mozilla-firefox package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge11.dsc
      Size/MD5 checksum: 1003 fcb7947248bc53a236134e59a7e9673a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge11.diff.gz
      Size/MD5 checksum: 419204 417893bc76c1a0f772e6c6eff7571c98
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
      Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge11_alpha.deb
      Size/MD5 checksum: 11176846 0f8f7a2dfe4758092806312b92c0fa16
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge11_alpha.deb
      Size/MD5 checksum: 169842 7bc6af501357d15416aa39a731ad84a7
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge11_alpha.deb
      Size/MD5 checksum: 61674 6746719356df15955ad4cadfee8a44ae

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge11_amd64.deb
      Size/MD5 checksum: 9405320 6cb1704571922ccc445aa3b54cfee6b1
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge11_amd64.deb
      Size/MD5 checksum: 164636 81725e9973607ef36dd732a2e7ef40a1
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge11_amd64.deb
      Size/MD5 checksum: 60204 2eb1e134427f4f4dc94233c42aadc295

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge11_arm.deb
      Size/MD5 checksum: 8228072 fd099e40cc4ab7475f9b9ee5edbaf224
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge11_arm.deb
      Size/MD5 checksum: 156064 10ce619e39bc6b2731114786e1cb9c93
    http://security.debian.org/pool
[Full-disclosure] [SECURITY] [DSA 1175-1] New isakmpd packages fix replay protection bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1175-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Noah Meyerhans
September 13th, 2006                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : isakmpd
Vulnerability  : programming error
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-4436
BugTraq ID     : 19712
Debian Bug     : 385894

A flaw has been found in isakmpd, OpenBSD's implementation of the
Internet Key Exchange protocol, that caused Security Associations to be
created with a replay window of 0 when isakmpd was acting as the
responder during SA negotiation. This could allow an attacker to
re-inject sniffed IPsec packets, which would not be checked against the
replay counter.

For the stable distribution (sarge) this problem has been fixed in
version 20041012-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 20041012-4.

We recommend that you upgrade your isakmpd package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1.dsc
      Size/MD5 checksum: 661 35e8865c2759c66f01c0563a4bdfc124
    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1.diff.gz
      Size/MD5 checksum: 68877 90e47af5080893c9ccf7d38aebef6760
    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012.orig.tar.gz
      Size/MD5 checksum: 373941 e6d25a9e232fb186e1a48dc06453bd57

  Alpha architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_alpha.deb
      Size/MD5 checksum: 708414 e6894a5a6c7a4586f2c22d28cd0a8f84

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_amd64.deb
      Size/MD5 checksum: 544652 43df55b5251b4cbb2bf3c4fe3528827f

  ARM architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_arm.deb
      Size/MD5 checksum: 473492 92e5b4ae0fbbb14104d39fe0b1a24597

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_hppa.deb
      Size/MD5 checksum: 535124 d97d6a0357c332c72a8ac313a7f1c301

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_i386.deb
      Size/MD5 checksum: 497670 0a58ae7ef43c38853a58d430389d1840

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_ia64.deb
      Size/MD5 checksum: 786026 f8e473ef442260b13076aa6add875c99

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_m68k.deb
      Size/MD5 checksum: 421268 3f57254cfdded5e2615f4c3b277133e9

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_mips.deb
      Size/MD5 checksum: 568914 cf14999a58edbb20545d8a63f7311f87

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_mipsel.deb
      Size/MD5 checksum: 567060 38fca5d17f6be2c843f92aed15ac3830

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_powerpc.deb
      Size/MD5 checksum: 555978 f3786f6d0f4e556587b372a753184cca

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_s390.deb
      Size/MD5 checksum: 548240 e9cbc0d97b19aac56686d7384de1c219

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/i/isakmpd/isakmpd_20041012-1sarge1_sparc.deb
      Size/MD5 checksum: 514166 7318cf5d5f419d5d00b45faf6d5bc3e1

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-----BEGIN PGP SIGNATURE-----
Version:
[Full-disclosure] [SECURITY] [DSA 1172-1] New bind9 packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1172-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 9th, 2006                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : bind9
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4095 CVE-2006-4096
CERT advisories: VU#697164 VU#915404

Two vulnerabilities have been discovered in BIND9, the Berkeley
Internet Name Domain server. The first relates to SIG query processing
and the second relates to a condition that can trigger an INSIST
failure; both lead to a denial of service.

For the stable distribution (sarge) these problems have been fixed in
version 9.2.4-1sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 9.3.2-P1-1.

We recommend that you upgrade your bind9 package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/b/bind9/bind9_9.2.4-1sarge1.dsc
      Size/MD5 checksum: 742 1c1f68802373715b71c85df3a4e42959
    http://security.debian.org/pool/updates/main/b/bind9/bind9_9.2.4-1sarge1.diff.gz
      Size/MD5 checksum: 91537 dccd8daf65751535821c1d5feb007782
    http://security.debian.org/pool/updates/main/b/bind9/bind9_9.2.4.orig.tar.gz
      Size/MD5 checksum: 4564219 2ccbddbab59aedd6b8711b628b5472bd

  Architecture independent components:

    http://security.debian.org/pool/updates/main/b/bind9/bind9-doc_9.2.4-1sarge1_all.deb
      Size/MD5 checksum: 156816 df36851fe572ba9372f51c42225434e8

  Alpha architecture:

    http://security.debian.org/pool/updates/main/b/bind9/bind9_9.2.4-1sarge1_alpha.deb
      Size/MD5 checksum: 305112 61371171ccd4ba38bfd0bf0e92fdc1bc
    http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.2.4-1sarge1_alpha.deb
      Size/MD5 checksum: 96806 587a9b04649003552b1b3d4de7c938a6
    http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.2.4-1sarge1_alpha.deb
      Size/MD5 checksum: 168936 1a7ebf17e2b71e10104b5e323688498b
    http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.2.4-1sarge1_alpha.deb
      Size/MD5 checksum: 1309800 7565a3f67b7b22b2cf6426efce3be207
    http://security.debian.org/pool/updates/main/b/bind9/libdns16_9.2.4-1sarge1_alpha.deb
      Size/MD5 checksum: 519302 2e99a2893f81b3d0eeebfad42dff59a3
    http://security.debian.org/pool/updates/main/b/bind9/libisc7_9.2.4-1sarge1_alpha.deb
      Size/MD5 checksum: 173920 852323c0e170684e091895fbd8fa4e43
    http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.2.4-1sarge1_alpha.deb
      Size/MD5 checksum: 79482 b91d6515f44dc7220b394aba313d8080
    http://security.debian.org/pool/updates/main/b/bind9/libisccfg0_9.2.4-1sarge1_alpha.deb
      Size/MD5 checksum: 94638 75fb4d0cf1d8ad68be72d35869d01611
    http://security.debian.org/pool/updates/main/b/bind9/liblwres1_9.2.4-1sarge1_alpha.deb
      Size/MD5 checksum: 96896 f0813560bc29e33e3c978e638ff36aed
    http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.2.4-1sarge1_alpha.deb
      Size/MD5 checksum: 199618 9b21ac7cc73e1dfa19e19b0bdb166e2d

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/b/bind9/bind9_9.2.4-1sarge1_amd64.deb
      Size/MD5 checksum: 288376 f3b1989849c7e8f37415ce88b4c78817
    http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.2.4-1sarge1_amd64.deb
      Size/MD5 checksum: 95816 1f3b433f75f3f7d1162e98359246f4f0
    http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.2.4-1sarge1_amd64.deb
      Size/MD5 checksum: 165024 1029eff494a101fabd6da81d348976b7
    http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.2.4-1sarge1_amd64.deb
      Size/MD5 checksum: 1010682 efa161275e41f67c4057e384a10cda94
    http://security.debian.org/pool/updates/main/b/bind9/libdns16_9.2.4-1sarge1_amd64.deb
      Size/MD5 checksum: 487228 4c7c3f659d8bee778c994b0e6f52dd8d
    http://security.debian.org/pool/updates/main/b/bind9/libisc7_9.2.4-1sarge1_amd64.deb
      Size/MD5 checksum: 164478 efb21ce2f3cccbf9f7316473dbb1a688
    http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.2.4-1sarge1_amd64.deb
      Size/MD5
[Full-disclosure] [SECURITY] [DSA 1159-2] New Mozilla Thunderbird packages fix several problems
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1159-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 8th, 2006                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-thunderbird
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807
                 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810
CERT advisories: VU#466673 VU#655892 VU#687396 VU#876420 VU#911004
BugTraq IDs    : 18228 19181

The latest security updates of Mozilla Thunderbird introduced a
regression that led to a dysfunctional attachment panel which warrants
a correction to fix this issue. For reference please find below the
original advisory text:

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Thunderbird. The Common
Vulnerabilities and Exposures project identifies the following
vulnerabilities:

CVE-2006-2779

    Mozilla team members discovered several crashes during testing of
    the browser engine showing evidence of memory corruption which may
    also lead to the execution of arbitrary code. The last bit of this
    problem will be corrected with the next update. You can prevent any
    trouble by disabling Javascript. [MFSA-2006-32]

CVE-2006-3805

    The Javascript engine might allow remote attackers to execute
    arbitrary code. [MFSA-2006-50]

CVE-2006-3806

    Multiple integer overflows in the Javascript engine might allow
    remote attackers to execute arbitrary code. [MFSA-2006-50]

CVE-2006-3807

    Specially crafted Javascript allows remote attackers to execute
    arbitrary code. [MFSA-2006-51]

CVE-2006-3808

    Remote AutoConfig (PAC) servers could execute code with elevated
    privileges via a specially crafted PAC script. [MFSA-2006-52]

CVE-2006-3809

    Scripts with the UniversalBrowserRead privilege could gain
    UniversalXPConnect privileges and possibly execute code or obtain
    sensitive data. [MFSA-2006-53]

CVE-2006-3810

    A cross-site scripting vulnerability allows remote attackers to
    inject arbitrary web script or HTML. [MFSA-2006-54]

For the stable distribution (sarge) these problems have been fixed in
version 1.0.2-2.sarge1.0.8b.2.

For the unstable distribution (sid) these problems have been fixed in
version 1.5.0.5-1.

We recommend that you upgrade your mozilla-thunderbird package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2.dsc
      Size/MD5 checksum: 1003 359853df29b29253164e9aef34d18066
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2.diff.gz
      Size/MD5 checksum: 486593 3759fe23473ecb6cee532cb47cdd4e63
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2.orig.tar.gz
      Size/MD5 checksum: 33288906 806175393a226670aa66060452d31df4

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.8b.2_alpha.deb
      Size/MD5 checksum: 12849016 fdf32dcb741195378d9079231aba21cd
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8b.2_alpha.deb
      Size/MD5 checksum: 3279426 879ae924d100517f98ee7f39a84e1bb2
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8b.2_alpha.deb
      Size/MD5 checksum: 151696 dd6911608eb54bebc7fbcdb58e5d63bb
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8b.2_alpha.deb
      Size/MD5 checksum: 33138 9581f8f0be21162692672e55d5f00640
    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8b.2_alpha.deb
      Size/MD5 checksum: 89106 06a2f4752c619fb6a80d15d8fd1741de

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2
[Full-disclosure] [SECURITY] [DSA 1169-1] New MySQL 4.1 packages fix several vulnerabilities
------------------------------------------------------------------------
Debian Security Advisory DSA 1169-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
September 5th, 2006                   http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : mysql-dfsg-4.1
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4226 CVE-2006-4380
BugTraq ID     : 19559

Several local vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-4226
    Michal Prokopiuk discovered that remote authenticated users are permitted to create and access a database if the lowercase spelling is the same as one they have been granted access to.

CVE-2006-4380
    Beat Vontobel discovered that certain queries replicated to a slave could crash the client and thus terminate the replication.

For the stable distribution (sarge) these problems have been fixed in version 4.1.11a-4sarge7. Version 4.0 is not affected by these problems.

For the unstable distribution (sid) these problems have been fixed in version 5.0.24-3. The replication problem only exists in version 4.1.

We recommend that you upgrade your mysql-server-4.1 package.

Upgrade Instructions

    wget url
        will fetch the file for you
    dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

    apt-get update
        will update the internal database
    apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
[Full-disclosure] [SECURITY] [DSA 1165-1] New capi4hylafax packages fix arbitrary command execution
------------------------------------------------------------------------
Debian Security Advisory DSA 1165-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
September 1st, 2006                   http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : capi4hylafax
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3126

Lionel Elie Mamane discovered a security vulnerability in capi4hylafax, tools for faxing over a CAPI 2.0 device, that allows remote attackers to execute arbitrary commands on the fax receiving system.

For the stable distribution (sarge) this problem has been fixed in version 01.02.03-10sarge2.

For the unstable distribution (sid) this problem has been fixed in version 01.03.00.99.svn.300-3.

We recommend that you upgrade your capi4hylafax package.

Upgrade Instructions

    wget url
        will fetch the file for you
    dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

    apt-get update
        will update the internal database
    apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

These files will probably be moved into the stable distribution on its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[Full-disclosure] [SECURITY] [DSA 1162-1] New libmusicbrainz packages fix arbitrary code execution
------------------------------------------------------------------------
Debian Security Advisory DSA 1162-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 30th, 2006                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : libmusicbrainz-2.0, libmusicbrainz-2.1
Vulnerability  : buffer overflows
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-4197
BugTraq ID     : 19508
Debian Bug     : 383030

Luigi Auriemma discovered several buffer overflows in libmusicbrainz, a CD index library, that allow remote attackers to cause a denial of service or execute arbitrary code.

For the stable distribution (sarge) these problems have been fixed in version 2.0.2-10sarge1 and 2.1.1-3sarge1.

For the unstable distribution (sid) these problems have been fixed in version 2.1.4-1.

We recommend that you upgrade your libmusicbrainz packages.

Upgrade Instructions

    wget url
        will fetch the file for you
    dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

    apt-get update
        will update the internal database
    apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
[Full-disclosure] [SECURITY] [DSA 1163-1] New gtetrinet packages fix arbitrary code execution
------------------------------------------------------------------------
Debian Security Advisory DSA 1163-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 30th, 2006                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : gtetrinet
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3125

Michael Gehring discovered several potential out-of-bounds index accesses in gtetrinet, a multiplayer Tetris-like game, which may allow a remote server to execute arbitrary code.

For the stable distribution (sarge) these problems have been fixed in version 0.7.8-1sarge2.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your gtetrinet package.

Upgrade Instructions

    wget url
        will fetch the file for you
    dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

    apt-get update
        will update the internal database
    apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

These files will probably be moved into the stable distribution on its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[Full-disclosure] [SECURITY] [DSA 1164-1] New sendmail packages fix denial of service
------------------------------------------------------------------------
Debian Security Advisory DSA 1164-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                         Noah Meyerhans
August 31st, 2006                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : sendmail
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-4434
BugTraq ID     : 19714
Debian Bug     : 385054

A programming error has been discovered in sendmail, an alternative mail transport agent for Debian, that could allow a remote attacker to crash the sendmail process by sending a specially crafted email message.

Please note that in order to install this update you also need the libsasl2 library from proposed updates as outlined in DSA 1155-2.

For the stable distribution (sarge) this problem has been fixed in version 8.13.3-3sarge3.

For the unstable distribution (sid) this problem has been fixed in version 8.13.8-1.

We recommend that you upgrade your sendmail package.

Upgrade Instructions

    wget url
        will fetch the file for you
    dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

    apt-get update
        will update the internal database
    apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
[Full-disclosure] [SECURITY] [DSA 1161-1] New Mozilla Firefox packages fix several vulnerabilities
------------------------------------------------------------------------
Debian Security Advisory DSA 1161-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 29th, 2006                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3811
CERT advisories: VU#655892 VU#687396 VU#876420
BugTraq ID     : 19181

Several security related problems have been discovered in Mozilla and derived products like Mozilla Firefox. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-3805
    The Javascript engine might allow remote attackers to execute arbitrary code. [MFSA-2006-50]

CVE-2006-3806
    Multiple integer overflows in the Javascript engine might allow remote attackers to execute arbitrary code. [MFSA-2006-50]

CVE-2006-3807
    Specially crafted Javascript allows remote attackers to execute arbitrary code. [MFSA-2006-51]

CVE-2006-3808
    Remote AutoConfig (PAC) servers could execute code with elevated privileges via a specially crafted PAC script. [MFSA-2006-52]

CVE-2006-3809
    Scripts with the UniversalBrowserRead privilege could gain UniversalXPConnect privileges and possibly execute code or obtain sensitive data. [MFSA-2006-53]

CVE-2006-3811
    Multiple vulnerabilities allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code. [MFSA-2006-55]

For the stable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge10.

For the unstable distribution (sid) these problems have been fixed in version 1.5.dfsg+1.5.0.5-1.

We recommend that you upgrade your mozilla-firefox package.

Upgrade Instructions

    wget url
        will fetch the file for you
    dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

    apt-get update
        will update the internal database
    apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
[Full-disclosure] [SECURITY] [DSA 1160-1] New Mozilla packages fix several vulnerabilities
------------------------------------------------------------------------
Debian Security Advisory DSA 1160-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 29th, 2006                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : mozilla
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810
CERT advisories: VU#466673 VU#655892 VU#687396 VU#876420 VU#911004
BugTraq IDs    : 18228 19181

Several security related problems have been discovered in Mozilla and derived products. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-2779
    Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption which may also lead to the execution of arbitrary code. The last bit of this problem will be corrected with the next update. You can prevent any trouble by disabling Javascript. [MFSA-2006-32]

CVE-2006-3805
    The Javascript engine might allow remote attackers to execute arbitrary code. [MFSA-2006-50]

CVE-2006-3806
    Multiple integer overflows in the Javascript engine might allow remote attackers to execute arbitrary code. [MFSA-2006-50]

CVE-2006-3807
    Specially crafted Javascript allows remote attackers to execute arbitrary code. [MFSA-2006-51]

CVE-2006-3808
    Remote AutoConfig (PAC) servers could execute code with elevated privileges via a specially crafted PAC script. [MFSA-2006-52]

CVE-2006-3809
    Scripts with the UniversalBrowserRead privilege could gain UniversalXPConnect privileges and possibly execute code or obtain sensitive data. [MFSA-2006-53]

CVE-2006-3810
    A cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML. [MFSA-2006-54]

For the stable distribution (sarge) these problems have been fixed in version 1.7.8-1sarge7.2.1.

For the unstable distribution (sid) these problems won't be fixed since its end of lifetime has been reached and the package will soon be removed.

We recommend that you upgrade your mozilla package.

Upgrade Instructions

    wget url
        will fetch the file for you
    dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

    apt-get update
        will update the internal database
    apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
[Full-disclosure] [SECURITY] [DSA 1159-1] New Mozilla Thunderbird packages fix several problems
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 1159-1[EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze August 28th, 2006 http://www.debian.org/security/faq - -- Package: mozilla-thunderbird Vulnerability : several Problem type : remote Debian-specific: no CVE IDs: CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CERT advisories: VU#466673 VU#655892 VU#687396 VU#876420 VU#911004 BugTraq IDs: 18228 19181 Several security related problems have been discovered in Mozilla and derived products such as Mozilla Thunderbird. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: CVE-2006-2779 Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption which may also lead to the execution of arbitrary code. The last bit of this problem will be corrected with the next update. You can prevent any trouble by disabling Javascript. [MFSA-2006-32] CVE-2006-3805 The Javascript engine might allow remote attackers to execute arbitrary code. [MFSA-2006-50] CVE-2006-3806 Multiple integer overflows in the Javascript engine might allow remote attackers to execute arbitrary code. [MFSA-2006-50] CVE-2006-3807 Specially crafted Javascript allows remote attackers to execute arbitrary code. [MFSA-2006-51] CVE-2006-3808 Remote AutoConfig (PAC) servers could execute code with elevated privileges via a specially crafted PAC script. [MFSA-2006-52] CVE-2006-3809 Scripts with the UniversalBrowserRead privilege could gain UniversalXPConnect privileges and possibly execute code or obtain sensitive data. [MFSA-2006-53] CVE-2006-3810 A cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML. [MFSA-2006-54] For the stable distribution (sarge) these problems have been fixed in version 1.0.2-2.sarge1.0.8b.1. 
For the unstable distribution (sid) these problems have been fixed in version 1.5.0.5-1.

We recommend that you upgrade your mozilla-thunderbird package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------
[Full-disclosure] [SECURITY] [DSA 1155-1] New sendmail packages fix denial of service
Debian Security Advisory DSA 1155-1
http://www.debian.org/security/
Martin Schulze, August 24th, 2006
http://www.debian.org/security/faq

Package        : sendmail
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-1173
CERT advisory  : VU#146718
BugTraq ID     : 18433
Debian Bug     : 373801 380258

Frank Sheiness discovered that a MIME conversion routine in sendmail, a powerful, efficient, and scalable mail transport agent, could be tricked by a specially crafted mail to perform an endless recursion.

For the stable distribution (sarge) this problem has been fixed in version 8.13.4-3sarge2.

For the unstable distribution (sid) this problem has been fixed in version 8.13.7-1.

We recommend that you upgrade your sendmail package.
Debian GNU/Linux 3.1 alias sarge
--------------------------------
[Full-disclosure] [SECURITY] [DSA 1155-2] New sendmail packages fix denial of service
Debian Security Advisory DSA 1155-2
http://www.debian.org/security/
Martin Schulze, August 24th, 2006
http://www.debian.org/security/faq

Package        : sendmail
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-1173
CERT advisory  : VU#146718
BugTraq ID     : 18433
Debian Bug     : 373801 380258

It turned out that the sendmail binary depends on libsasl2 (>= 2.1.19.dfsg1) which is neither available in the stable nor in the security archive. This version is scheduled for the inclusion in the next update of the stable release, though. You'll have to download the referenced file for your architecture from below and install it with dpkg -i.

As an alternative, temporarily adding the following line to /etc/apt/sources.list will mitigate the problem as well:

deb http://ftp.debian.de/debian stable-proposed-updates main

Here is the original security advisory for completeness:

Frank Sheiness discovered that a MIME conversion routine in sendmail, a powerful, efficient, and scalable mail transport agent, could be tricked by a specially crafted mail to perform an endless recursion.

For the stable distribution (sarge) this problem has been fixed in version 8.13.4-3sarge2.

For the unstable distribution (sid) this problem has been fixed in version 8.13.7-1.

We recommend that you upgrade your sendmail package.
Debian GNU/Linux 3.1 alias sarge
--------------------------------

These files will probably be moved into the stable distribution on its next update.
[Full-disclosure] [SECURITY] [DSA 1152-1] New trac packages fix information disclosure
Debian Security Advisory DSA 1152-1
http://www.debian.org/security/
Martin Schulze, August 18th, 2006
http://www.debian.org/security/faq

Package        : trac
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3695

Felix Wiemann discovered that trac, an enhanced Wiki and issue tracking system for software development projects, can be used to disclose arbitrary local files. To fix this problem, python-docutils needs to be updated as well.

For the stable distribution (sarge) this problem has been fixed in version 0.8.1-3sarge5 of trac and version 0.3.7-2sarge1 of python-docutils.

For the unstable distribution (sid) this problem has been fixed in version 0.9.6-1.

We recommend that you upgrade your trac and python-docutils packages.
Debian GNU/Linux 3.1 alias sarge
--------------------------------

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure
[Full-disclosure] [SECURITY] [DSA 1153-1] New ClamAV packages fix arbitrary code execution
Debian Security Advisory DSA 1153-1
http://www.debian.org/security/
Martin Schulze, August 18th, 2006
http://www.debian.org/security/faq

Package        : clamav
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-4018
BugTraq ID     : 19381

Damian Put discovered a heap overflow vulnerability in the UPX unpacker of the ClamAV anti-virus toolkit which could allow remote attackers to execute arbitrary code or cause denial of service.

For the stable distribution (sarge) this problem has been fixed in version 0.84-2.sarge.10.

For the stable distribution (sarge) this problem has been fixed in version 0.88.4-0volatile1 in the volatile archive.

For the unstable distribution (sid) this problem has been fixed in version 0.88.4-2.

We recommend that you upgrade your clamav packages.
Debian GNU/Linux 3.1 alias sarge
--------------------------------
[Full-disclosure] [SECURITY] [DSA 1151-1] New heartbeat packages fix denial of service
Debian Security Advisory DSA 1151-1
http://www.debian.org/security/
Martin Schulze, August 15th, 2006
http://www.debian.org/security/faq

Package        : heartbeat
Vulnerability  : out-of-bounds read
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3121

Yan Rong Ge discovered out-of-boundary memory access in heartbeat, the subsystem for High-Availability Linux. This could be used by a remote attacker to cause a denial of service.

For the stable distribution (sarge) this problem has been fixed in version 1.2.3-9sarge6.

For the unstable distribution (sid) this problem has been fixed in version 1.2.4-14 and heartbeat-2 2.0.6-2.

We recommend that you upgrade your heartbeat packages.
Debian GNU/Linux 3.1 alias sarge
--------------------------------
[Full-disclosure] [SECURITY] [DSA 1146-1] New krb5 packages fix privilege escalation
Debian Security Advisory DSA 1146-1
http://www.debian.org/security/
Martin Schulze, August 9th, 2006
http://www.debian.org/security/faq

Package        : krb5
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE IDs        : CVE-2006-3083 CVE-2006-3084
CERT advisories: VU#580124 VU#401660

In certain application programs packaged in the MIT Kerberos 5 source distribution, calls to setuid() and seteuid() are not always checked for success and may fail with some PAM configurations. A local user could exploit one of these vulnerabilities to result in privilege escalation. No exploit code is known to exist at this time.

For the stable distribution (sarge) these problems have been fixed in version 1.3.6-2sarge3.

For the unstable distribution (sid) these problems have been fixed in version 1.4.3-9.

We recommend that you upgrade your krb5 packages.
Debian GNU/Linux 3.1 alias sarge
--------------------------------
[Full-disclosure] [SECURITY] [DSA 1149-1] New ncompress packages fix potential code execution
Debian Security Advisory DSA 1149-1
http://www.debian.org/security/
Martin Schulze, August 10th, 2006
http://www.debian.org/security/faq

Package        : ncompress
Vulnerability  : buffer underflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-1168

Tavis Ormandy from the Google Security Team discovered a missing boundary check in ncompress, the original Lempel-Ziv compress and uncompress programs, which allows a specially crafted datastream to underflow a buffer with attacker controlled data.

For the stable distribution (sarge) this problem has been fixed in version 4.2.4-15sarge2.

For the unstable distribution (sid) this problem has been fixed in version 4.2.4-15sarge2.

We recommend that you upgrade your ncompress package.
Debian GNU/Linux 3.1 alias sarge
--------------------------------

These files will probably be moved into the stable distribution on its next update.
[Full-disclosure] [SECURITY] [DSA 1143-1] New dhcp packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1143-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 4th, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : dhcp
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3122
Debian Bug     : 380273

Justin Winschief and Andrew Steets discovered a bug in dhcp, the DHCP
server for automatic IP address assignment, which causes the server to
unexpectedly exit.

For the stable distribution (sarge) this problem has been fixed in
version 2.0pl5-19.1sarge2.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your dhcp package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
[Full-disclosure] [SECURITY] [DSA 1140-1] New GnuPG packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1140-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 3rd, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gnupg
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3746
BugTraq ID     : 19110
Debian Bug     : 381204

Evgeny Legerov discovered that overly large comments can crash gnupg,
the GNU privacy guard - a free PGP replacement.

For the stable distribution (sarge) this problem has been fixed in
version 1.4.1-1.sarge5.

For the unstable distribution (sid) this problem has been fixed in
version 1.4.5-1.

We recommend that you upgrade your gnupg package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored
[Full-disclosure] [SECURITY] [DSA 1141-1] New GnuPG2 packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1141-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 4th, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gnupg2
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3746
BugTraq ID     : 19110
Debian Bug     : 381204

Evgeny Legerov discovered that overly large comments can crash gnupg,
the GNU privacy guard - a free PGP replacement, which is also present
in the development branch.

For the stable distribution (sarge) this problem has been fixed in
version 1.9.15-6sarge2.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your gnupg2 package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
[Full-disclosure] [SECURITY] [DSA 1142-1] New freeciv packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1142-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 4th, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : freeciv
Vulnerability  : missing boundary checks
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3913
BugTraq ID     : 19117
Debian Bug     : 381378

Luigi Auriemma discovered missing boundary checks in freeciv, a clone
of the well known Civilisation game, which can be exploited by remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 2.0.1-1sarge2.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your freeciv package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
[Full-disclosure] [SECURITY] [DSA 1135-1] New libtunepimp packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1135-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 2nd, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libtunepimp
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3600
BugTraq ID     : 18961
Debian Bug     : 378091

Kevin Kofler discovered several stack-based buffer overflows in the
LookupTRM::lookup function in libtunepimp, a MusicBrainz tagging
library, which allow remote attackers to cause a denial of service or
execute arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 0.3.0-3sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 0.4.2-4.

We recommend that you upgrade your libtunepimp packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
[Full-disclosure] [SECURITY] [DSA 1136-1] New gpdf packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1136-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 2nd, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gpdf
Vulnerability  : wrong input sanitising
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2005-2097
BugTraq ID     : 14529
Debian Bug     : 334454

infamous41md and Chris Evans discovered several heap based buffer
overflows in xpdf, the Portable Document Format (PDF) suite, which are
also present in gpdf, the viewer with Gtk bindings, and which can lead
to a denial of service by crashing the application or possibly to the
execution of arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 2.8.2-1.2sarge5.

For the unstable distribution (sid) these problems have been fixed in
version 2.10.0-4.

We recommend that you upgrade your gpdf package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
[Full-disclosure] [SECURITY] [DSA 1130-1] New sitebar packages fix cross-site scripting
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1130-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
July 30th, 2006                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : sitebar
Vulnerability  : missing input validation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3320
BugTraq ID     : 18680
Debian Bug     : 377299

A cross-site scripting vulnerability has been discovered in sitebar, a
web based bookmark manager written in PHP, which allows remote
attackers to inject arbitrary web script or HTML.

For the stable distribution (sarge) this problem has been fixed in
version 3.2.6-7.1.

For the unstable distribution (sid) this problem has been fixed in
version 3.3.8-1.1.

We recommend that you upgrade your sitebar package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/sitebar/sitebar_3.2.6-7.1.dsc
      Size/MD5 checksum:      567 af6299567258255742c9289ead8618e4
    http://security.debian.org/pool/updates/main/s/sitebar/sitebar_3.2.6-7.1.diff.gz
      Size/MD5 checksum:     9214 2309667ac14ea821c7a1ba14b8a59916
    http://security.debian.org/pool/updates/main/s/sitebar/sitebar_3.2.6.orig.tar.gz
      Size/MD5 checksum:       52 a86243f7a70a1a9ac80342fbcca14297

  Architecture independent components:

    http://security.debian.org/pool/updates/main/s/sitebar/sitebar_3.2.6-7.1_all.deb
      Size/MD5 checksum:   339760 98d388ce2b2c8d746d333f6286e22c0b

  These files will probably be moved into the stable distribution on
  its next update.
- ---------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
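The upgrade instructions above say to fetch a file with wget and install it with dpkg -i; the step a practitioner wants in between is checking the download against the "Size/MD5 checksum:" entry the advisory lists for it. The following POSIX shell helper is an added example, not part of any DSA or Debian tooling; it assumes awk, md5sum, wc and basename are available and that the advisory was saved as a text file in its original layout (each URL line followed by its checksum line).

```shell
#!/bin/sh
# Added example, not from any Debian advisory: check a downloaded .deb against
# the "Size/MD5 checksum: <size> <md5>" entry a DSA lists for it, before the
# "dpkg -i file.deb" step of the upgrade instructions.
# Assumes a POSIX shell with awk, md5sum, wc and basename, and an advisory
# saved as text in its original layout (URL line, then its checksum line).
#
# The listing is only as trustworthy as the PGP signature on the advisory
# (MD5 is not collision-resistant), so verify the clearsigned message first,
# e.g. with "gpg --verify advisory.txt", and only then rely on its checksums.

# dsa_expected ADVISORY FILENAME
#   Print "<size> <md5>" for the listed URL whose basename is FILENAME.
#   Returns 1 when the advisory does not list that file.
dsa_expected() {
    awk -v want="$2" '
        # remember the basename of the most recent URL line
        $1 ~ /^(http|ftp):/ { n = split($1, p, "/"); cur = p[n]; next }
        /Size\/MD5 checksum:/ && cur == want {
            # drop everything up to "checksum:"; this also copes with archive
            # copies where the label and size were fused ("checksum:567")
            sub(/.*checksum:[ \t]*/, "")
            print $1, $2
            found = 1
            exit
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# dsa_verify_deb ADVISORY DEB
#   Exit 0 only when both the size and the MD5 of DEB match the advisory;
#   1 on a mismatch, 2 when DEB is not listed at all.
dsa_verify_deb() {
    adv=$1
    deb=$2
    expected=$(dsa_expected "$adv" "$(basename "$deb")") || {
        echo "not listed in advisory: $deb" >&2
        return 2
    }
    exp_size=${expected%% *}
    exp_md5=${expected##* }
    act_size=$(wc -c < "$deb" | tr -d ' ')
    act_md5=$(md5sum "$deb" | cut -d' ' -f1)
    if [ "$act_size" != "$exp_size" ]; then
        echo "size mismatch for $deb: advisory says $exp_size, file is $act_size" >&2
        return 1
    fi
    if [ "$act_md5" != "$exp_md5" ]; then
        echo "MD5 mismatch for $deb: advisory says $exp_md5, file is $act_md5" >&2
        return 1
    fi
    echo "ok: $deb matches the advisory listing"
}

# usage: sh dsa-verify.sh advisory.txt sitebar_3.2.6-7.1_all.deb
if [ "$#" -eq 2 ]; then
    dsa_verify_deb "$1" "$2"
fi
```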
[Full-disclosure] [SECURITY] [DSA 1134-1] New Mozilla Thunderbird packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1134-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
August 2nd, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-thunderbird
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-1942 CVE-2006-2775 CVE-2006-2776 CVE-2006-2777
                 CVE-2006-2778 CVE-2006-2779 CVE-2006-2780 CVE-2006-2781
                 CVE-2006-2782 CVE-2006-2783 CVE-2006-2784 CVE-2006-2785
                 CVE-2006-2786 CVE-2006-2787
CERT advisories: VU#237257 VU#243153 VU#421529 VU#466673 VU#575969
BugTraq ID     : 18228

Several security related problems have been discovered in Mozilla which
are also present in Mozilla Thunderbird. The Common Vulnerabilities and
Exposures project identifies the following vulnerabilities:

CVE-2006-1942

    Eric Foley discovered that a user can be tricked to expose a local
    file to a remote attacker by displaying a local file as image in
    connection with other vulnerabilities. [MFSA-2006-39]

CVE-2006-2775

    XUL attributes are associated with the wrong URL under certain
    circumstances, which might allow remote attackers to bypass
    restrictions. [MFSA-2006-35]

CVE-2006-2776

    Paul Nickerson discovered that content-defined setters on an object
    prototype were getting called by privileged user interface code,
    and moz_bug_r_a4 demonstrated that the higher privilege level could
    be passed along to the content-defined attack code. [MFSA-2006-37]

CVE-2006-2777

    A vulnerability allows remote attackers to execute arbitrary code
    and create notifications that are executed in a privileged context.
    [MFSA-2006-43]

CVE-2006-2778

    Mikolaj Habryn discovered a buffer overflow in the crypto.signText
    function that allows remote attackers to execute arbitrary code via
    certain optional Certificate Authority name arguments.
    [MFSA-2006-38]

CVE-2006-2779

    Mozilla team members discovered several crashes during testing of
    the browser engine showing evidence of memory corruption which may
    also lead to the execution of arbitrary code. This problem has only
    partially been corrected. [MFSA-2006-32]

CVE-2006-2780

    An integer overflow allows remote attackers to cause a denial of
    service and may permit the execution of arbitrary code.
    [MFSA-2006-32]

CVE-2006-2781

    Masatoshi Kimura discovered a double-free vulnerability that allows
    remote attackers to cause a denial of service and possibly execute
    arbitrary code via a VCard. [MFSA-2006-40]

CVE-2006-2782

    Chuck McAuley discovered that a text input box can be pre-filled
    with a filename and then turned into a file-upload control, allowing
    a malicious website to steal any local file whose name they can
    guess. [MFSA-2006-41, MFSA-2006-23, CVE-2006-1729]

CVE-2006-2783

    Masatoshi Kimura discovered that the Unicode Byte-order-Mark (BOM)
    is stripped from UTF-8 pages during the conversion to Unicode before
    the parser sees the web page, which allows remote attackers to
    conduct cross-site scripting (XSS) attacks. [MFSA-2006-42]

CVE-2006-2784

    Paul Nickerson discovered that the fix for CAN-2005-0752 can be
    bypassed using nested javascript: URLs, allowing the attacker to
    execute privileged code. [MFSA-2005-34, MFSA-2006-36]

CVE-2006-2785

    Paul Nickerson demonstrated that if an attacker could convince a
    user to right-click on a broken image and choose View Image from
    the context menu then he could get JavaScript to run.
    [MFSA-2006-34]

CVE-2006-2786

    Kazuho Oku discovered that Mozilla's lenient handling of HTTP header
    syntax may allow remote attackers to trick the browser to interpret
    certain responses as if they were responses from two different
    sites. [MFSA-2006-33]

CVE-2006-2787

    The Mozilla researcher moz_bug_r_a4 discovered that JavaScript run
    via EvalInSandbox can escape the sandbox and gain elevated
    privilege. [MFSA-2006-31]

For the stable distribution (sarge) these problems have been fixed in
version 1.0.2-2.sarge1.0.8a.

For the unstable distribution (sid) these problems have been fixed in
version 1.5.0.4-1 and xulrunner 1.5.0.4-1 for galeon and epiphany.

We recommend that you upgrade your Mozilla Thunderbird packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use
[Full-disclosure] [SECURITY] [DSA 1128-1] New heartbeat packages fix local denial of service
Debian Security Advisory DSA 1128-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
July 28th, 2006                         http://www.debian.org/security/faq

Package        : heartbeat
Vulnerability  : permission error
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2006-3815

Yan Rong Ge discovered that wrong permissions on a shared memory page in heartbeat, the subsystem for High-Availability Linux, could be exploited by a local attacker to cause a denial of service.

For the stable distribution (sarge) this problem has been fixed in version 1.2.3-9sarge5.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your heartbeat packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
[Full-disclosure] [SECURITY] [DSA 1129-1] New osiris packages fix arbitrary code execution
Debian Security Advisory DSA 1129-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
July 28th, 2006                         http://www.debian.org/security/faq

Package        : osiris
Vulnerability  : format string
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3120

Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project have found several format string security bugs in osiris, a network-wide system integrity monitor control interface. A remote attacker could exploit them and cause a denial of service or execute arbitrary code.

For the stable distribution (sarge) these problems have been fixed in version 4.0.6-1sarge1.

For the unstable distribution (sid) these problems have been fixed in version 4.2.0-2.

We recommend that you upgrade your osiris packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
[Full-disclosure] [SECURITY] [DSA 1126-1] New Asterisk packages fix denial of service
Debian Security Advisory DSA 1126-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
July 27th, 2006                         http://www.debian.org/security/faq

Package        : asterisk
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2898
BugTraq ID     : 18295

A problem has been discovered in the IAX2 channel driver of Asterisk, an Open Source Private Branch Exchange and telephony toolkit, which may allow a remote attacker to cause a crash of the Asterisk server.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 1.0.7.dfsg.1-2sarge3.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your asterisk packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
[Full-disclosure] [SECURITY] [DSA 1122-1] New Net::Server packages fix denial of service
Debian Security Advisory DSA 1122-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
July 24th, 2005                         http://www.debian.org/security/faq

Package        : libnet-server-perl
Vulnerability  : format string
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-1127
Debian Bug     : 378640

Peter Bieringer discovered that the log function in the Net::Server Perl module, an extensible, general perl server engine, is not safe against format string exploits.

The old stable distribution (woody) does not contain this package.

For the stable distribution (sarge) this problem has been fixed in version 0.87-3sarge1.

For the unstable distribution (sid) this problem has been fixed in version 0.89-1.

We recommend that you upgrade your libnet-server-perl package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[Full-disclosure] [SECURITY] [DSA 1120-1] New Mozilla Firefox packages fix several vulnerabilities
Debian Security Advisory DSA 1120-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
July 23rd, 2006                         http://www.debian.org/security/faq

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-1942 CVE-2006-2775 CVE-2006-2776 CVE-2006-2777
                 CVE-2006-2778 CVE-2006-2779 CVE-2006-2780 CVE-2006-2782
                 CVE-2006-2783 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786
                 CVE-2006-2787
CERT advisories: VU#237257 VU#243153 VU#421529 VU#466673 VU#575969
BugTraq ID     : 18228

Several security related problems have been discovered in Mozilla. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-1942
    Eric Foley discovered that a user can be tricked into exposing a local file to a remote attacker by displaying a local file as an image in connection with other vulnerabilities. [MFSA-2006-39]

CVE-2006-2775
    XUL attributes are associated with the wrong URL under certain circumstances, which might allow remote attackers to bypass restrictions. [MFSA-2006-35]

CVE-2006-2776
    Paul Nickerson discovered that content-defined setters on an object prototype were getting called by privileged user interface code, and moz_bug_r_a4 demonstrated that the higher privilege level could be passed along to the content-defined attack code. [MFSA-2006-37]

CVE-2006-2777
    A vulnerability allows remote attackers to execute arbitrary code and create notifications that are executed in a privileged context. [MFSA-2006-43]

CVE-2006-2778
    Mikolaj Habryn discovered a buffer overflow in the crypto.signText function that allows remote attackers to execute arbitrary code via certain optional Certificate Authority name arguments. [MFSA-2006-38]

CVE-2006-2779
    Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption which may also lead to the execution of arbitrary code. This problem has only partially been corrected. [MFSA-2006-32]

CVE-2006-2780
    An integer overflow allows remote attackers to cause a denial of service and may permit the execution of arbitrary code. [MFSA-2006-32]

CVE-2006-2782
    Chuck McAuley discovered that a text input box can be pre-filled with a filename and then turned into a file-upload control, allowing a malicious website to steal any local file whose name they can guess. [MFSA-2006-41, MFSA-2006-23, CVE-2006-1729]

CVE-2006-2783
    Masatoshi Kimura discovered that the Unicode Byte-order-Mark (BOM) is stripped from UTF-8 pages during the conversion to Unicode before the parser sees the web page, which allows remote attackers to conduct cross-site scripting (XSS) attacks. [MFSA-2006-42]

CVE-2006-2784
    Paul Nickerson discovered that the fix for CAN-2005-0752 can be bypassed using nested javascript: URLs, allowing the attacker to execute privileged code. [MFSA-2005-34, MFSA-2006-36]

CVE-2006-2785
    Paul Nickerson demonstrated that if an attacker could convince a user to right-click on a broken image and choose View Image from the context menu, then he could get JavaScript to run. [MFSA-2006-34]

CVE-2006-2786
    Kazuho Oku discovered that Mozilla's lenient handling of HTTP header syntax may allow remote attackers to trick the browser into interpreting certain responses as if they were responses from two different sites. [MFSA-2006-33]

CVE-2006-2787
    The Mozilla researcher moz_bug_r_a4 discovered that JavaScript run via EvalInSandbox can escape the sandbox and gain elevated privilege. [MFSA-2006-31]

For the stable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge9.

For the unstable distribution (sid) these problems have been fixed in version 1.5.dfsg+1.5.0.4-1.

We recommend that you upgrade your Mozilla Firefox packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
[Full-disclosure] [SECURITY] [DSA 1118-1] New Mozilla packages fix several vulnerabilities
Debian Security Advisory DSA 1118-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
July 22nd, 2006                         http://www.debian.org/security/faq

Package        : mozilla
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-1942 CVE-2006-2775 CVE-2006-2776 CVE-2006-2777
                 CVE-2006-2778 CVE-2006-2779 CVE-2006-2780 CVE-2006-2781
                 CVE-2006-2782 CVE-2006-2783 CVE-2006-2784 CVE-2006-2785
                 CVE-2006-2786 CVE-2006-2787
CERT advisories: VU#237257 VU#243153 VU#421529 VU#466673 VU#575969
BugTraq ID     : 18228

Several security related problems have been discovered in Mozilla. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-1942
    Eric Foley discovered that a user can be tricked into exposing a local file to a remote attacker by displaying a local file as an image in connection with other vulnerabilities. [MFSA-2006-39]

CVE-2006-2775
    XUL attributes are associated with the wrong URL under certain circumstances, which might allow remote attackers to bypass restrictions. [MFSA-2006-35]

CVE-2006-2776
    Paul Nickerson discovered that content-defined setters on an object prototype were getting called by privileged user interface code, and moz_bug_r_a4 demonstrated that the higher privilege level could be passed along to the content-defined attack code. [MFSA-2006-37]

CVE-2006-2777
    A vulnerability allows remote attackers to execute arbitrary code and create notifications that are executed in a privileged context. [MFSA-2006-43]

CVE-2006-2778
    Mikolaj Habryn discovered a buffer overflow in the crypto.signText function that allows remote attackers to execute arbitrary code via certain optional Certificate Authority name arguments. [MFSA-2006-38]

CVE-2006-2779
    Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption which may also lead to the execution of arbitrary code. This problem has only partially been corrected. [MFSA-2006-32]

CVE-2006-2780
    An integer overflow allows remote attackers to cause a denial of service and may permit the execution of arbitrary code. [MFSA-2006-32]

CVE-2006-2781
    Masatoshi Kimura discovered a double-free vulnerability that allows remote attackers to cause a denial of service and possibly execute arbitrary code via a VCard. [MFSA-2006-40]

CVE-2006-2782
    Chuck McAuley discovered that a text input box can be pre-filled with a filename and then turned into a file-upload control, allowing a malicious website to steal any local file whose name they can guess. [MFSA-2006-41, MFSA-2006-23, CVE-2006-1729]

CVE-2006-2783
    Masatoshi Kimura discovered that the Unicode Byte-order-Mark (BOM) is stripped from UTF-8 pages during the conversion to Unicode before the parser sees the web page, which allows remote attackers to conduct cross-site scripting (XSS) attacks. [MFSA-2006-42]

CVE-2006-2784
    Paul Nickerson discovered that the fix for CAN-2005-0752 can be bypassed using nested javascript: URLs, allowing the attacker to execute privileged code. [MFSA-2005-34, MFSA-2006-36]

CVE-2006-2785
    Paul Nickerson demonstrated that if an attacker could convince a user to right-click on a broken image and choose View Image from the context menu, then he could get JavaScript to run. [MFSA-2006-34]

CVE-2006-2786
    Kazuho Oku discovered that Mozilla's lenient handling of HTTP header syntax may allow remote attackers to trick the browser into interpreting certain responses as if they were responses from two different sites. [MFSA-2006-33]

CVE-2006-2787
    The Mozilla researcher moz_bug_r_a4 discovered that JavaScript run via EvalInSandbox can escape the sandbox and gain elevated privilege. [MFSA-2006-31]

For the stable distribution (sarge) these problems have been fixed in version 1.7.8-1sarge7.1.

For the unstable distribution (sid) these problems have been fixed in version 1.7.13-0.3.

We recommend that you upgrade your Mozilla packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
[Full-disclosure] [SECURITY] [DSA 1119-1] New hiki packages fix denial of service
Debian Security Advisory DSA 1119-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
July 22nd, 2006                         http://www.debian.org/security/faq

Package        : hiki
Vulnerability  : design flaw
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3379
BugTraq ID     : 18785
Debian Bug     : 378059

Akira Tanaka discovered a vulnerability in Hiki Wiki, a Wiki engine written in Ruby, that allows remote attackers to cause a denial of service via high CPU consumption by performing a diff between large and specially crafted Wiki pages.

For the stable distribution (sarge) this problem has been fixed in version 0.6.5-2.

For the unstable distribution (sid) this problem has been fixed in version 0.8.6-1.

We recommend that you upgrade your hiki package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

These files will probably be moved into the stable distribution on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[Full-disclosure] [SECURITY] [DSA 1114-1] New hashcash packages fix arbitrary code execution
Debian Security Advisory DSA 1114-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
July 21st, 2006                         http://www.debian.org/security/faq

Package        : hashcash
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-3251
BugTraq ID     : 18659
Debian Bug     : 376444

Andreas Seltenreich discovered a buffer overflow in hashcash, a postage payment scheme for email that is based on hash calculations, which could allow attackers to execute arbitrary code via specially crafted entries.

For the stable distribution (sarge) this problem has been fixed in version 1.17-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 1.21-1.

We recommend that you upgrade your hashcash package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[Full-disclosure] [SECURITY] [DSA 1115-1] New GnuPG2 packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1115-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
July 21st, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gnupg2
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-3082

Evgeny Legerov discovered that gnupg, the GNU privacy guard, a free PGP
replacement, contains an integer overflow that can cause a segmentation
fault and possibly overwrite memory via large user ID strings.

For the stable distribution (sarge) this problem has been fixed in
version 1.4.1-1.sarge4 of GnuPG and in version 1.9.15-6sarge1 of GnuPG2.

For the unstable distribution (sid) this problem has been fixed in
version 1.4.3-2 of GnuPG; a fix for GnuPG2 is pending.

We recommend that you upgrade your gnupg package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/g/gnupg2/gnupg2_1.9.15-6sarge1.dsc Size/MD5 checksum: 854 d7f54b50b8c569566cfe0b865ec20323 http://security.debian.org/pool/updates/main/g/gnupg2/gnupg2_1.9.15-6sarge1.diff.gz Size/MD5 checksum: 1859944 fbb56cbacfb82fb546bed3dd2944 http://security.debian.org/pool/updates/main/g/gnupg2/gnupg2_1.9.15.orig.tar.gz Size/MD5 checksum: 5454978 ee3885e2c74a9c1ae539d6f12091c30b Alpha architecture: http://security.debian.org/pool/updates/main/g/gnupg2/gnupg-agent_1.9.15-6sarge1_alpha.deb Size/MD5 checksum: 112318 e806b0cedb8ed0914e6e035d042acdd0 http://security.debian.org/pool/updates/main/g/gnupg2/gnupg2_1.9.15-6sarge1_alpha.deb Size/MD5 checksum: 886212 1763f96899b22f286232871b9b085ed6 http://security.debian.org/pool/updates/main/g/gnupg2/gpgsm_1.9.15-6sarge1_alpha.deb Size/MD5 checksum: 453430 6dfaaea879aa17fc0dd623889a983507 AMD64 architecture: http://security.debian.org/pool/updates/main/g/gnupg2/gnupg-agent_1.9.15-6sarge1_amd64.deb Size/MD5 checksum:98464 cafa5d36dbcb21d795b6372c8293d6f8 http://security.debian.org/pool/updates/main/g/gnupg2/gnupg2_1.9.15-6sarge1_amd64.deb Size/MD5 checksum: 774560 96bf1b958e560fe17d632c26c38d9efc http://security.debian.org/pool/updates/main/g/gnupg2/gpgsm_1.9.15-6sarge1_amd64.deb Size/MD5 checksum: 385700 4b2b4ddc50eaf51b5701d7d47e1c9b3c ARM architecture: http://security.debian.org/pool/updates/main/g/gnupg2/gnupg-agent_1.9.15-6sarge1_arm.deb Size/MD5 checksum:87318 d72f15b0cef0d127af34819d3ca5f14a http://security.debian.org/pool/updates/main/g/gnupg2/gnupg2_1.9.15-6sarge1_arm.deb Size/MD5 checksum: 712814 22e92a7324e81906493140954172d5bf http://security.debian.org/pool/updates/main/g/gnupg2/gpgsm_1.9.15-6sarge1_arm.deb Size/MD5 checksum: 339666 1d23cfebbe8e6c7396aeff77eb9c8820 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/g/gnupg2/gnupg-agent_1.9.15-6sarge1_i386.deb Size/MD5 checksum:90042 
      0e930e3cdcb129f1a442299f4d0540e3
    http://security.debian.org/pool/updates/main/g/gnupg2/gnupg2_1.9.15-6sarge1_i386.deb
      Size/MD5 checksum:   731422 9a9f643a1dbc83c6b3f3dd9bfffe0a52
    http://security.debian.org/pool/updates/main/g/gnupg2/gpgsm_1.9.15-6sarge1_i386.deb
      Size/MD5 checksum:   351906 8282625e16ac625f67e38f39ff107652

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gnupg2/gnupg-agent_1.9.15-6sarge1_ia64.deb
      Size/MD5 checksum:   130298 2eedf4cf8372007857433ca639524d9b
    http://security.debian.org/pool/updates/main/g/gnupg2/gnupg2_1.9.15-6sarge1_ia64.deb
      Size/MD5 checksum:  1026226 e782e4b34a5b92e8096d2654b2cc5a4c
    http://security.debian.org/pool/updates/main/g/gnupg2/gpgsm_1.9.15-6sarge1_ia64.deb
      Size/MD5 checksum:   539910 20467693f439c077a70084dc3a97013c

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gnupg2/gnupg-agent_1.9.15-6sarge1_hppa.deb
      Size/MD5 checksum:   100568 8196f49a542cafff2df799dcf01aec82
    http://security.debian.org/pool/updates/main/g/gnupg2/gnupg2_1.9.15-6sarge1_hppa.deb
      Size/MD5 checksum:   794658 51ccc9c508247dd4f420f6cf6573aac2
    http
[Full-disclosure] [SECURITY] [DSA 1106-1] New ppp packages fix privilege escalation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1106-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
July 10th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : ppp
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2006-2194

Marcus Meissner discovered that the winbind plugin in pppd does not check
whether a setuid() call has been successful when trying to drop
privileges, which may fail with some PAM configurations.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 2.4.3-20050321+2sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.4.4rel-1.

We recommend that you upgrade your ppp package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1.dsc Size/MD5 checksum: 633 1b8f1f8da7cf7b56c2c6e13e2072167d http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1.diff.gz Size/MD5 checksum:83359 1fd6996f800c3d323b159ca5ab587712 http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3.orig.tar.gz Size/MD5 checksum: 697459 0537b03fb51cbb847290abdbb765cb93 Architecture independent components: http://security.debian.org/pool/updates/main/p/ppp/ppp-dev_2.4.3-20050321+2sarge1_all.deb Size/MD5 checksum:32072 77bab82e596987e60908f19c27bceeb6 Alpha architecture: http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_alpha.deb Size/MD5 checksum: 393308 5f90be499af49912e7074c26979037db AMD64 architecture: http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_amd64.deb Size/MD5 checksum: 346172 ae546c9f5f4f0bc2fdebab8858c93731 ARM architecture: http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_arm.deb Size/MD5 checksum: 326134 aab781148123790027eb4bf114cc8df9 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_i386.deb Size/MD5 checksum: 324274 759537119b8680ed4e27ae09a52a65aa Intel IA-64 architecture: http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_ia64.deb Size/MD5 checksum: 437432 8a0acb4779046622af9c27a6307fa305 HP Precision architecture: http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_hppa.deb Size/MD5 checksum: 357572 5c415d1e9a6e31fdb01b2eb7f8f1065f Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_m68k.deb Size/MD5 checksum: 305432 4e7f194f247899a3d20280eca53e41ba Big endian MIPS architecture: http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_mips.deb Size/MD5 checksum: 348852 
      aca3c70a1be8c013a48e6d939ebe036a

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_mipsel.deb
      Size/MD5 checksum:   351084 7cd743087a4155ff0d9e8085cbee7dbf

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_powerpc.deb
      Size/MD5 checksum:   351188 60f69689787965812f891df34371600a

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_s390.deb
      Size/MD5 checksum:   343302 65648a90f1ab9abb71121ceeb9bb98a5

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_sparc.deb
      Size/MD5 checksum:   329684 1df0e5a6621da5344bdb91a1fd4eef3e

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org
[Full-disclosure] [SECURITY] [DSA 1107-1] New GnuPG packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1107-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
July 10th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gnupg
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-3082

Evgeny Legerov discovered that gnupg, the GNU privacy guard, a free PGP
replacement, contains an integer overflow that can cause a segmentation
fault and possibly overwrite memory via large user ID strings.

For the old stable distribution (woody) this problem has been fixed in
version 1.0.6-4woody6.

For the stable distribution (sarge) this problem has been fixed in
version 1.4.1-1.sarge4.

For the unstable distribution (sid) this problem has been fixed in
version 1.4.3-2.

We recommend that you upgrade your gnupg package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6.dsc Size/MD5 checksum: 577 40a60f7ff8a7c36e4ffb308caa350e70 http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6.diff.gz Size/MD5 checksum: 8597 add04b0a8c391de7134cca7c943d15d9 http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6.orig.tar.gz Size/MD5 checksum: 1941676 7c319a9e5e70ad9bc3bf0d7b5008a508 Alpha architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_alpha.deb Size/MD5 checksum: 1151184 3c46ca0e7a42f819619ba2a021a38eb9 ARM architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_arm.deb Size/MD5 checksum: 987554 843109424859d6a1006898419d6d642e Intel IA-32 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_i386.deb Size/MD5 checksum: 966904 8ffd681040a2d466389f058e25ae29ae Intel IA-64 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_ia64.deb Size/MD5 checksum: 1272488 5dcf85dd73bd2015438fd995a16762e5 HP Precision architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_hppa.deb Size/MD5 checksum: 1060316 22496f4150fd2334f7504deff0c474a1 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_m68k.deb Size/MD5 checksum: 942994 bc7eede5abdcbe721ff81a5e242ebfb6 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_mips.deb Size/MD5 checksum: 1036510 5e5824568a6a4b50851513c27db5a139 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_mipsel.deb Size/MD5 checksum: 1036966 792c1f9b0f61349001a789b08bf862d8 PowerPC architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_powerpc.deb Size/MD5 checksum: 1010208 6f1b3a058b7afab16a35ccba4d6b107e IBM S/390 architecture: 
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_s390.deb
      Size/MD5 checksum:  1002808 80b5ca38f239a23c8e2119b39966279b

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_sparc.deb
      Size/MD5 checksum:  1003856 aa89804a111cdbede9845a8eb179f9d2


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4.dsc
      Size/MD5 checksum:      680 006a79b9793ba193aa227850c11984dd
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4.diff.gz
      Size/MD5 checksum:    20197 488b0289778532beb0608b8dca7982a7
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
      Size/MD5 checksum:  4059170 1cc77c6943baaa711222e954bbd785e5

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_alpha.deb
      Size/MD5 checksum:  2155794 cb1d024d2cae8c132bafe3422a2d1b3e

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_amd64.deb
      Size/MD5
[Full-disclosure] [SECURITY] [DSA 1105-1] New xine-lib packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1105-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
July 7th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xine-lib
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2802
BugTraq ID     : 18187
Debian Bug     : 369876

Federico L. Bossi Bonin discovered a buffer overflow in the HTTP Plugin
in xine-lib, the xine video/media player library, that could allow a
remote attacker to cause a denial of service.

For the old stable distribution (woody) this problem has been fixed in
version 0.9.8-2woody5.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.1-1sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 1.1.1-2.

We recommend that you upgrade your libxine packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_0.9.8-2woody5.dsc Size/MD5 checksum: 761 113ef134a39e2f37bc6395dc2e43b538 http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_0.9.8-2woody5.diff.gz Size/MD5 checksum: 2339 194c32b8c93f5e85c873454412f63552 http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_0.9.8.orig.tar.gz Size/MD5 checksum: 1766178 d8fc9b30e15b50af8ab7552bbda7aeda Alpha architecture: http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_alpha.deb Size/MD5 checksum: 261022 3314df47933eadc0af5b5cf4a36afdfe http://security.debian.org/pool/updates/main/x/xine-lib/libxine0_0.9.8-2woody5_alpha.deb Size/MD5 checksum: 816024 897664eee06d09f43375f5320be1f17b ARM architecture: http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_arm.deb Size/MD5 checksum: 302960 9dee75c3d13aabb5e83978e0d75ec4ce http://security.debian.org/pool/updates/main/x/xine-lib/libxine0_0.9.8-2woody5_arm.deb Size/MD5 checksum: 671494 dafc6c14181802dd56c887583bbf5140 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_i386.deb Size/MD5 checksum: 260788 3a98e4d713d1c341fe69a717c8de0072 http://security.debian.org/pool/updates/main/x/xine-lib/libxine0_0.9.8-2woody5_i386.deb Size/MD5 checksum: 807996 1dd6e453aa93c420a145dd5397ee99bd Intel IA-64 architecture: http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_ia64.deb Size/MD5 checksum: 260864 46ae5bb7b3256421dd7291e7c8898369 http://security.debian.org/pool/updates/main/x/xine-lib/libxine0_0.9.8-2woody5_ia64.deb Size/MD5 checksum: 953654 887b267a44c50e00f8bf9e2190852ca8 HP Precision architecture: http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_hppa.deb Size/MD5 checksum: 260968 aa1ee745d7c5c6b9a8271c64f0a587a0 
    http://security.debian.org/pool/updates/main/x/xine-lib/libxine0_0.9.8-2woody5_hppa.deb
      Size/MD5 checksum:   846792 60ed39365a0c67db2d4fba67d2ba1583

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_m68k.deb
      Size/MD5 checksum:   292718 2a87b508bcc610a01abf8c9c3773d40d
    http://security.debian.org/pool/updates/main/x/xine-lib/libxine0_0.9.8-2woody5_m68k.deb
      Size/MD5 checksum:   617706 67075fef400071473fa948e5dd89b8fc

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_mips.deb
      Size/MD5 checksum:   299478 5b0c49b3745472f71725dd052b60d712
    http://security.debian.org/pool/updates/main/x/xine-lib/libxine0_0.9.8-2woody5_mips.deb
      Size/MD5 checksum:   653086 0044bef2d6ebeb01385d1a20a716046a

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_mipsel.deb
      Size/MD5 checksum:   299568 79851707d297d94d74b613d5abaa6b3a
    http://security.debian.org/pool/updates/main/x/xine-lib/libxine0_0.9.8-2woody5_mipsel.deb
      Size/MD5 checksum:   655030 0868f2d006c6b5282c8880a8460fed77
[Full-disclosure] [SECURITY] [DSA 1104-2] New OpenOffice.org packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1104-2                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
July 6th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-3117

Loading malformed XML documents can cause buffer overflows in
OpenOffice.org, a free office suite, and cause a denial of service or
execute arbitrary code. It turned out that the correction in DSA 1104-1
was not sufficient, hence, another update.

The old stable distribution (woody) does not contain OpenOffice.org
packages.

For the stable distribution (sarge) this problem has been fixed in
version 1.1.3-9sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.3-1.

We recommend that you upgrade your OpenOffice.org packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge3.dsc Size/MD5 checksum: 2878 d4c38e6f466931c04bba4d2cea73a3e5 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge3.diff.gz Size/MD5 checksum: 4625079 30b33df9655dda05a892d32db462aa92 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz Size/MD5 checksum: 166568714 5250574bad9906b38ce032d04b765772 Architecture independent components: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-9sarge3_all.deb Size/MD5 checksum: 2648380 f6ac339b028343125144673bc2a7c1ed http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-9sarge3_all.deb Size/MD5 checksum: 2695816 0d1711358eb05ee82d65c00f06e7fbaf http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-9sarge3_all.deb Size/MD5 checksum: 2692590 1b7bd179a49d6b97b976ca3a1354c0f5 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-9sarge3_all.deb Size/MD5 checksum: 3587658 b66df13ff4fc5d639e922aebaa050ac1 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-9sarge3_all.deb Size/MD5 checksum: 2664526 fbd308813c7f8e24b542b436f2cee8e7 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-9sarge3_all.deb Size/MD5 checksum: 3584150 c56619c9d118293e6985a5af571fb319 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-9sarge3_all.deb Size/MD5 checksum: 3454910 3e8f6928f1bc2c90a457dbee15b16bf4 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-9sarge3_all.deb Size/MD5 checksum: 2742650 caa4e264e4b82688db86b4819a1a013a http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-9sarge3_all.deb 
      Size/MD5 checksum:  3526732 b21221309f66f41fd17d8b1515b607a6
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-9sarge3_all.deb
      Size/MD5 checksum:  3563116 24df087401b004b1afb0dd45bdc563be
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-9sarge3_all.deb
      Size/MD5 checksum:  2646256 eb6915efbba41167d528cb4975cbb241
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-eu_1.1.3-9sarge3_all.deb
      Size/MD5 checksum:  2670092 adab178e6c264d2cb09af0d4f09ba0f9
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fi_1.1.3-9sarge3_all.deb
      Size/MD5 checksum:  2674922 7058d664951875ce398dc989b85b7294
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fr_1.1.3-9sarge3_all.deb
      Size/MD5 checksum:  3495804 d57a92a46ab0209939460431ed32a664
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-gl_1.1.3-9sarge3_all.deb
      Size/MD5 checksum:  2658900 2a8ea6deb45a39a182e21c71b54d1d35
    http://security.debian.org/pool/updates/main/o
[Full-disclosure] [SECURITY] [DSA 1104-1] New OpenOffice.org packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1104-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
June 30th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2006-2198 CVE-2006-2199 CVE-2006-3117

Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite. The Common Vulnerabilities and Exposures Project
identifies the following problems:

CVE-2006-2198

    It turned out to be possible to embed arbitrary BASIC macros in
    documents in a way that OpenOffice.org does not see them but
    executes them anyway without any user interaction.

CVE-2006-2199

    It is possible to evade the Java sandbox with specially crafted
    Java applets.

CVE-2006-3117

    Loading malformed XML documents can cause buffer overflows and
    cause a denial of service or execute arbitrary code.

This update has the Mozilla component disabled, so that the
Mozilla/LDAP addressbook feature won't work anymore. It didn't work on
anything other than i386 on sarge either.

The old stable distribution (woody) does not contain OpenOffice.org
packages.

For the stable distribution (sarge) this problem has been fixed in
version 1.1.3-9sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.3-1.

We recommend that you upgrade your OpenOffice.org packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge2.dsc Size/MD5 checksum: 2878 c29af36cea3d6f22c13f00dbe8247322 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge2.diff.gz Size/MD5 checksum: 4627106 93c4a9d88d0a115df537a3d61cca82b9 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz Size/MD5 checksum: 166568714 5250574bad9906b38ce032d04b765772 Architecture independent components: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-9sarge2_all.deb Size/MD5 checksum: 2648322 4f7714aad4409e00e14ce332e486662e http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-9sarge2_all.deb Size/MD5 checksum: 2695762 4141052d3207816b5368408da9b15975 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-9sarge2_all.deb Size/MD5 checksum: 2692534 b4ccab7fbac287c3e217abd35763c63d http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-9sarge2_all.deb Size/MD5 checksum: 3587602 f0e95ccc9b8d7b355584a8bc052e5686 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-9sarge2_all.deb Size/MD5 checksum: 2664462 1c4c270ce73b183f56adb7e7b6ab79ab http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-9sarge2_all.deb Size/MD5 checksum: 3584076 ad6d82e05d64ed9e0e5bfa9fdb8ea1a3 http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-9sarge2_all.deb Size/MD5 checksum: 3454874 6cc643abc1a34367f357b01979a9e74e http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-9sarge2_all.deb Size/MD5 checksum: 2742632 e21a6035232fe123b92da0e1a8b4ad6a http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-9sarge2_all.deb 
      Size/MD5 checksum:  3526678 1dca9def45f48a04b58a1c8794280dfd
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-9sarge2_all.deb
      Size/MD5 checksum:  3563056 da70a829bcdf5357b1a9fb0d0c024f58
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-9sarge2_all.deb
      Size/MD5 checksum:  2646184 822b4acde201446a26ac6632688bbad9
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-eu_1.1.3-9sarge2_all.deb
      Size/MD5 checksum:  2670064 ad10df5ab47cd27da0249e03c472a042
    http://security.debian.org
[Full-disclosure] [SECURITY] [DSA 1096-1] New webcalendar packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1096-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
June 13th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : webcalendar
Vulnerability  : uninitialised variable
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2762

A vulnerability has been discovered in webcalendar, a PHP-based
multi-user calendar, that allows a remote attacker to execute arbitrary
PHP code when register_globals is turned on.

The old stable distribution (woody) does not contain a webcalendar
package.

For the stable distribution (sarge) this problem has been fixed in
version 0.9.45-4sarge5.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.4-1.

We recommend that you upgrade your webcalendar package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge5.dsc
      Size/MD5 checksum:      608 216c1f9f764169fa877f1717f37dd73a
    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge5.diff.gz
      Size/MD5 checksum:    12569 3a996902a10791fe764548728885d812
    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45.orig.tar.gz
      Size/MD5 checksum:   612360 a6a66dc54cd293429b604fe6da7633a6

  Architecture independent components:

    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge5_all.deb
      Size/MD5 checksum:   629442 f918fe96d26d5cbfa99efe2b2e938d2f

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEjk90W5ql+IAeqTIRArYKAKCJic+8h2YdllXcH8xtJPmj2xMyGwCglQXg
owYhn8S6C9P4sO5vbiIh2/w=
=Y3y5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 1095-1] New freetype packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1095-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
June 10th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : freetype
Vulnerability  : integer overflows
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661
CERT advisory  :
BugTraq ID     : 18034
Debian Bug     :

Several problems have been discovered in the FreeType 2 font engine.
The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2006-0747

    Several integer underflows have been discovered which could allow
    remote attackers to cause a denial of service.

CVE-2006-1861

    Chris Evans discovered several integer overflows that lead to a
    denial of service or could possibly even lead to the execution of
    arbitrary code.

CVE-2006-2493

    Several more integer overflows have been discovered which could
    possibly lead to the execution of arbitrary code.

CVE-2006-2661

    A null pointer dereference could cause a denial of service.

For the old stable distribution (woody) these problems have been fixed
in version 2.0.9-1woody1.

For the stable distribution (sarge) these problems have been fixed in
version 2.1.7-2.5.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your libfreetype packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/f/freetype/freetype_2.0.9-1woody1.dsc Size/MD5 checksum: 672 e9f338a6cc7d4f8924ec9df3dd14035a http://security.debian.org/pool/updates/main/f/freetype/freetype_2.0.9-1woody1.diff.gz Size/MD5 checksum:17441 8313446b932167b006e7b039c6890821 http://security.debian.org/pool/updates/main/f/freetype/freetype_2.0.9.orig.tar.gz Size/MD5 checksum: 908842 102e1d651fd6404e656e3d1d8a36a4a0 Alpha architecture: http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.0.9-1woody1_alpha.deb Size/MD5 checksum:72438 81cf505ba02eb5167141388fedd84177 http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.0.9-1woody1_alpha.deb Size/MD5 checksum: 244742 599b407104960c51a32c75782ccc6bcb http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.0.9-1woody1_alpha.deb Size/MD5 checksum: 598368 f5bb8504b2d91b0af7cd878f661520d4 ARM architecture: http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.0.9-1woody1_arm.deb Size/MD5 checksum:38802 0890e233c07cfa17fcf4de4e312ee0cb http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.0.9-1woody1_arm.deb Size/MD5 checksum: 211736 c071143fd0bcbba47e3be584dd52c9b5 http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.0.9-1woody1_arm.deb Size/MD5 checksum: 565936 3ea6b5786fdc1b74c8ce501a83f87b56 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.0.9-1woody1_i386.deb Size/MD5 checksum:37128 55f75b5277bc86e66167bd92019d0dc0 http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.0.9-1woody1_i386.deb Size/MD5 checksum: 208990 c59dc78191132dcc3db2ad6e529ed872 http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.0.9-1woody1_i386.deb Size/MD5 checksum: 541294 028c883672af3f15cdea4595e124d12d Intel IA-64 architecture: 
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.0.9-1woody1_ia64.deb Size/MD5 checksum:91606 34dd0d964ef7f5471a9d8aca9204eae6 http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.0.9-1woody1_ia64.deb Size/MD5 checksum: 314490 f277129e151512f5f40f7dac92bd70ca http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.0.9-1woody1_ia64.deb Size/MD5 checksum: 661156 2da5eeaec642e9ad417f05d556042654 HP Precision architecture: http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.0.9-1woody1_hppa.deb Size/MD5 checksum:65954 01f070e5a891f294673ecc02746e2a3e
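The upgrade instructions in this and every other DSA on this page say to fetch each file with `wget url` and install it with `dpkg -i file.deb`, and list a Size/MD5 pair per file so the fetched copy can be checked first. The following script is an added example, not part of the advisory and not Debian tooling: it parses those Size/MD5 pairs out of advisory text (the original two-line layout or the flattened copy above, where "checksum:" is sometimes glued to the size) and checks the downloaded files against them before they go anywhere near dpkg. The advisory text is what the PGP signature covers, so a matching size and digest ties a fetched file back to that signature; MD5 is not collision-resistant, so treat the match as a transport-integrity check rather than proof of authenticity on its own. The URLs, digests and files in `demo()` are constructed for the demonstration.

```python
"""Check downloaded Debian update files against the Size/MD5 pairs in a DSA.

Added example; not part of the advisory and not Debian tooling.  Per file the
advisory prints a URL followed by "Size/MD5 checksum: SIZE MD5"; the parser
accepts both the original two-line layout and the flattened copy on this
page, where "checksum:" may be glued to the size ("checksum:17441").
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile

# Package-pool URL as the advisories print them (assumed suffix set).
_URL_RE = re.compile(r"^https?://\S+\.(?:deb|dsc|diff\.gz|tar\.gz)$")
_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_advisory(text: str) -> list[tuple[str, int, str]]:
    """Return (url, size, md5) triples in advisory order.

    Tokenising on whitespace makes line breaks irrelevant.  A URL whose
    size/digest pair is incomplete (a truncated copy) is dropped, not guessed.
    """
    triples: list[tuple[str, int, str]] = []
    url: str | None = None
    size: int | None = None
    for tok in text.split():
        if _URL_RE.match(tok):
            url, size = tok, None                      # a new entry starts
        elif url is not None and size is None:
            digits = tok[len("checksum:"):] if tok.startswith("checksum:") else tok
            if digits.isdigit():
                size = int(digits)
        elif url is not None and _MD5_RE.match(tok):
            triples.append((url, size, tok))
            url, size = None, None
    return triples


def verify_file(path: str, size: int, md5: str) -> tuple[bool, str]:
    """Compare one local file's length and MD5 with the advisory's values."""
    if not os.path.isfile(path):
        return False, "missing"
    actual_size = os.path.getsize(path)
    if actual_size != size:
        return False, f"size {actual_size} != {size}"
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    if h.hexdigest() != md5:
        return False, f"md5 {h.hexdigest()} != {md5}"
    return True, "ok"


def verify_downloads(advisory_text: str, download_dir: str, arch: str) -> dict[str, tuple[bool, str]]:
    """Verify every file the advisory lists for ARCH (plus the
    architecture-independent _all.deb files) in download_dir, keyed by
    basename.  Files for other architectures are ignored, not reported."""
    wanted_suffixes = (f"_{arch}.deb", "_all.deb")
    results: dict[str, tuple[bool, str]] = {}
    for url, size, md5 in parse_advisory(advisory_text):
        name = url.rsplit("/", 1)[-1]
        if name.endswith(wanted_suffixes):
            results[name] = verify_file(os.path.join(download_dir, name), size, md5)
    return results


def demo() -> dict[str, tuple[bool, str]]:
    """Run the check on a constructed advisory snippet and a constructed
    download directory holding one good file and one tampered file."""
    # Constructed advisory text in the flattened layout seen on this page;
    # package names and digests are invented for the demo.
    advisory = (
        "http://security.debian.org/pool/updates/main/f/foo/libfoo_1.0-1_i386.deb "
        "Size/MD5 checksum: 6 b1946ac92492d2347c6235b4d2611184 "
        "http://security.debian.org/pool/updates/main/f/foo/foo-tools_1.0-1_i386.deb "
        "Size/MD5 checksum:6 b1946ac92492d2347c6235b4d2611184 "
        "http://security.debian.org/pool/updates/main/f/foo/libfoo_1.0-1_alpha.deb "
        "Size/MD5 checksum: 9 0123456789abcdef0123456789abcdef "
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "libfoo_1.0-1_i386.deb"), "wb") as f:
            f.write(b"hello\n")        # 6 bytes; MD5 matches the listed digest
        with open(os.path.join(d, "foo-tools_1.0-1_i386.deb"), "wb") as f:
            f.write(b"hellp\n")        # same length, different content
        return verify_downloads(advisory, d, "i386")


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("OK  " if ok else "FAIL", name, reason)
```

Usage on a real advisory: save the mail as text, `wget` the files for your architecture into one directory, then `verify_downloads(open("dsa.txt").read(), "downloads", "i386")` and run `dpkg -i` only if every entry reports `ok`. A size match alone is not enough; the tampered file in `demo()` has the right length and is still rejected on the digest.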
[Full-disclosure] [SECURITY] [DSA 1091-1] New TIFF packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1091-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Martin Schulze
June 8th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : tiff
Vulnerability  : buffer overflows
Problem type   : none or remote
Debian-specific: no
CVE ID         : CVE-2006-2656 CVE-2006-2193
Debian Bug     : 369819

Several problems have been discovered in the TIFF library.  The Common
Vulnerabilities and Exposures project identifies the following issues:

CVE-2006-2193

    SuSE discovered a buffer overflow in the conversion of TIFF files
    into PDF documents which could be exploited when tiff2pdf is used
    e.g. in a printer filter.

CVE-2006-2656

    The tiffsplit command from the TIFF library contains a buffer
    overflow in the command-line handling which could be exploited when
    the program is executed automatically on unknown filenames.

For the old stable distribution (woody) this problem has been fixed in
version 3.5.5-7woody2.

For the stable distribution (sarge) this problem has been fixed in
version 3.7.2-5.

For the unstable distribution (sid) this problem has been fixed in
version 3.8.2-4.

We recommend that you upgrade your tiff packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-7woody2.dsc Size/MD5 checksum: 635 63c05c844a00a57f87f1804dc668ccbf http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-7woody2.diff.gz Size/MD5 checksum:38682 5905ba8ea39b409b4aa2893b697f35bc http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5.orig.tar.gz Size/MD5 checksum: 693641 3b7199ba793dec6ca88f38bb0c8cc4d8 Alpha architecture: http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_alpha.deb Size/MD5 checksum: 141478 2e995b46f312ecf35858f06e50c2ae2e http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_alpha.deb Size/MD5 checksum: 106182 c383b1a1f292525e60efa68750bda5ae http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_alpha.deb Size/MD5 checksum: 423868 da0015dd297de4f4128488fca92c3a88 ARM architecture: http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_arm.deb Size/MD5 checksum: 117012 fe039271e5e9a94f56a2ca4c8a38a373 http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_arm.deb Size/MD5 checksum:91610 d52006c179bfc3a13a779dfab1afa8fd http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_arm.deb Size/MD5 checksum: 404850 69dd0252a4e15f0bc84ddb0d53ce5c96 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_i386.deb Size/MD5 checksum: 112058 cc978252d32d2e853ed08a655940b15b http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_i386.deb Size/MD5 checksum:82070 22733411e25f7fac444f148dcfb685a7 http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_i386.deb Size/MD5 checksum: 387442 dc8f36b0bfed0cc69d53c14f6b6e2fd4 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_ia64.deb Size/MD5 checksum: 158834 
dda97df687d64fef045e7dd425a9b01e http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_ia64.deb Size/MD5 checksum: 136678 e43c8ca8bcbdb54d09cee79f7c2f5665 http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_ia64.deb Size/MD5 checksum: 447048 100db6566cc42766d93fd67913834096 HP Precision architecture: http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_hppa.deb Size/MD5 checksum: 128284 43c94055d54efb3d3d0708f527617ca8 http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_hppa.deb Size/MD5 checksum: 107708 089f41dfe3629250ddc02cbe1c76c649 http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_hppa.deb Size/MD5 checksum: 420730
[Full-disclosure] [SECURITY] [DSA 1092-1] New MySQL 4.1 packages fix SQL injection
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1092-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Martin Schulze
June 8th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mysql-dfsg-4.1
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2753
BugTraq ID     : 18219

Josh Berkus and Tom Lane discovered that MySQL 4.1, a popular SQL
database, incorrectly parses a string escaped with mysql_real_escape()
which could lead to SQL injection.  This problem only exists in versions
4.1 and 5.0.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 4.1.11a-4sarge4.

For the unstable distribution (sid) this problem has been fixed in
version 5.0.21-4.

Version 4.0 in the stable distribution (sarge) is also not affected by
this problem.

We recommend that you upgrade your mysql packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge4.dsc Size/MD5 checksum: 1021 af71d3e6da11441dfd8ed93c20ca8729 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge4.diff.gz Size/MD5 checksum: 167558 438fd6709d74cb614901d0ea9a965745 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz Size/MD5 checksum: 15771855 3c0582606a8903e758c2014c2481c7c3 Architecture independent components: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge4_all.deb Size/MD5 checksum:36302 abaa8025885618451c598493b41d10bb Alpha architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_alpha.deb Size/MD5 checksum: 1590578 754d9c9d253ba8488ee66efc92dcb1ca http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_alpha.deb Size/MD5 checksum: 7965338 b623f43445b37b8af9f91c09ed31d4ae http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_alpha.deb Size/MD5 checksum: 1000754 32ed105998bb4a23d52d861fac54e840 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_alpha.deb Size/MD5 checksum: 17488018 d3cda036d9920c18de5849ab3dc024c8 AMD64 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_amd64.deb Size/MD5 checksum: 1451828 06f3945b95051a12f9f155a268094dcf http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_amd64.deb Size/MD5 checksum: 5551444 3663f19adb6b38a61682619ef19cfbc8 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_amd64.deb Size/MD5 checksum: 849336 42c8d15b1329e901a845dc74626a0f3e 
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_amd64.deb Size/MD5 checksum: 14711198 aa976778d4cfdbfaab96fe4bcbeb8cb5 ARM architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_arm.deb Size/MD5 checksum: 1388714 4786d6136ff3d5d9d4258754eb64b356 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_arm.deb Size/MD5 checksum: 5558586 796c478d90a750e0a577434512fdaeb6 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_arm.deb Size/MD5 checksum: 836542 d62795e99b44d319626c15446c962d44 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_arm.deb Size/MD5 checksum: 14557476 ac7a7d39805b00b27872cdc339f688d5 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_i386.deb Size/MD5 checksum: 1417826 f8d012cb6a85554c0d94bfcac7f78791 http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14
[Full-disclosure] [SECURITY] [DSA 1093-1] New xine-ui packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1093-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Martin Schulze
June 8th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xine-ui
Vulnerability  : format string
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-2230

Several format string vulnerabilities have been discovered in xine-ui,
the user interface of the xine video player, which may cause a denial of
service.

The old stable distribution (woody) is not affected by these problems.

For the stable distribution (sarge) these problems have been fixed in
version 0.99.3-1sarge1.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your xine-ui package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1.dsc Size/MD5 checksum: 746 527be88be68d5710bf5e0a5b09ffc839 http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1.diff.gz Size/MD5 checksum: 1288 64415eeb7634cc0dca6d7a44e7a8f404 http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3.orig.tar.gz Size/MD5 checksum: 2610080 aa7805a93e511e3d67dc1bf09a71fcdd Alpha architecture: http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_alpha.deb Size/MD5 checksum: 1877496 56392abc6057d656c041bfbad49976ad AMD64 architecture: http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_amd64.deb Size/MD5 checksum: 1766792 b093fcc76082ac6e95518f2ec9a27bd9 ARM architecture: http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_arm.deb Size/MD5 checksum: 1711066 856ce425a4db60d0d043b95ad0a7ec18 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_i386.deb Size/MD5 checksum: 1731748 5f971967308012850fecd3c9362cec9b Intel IA-64 architecture: http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_ia64.deb Size/MD5 checksum: 2041594 6f37253dad654f31f5bd12c2109e5726 HP Precision architecture: http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_hppa.deb Size/MD5 checksum: 1682926 1ac6f7faa43469e805c01be3d8756a2b Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_m68k.deb Size/MD5 checksum: 1588564 baea2fa096194f491dcf2438cfa489c7 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_mips.deb Size/MD5 checksum: 1762350 fbbaa304745c86021a0ffe463530a573 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_mipsel.deb Size/MD5 checksum: 1762594 
6399a62f5e919c04333a2c5533e64cc0

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_powerpc.deb
      Size/MD5 checksum:  1776176 387dfa9a66f0fa3e26e9d26b5cc3aed0

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_s390.deb
      Size/MD5 checksum:  1742376 b41686f1d871c498d6f4185736317ff2

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_sparc.deb
      Size/MD5 checksum:  1761044 f37b88d9d0a99ee2a6be783e403d634c


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEiFuZW5ql+IAeqTIRAsHoAJwOG55xMoMf0JNrQTSU4/uNdfVEVgCfeLsx
zfvwQpHmp7D9/42WzafrNjU=
=Ac3t
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 1090-1] New spamassassin packages fix remote command execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1090-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Martin Schulze
June 6th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : spamassassin
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2447

A vulnerability has been discovered in SpamAssassin, a Perl-based spam
filter using text analysis, that can allow remote attackers to execute
arbitrary commands.  This problem only affects systems where spamd is
reachable via the internet and used with vpopmail virtual users, via the
-v / --vpopmail switch, and with the -P / --paranoid switch which is not
the default setting on Debian.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 3.0.3-2sarge1.

For the volatile archive for the stable distribution (sarge) this
problem has been fixed in version 3.1.0a-0volatile3.

For the unstable distribution (sid) this problem has been fixed in
version 3.1.3-1.

We recommend that you upgrade your spamd package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2sarge1.dsc Size/MD5 checksum: 788 f9cce6d19fd73d0d62561a14672e9564 http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2sarge1.diff.gz Size/MD5 checksum:45414 8804e76766eefa4324509b94dc005afa http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3.orig.tar.gz Size/MD5 checksum: 999558 ca96f23cd1eb7d663ab55db98ef8090c Architecture independent components: http://security.debian.org/pool/updates/main/s/spamassassin/spamassassin_3.0.3-2sarge1_all.deb Size/MD5 checksum: 769158 c4f10367da201b11d09a1c15da946f3b Alpha architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_alpha.deb Size/MD5 checksum:61720 3415e7c2962d21b897c6301c8ce88d8c AMD64 architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_amd64.deb Size/MD5 checksum:59700 4ee41384f107a46440c74bd2c6ff3cd4 ARM architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_arm.deb Size/MD5 checksum:58494 909e85063300d2ddfc38270e19f39b9c Intel IA-32 architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_i386.deb Size/MD5 checksum:57626 adb71b8190e535646d936333da1180ca Intel IA-64 architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_ia64.deb Size/MD5 checksum:65166 63435fc25e69eb3dcbdd95b9f682fbe5 HP Precision architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_hppa.deb Size/MD5 checksum:60366 7eb8b16a9701e96f2298cb0506bc2aa9 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_m68k.deb Size/MD5 checksum:57672 66ca12aa5edec5380b6d8eb959fab045 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_mips.deb 
Size/MD5 checksum:60362 98cf7bd2a3db3fa65b9f6ded3891a695 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_mipsel.deb Size/MD5 checksum:60354 47bc85b216aad03d54f2a7a342cef760 PowerPC architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_powerpc.deb Size/MD5 checksum:60730 c408427db34e9d38c982190c8e8ff8d5 IBM S/390 architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_s390.deb Size/MD5 checksum:59574 b3fc066015148c10ad11d4055a1a2289 Sun Sparc architecture: http://security.debian.org/pool/updates/main/s/spamassassin/spamc_3.0.3-2sarge1_sparc.deb Size/MD5 checksum:58492 a20e3d4ed9fd9a9d013f380e0f4b3c33 These files will probably be moved into the stable distribution
[Full-disclosure] [SECURITY] [DSA 1087-1] New PostgreSQL packages fix encoding vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1087-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Martin Schulze
June 3rd, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : postgresql
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-2313 CVE-2006-2314

Several encoding problems have been discovered in PostgreSQL, a popular
SQL database.  The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2006-2313

    Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling
    of invalidly-encoded multibyte text data which could allow an
    attacker to inject arbitrary SQL commands.

CVE-2006-2314

    A similar problem exists in client-side encodings (such as SJIS,
    BIG5, GBK, GB18030, and UHC) which contain valid multibyte
    characters that end with the backslash character.  An attacker
    could supply a specially crafted byte sequence that is able to
    inject arbitrary SQL commands.

    This issue does not affect you if you only use single-byte (like
    SQL_ASCII or the ISO-8859-X family) or unaffected multibyte (like
    UTF-8) encodings.

    psycopg and python-pgsql use the old encoding for binary data and
    may have to be updated.

The old stable distribution (woody) is affected by these problems but
we're unable to correct the package.

For the stable distribution (sarge) these problems have been fixed in
version 7.4.7-6sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 7.4.13-1.

We recommend that you upgrade your postgresql packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2.dsc Size/MD5 checksum: 985 78d63a976c27999c86bbd57f70eae80d http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2.diff.gz Size/MD5 checksum: 189611 577fb231aac4f86692e935b6a30eb1f4 http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7.orig.tar.gz Size/MD5 checksum: 9952102 d193c58aef02a745e8657c48038587ac Architecture independent components: http://security.debian.org/pool/updates/main/p/postgresql/postgresql-doc_7.4.7-6sarge2_all.deb Size/MD5 checksum: 2266882 86068a0b0bd5f3353746555933d29317 Alpha architecture: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_alpha.deb Size/MD5 checksum: 239980 bb173b640c9f206c320d20b554d724fa http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_alpha.deb Size/MD5 checksum: 104826 0d4a8d8aea91799bc70617f9e47b5b29 http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl_7.4.7-6sarge2_alpha.deb Size/MD5 checksum:82408 f4a3dad48412573e5b993c4d9e7400f1 http://security.debian.org/pool/updates/main/p/postgresql/libpgtcl-dev_7.4.7-6sarge2_alpha.deb Size/MD5 checksum:61972 7cc403fea81613636d180358568638ca http://security.debian.org/pool/updates/main/p/postgresql/libpq3_7.4.7-6sarge2_alpha.deb Size/MD5 checksum: 139496 bede365b3e3505f79cb734747744fd5e http://security.debian.org/pool/updates/main/p/postgresql/postgresql_7.4.7-6sarge2_alpha.deb Size/MD5 checksum: 4153162 86740fcfb886861702c8bccbcfb7a8be http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_7.4.7-6sarge2_alpha.deb Size/MD5 checksum: 614270 16108bc1a5cc9d7d51337597e2f5090c http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_7.4.7-6sarge2_alpha.deb Size/MD5 checksum: 701704 de550242e2d5cbbf0d9c24aad75a4977 
http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_7.4.7-6sarge2_alpha.deb Size/MD5 checksum: 546150 d9c95cc8ac6e21509b13640d0589c46c AMD64 architecture: http://security.debian.org/pool/updates/main/p/postgresql/libecpg-dev_7.4.7-6sarge2_amd64.deb Size/MD5 checksum: 210208 602e081a5b8ef164d0d7114cfbb002e2 http://security.debian.org/pool/updates/main/p/postgresql/libecpg4_7.4.7-6sarge2_amd64.deb Size/MD5 checksum:96442
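DSA 1092-1 (MySQL, CVE-2006-2753) above and DSA 1087-1 (PostgreSQL, CVE-2006-2313/2314) here describe the same bug class: a client-side escaping routine that inserts a backslash byte before each quote without knowing the connection character set, while the server then decodes the statement in a multibyte charset (SJIS, BIG5, GBK, ...) in which 0x5C is a legal trail byte, so the inserted backslash is swallowed into a multibyte character and the quote it was meant to protect terminates the string literal. The following Python is an added example that models that mechanism; it is not the MySQL or PostgreSQL code and its query, table name and attacker input are constructed. It places the charset-blind escaper beside the fix the PostgreSQL advisory implies: validate the bytes as the connection charset first, so a lone lead byte is rejected, and quote by doubling the quote character so no 0x5C byte is ever introduced.

```python
"""Charset-blind vs charset-aware quoting of untrusted bytes.

Added example; not taken from the Debian advisories or from the MySQL or
PostgreSQL sources.  It models the bug class behind CVE-2006-2753 and
CVE-2006-2314.  All inputs are constructed for the demonstration.
"""
from __future__ import annotations


def untrusted_input(lead_byte: int) -> bytes:
    """Constructed attacker input: a lone multibyte lead byte immediately
    followed by a quote, then the SQL the attacker wants to run."""
    return bytes([lead_byte]) + b"' OR 1=1 -- "


def escape_bytewise(raw: bytes) -> bytes:
    """Vulnerable pattern: backslash-escape quote and backslash bytes with no
    knowledge of the charset.  0xBF 0x27 becomes 0xBF 0x5C 0x27, and in GBK
    0xBF 0x5C is one valid character, so the quote is no longer escaped."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x5C):          # ' and \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_charset_aware(raw: bytes, charset: str) -> bytes:
    """Fixed pattern: strict-decode in the connection charset (a lone lead
    byte raises UnicodeDecodeError), then escape by doubling the quote, which
    never introduces a 0x5C byte."""
    text = raw.decode(charset)
    return text.replace("'", "''").encode(charset)


def build_query(escaped_value: bytes) -> bytes:
    """The statement a (constructed) application sends, as bytes on the wire."""
    return b"SELECT id FROM users WHERE name = '" + escaped_value + b"'"


def server_parse(query: bytes, charset: str) -> tuple[str, str]:
    """Minimal emulation of the server's lexer for one quoted literal: decode
    the whole statement in the connection charset, then scan the literal with
    MySQL-style backslash escapes and SQL-standard doubled quotes.  Returns
    (literal, text after the closing quote); anything non-empty in the second
    element was never part of the value, i.e. it is injected SQL."""
    text = query.decode(charset)
    i = text.index("'") + 1
    literal: list[str] = []
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            literal.append(text[i + 1])
            i += 2
        elif c == "'":
            if text[i + 1 : i + 2] == "'":       # doubled quote inside literal
                literal.append("'")
                i += 2
            else:
                return "".join(literal), text[i + 1 :]
        else:
            literal.append(c)
            i += 1
    return "".join(literal), ""                  # unterminated literal


def injected(raw: bytes, charset: str, escaper) -> bool:
    """True when `escaper(raw, charset)` lets the attacker break out of the
    literal on a server decoding in `charset`; an escaper that rejects the
    input outright counts as safe."""
    try:
        escaped = escaper(raw, charset)
    except UnicodeDecodeError:
        return False
    _, tail = server_parse(build_query(escaped), charset)
    return tail.strip() != ""


if __name__ == "__main__":
    bytewise = lambda raw, charset: escape_bytewise(raw)
    # GBK lead bytes are 0x81-0xFE; SJIS lead bytes include 0x81-0x9F.
    for charset, lead in (("gbk", 0xBF), ("shift_jis", 0x81)):
        raw = untrusted_input(lead)
        print(f"{charset:10} bytewise injected: {injected(raw, charset, bytewise)}"
              f"  charset-aware injected: {injected(raw, charset, escape_charset_aware)}")
```

The second element returned by `server_parse` is the practical test: for the bytewise path it comes back as `OR 1=1 -- '`, for the charset-aware path the input never reaches the server. Doubling quotes also keeps a legitimate multibyte character whose trail byte is 0x5C intact, which a backslash-based escaper cannot do safely without knowing the charset.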
[Full-disclosure] [SECURITY] [DSA 1088-1] New centericq packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1088-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Martin Schulze
June 3rd, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : centericq
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-3863
BugTraq ID     : 15600
Debian Bug     : 340959

Mehdi Oudad and Kevin Fernandez discovered a buffer overflow in the
ktools library which is used in centericq, a text-mode multi-protocol
instant messenger client, which may allow local or remote attackers to
execute arbitrary code.

For the old stable distribution (woody) this problem has been fixed in
version 4.5.1-1.1woody2.

For the stable distribution (sarge) this problem has been fixed in
version 4.20.0-1sarge4.

For the unstable distribution (sid) this problem has been fixed in
version 4.21.0-6.

We recommend that you upgrade your centericq package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2.dsc Size/MD5 checksum: 603 792e9548d8f6d540c26fa0fdbdd1df57 http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2.diff.gz Size/MD5 checksum: 3827 dc51504b36a05b003de1d22c2c879223 http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1.orig.tar.gz Size/MD5 checksum: 680625 e50121ea43a54140939b7bec8efdefe0 Alpha architecture: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_alpha.deb Size/MD5 checksum: 868742 1e533bd67111dbaca069ec6a7e9122ec ARM architecture: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_arm.deb Size/MD5 checksum: 809068 400376da91c99a970032220e39de0c73 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_i386.deb Size/MD5 checksum: 648950 4b30966a06e54085bbb8db33f03beeca Intel IA-64 architecture: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_ia64.deb Size/MD5 checksum: 930922 f8aaa7129fb4ffc5de2468662166db5f HP Precision architecture: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_hppa.deb Size/MD5 checksum: 821294 79ffab208975e12fb264cbb4ef36c6b3 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_m68k.deb Size/MD5 checksum: 612174 969fff39d5249b24d5c711cc312a92d4 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_mips.deb Size/MD5 checksum: 649086 11f73ccf6f59687b0e9f4eb2d939fc93 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_mipsel.deb Size/MD5 checksum: 634462 2a54c83a7a9f5a47495e7d608d2705bd PowerPC architecture: 
http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_powerpc.deb Size/MD5 checksum: 633210 21767275a156aa5309d2febe03e395db IBM S/390 architecture: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_s390.deb Size/MD5 checksum: 534764 483dda7f47f832ef50ae50a721164e62 Sun Sparc architecture: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.5.1-1.1woody2_sparc.deb Size/MD5 checksum: 617338 12554ee66d37458909aea51e0b18 Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/c/centericq/centericq_4.20.0-1sarge4.dsc Size/MD5 checksum: 851 347a8183b403014c403f1757f353e436 http://security.debian.org/pool/updates/main/c/centericq/centericq_4.20.0-1sarge4.diff.gz Size/MD5 checksum: 106308 ee5a0e2b155ab6ee35c7be04941cb574 http://security.debian.org/pool/updates/main/c/centericq/centericq_4.20.0.orig.tar.gz Size/MD5 checksum: 1796894 874165f4fbd40e3be677bdd1696cee9d Alpha architecture: http://security.debian.org/pool/updates/main
[Full-disclosure] [SECURITY] [DSA 1089-1] New freeradius packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1089-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Martin Schulze
June 3rd, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : freeradius
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2005-4744 CVE-2006-1354
BugTraq IDs    : 17171 17293
Debian Bug     : 359042

Several problems have been discovered in freeradius, a high-performance
and highly configurable RADIUS server.  The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2005-4744

    SuSE researchers have discovered several off-by-one errors that may
    allow remote attackers to cause a denial of service and possibly
    execute arbitrary code.

CVE-2006-1354

    Due to insufficient input validation it is possible for a remote
    attacker to bypass authentication or cause a denial of service.

The old stable distribution (woody) does not contain this package.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.2-4sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 1.1.0-1.2.

We recommend that you upgrade your freeradius package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1.dsc Size/MD5 checksum: 897 56748d8bbc17aa4e7393b990eb74b3eb http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1.diff.gz Size/MD5 checksum:15630 20c245bcb697ed963fa5599fd64412fd http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2.orig.tar.gz Size/MD5 checksum: 1931715 422a004f2354b2a7364f5b683891a26a Architecture independent components: http://security.debian.org/pool/updates/main/f/freeradius/freeradius-dialupadmin_1.0.2-4sarge1_all.deb Size/MD5 checksum: 111708 ad56d19ec032f33dc7c80816176fdb33 Alpha architecture: http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_alpha.deb Size/MD5 checksum: 2234836 a9bfbf394a28e96c3a548f4c9cc6daf1 http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_alpha.deb Size/MD5 checksum:54158 01356bafaa902def24608e4ff0f5234f http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_alpha.deb Size/MD5 checksum:54986 bee15f15d005285f827766f996c60ce4 http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_alpha.deb Size/MD5 checksum: 107460 56d7d0ee92185d08baac041d5997849f http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_alpha.deb Size/MD5 checksum:55930 f9b5543a03e90b5dff4657eb74c17e1d AMD64 architecture: http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_amd64.deb Size/MD5 checksum: 1961200 87bf5381e4746425397e6315811aa202 http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_amd64.deb Size/MD5 checksum:53024 c61df3f04a0f4022edf411bd98416ba6 http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_amd64.deb Size/MD5 checksum:53786 e21e4a4f2073dd8ed6eb123432b45360 
http://security.debian.org/pool/updates/main/f/freeradius/freeradius-ldap_1.0.2-4sarge1_amd64.deb Size/MD5 checksum:99594 5090d67f5a4da97b097656608a570ba6 http://security.debian.org/pool/updates/main/f/freeradius/freeradius-mysql_1.0.2-4sarge1_amd64.deb Size/MD5 checksum:54750 0431a87e678e805a6ef551dd8e5307aa ARM architecture: http://security.debian.org/pool/updates/main/f/freeradius/freeradius_1.0.2-4sarge1_arm.deb Size/MD5 checksum: 2034200 a78f3ddf85f1e71c32e9b86e8e85 http://security.debian.org/pool/updates/main/f/freeradius/freeradius-iodbc_1.0.2-4sarge1_arm.deb Size/MD5 checksum:51194 7238cf725afbcaf03efab289cc6bd11b http://security.debian.org/pool/updates/main/f/freeradius/freeradius-krb5_1.0.2-4sarge1_arm.deb Size/MD5 checksum:52600 9f16d186efe2c9ee581516d9263acd33 http://security.debian.org
[Full-disclosure] [SECURITY] [DSA 1086-1] New xmcd packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1086-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Martin Schulze
June 2nd, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xmcd
Vulnerability  : design flaw
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2006-2542
Debian Bug     : 366816

The xmcdconfig creates directories world-writable, allowing local users
to fill the /usr and /var partition and hence cause a denial of service.
This problem has been half-fixed since version 2.3-1.

For the old stable distribution (woody) this problem has been fixed in
version 2.6-14woody1.

For the stable distribution (sarge) this problem has been fixed in
version 2.6-17sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.6-18.

We recommend that you upgrade your xmcd package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
[Full-disclosure] [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities
Debian Security Advisory DSA 1085-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
June 1st, 2006                          http://www.debian.org/security/faq

Package        : lynx-ssl
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2004-1617 CAN-2005-3120
BugTraq ID     : 11443
Debian Bug     : 296340

Several vulnerabilities have been discovered in lynx, the popular text-mode WWW browser. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities:

CVE-2004-1617

    Michal Zalewski discovered that lynx is not able to grok invalid HTML including a TEXTAREA tag with a large COLS value and a large tag name in an element that is not terminated, and loops forever trying to render the broken HTML.

CAN-2005-3120

    Ulf Härnhammar discovered a buffer overflow that can be remotely exploited. During the handling of Asian characters when connecting to an NNTP server, lynx can be tricked into writing past the boundary of a buffer, which can lead to the execution of arbitrary code.

For the old stable distribution (woody) these problems have been fixed in version 2.8.5-2.5woody1.

For the stable distribution (sarge) these problems have been fixed in version 2.8.6-9sarge1.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your lynx-cur package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] [SECURITY] [DSA 1083-1] New motor packages fix arbitrary code execution
Debian Security Advisory DSA 1083-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
May 31st, 2006                          http://www.debian.org/security/faq

Package        : motor
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2005-3863
Debian Bug     : 368400

Mehdi Oudad and Kevin Fernandez discovered a buffer overflow in the ktools library, which is used in motor, an integrated development environment for C, C++ and Java. The flaw may allow local attackers to execute arbitrary code.

For the old stable distribution (woody) this problem has been fixed in version 3.2.2-2woody1.

For the stable distribution (sarge) this problem has been fixed in version 3.4.0-2sarge1.

For the unstable distribution (sid) this problem has been fixed in version 3.4.0-6.

We recommend that you upgrade your motor package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] [SECURITY] [DSA 1079-1] New MySQL 4.0 packages fix several vulnerabilities
Debian Security Advisory DSA 1079-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
May 29th, 2006                          http://www.debian.org/security/faq

Package        : mysql-dfsg
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518
CERT advisory  : VU#602457
BugTraq IDs    : 16850 17780
Debian Bugs    : 366044 366049 366163

Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems:

CVE-2006-0903

    Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms.

CVE-2006-1516

    Usernames without a trailing null byte allow remote attackers to read portions of memory.

CVE-2006-1517

    A request with an incorrect packet length allows remote attackers to obtain sensitive information.

CVE-2006-1518

    Specially crafted request packets with invalid length values allow the execution of arbitrary code.

The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed:

                  woody           sarge             sid
  mysql           3.23.49-8.15    n/a               n/a
  mysql-dfsg      n/a             4.0.24-10sarge2   n/a
  mysql-dfsg-4.1  n/a             4.1.11a-4sarge3   n/a
  mysql-dfsg-5.0  n/a             n/a               5.0.21-3

We recommend that you upgrade your mysql packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] [SECURITY] [DSA 1081-1] New libextractor packages fix arbitrary code execution
Debian Security Advisory DSA 1081-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
May 29th, 2006                          http://www.debian.org/security/faq

Package        : libextractor
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-2458
BugTraq ID     : 18021

Luigi Auriemma discovered a buffer overflow in the processing of ASF files in libextractor, a library to extract arbitrary meta-data from files, which can lead to the execution of arbitrary code.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 0.4.2-2sarge5.

For the unstable distribution (sid) this problem has been fixed in version 0.5.14-1.

We recommend that you upgrade your libextractor packages.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] [SECURITY] [DSA 1078-1] New tiff packages fix denial of service
Debian Security Advisory DSA 1078-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
May 27th, 2006                          http://www.debian.org/security/faq

Package        : tiff
Vulnerability  : out-of-bounds read
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-2120
BugTraq ID     : 17809
Debian Bug     : 366588

Andrey Kiselev discovered a problem in the TIFF library that may allow an attacker with a specially crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values to crash the library and hence the surrounding application.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 3.7.2-4.

The unstable distribution (sid) is not affected by this problem.

We recommend that you upgrade your tiff packages and restart the programs using it.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
[Full-disclosure] [SECURITY] [DSA 1075-1] New awstats packages fix arbitrary command execution
Debian Security Advisory DSA 1075-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
May 26th, 2006                          http://www.debian.org/security/faq

Package        : awstats
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
Debian Bug     : 365910

Hendrik Weimer discovered that awstats can execute arbitrary commands under the user id the web server runs as when users are allowed to supply arbitrary configuration files. Even though this bug was accidentally referenced in DSA 1058, it was not fixed yet. The new default behaviour is not to accept arbitrary configuration directories from the user. This can be overridden by the AWSTATS_ENABLE_CONFIG_DIR environment variable when users are to be trusted.

The old stable distribution (woody) does not seem to be affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 6.4-1sarge3.

For the unstable distribution (sid) this problem has been fixed in version 6.5-2.

We recommend that you upgrade your awstats package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge

  Source archives:

    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge3.dsc
      Size/MD5 checksum:    589 c89ec8be4c06c290950e1da615b4e215
    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge3.diff.gz
      Size/MD5 checksum:  19145 fb59598c0a1ddd970c48bed857c0b364
    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4.orig.tar.gz
      Size/MD5 checksum: 918435 056e6fb0c7351b17fe5bbbe0aa1297b1

  Architecture independent components:

    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge3_all.deb
      Size/MD5 checksum: 728706 395a9e5acb69dcc50da9cf88ed9a89da

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[Full-disclosure] [SECURITY] [DSA 1076-1] New lynx packages fix denial of service
Debian Security Advisory DSA 1076-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
May 26th, 2006                          http://www.debian.org/security/faq

Package        : lynx
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2004-1617
BugTraq ID     : 11443
Debian Bug     : 296340

Michal Zalewski discovered that lynx, the popular text-mode WWW browser, is not able to grok invalid HTML including a TEXTAREA tag with a large COLS value and a large tag name in an element that is not terminated, and loops forever trying to render the broken HTML.

For the old stable distribution (woody) this problem has been fixed in version 2.8.4.1b-3.4.

For the stable distribution (sarge) this problem has been fixed in version 2.8.5-2sarge2.

For the unstable distribution (sid) this problem has been fixed in version 2.8.5-2sarge2.

We recommend that you upgrade your lynx package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
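The manual upgrade path each of these advisories describes (wget the listed .deb, then dpkg -i) pairs with the Size/MD5 checksum values the advisories publish for every file. As an added example that is not part of any of the Debian advisories above, the POSIX sh functions below check a downloaded file against those two values before it reaches dpkg; `verify_pkg` and `fetch_and_install` are names chosen here, and the self-check uses a constructed six-byte file rather than a real package.

```shell
#!/bin/sh
# Added example (not Debian's code): compare a downloaded package against the
# "Size/MD5 checksum: SIZE MD5" line an advisory lists for it. MD5 is used only
# because that is what these 2006-era advisories publish; on a maintained
# system apt's signed Release files are the normal integrity check.

# verify_pkg FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both the byte count and the digest match, 1 otherwise.
verify_pkg() {
    file=$1
    want_size=$2
    want_md5=$(printf '%s' "$3" | tr 'A-F' 'a-f')   # accept upper-case hex too
    [ -f "$file" ] || { echo "verify_pkg: no such file: $file" >&2; return 1; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    if command -v md5sum >/dev/null 2>&1; then
        have_md5=$(md5sum "$file" | cut -d' ' -f1)     # GNU coreutils
    else
        have_md5=$(md5 -q "$file")                       # BSD / macOS
    fi
    if [ "$have_size" != "$want_size" ]; then
        echo "verify_pkg: $file: size $have_size, advisory lists $want_size" >&2
        return 1
    fi
    if [ "$have_md5" != "$want_md5" ]; then
        echo "verify_pkg: $file: md5 $have_md5, advisory lists $want_md5" >&2
        return 1
    fi
    return 0
}

# fetch_and_install URL SIZE MD5
# Mirrors the advisory's "wget url; dpkg -i file.deb" steps, but refuses to
# install (and deletes) a file whose size or digest differs from the advisory.
fetch_and_install() {
    url=$1
    deb=$(basename "$url")
    wget -q -O "$deb" "$url" || return 1
    verify_pkg "$deb" "$2" "$3" || { rm -f "$deb"; return 1; }
    dpkg -i "$deb"
}

# Self-check on a constructed file (not a real package): "hello\n" is 6 bytes
# with MD5 b1946ac92492d2347c6235b4d2611184.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_pkg "$tmp" 6 b1946ac92492d2347c6235b4d2611184 && echo "demo: match"
    verify_pkg "$tmp" 6 00000000000000000000000000000000 2>/dev/null \
        || echo "demo: rejected file with wrong digest"
    rm -f "$tmp"
}

demo
```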