[Full-disclosure] [SECURITY] [DSA 1792-1] New drupal6 packages fix multiple vulnerabilities

2009-05-06 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1792-1                    secur...@debian.org
http://www.debian.org/security/                          Noah Meyerhans
May 06, 2009                                http://www.debian.org/security/faq
- 

Package: drupal6
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
Debian Bug : 526378

Multiple vulnerabilities have been discovered in drupal, a web content
management system.

pod.Edge discovered a cross-site scripting vulnerability that can be
triggered when some browsers interpret UTF-8 strings as UTF-7 if they
appear before the generated HTML document defines its Content-Type.
This allows a malicious user to execute arbitrary javascript in the
context of the web site if they're allowed to post content.

Moritz Naumann discovered an information disclosure vulnerability.  If
a user is tricked into visiting the site via a specially crafted URL
and then submits a form (such as the search box) from that page, the
information in their form submission may be directed to a third-party
site determined by the URL and thus disclosed to the third party. The
third party site may then execute a cross-site request forgery attack
against the submitted form.

For the stable distribution (lenny), these problems have been fixed in version
6.6-3lenny1.

The old stable distribution (etch) does not contain drupal and is not
affected.

For the unstable distribution (sid), these problems have been fixed in
version 6.11-1.

We recommend that you upgrade your drupal6 package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1.dsc
Size/MD5 checksum: 1124 bedc53674c2746aa0172ba085ee49cf7
  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6.orig.tar.gz
Size/MD5 checksum:  1071507 caaa55d1990b34dee48f5047ce98e2bb
  
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1.diff.gz
Size/MD5 checksum:19809 907241818d13cff27fd8eb8487002ad6

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb
Size/MD5 checksum:  1083398 0f30de9089c576ecdb85acf8e71e87a3


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKAbI8YrVLjBFATsMRAqhzAJoCMY3Y8IiuvCrIjqZIwY8n/x9NewCgisaL
ji5qVBsBZ6frrXsksydMf2o=
=yG9u
-----END PGP SIGNATURE-----

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
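
The UTF-7 issue in DSA-1792-1 above, shown as an added worked example in Python. This is not code from the advisory or from Drupal; the payload, the escaping step and the charset check are constructed for the demonstration. A UTF-7 shift sequence spells '<' as +ADw- and '>' as +AD4-, so a post that an HTML escaper considers harmless turns back into markup in a browser that has guessed UTF-7 because the document had not yet declared its character set. The last function is the check that matters for the fix: is the charset pinned, in the Content-Type header or a <meta> element, before the first user-controlled byte is written?

```python
import base64
import html
import re

# Constructed payload for the demonstration (not taken from the advisory):
# the markup an attacker wants to land in the page unescaped.
PAYLOAD = "<script>alert(1)</script>"


def utf7_shift(text: str) -> str:
    """Encode *text* as one RFC 2152 shift sequence: '+', the modified base64
    of its UTF-16BE code units with '=' padding dropped, then '-'.  Python's
    own utf-7 codec writes '<' and '>' as plain ASCII, so the shifted form is
    built by hand here; bytes.decode('utf-7') reads it back."""
    b64 = base64.b64encode(text.encode("utf-16-be")).rstrip(b"=").decode("ascii")
    return f"+{b64}-"


def utf7_smuggle(text: str) -> str:
    """Rewrite only the characters an HTML escaper acts on as UTF-7 shift
    sequences and leave everything else as ASCII.  A literal '+' becomes '+-'."""
    out = []
    for ch in text:
        if ch in '<>&"\'':
            out.append(utf7_shift(ch))
        elif ch == "+":
            out.append("+-")
        else:
            out.append(ch)
    return "".join(out)


def escape_like_a_cms(user_text: str) -> str:
    """The escaping step a CMS applies before embedding user content in HTML."""
    return html.escape(user_text, quote=True)


def as_seen_by_utf7_browser(escaped_html: str) -> str:
    """What a browser that guessed UTF-7 for the document would parse."""
    return escaped_html.encode("ascii").decode("utf-7")


def charset_pinned_before(headers: dict, body: str, offset: int) -> bool:
    """The mitigation check: is the character set fixed before any
    user-controlled bytes appear?  True if the HTTP Content-Type header
    carries a charset, or a <meta> charset declaration occurs in body[:offset],
    where *offset* is the position at which the first user-controlled content
    is written."""
    content_type = headers.get("Content-Type", "")
    if re.search(r"charset\s*=\s*[\w-]+", content_type, re.I):
        return True
    return re.search(r"<meta[^>]*charset\s*=", body[:offset], re.I) is not None


def demo() -> dict:
    """Run the chain once and return the intermediate values."""
    smuggled = utf7_smuggle(PAYLOAD)
    escaped = escape_like_a_cms(smuggled)
    head = "<html><head><title>"
    return {
        "smuggled": smuggled,
        "survives_escaping": escaped == smuggled,
        "utf7_browser_sees": as_seen_by_utf7_browser(escaped),
        # charset in the HTTP header: pinned before any body byte
        "header_pins_charset": charset_pinned_before(
            {"Content-Type": "text/html; charset=utf-8"}, "", 0),
        # <meta> after user content in <title>: the browser has already guessed
        "late_meta_is_too_late": not charset_pinned_before(
            {"Content-Type": "text/html"},
            head + escaped + "</title><meta charset=utf-8>", len(head)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The escaper is not wrong here; it simply never sees a '<'. The fix belongs at the point where the response's character set is committed, which is why the check operates on the header and on the bytes emitted before the first user-controlled content, not on the content itself.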


[Full-disclosure] [SECURITY] [DSA 1790-1] New xpdf packages fix multiple vulnerabilities

2009-05-06 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1790-1  secur...@debian.org
http://www.debian.org/security/   Noah Meyerhans
May 05, 2009  http://www.debian.org/security/faq
- 

Package: xpdf
Vulnerability  : multiple
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2009-0146 CVE-2009-0147 CVE-2009-0165
 CVE-2009-0166 CVE-2009-0799 CVE-2009-0800
 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181
 CVE-2009-1182 CVE-2009-1183
Debian Bug : 524809

Several vulnerabilities have been identified in xpdf, a suite of tools
for viewing and converting Portable Document Format (PDF) files.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2009-0146

Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and
earlier, CUPS 1.3.9 and earlier, and other products allow remote
attackers to cause a denial of service (crash) via a crafted PDF file,
related to (1) JBIG2SymbolDict::setBitmap and (2)
JBIG2Stream::readSymbolDictSeg.

CVE-2009-0147

Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and
earlier, CUPS 1.3.9 and earlier, and other products allow remote
attackers to cause a denial of service (crash) via a crafted PDF file,
related to (1) JBIG2Stream::readSymbolDictSeg, (2)
JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.

CVE-2009-0165

Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, as
used in Poppler and other products, when running on Mac OS X, has
unspecified impact, related to "g*allocn."

CVE-2009-0166

The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
earlier, and other products allows remote attackers to cause a denial
of service (crash) via a crafted PDF file that triggers a free of
uninitialized memory.

CVE-2009-0799

The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
Poppler before 0.10.6, and other products allows remote attackers to
cause a denial of service (crash) via a crafted PDF file that triggers
an out-of-bounds read.

CVE-2009-0800

Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2
and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other
products allow remote attackers to execute arbitrary code via a crafted
PDF file.

CVE-2009-1179

Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS
1.3.9 and earlier, Poppler before 0.10.6, and other products allows
remote attackers to execute arbitrary code via a crafted PDF file.

CVE-2009-1180

The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
Poppler before 0.10.6, and other products allows remote attackers to
execute arbitrary code via a crafted PDF file that triggers a free of
invalid data.

CVE-2009-1181

The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
Poppler before 0.10.6, and other products allows remote attackers to
cause a denial of service (crash) via a crafted PDF file that triggers a
NULL pointer dereference.

CVE-2009-1182

Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and
earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other
products allow remote attackers to execute arbitrary code via a crafted
PDF file.

CVE-2009-1183

The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
earlier, Poppler before 0.10.6, and other products allows remote
attackers to cause a denial of service (infinite loop and hang) via a
crafted PDF file.

For the old stable distribution (etch), these problems have been fixed in
version 3.01-9.1+etch6.

For the stable distribution (lenny), these problems have been fixed in version
3.02-1.4+lenny1.

For the unstable distribution (sid), these problems will be fixed in a
forthcoming version.

We recommend that you upgrade your xpdf packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian GNU/Linux 5.0 alias lenny
- 

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipse

[Full-disclosure] [SECURITY] [DSA 1756-1] New xulrunner packages fix multiple vulnerabilities

2009-03-29 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1756-1                    secur...@debian.org
http://www.debian.org/security/ Noah Meyerhans
March 29, 2009  http://www.debian.org/security/faq
- 

Package: xulrunner
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2009-1169 CVE-2009-1044

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-1169

Security researcher Guido Landi discovered that a XSL stylesheet could
be used to crash the browser during a XSL transformation. An attacker
could potentially use this crash to run arbitrary code on a victim's
computer.

CVE-2009-1044

Security researcher Nils reported via TippingPoint's Zero Day Initiative
that the XUL tree method _moveToEdgeShift was in some cases triggering
garbage collection routines on objects which were still in use. In such
cases, the browser would crash when attempting to access a previously
destroyed object and this crash could be used by an attacker to run
arbitrary code on a victim's computer.

Note that after installing these updates, you will need to restart any
packages using xulrunner, typically iceweasel or epiphany.

For the stable distribution (lenny), these problems have been fixed in version
1.9.0.7-0lenny2.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.8-1.

We recommend that you upgrade your xulrunner package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.7-0lenny2.dsc
Size/MD5 checksum: 1777 be107e8cce28d09395d6c2b0e2880e0b
  
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.7.orig.tar.gz
Size/MD5 checksum: 43683292 f49b66c10e021debdfd9cd3705847d9b
  
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.7-0lenny2.diff.gz
Size/MD5 checksum:   115665 4886b961a24c13d9017e8f261b7a4ad4

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.7-0lenny2_all.deb
Size/MD5 checksum:  1480030 c12b4d6d534c0f12ec8e19760ca52a9b

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.7-0lenny2_amd64.deb
Size/MD5 checksum:69048 cbcfc3f9addacdd2a6641980876910f1
  
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.7-0lenny2_amd64.deb
Size/MD5 checksum:  7725982 c5075bc0634cb5b2cfc8b64649f9511e
  
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.7-0lenny2_amd64.deb
Size/MD5 checksum:  3587626 1ce3de601c764c9bfb0c3998566f2baa
  
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.7-0lenny2_amd64.deb
Size/MD5 checksum:   887434 d373f8ed294bc6184a188bc820e04d6b
  
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.7-0lenny2_amd64.deb
Size/MD5 checksum:   220394 8ac87390e12115281d335b8773fb5733
  
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.7-0lenny2_amd64.deb
Size/MD5 checksum:   152152 76761d21f53d017af1ff349e528664ea
  
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.7-0lenny2_amd64.deb
Size/MD5 checksum:   372048 ba88e43241ab33621169f2e352bdf634
  
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.7-0lenny2_amd64.deb
Size/MD5 checksum: 50084206 d44a3028e5049f2b8051a5f6ed632fe6
  
http://security.debian.org/pool

[Full-disclosure] [SECURITY] [DSA 1576-2] New openssh packages fix predictable randomness

2008-05-16 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1576-2  [EMAIL PROTECTED]
http://www.debian.org/security/   Noah Meyerhans
May 16, 2008  http://www.debian.org/security/faq
- 

Package: openssh
Vulnerability  : predictable random number generator
Problem type   : remote
Debian-specific: yes
CVE Id(s)  : CVE-2008-0166

Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys with
options (such as "no-port-forwarding" or forced commands) were ignored by
the new ssh-vulnkey tool introduced in openssh 1:4.3p2-9etch1 (see DSA
1576-1). This could cause some compromised keys not to be listed in
ssh-vulnkey's output.

This update also adds more information to ssh-vulnkey's manual page.

For the stable distribution (etch), this problem has been fixed in version
1:4.3p2-9etch2.

We recommend that you upgrade your openssh (1:4.3p2-9etch2) package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mipsel, 
powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch2.dsc
Size/MD5 checksum: 1010 7bcad5f65ff1722db7c431d3a25e8578
  
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2.orig.tar.gz
Size/MD5 checksum:   920186 239fc801443acaffd4c1f111948ee69c
  
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch2.diff.gz
Size/MD5 checksum:   276621 27984546be5ba87687ae6e7e5df36578

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/o/openssh/ssh-krb5_4.3p2-9etch2_all.deb
Size/MD5 checksum:92022 1cd59a62eb401f21421f13a6caf3d509
  
http://security.debian.org/pool/updates/main/o/openssh/ssh_4.3p2-9etch2_all.deb
Size/MD5 checksum: 1052 b096153814cc8949820d9958f8b81a00

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_alpha.deb
Size/MD5 checksum:   100498 2fa04ed9e0ee9625f28964938cc19b64
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_alpha.deb
Size/MD5 checksum:   782726 0c48b38fc56cdaedb3d4a1eab9ecd25d
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_alpha.udeb
Size/MD5 checksum:   213728 ff4b07cb720fb26210c3a49213737168
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_alpha.deb
Size/MD5 checksum:   266510 113583573c885f7baa40b9a78933c6aa
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_alpha.udeb
Size/MD5 checksum:   198498 6dd01cb3b4fe5cf3726142f429281187

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_amd64.deb
Size/MD5 checksum:   100106 b4dc14aee0a9c94d96e3b392a2dd61e8
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_amd64.deb
Size/MD5 checksum:   711910 dc68b26b2810e7f47e3fa419c262bc07
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_amd64.deb
Size/MD5 checksum:   245522 b02dc226eb5aae330b08429a17f0eef6
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_amd64.udeb
Size/MD5 checksum:   183854 fa96f8d05d380a6053672de0a6bd30c1
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_amd64.udeb
Size/MD5 checksum:   171334 b2eafdc135649523828db8416f22617d

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_arm.deb
Size/MD5 checksum:   218980 6065fa1195e74549c7dd66fbe2b41718
  
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_arm.deb
Size/MD5 checksum:99668 c6260735e7d50c21e19d01702b4e45bb
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_arm.deb
Size/MD5 checksum:   650608 42d8f87667ffd3fdccb26ec5c8d775ac
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_arm.udeb
Size/MD5 checksum:   171666 4bc55e6d06de4f0bda2771ad78770d27
  
http://security.debian.org/pool/updates/ma
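
The ssh-vulnkey defect described in DSA-1576-2 above, as an added worked example in Python. This is not code from the advisory or from the ssh-vulnkey tool; the key blobs, the blocklist and the sample authorized_keys file are constructed for the demonstration, and the fingerprint is the MD5 colon form that OpenSSH 4.x printed. An authorized_keys line may begin with a comma-separated options list whose quoted values contain spaces, so a reader that takes the first whitespace-separated field as the key type silently skips every key carrying options such as no-port-forwarding or command="...", which are exactly the keys an audit must not miss. naive_parse shows that reading, parse_line follows sshd's rule (when the first field is not a key type it is an options list and the key follows it), and audit runs either parser against the same blocklist.

```python
import base64
import hashlib
import struct

# Key types ssh-vulnkey had to handle in 2008 (ecdsa/ed25519 came later).
KEY_TYPES = {"ssh-rsa", "ssh-dss"}


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    # one extra byte when the top bit is set, so the value stays positive
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_blob(e: int, n: int) -> str:
    """Base64 public-key blob in ssh-rsa wire format.  Used only to build the
    constructed sample keys below; these moduli are not real keys."""
    raw = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(raw).decode("ascii")


WEAK_BLOB = rsa_blob(65537, int.from_bytes(b"constructed weak modulus for the example " * 3, "big") | 1)
OK_BLOB = rsa_blob(65537, int.from_bytes(b"constructed unrelated modulus, example  " * 3, "big") | 1)


def fingerprint(blob: str) -> str:
    """MD5 fingerprint in the colon form OpenSSH 4.x printed for ssh-keygen -l."""
    digest = hashlib.md5(base64.b64decode(blob)).digest()
    return ":".join(f"{b:02x}" for b in digest)


# Stands in for the list of known-weak fingerprints the real tool consults.
BLOCKLIST = {fingerprint(WEAK_BLOB)}

# Constructed sample file (not from any real host).  The weak key appears twice:
# once plain, once behind an options list with a quoted command.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not a real authorized_keys file
ssh-rsa {WEAK_BLOB} alice@laptop
no-port-forwarding,no-agent-forwarding,command="/usr/bin/rsync --server --sender . /srv/backup" ssh-rsa {WEAK_BLOB} backup@nas
from="10.0.0.0/8" ssh-rsa {OK_BLOB} bob@desk
"""


def naive_parse(line: str):
    """The flawed reading: assume the first field is the key type."""
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return {"options": "", "type": fields[0], "blob": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def _split_options(line: str):
    """Options run to the first whitespace outside double quotes; a quoted
    value (command="...") may contain spaces and backslash-escaped quotes."""
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2          # skip the escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def parse_line(line: str):
    """sshd's rule: if the first field is not a key type, it is an options
    list, and the key type, blob and comment follow it."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    fields = line.split(None, 2)
    if fields[0] not in KEY_TYPES:
        options, rest = _split_options(line)
        fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return {"options": options, "type": fields[0], "blob": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def audit(text: str, blocklist: set, parse=parse_line) -> list:
    """Return the comments of keys whose fingerprint is on the blocklist."""
    flagged = []
    for line in text.splitlines():
        key = parse(line)
        if key and fingerprint(key["blob"]) in blocklist:
            flagged.append(key["comment"])
    return flagged


if __name__ == "__main__":
    print("naive  :", audit(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST, naive_parse))
    print("correct:", audit(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST))
```

The forced-command key is the one most likely to sit on a shared backup or deploy account, so a scanner that drops it reports a clean host that still accepts a compromised key. When auditing, count the lines the parser returned None for and compare against the lines in the file; a gap between the two is the symptom this update fixed.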

[Full-disclosure] [SECURITY] [DSA 1554-1] New roundup packages fix cross-site scripting vulnerability

2008-04-23 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1554-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Noah Meyerhans
April 22, 2008http://www.debian.org/security/faq
- 

Package: roundup
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-1474
Debian Bug : 472643

Roundup, an issue tracking system, fails to properly escape HTML input,
allowing an attacker to inject client-side code (typically JavaScript)
into a document that may be viewed in the victim's browser.

For the stable distribution (etch), this problem has been fixed in version
1.2.1-5+etch1.

We recommend that you upgrade your roundup packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/r/roundup/roundup_1.2.1-5+etch1.dsc
Size/MD5 checksum:  690 2bf102c80abab65bf5b7d8804a29bc4d
  
http://security.debian.org/pool/updates/main/r/roundup/roundup_1.2.1.orig.tar.gz
Size/MD5 checksum:  1058595 38de336cf23d0dc20df17695b7c72806
  
http://security.debian.org/pool/updates/main/r/roundup/roundup_1.2.1-5+etch1.diff.gz
Size/MD5 checksum:25739 61583ff7c94651b7380794b421fcc521

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/r/roundup/roundup_1.2.1-5+etch1_all.deb
Size/MD5 checksum:  1003008 00f33566e9993e7aaa37f6b99c3d186e


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIDllQYrVLjBFATsMRAnXfAJ4g4ZRSQc2T4Fjb25xpN3ikCPsV8gCgis6U
cbDJ3mFpcu7cM6XxPQ1Z+lI=
=D5K5
-----END PGP SIGNATURE-----



[Full-disclosure] [SECURITY] [DSA 1530-1] New cupsys packages fix multiple vulnerabilities

2008-03-25 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1530-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Noah Meyerhans
March 25, 2008http://www.debian.org/security/faq
- 

Package: cupsys
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-0047 CVE-2008-0882
Debian Bug : 472105 467653

Several local/remote vulnerabilities have been discovered in cupsys, the
Common Unix Printing System.  The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2008-0047
Heap-based buffer overflow in CUPS, when printer sharing is enabled,
allows remote attackers to execute arbitrary code via crafted search
expressions.

CVE-2008-0882
Double free vulnerability in the process_browse_data function in CUPS
1.3.5 allows remote attackers to cause a denial of service (daemon
crash) and possibly execute arbitrary code via crafted packets to the
cupsd port (631/udp), related to an unspecified manipulation of a
remote printer.

For the stable distribution (etch), these problems have been fixed in
version 1.2.7-4etch3.

We recommend that you upgrade your cupsys packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, i386, ia64, mips, mipsel, 
powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch3.diff.gz
Size/MD5 checksum:   104776 b684811e24921a7574798108ac6988d7
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch3.dsc
Size/MD5 checksum: 1084 0276f8e59e00181d39d204a28494d18c
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7.orig.tar.gz
Size/MD5 checksum:  4214272 c9ba33356e5bb93efbcf77b6e142e498

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-common_1.2.7-4etch3_all.deb
Size/MD5 checksum:   927322 65b1ff3cb7b8bbbe3b334ee43875aac4
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4etch3_all.deb
Size/MD5 checksum:45654 0b4ce3e9c2af460c5b694b906f450b12

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch3_alpha.deb
Size/MD5 checksum:  1097006 45800a6b2c1dd7068843ade84480259d
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch3_alpha.deb
Size/MD5 checksum:39262 4f645e43611b07348ad50e4da57d
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch3_alpha.deb
Size/MD5 checksum:   174890 9affa7a1f2dc6548fcffb9a456181a3a
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch3_alpha.deb
Size/MD5 checksum:86292 23431d4bfae9599caba759d4b0a3a8c0
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch3_alpha.deb
Size/MD5 checksum:94814 6be946280a3c9fadfd070f7284255df0
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch3_alpha.deb
Size/MD5 checksum:  1609104 ecdd9f65f8799605a1efeac0d4eae774
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch3_alpha.deb
Size/MD5 checksum:   184372 7720c886672d63cdeb501314beacc4b5
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch3_alpha.deb
Size/MD5 checksum:72428 2b4ed65a0a33b7cf32756c2b0cd925de

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch3_amd64.deb
Size/MD5 checksum:52858 badd0d21043714aa2c612b45323890a1
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch3_amd64.deb
Size/MD5 checksum:  1574654 cf1c04e898f7380fdd338ecafb69185e
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch3_amd64.deb
Size/MD5 checksum:85652 24c3d3e054306785ccc958f1894a2b18
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch3_amd64.deb
Size/MD5 checksum:   142534 7ad95206e0e450f8df27c9d858809ddb
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch3_amd64.deb

[Full-disclosure] [SECURITY] [DSA 1524-1] New krb5 packages fix multiple vulnerabilities

2008-03-19 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1524-1                    [EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
March 18, 2008  http://www.debian.org/security/faq
- 

Package: krb5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-0062 CVE-2008-0063 CVE-2008-0947

Several remote vulnerabilities have been discovered in the kdc component
of krb5, a system for authenticating users and services on a
network.

CVE-2008-0062

An unauthenticated remote attacker may cause a krb4-enabled KDC to
crash, expose information, or execute arbitrary code.  Successful
exploitation of this vulnerability could compromise the Kerberos key
database and host security on the KDC host.

CVE-2008-0063

An unauthenticated remote attacker may cause a krb4-enabled KDC to
expose information.  It is theoretically possible for the exposed
information to include secret key data on some platforms.

CVE-2008-0947

An unauthenticated remote attacker can cause memory corruption in the
kadmind process, which is likely to cause kadmind to crash, resulting in
a denial of service. It is at least theoretically possible for such
corruption to result in database corruption or arbitrary code execution,
though we have no such exploit and are not aware of any such exploits in
use in the wild.  In versions of MIT Kerberos shipped by Debian, this
bug can only be triggered in configurations that allow large numbers of
open file descriptors in a process.

For the stable distribution (etch), these problems have been fixed in
version 1.4.4-7etch5.

For the old stable distribution (sarge), these problems have been fixed
in version krb5 1.3.6-2sarge6.

We recommend that you upgrade your krb5 packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/k/krb5/krb5_1.3.6.orig.tar.gz
Size/MD5 checksum:  6526510 7974d0fc413802712998d5fc5eec2919
  http://security.debian.org/pool/updates/main/k/krb5/krb5_1.3.6-2sarge6.diff.gz
Size/MD5 checksum:   673705 93382126a3c73ac44ed7daa7d85f166d
  http://security.debian.org/pool/updates/main/k/krb5/krb5_1.3.6-2sarge6.dsc
Size/MD5 checksum:  782 0391aaf485ef1636ef18c6ba183c3fbe

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.3.6-2sarge6_all.deb
Size/MD5 checksum:   718916 ca2fb37b53a19207f1e1f1de90c4c1f3

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge6_amd64.deb
Size/MD5 checksum:   137834 d43e9d3f3ef65fe8c8cbbb7b5dcbd144
  
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge6_amd64.deb
Size/MD5 checksum:   177730 947fb82dd795f9272935ea4cb027e543
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge6_amd64.deb
Size/MD5 checksum:   124864 4f1d0aa9d18013023f4a9f2b9a10db65
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge6_amd64.deb
Size/MD5 checksum:   104886 15037693de0d9dc27460d713b547872a
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge6_amd64.deb
Size/MD5 checksum:63606 c4cfe2b01bfe0b579b216210817c4fa3
  
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge6_amd64.deb
Size/MD5 checksum:   369420 c8d1eaf98400880ff82f727fe20f90cd
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge6_amd64.deb
Size/MD5 checksum:82806 30230dfe2605b88fdeac8811d408acdb
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge6_amd64.deb
Size/MD5 checksum:57048 741292984684fddae11e130dcd388161
  
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge6_amd64.deb
Size/MD5 checksum:   652378 d8f3493f4354e0b3717ffc72d6592b88
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge6_amd64.deb
Size/MD5 checksum:   216990 0df13c59411cf57b86bd94e250cf458e

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge6_arm.deb
Size/MD5 checksum:   115684

[Full-disclosure] [SECURITY] [DSA 1509-1] New koffice packages fix multiple vulnerabilities

2008-02-26 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1509-1                    [EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
February 25, 2008   http://www.debian.org/security/faq
- 

Package: koffice
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2007-4352 CVE-2007-5392 CVE-2007-5393
Debian Bug : 450631

Several vulnerabilities have been discovered in xpdf code that is
embedded in koffice, an integrated office suite for KDE.  These flaws
could allow an attacker to execute arbitrary code by inducing the user
to import a specially crafted PDF document.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2007-4352

Array index error in the DCTStream::readProgressiveDataUnit method in
xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice,
CUPS, and other products, allows remote attackers to trigger memory
corruption and execute arbitrary code via a crafted PDF file.

CVE-2007-5392

Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in
Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a
crafted PDF file, resulting in a heap-based buffer overflow.

CVE-2007-5393

Heap-based buffer overflow in the CCITTFaxStream::lookChar method in
xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute
arbitrary code via a PDF file that contains a crafted CCITTFaxDecode
filter.

For the stable distribution (etch), these problems have been fixed in version
1:1.6.1-2etch2.

Updates for the old stable distribution (sarge) will be made available
as soon as possible.

We recommend that you upgrade your koffice package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

[Full-disclosure] [SECURITY] [DSA 1502-1] New wordpress packages fix multiple vulnerabilities

2008-02-22 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1502-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                        Noah Meyerhans
February 22, 2008                   http://www.debian.org/security/faq
- 

Package: wordpress
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-3238 CVE-2007-2821 CVE-2008-0193 CVE-2008-0194

Several remote vulnerabilities have been discovered in wordpress, a weblog
manager.

The Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2007-3238

Cross-site scripting (XSS) vulnerability in functions.php in the default theme
in WordPress allows remote authenticated administrators to inject arbitrary web
script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php.

CVE-2007-2821

SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2
allows remote attackers to execute arbitrary SQL commands via the cookie
parameter.

CVE-2008-0193

Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress
2.0.11 and earlier allows remote attackers to inject arbitrary web script or
HTML via the backup parameter in a wp-db-backup.php action to
wp-admin/edit.php.

CVE-2008-0194

Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and
earlier allows remote attackers to read arbitrary files, delete arbitrary
files, and cause a denial of service via a .. (dot dot) in the backup parameter
in a wp-db-backup.php action to wp-admin/edit.php.

For the stable distribution (etch), these problems have been fixed in version
2.0.10-1etch1.  Wordpress is not present in the oldstable distribution (sarge).

We recommend that you upgrade your wordpress package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1483-1] New net-snmp packages fix denial of service vulnerability

2008-02-06 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1483-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                        Noah Meyerhans
February 06, 2008                   http://www.debian.org/security/faq
- 

Package: net-snmp
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-5846

The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote
attackers to cause a denial of service (CPU and memory consumption)
via a GETBULK request with a large max-repeaters value.

For the stable distribution (etch), this problem has been fixed in
version 5.2.3-7etch2.

For the unstable and testing distributions (sid and lenny,
respectively), this problem has been fixed in version 5.4.1~dfsg-2.

We recommend that you upgrade your net-snmp package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

[Full-disclosure] [SECURITY] [DSA 1458-1] New openafs packages fix denial of service vulnerability

2008-01-11 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1458-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                        Noah Meyerhans
January 10, 2008                    http://www.debian.org/security/faq
- 

Package: openafs
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-6599
BugTraq ID : 27132

A race condition in the OpenAFS fileserver allows remote attackers to
cause a denial of service (daemon crash) by simultaneously acquiring and
giving back file callbacks, which causes the handler for the
GiveUpAllCallBacks RPC to perform linked-list operations without the
host_glock lock.

For the stable distribution (etch), this problem has been fixed in
version 1.4.2-6etch1.

For the old stable distribution (sarge), this problem has been fixed in
version 1.3.81-3sarge3.

We recommend that you upgrade your openafs packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

[Full-disclosure] [SECURITY] [DSA 1413-1] New mysql packages fix multiple vulnerabilities

2007-11-26 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1413-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Noah Meyerhans
November 26, 2007 http://www.debian.org/security/faq
- 

Package: mysql-dfsg, mysql-dfsg-5.0, mysql-dfsg-4.1
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-2583, CVE-2007-2691, CVE-2007-2692 
 CVE-2007-3780, CVE-2007-3782, CVE-2007-5925
Debian Bug : 426353, 424778, 424778, 451235

Several vulnerabilities have been found in the MySQL database packages
with implications ranging from unauthorized database modifications to
remotely triggered server crashes.

CVE-2007-2583

The in_decimal::set function in item_cmpfunc.cc in MySQL
before 5.0.40 allows context-dependent attackers to cause a
denial of service (crash) via a crafted IF clause that results
in a divide-by-zero error and a NULL pointer dereference.
(Affects source version 5.0.32)

CVE-2007-2691

MySQL does not require the DROP privilege for RENAME TABLE
statements, which allows remote authenticated users to rename
arbitrary tables. (All supported versions affected.)

CVE-2007-2692

The mysql_change_db function does not restore THD::db_access
privileges when returning from SQL SECURITY INVOKER stored
routines, which allows remote authenticated users to gain
privileges.  (Affects source version 5.0.32)

CVE-2007-3780

MySQL could be made to overflow a signed char during
authentication. Remote attackers could use specially crafted
authentication requests to cause a denial of
service. (Upstream source versions 4.1.11a and 5.0.32
affected.)

CVE-2007-3782

Phil Anderton discovered that MySQL did not properly verify
access privileges when accessing external tables. As a result,
authenticated users could exploit this to obtain UPDATE
privileges to external tables.  (Affects source version
5.0.32)

CVE-2007-5925

The convert_search_mode_to_innobase function in ha_innodb.cc
in the InnoDB engine in MySQL 5.1.23-BK and earlier allows
remote authenticated users to cause a denial of service
(database crash) via a certain CONTAINS operation on an
indexed column, which triggers an assertion error.  (Affects
source version 5.0.32)

For the stable distribution (etch), these problems have been fixed in
version 5.0.32-7etch3 of the mysql-dfsg-5.0 packages.

For the old stable distribution (sarge), these problems have been
fixed in version 4.0.24-10sarge3 of mysql-dfsg and version
4.1.11a-4sarge8 of mysql-dfsg-4.1.

We recommend that you upgrade your mysql packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

[Full-disclosure] [SECURITY] [DSA 1398-1] New perdition packages fix arbitrary code execution

2007-11-05 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1398-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                        Noah Meyerhans
November 05, 2007                   http://www.debian.org/security/faq
- 

Package: perdition
Vulnerability  : format string error
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-5740
Debian Bug : 448853

Bernhard Mueller of SEC Consult has discovered a format string
vulnerability in perdition, an IMAP proxy.  This vulnerability could
allow an unauthenticated remote user to run arbitrary code on the
perdition server by providing a specially formatted IMAP tag.

For the stable distribution (etch), this problem has been fixed in
version 1.17-7etch1.

For the old stable distribution (sarge), this problem has been fixed in
version 1.15-5sarge1.

We recommend that you upgrade your perdition package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

[Full-disclosure] [SECURITY] [DSA 1388-3] New dhcp packages fix arbitrary code execution

2007-10-30 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1388-3                    [EMAIL PROTECTED]
http://www.debian.org/security/                        Noah Meyerhans
October 29, 2007                    http://www.debian.org/security/faq
- 

Package: dhcp
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-5365
Debian Bug : 446354

The patch used to correct the DHCP server buffer overflow in DSA-1388-1
was incomplete and did not adequately resolve the problem.  This update
to the previous advisory makes available updated packages based on a
newer version of the patch.

For the stable distribution (etch), this problem has been fixed in
version 2.0pl5-19.5etch2.

Updates to the old stable version (sarge) are pending.

We recommend that you upgrade your dhcp packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

[Full-disclosure] [SECURITY] [DSA 1390-1] New t1lib packages fix arbitrary code execution

2007-10-19 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1390-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                        Noah Meyerhans
October 18, 2007                    http://www.debian.org/security/faq
- 

Package: t1lib
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2007-4033
Debian Bug : 439927

Hamid Ebadi has discovered a buffer overflow in the
intT1_Env_GetCompletePath routine in t1lib, a Type 1 font rasterizer
library.  This flaw could allow an attacker to crash an application
using the t1lib shared libraries, and potentially execute arbitrary code
within such an application's security context.

For the stable distribution (etch), this problem has been fixed in
version 5.1.0-2etch1.

For the old stable distribution (sarge), this problem has been fixed in
version 5.0.2-3sarge1.

We recommend that you upgrade your t1lib package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
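The wget / dpkg -i steps above install whatever was downloaded; each DSA also publishes a "Size/MD5 checksum" line per file, so the download can be checked against it first. Added example, not part of the advisories or of Debian's tooling: a POSIX shell script that refuses to run dpkg -i unless both the byte count and the digest match; it assumes the URL, size and digest are copied from the advisory, whose PGP signature is what authenticates those values.

```shell
#!/bin/sh
# Added example: fetch a package named in a DSA, check it against the
# advisory's "Size/MD5 checksum: <size> <md5>" line, and only then run
# dpkg -i. Not Debian's tooling; the URL, size and digest are assumed to
# be copied from the signed advisory text.

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only if both the byte count and the MD5 digest match.
verify_deb() {
    file=$1
    want_size=$2
    want_md5=$3

    if [ ! -f "$file" ]; then
        echo "verify_deb: no such file: $file" >&2
        return 1
    fi

    # wc -c prints leading blanks on some systems; strip them.
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "verify_deb: size mismatch for $file:" \
             "got $have_size, advisory says $want_size" >&2
        return 1
    fi

    # md5sum prints "<digest>  <name>"; keep the digest field only.
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$have_md5" != "$want_md5" ]; then
        echo "verify_deb: MD5 mismatch for $file:" \
             "got $have_md5, advisory says $want_md5" >&2
        return 1
    fi
    return 0
}

# fetch_verify_install URL EXPECTED_SIZE EXPECTED_MD5
# Downloads into a scratch directory that is removed afterwards, so a
# file that fails verification never lingers where it might be installed.
fetch_verify_install() {
    url=$1
    want_size=$2
    want_md5=$3

    dir=$(mktemp -d) || return 1
    file="$dir/$(basename "$url")"

    if ! wget -q -O "$file" "$url"; then
        echo "fetch_verify_install: download failed: $url" >&2
        rm -rf "$dir"
        return 1
    fi

    if verify_deb "$file" "$want_size" "$want_md5"; then
        if dpkg -i "$file"; then rc=0; else rc=1; fi
    else
        echo "fetch_verify_install: refusing to install $file" >&2
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Usage: sh dsa-install.sh URL SIZE MD5, with all three values copied from
# the advisory's file list. Does nothing when run without arguments.
if [ "$#" -eq 3 ]; then
    fetch_verify_install "$1" "$2" "$3"
fi
```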

Debian 3.1 (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

[Full-disclosure] [SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution

2007-10-10 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1379-2                       [EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
October 10, 2007
- 

Package: openssl097, openssl096
Vulnerability  : off-by-one error/buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-5135
Debian Bug : 35

An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in OpenSSL, an implementation of Secure Socket Layer
cryptographic libraries and utilities.  This error could allow an
attacker to crash an application making use of OpenSSL's libssl library,
or potentially execute arbitrary code in the security context of the
user running such an application.

This update to DSA 1379 announces the availability of the libssl0.9.6
and libssl0.9.7 compatibility libraries for sarge (oldstable) and etch
(stable), respectively.

We recommend that you upgrade your openssl097 and openssl096 packages.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge5.dsc
    Size/MD5 checksum: 617 d5c107efd03887064c12ca3f3785eb22
  http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m.orig.tar.gz
    Size/MD5 checksum: 2184918 1b63bfdca1c37837e9f1623498f9
  http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge5.diff.gz
    Size/MD5 checksum: 21639 3a9b336e6f7e1ecdb12b925928bf9061

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_alpha.deb
    Size/MD5 checksum: 1966700 cb66c5de2c58624ce1a066d9f6db108b

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_amd64.deb
    Size/MD5 checksum: 578788 acbc334b7cbf3b154c5bd5516160043d

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_arm.deb
    Size/MD5 checksum: 519050 1f32d009ee447998eb0b7b5d977ec269

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_hppa.deb
    Size/MD5 checksum: 588092 0640e3135183515b1d5739cc35471501

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_i386.deb
    Size/MD5 checksum: 1758424 afcd7f2f3b9ceb67eda7a1b6008af9d1

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_ia64.deb
    Size/MD5 checksum: 815824 e1e0e0e29d2fadaa9126a0f40ef0f7ac

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_mips.deb
    Size/MD5 checksum: 577428 9b2b390a8841638216d14dfb59244486

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_powerpc.deb
    Size/MD5 checksum: 583112 6b926d1b39bc0a83e4f098b873b3f111

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_s390.deb
    Size/MD5 checksum: 603014 698f599a8765889800a62e088674fcf7

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_sparc.deb
    Size/MD5 checksum: 1460366 0e4d599821004ace0bf499fd688a22f1

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch1.dsc
    Size/MD5 checksum: 769 b7a4e535383394c3be009e3a1df09bdd
  http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k.orig.tar.gz
    Size/MD5 checksum: 3292692 be6bba1d67b26eabb48cf1774925416f
  http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch1.diff.gz
    Size/MD5 checksum: 33285 dc2f489812286cecb705f5b77d523a1e

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openssl097/libssl

[Full-disclosure] [SECURITY] [DSA 1379-1] New openssl packages fix arbitrary code execution

2007-10-02 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1379  [EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
October 02, 2007
- 

Package: openssl
Vulnerability  : off-by-one error/buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-5135
Debian Bug : 35

An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in the libssl library from OpenSSL, an implementation of Secure
Socket Layer cryptographic libraries and utilities.  This error could
allow an attacker to crash an application making use of OpenSSL's libssl
library, or potentially execute arbitrary code in the security context
of the user running such an application.

For the stable distribution (etch), this problem has been fixed in
version 0.9.8c-4etch1.  For the old stable distribution (sarge), this
problem has been fixed in version 0.9.7e-3sarge5.  For the unstable and
testing distributions (sid and lenny, respectively), this problem has
been fixed in version 0.9.8e-9.

We recommend that you upgrade your openssl packages.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
    Size/MD5 checksum: 3043231 a8777164bca38d84e5eb2b1535223474
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5.diff.gz
    Size/MD5 checksum: 30634 b64d10acf6285197d3ad8e923883b6d7
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5.dsc
    Size/MD5 checksum: 639 d19d0a6a8faf12e7e2abe6b82409af05

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_alpha.deb
    Size/MD5 checksum: 3342712 38ada0535339d8394a829f22ce835578
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_alpha.udeb
    Size/MD5 checksum: 662280 2e67541092c341c4e26e2d17ad11ccc7
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_alpha.deb
    Size/MD5 checksum: 2449572 a4e4d409db4eb013544112da61b764be
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_alpha.deb
    Size/MD5 checksum: 940288 928194da95c5f7edb570847de437fbf4

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_amd64.deb
    Size/MD5 checksum: 703530 ca501fee744837c951c78959070eea14
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_amd64.deb
    Size/MD5 checksum: 903938 b4c46339201162d467bd46a50c9a0f4e
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_amd64.udeb
    Size/MD5 checksum: 495318 2d10728b8ebfb6fbb4d48bd675f866b8
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_amd64.deb
    Size/MD5 checksum: 2694270 cc856b1fdd41fffc03b867de55ad2b2c

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_arm.deb
    Size/MD5 checksum: 607492 63a3b6d82a8d5dd53aa9201322d5f89d
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_arm.deb
    Size/MD5 checksum: 2559868 0427629ed30efabf0ea0d168a6c9d36e
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_arm.udeb
    Size/MD5 checksum: 410604 6d52b2de602333bcb70306fa2198205e
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_arm.deb
    Size/MD5 checksum: 905292 4b0944650181c97b07abb6e2dcb826a6

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_hppa.udeb
    Size/MD5 checksum: 510404 06fc22d1d0ff5a2c7d36e08d280d4dea
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_hppa.deb
    Size/MD5 checksum: 722886 3db792d32f4709c143cb729721278e6c
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_hppa.deb
    Size/MD5 checksum: 914764 2ce08cb33e5eed3dff1c3e35af46298c
  http://security.debian.org/pool/updates/main/o/op
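
The advisory above (and DSA 1379-2 earlier on this page) names an off-by-one in
a routine that writes a cipher list into a caller-supplied buffer. The following
C program is an added illustration of that bug class, written for this page; it
is not OpenSSL's SSL_get_shared_ciphers() and does not claim to reproduce its
exact logic. The function names join_names_unsafe, join_names_safe,
guard_clobbered and run_scenario, the 16-byte budget and the cipher-name inputs
are all constructed for the example. The vulnerable variant reserves room for
each name but not for the separator or terminator written after it, so a name
that exactly fills the remaining space puts one byte past the end; the hardened
variant checks for the name plus one byte. A guard byte placed just past the
budget makes the single-byte overrun observable without corrupting anything
else.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class named in DSA 1379; not OpenSSL's
 * code. Both functions format cipher names as "a:b:c" into a caller-supplied
 * buffer of `len` bytes (NUL included) and return the number of characters
 * written, not counting the NUL. Names that do not fit are dropped. */

/* Vulnerable variant: the bound check reserves room for the name but not for
 * the ':' (or final NUL) written after it, so a name that exactly fills the
 * remaining space puts one byte at buf[len]. */
int join_names_unsafe(const char **names, int count, char *buf, int len)
{
    char *p = buf;
    int remaining = len;
    for (int i = 0; i < count; i++) {
        int n = (int)strlen(names[i]);
        if (n > remaining)              /* BUG: should require n + 1 bytes */
            break;
        memcpy(p, names[i], (size_t)n);
        p += n;
        *p++ = ':';                     /* can land on buf[len] */
        remaining -= n + 1;
    }
    if (p == buf) {
        if (len > 0)
            buf[0] = '\0';
        return 0;
    }
    p[-1] = '\0';                       /* trailing ':' becomes the NUL */
    return (int)(p - buf) - 1;
}

/* Hardened variant: a name is copied only if it and the byte after it both
 * fit, so `remaining` never goes negative and no write reaches buf[len]. */
int join_names_safe(const char **names, int count, char *buf, int len)
{
    char *p = buf;
    int remaining = len;
    if (len <= 0)
        return 0;
    for (int i = 0; i < count; i++) {
        int n = (int)strlen(names[i]);
        if (n + 1 > remaining)          /* name plus its ':'/NUL must fit */
            break;
        memcpy(p, names[i], (size_t)n);
        p += n;
        *p++ = ':';
        remaining -= n + 1;
    }
    if (p == buf) {
        buf[0] = '\0';
        return 0;
    }
    p[-1] = '\0';
    return (int)(p - buf) - 1;
}

enum { CAP = 16 };
static char last_out[CAP + 1];

/* Runs fn with a CAP-byte budget inside a CAP+1-byte array whose final byte
 * is a guard, so a one-byte overrun is observable without touching any other
 * memory. Returns 1 if the guard was overwritten, 0 otherwise, and leaves the
 * formatted text (cut to CAP bytes) in last_out. */
int guard_clobbered(int (*fn)(const char **, int, char *, int),
                    const char **names, int count)
{
    char mem[CAP + 1];
    memset(mem, 'X', CAP);
    mem[CAP] = 0x7f;                    /* guard byte just past the budget */
    fn(names, count, mem, CAP);
    memcpy(last_out, mem, CAP);
    last_out[CAP] = '\0';
    return mem[CAP] != 0x7f;
}

/* use_safe selects the variant; exact_fit selects an input whose first name
 * is exactly CAP characters long: it fits, but leaves no room for the byte
 * that must follow it. Returns the guard_clobbered result. */
int run_scenario(int use_safe, int exact_fit)
{
    static const char *exact[] = { "ECDHE-RSA-AES128", "RC4-MD5" };
    static const char *fits[]  = { "AES128-SHA", "RC4" };
    return guard_clobbered(use_safe ? join_names_safe : join_names_unsafe,
                           exact_fit ? exact : fits, 2);
}

const char *last_result(void) { return last_out; }

int main(void)
{
    printf("unsafe, exact fit: overrun=%d\n", run_scenario(0, 1));
    printf("safe,   exact fit: overrun=%d result=\"%s\"\n", run_scenario(1, 1), last_result());
    printf("safe,   fits:      overrun=%d result=\"%s\"\n", run_scenario(1, 0), last_result());
    return 0;
}
```

The guard technique is a reviewer's trick for reasoning about such code, not a
runtime defence: the fix is the `n + 1 > remaining` check, which keeps the
invariant that every write, including the final NUL, stays below `len`.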

[Full-disclosure] [SECURITY] [DSA 1301-1] New Gimp packages fix arbitrary code execution

2007-06-10 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1301-1                       [EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
June 09, 2007
- 

Package: gimp
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2007-2356

A buffer overflow has been identified in Gimp's SUNRAS plugin in
versions prior to 2.2.15.  This bug could allow an attacker to execute
arbitrary code on the victim's computer by inducing the victim to open a
specially crafted RAS file.

For the stable distribution (etch), this problem has been fixed in
version 2.2.13-1etch1.

For the old stable distribution (sarge), this problem has been fixed in
version 2.2.6-1sarge2.

For the unstable and testing distributions (sid and lenny,
respectively), this problem has been fixed in version 2.2.14-2.

We recommend that you upgrade your gimp package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/g/gimp/gimp_2.2.6-1sarge2.dsc
    Size/MD5 checksum: 1089 9f0ff14c63a26b17cc2aa1c2808b6960
  http://security.debian.org/pool/updates/main/g/gimp/gimp_2.2.6.orig.tar.gz
    Size/MD5 checksum: 20496404 a6450200858c59bb46ace6987f1fc6ee
  http://security.debian.org/pool/updates/main/g/gimp/gimp_2.2.6-1sarge2.diff.gz
    Size/MD5 checksum: 26637 8db2f51aa0871e876a640b756efa6fd0

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/gimp/libgimp2.0-doc_2.2.6-1sarge2_all.deb
    Size/MD5 checksum: 515026 72e655e559efb9e315f17bc40ea700cb
  http://security.debian.org/pool/updates/main/g/gimp/gimp1.2_2.2.6-1sarge2_all.deb
    Size/MD5 checksum: 31716 59f1369bf3b5f3a657a31a519a2b2b98
  http://security.debian.org/pool/updates/main/g/gimp/gimp-data_2.2.6-1sarge2_all.deb
    Size/MD5 checksum: 6276804 664c9f5fc20b10abc24294c451dc60cd

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/g/gimp/gimp-helpbrowser_2.2.6-1sarge2_alpha.deb
    Size/MD5 checksum: 45218 9a0125772861f9eb5922ad69607d7c18
  http://security.debian.org/pool/updates/main/g/gimp/gimp-svg_2.2.6-1sarge2_alpha.deb
    Size/MD5 checksum: 45018 9943a8932e50fe0fbd33aa14d75ee3a4
  http://security.debian.org/pool/updates/main/g/gimp/libgimp2.0_2.2.6-1sarge2_alpha.deb
    Size/MD5 checksum: 577002 4e230c3282c9f772b8c33a23cb46
  http://security.debian.org/pool/updates/main/g/gimp/gimp_2.2.6-1sarge2_alpha.deb
    Size/MD5 checksum: 3889798 638388ab91a57000152518556eec785e
  http://security.debian.org/pool/updates/main/g/gimp/gimp-python_2.2.6-1sarge2_alpha.deb
    Size/MD5 checksum: 127074 e8002ab5a7c931a4363d85e415ef6a72
  http://security.debian.org/pool/updates/main/g/gimp/libgimp2.0-dev_2.2.6-1sarge2_alpha.deb
    Size/MD5 checksum: 99030 e522c07d737d0024f4eb08861e90240f

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/g/gimp/gimp-helpbrowser_2.2.6-1sarge2_amd64.deb
    Size/MD5 checksum: 43760 a876daebc8d5635bc5a9f6a5136b20ff
  http://security.debian.org/pool/updates/main/g/gimp/gimp-svg_2.2.6-1sarge2_amd64.deb
    Size/MD5 checksum: 43502 39f9b1c77aaf7c9151b9078fa623086e
  http://security.debian.org/pool/updates/main/g/gimp/libgimp2.0_2.2.6-1sarge2_amd64.deb
    Size/MD5 checksum: 543874 5000b6a2a7681b1d9ded45f989085c92
  http://security.debian.org/pool/updates/main/g/gimp/gimp_2.2.6-1sarge2_amd64.deb
    Size/MD5 checksum: 3266170 aa057b49433068ce11ae9de639f394ff
  http://security.debian.org/pool/updates/main/g/gimp/gimp-python_2.2.6-1sarge2_amd64.deb
    Size/MD5 checksum: 122058 37e7d984215b57fdf7acf12a73ae2b09
  http://security.debian.org/pool/updates/main/g/gimp/libgimp2.0-dev_2.2.6-1sarge2_amd64.deb
    Size/MD5 checksum: 98288 99fffa020fa1b0b671726eba9f83e9ad

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/g/gimp/gimp-helpbrowser_2.2.6-1sarge2_arm.deb
    Size/MD5 checksum: 41970 27af0aaa21d12ec6c2651b33b073e701
  http://security.debian.org/pool/updates/main/g/gimp/libgimp2.0-dev_2.2.6-1sarge2_arm.deb
    Size/MD5 checksum: 98466 16ff6d95511b24840ae7ce364d936d07
  http://security.debian.org/pool/updates/m

[Full-disclosure] [SECURITY] [DSA 1281-2] New clamav packages fix denial of service vulnerability

2007-05-21 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1281-2                       [EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
May 21, 2007
- 

Package: clamav
Vulnerability  : file descriptor leak
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-2029
BugTraq ID : 23656

On 25 April, the Debian Security Team released clamav 0.90.1-3etch1, an update
to the Clam anti-virus toolkit, to address several vulnerabilities.
Unfortunately, there was an error in the updated packages and CVE-2007-2029, a
file descriptor leak in the PDF document handler, was not properly fixed in
Debian 4.0 (etch) or the Debian testing distribution (lenny).

This problem has been fixed in version 0.90.1-3etch2 for Debian 4.0 (etch).
The problem will be fixed in testing (lenny) in version
clamav_0.90.1-3.1lenny2, to be released via the testing-security channel, as
soon as possible.  Other versions of Debian are not affected.

We recommend that you upgrade your clamav packages.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1.orig.tar.gz
    Size/MD5 checksum: 11643310 cd11c05b5476262eaea4fa3bd7dc25bf
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch2.diff.gz
    Size/MD5 checksum: 202678 b69d5dd04efa34a1b5d754d00d02325a
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch2.dsc
    Size/MD5 checksum: 886 8ea6dec6430464f80367174cbf1522ee

Architecture independent packages:

  http://security.debian.org/pool/updates/main/c/clamav/clamav-base_0.90.1-3etch2_all.deb
    Size/MD5 checksum: 200024 399e614261bcf6fc11f9d8cb1f31aa36
  http://security.debian.org/pool/updates/main/c/clamav/clamav-docs_0.90.1-3etch2_all.deb
    Size/MD5 checksum: 1005888 07cf61246264a02b5f3f75b712dc352f
  http://security.debian.org/pool/updates/main/c/clamav/clamav-testfiles_0.90.1-3etch2_all.deb
    Size/MD5 checksum: 157450 84cfbe25cbb8f43f84d3e7608dd1ff00

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1-3etch2_alpha.deb
    Size/MD5 checksum: 405598 e89e635ca763a960a2b9641034cffe1f
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch2_alpha.deb
    Size/MD5 checksum: 863126 be2975967f9abcad74ac30ad1a7b4ecc
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1-3etch2_alpha.deb
    Size/MD5 checksum: 509806 596fb241736d8336811f5631ef922937
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1-3etch2_alpha.deb
    Size/MD5 checksum: 184282 678347363c2723c9562aa7e5edda23fe
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1-3etch2_alpha.deb
    Size/MD5 checksum: 643780 d44e46beb7ed21b5f423cc40d93feae9
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1-3etch2_alpha.deb
    Size/MD5 checksum: 9303354 954ef0ff1af4fbafdf32d0230edf6d79
  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1-3etch2_alpha.deb
    Size/MD5 checksum: 179444 d066c1c6f9d1b738abba4150ecfbe3ef

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1-3etch2_amd64.deb
    Size/MD5 checksum: 176536 3b19c1bfabe694d90a047232a3cb21ea
  http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1-3etch2_amd64.deb
    Size/MD5 checksum: 178048 1d2d279449991d196c0444502fd05e7a
  http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1-3etch2_amd64.deb
    Size/MD5 checksum: 637530 8914446075225de9dc8c97dd16b83acd
  http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch2_amd64.deb
    Size/MD5 checksum: 856120 96322f73a53bc97b115ee7fcbfb3560e
  http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1-3etch2_amd64.deb
    Size/MD5 checksum: 366656 ff2956673dbbb4a62e5ab9153a80a9cf
  http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1-3etch2_amd64.deb
    Size/MD5 checksum: 385832 56bd5d5f8a4b2a1241c109d88d3b4279
  http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1

[Full-disclosure] [SECURITY] [DSA 1291-2] New samba packages fix multiple vulnerabilities

2007-05-17 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1291-2                       [EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
May 15, 2007
- 

Package: samba
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-2446 CVE-2007-2447

This update to DSA-1291 covers the old stable version of Debian, 3.1
(sarge).  The current stable distribution, 4.0 (etch) was updated
previously.

Several issues have been identified in Samba, the SMB/CIFS
file- and print-server implementation for GNU/Linux.

CVE-2007-2446
Various bugs in Samba's NDR parsing can allow a user to send specially
crafted MS-RPC requests that will overwrite the heap space with user
defined data.

CVE-2007-2447
Unescaped user input parameters are passed as arguments to /bin/sh
allowing for remote command execution.

For the old stable distribution (sarge), these problems have been fixed
in version 3.0.14a-3sarge6.

We recommend that you upgrade your samba package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge6.diff.gz
    Size/MD5 checksum: 122946 4f8326351368c07b9ff7e4925f65bc64
  http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a.orig.tar.gz
    Size/MD5 checksum: 15605851 ebee37e66a8b5f6fd328967dc09088e8
  http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge6.dsc
    Size/MD5 checksum: 1081 c3bcc5438c9dc922f5ac9bc75bf825cb

Architecture independent packages:

  http://security.debian.org/pool/updates/main/s/samba/samba-doc_3.0.14a-3sarge6_all.deb
    Size/MD5 checksum: 12117076 75895a83ad2be113b383bdf4d5f16c24

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 3128680 fdc226d93c10ffb386b3c9bcff83314e
  http://security.debian.org/pool/updates/main/s/samba/smbclient_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 3251018 e3eb57b061d45bc4fd20083292cf2075
  http://security.debian.org/pool/updates/main/s/samba/samba-dbg_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 20269380 bf7af04d9d769277c42e004fafd908a1
  http://security.debian.org/pool/updates/main/s/samba/python2.3-samba_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 5237292 ca9d898183187b3db37131b8be456c65
  http://security.debian.org/pool/updates/main/s/samba/libsmbclient_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 659878 4b35df8ced7e2aea0080c1aed7c0f9eb
  http://security.debian.org/pool/updates/main/s/samba/swat_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 4223662 5401c52bda1aee10d4c919b794c69f9a
  http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 1015318 dadfd640543ef97d00b438d2e6c6cab9
  http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 402080 6025f427e4f2079a9a3c0d38ccff2590
  http://security.debian.org/pool/updates/main/s/samba/samba-common_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 2408536 f3dc91c30a136ccc0258fb46717d1100
  http://security.debian.org/pool/updates/main/s/samba/smbfs_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 459420 47640a2054996e789d30e4b87bd89dfe
  http://security.debian.org/pool/updates/main/s/samba/winbind_3.0.14a-3sarge6_alpha.deb
    Size/MD5 checksum: 1824256 c8318790e5753f909c1357077a1aa9e7

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/samba/smbfs_3.0.14a-3sarge6_amd64.deb
    Size/MD5 checksum: 410744 71f863e69b711158d0554b9ab0bdea91
  http://security.debian.org/pool/updates/main/s/samba/samba-common_3.0.14a-3sarge6_amd64.deb
    Size/MD5 checksum: 2194602 d7fdf1b2bbc022c2c28f2fc144150423
  http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge6_amd64.deb
    Size/MD5 checksum: 2809708 1c458a57b0d71ce87c351604b1b09a56
  http://security.debian.org/pool/updates/main/s/samba/smbclient_3.0.14a-3sarge6_amd64.deb
    Size/MD5 checksum: 2867578 6fe353c5220415d216c226752380ad92
  http://security.debian.org/pool/updates/main/s/samba/python2.3-samba_3.0.14a-3sarge6_

[Full-disclosure] [SECURITY] [DSA 1292-1] New qt4-x11 packages fix cross-site scripting vulnerability

2007-05-15 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1292-1                       [EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
May 15, 2007
- 

Package: qt4-x11
Vulnerability  : missing input validation
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2007-0242
BugTraq ID : 23269
Debian Bug : 417391

Andreas Nolden discovered a bug in the UTF8 decoding routines in
qt4-x11, a C++ GUI library framework, that could allow remote
attackers to conduct cross-site scripting (XSS) and directory
traversal attacks via long sequences that decode to dangerous
metacharacters.

For the stable distribution (etch), this problem has been fixed in version
4.2.1-2etch1.

For the testing and unstable distribution (lenny and sid, respectively),
this problem has been fixed in version 4.2.2-2.

We recommend that you upgrade your qt4-x11 package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/q/qt4-x11/qt4-x11_4.2.1-2etch1.dsc
    Size/MD5 checksum: 1390 4c2ac9fc65dc3d31b90473d7ec038f1f
  http://security.debian.org/pool/updates/main/q/qt4-x11/qt4-x11_4.2.1.orig.tar.gz
    Size/MD5 checksum: 37069122 2ab1c88084f55b94809f025a8503bf18
  http://security.debian.org/pool/updates/main/q/qt4-x11/qt4-x11_4.2.1-2etch1.diff.gz
    Size/MD5 checksum: 22806 26c69455f8d09fffdfb9413a18f69174

Architecture independent packages:

  http://security.debian.org/pool/updates/main/q/qt4-x11/qt4-doc_4.2.1-2etch1_all.deb
    Size/MD5 checksum: 21219244 450031c80fd48650103cb7dfb72ea4d3

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-core_4.2.1-2etch1_alpha.deb
    Size/MD5 checksum: 1275656 9881f80acbf96bd8279b1ea27bd01486
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-qt3support_4.2.1-2etch1_alpha.deb
    Size/MD5 checksum: 1382940 c69e58cc57b87c77332d21f9b8325f94
  http://security.debian.org/pool/updates/main/q/qt4-x11/qt4-dev-tools_4.2.1-2etch1_alpha.deb
    Size/MD5 checksum: 804814 bdda30be03d1c5cda09caf4c3b7e8803
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-sql_4.2.1-2etch1_alpha.deb
    Size/MD5 checksum: 354964 14a3d2e028391002861dc94d448880b4
  http://security.debian.org/pool/updates/main/q/qt4-x11/qt4-qtconfig_4.2.1-2etch1_alpha.deb
    Size/MD5 checksum: 99652 99eddea5a7be2cfccff4689955ebe7b4
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-debug_4.2.1-2etch1_alpha.deb
    Size/MD5 checksum: 57674544 824c85f2ab97e6f480d60730e7244e13
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-dev_4.2.1-2etch1_alpha.deb
    Size/MD5 checksum: 4784924 76f7f0e56ad72818a905ce5f6eaf55f0
  http://security.debian.org/pool/updates/main/q/qt4-x11/qt4-designer_4.2.1-2etch1_alpha.deb
    Size/MD5 checksum: 1105144 274482c1b490076e2f05c758ec4dc495
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-gui_4.2.1-2etch1_alpha.deb
    Size/MD5 checksum: 4983572 1805e33b31231fea005abf49c40f3f59

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/q/qt4-x11/qt4-designer_4.2.1-2etch1_amd64.deb
    Size/MD5 checksum: 1060908 d1132452139c18dd3d2ac96608a4c8f0
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-gui_4.2.1-2etch1_amd64.deb
    Size/MD5 checksum: 4450316 a4c5af2560005fe85390c54f26118364
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-qt3support_4.2.1-2etch1_amd64.deb
    Size/MD5 checksum: 1218820 98d8ef5491e28a96d4ce1e1392341819
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-dev_4.2.1-2etch1_amd64.deb
    Size/MD5 checksum: 4289826 072954140ccc4baa4869479f52a22d54
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-sql_4.2.1-2etch1_amd64.deb
    Size/MD5 checksum: 314114 3c4fbf8805f823cce3a19663749ce28f
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-debug_4.2.1-2etch1_amd64.deb
    Size/MD5 checksum: 57719944 6623d3a7b981512c9ade3377d56f1293
  http://security.debian.org/pool/updates/main/q/qt4-x11/libqt4-core_4.2.1-2etch1_amd64.deb
    Size/MD5 checksum: 1149424 77f92b9998c9e72cd55be91743a98b74
  http://security.debian.org/pool
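
The qt4-x11 advisory above describes UTF-8 decoding that accepted sequences
decoding to dangerous metacharacters. The classic form of that problem is the
"overlong" encoding: a code point written with more bytes than the shortest
form allows, for example C0 AF for '/' or C0 BC for '<', which slips past a
byte-level filter and only turns into the metacharacter after decoding. The
program below is an added example written for this page; it is not Qt's
decoder and the function names utf8_decode, decode2, count_decoded_meta and
utf8_first_invalid, as well as the SAMPLE input, are constructed for it. The
same decoder runs in a lenient mode (structure only, the behaviour the advisory
warns about) and a strict mode that rejects overlong forms, surrogates and
values above U+10FFFF, which is the check an input-validation layer should
apply before path or markup handling sees the text.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed illustration for the bug class in DSA 1292; not Qt's code.
 * Reads one UTF-8 sequence from s (n bytes available) into *cp and returns
 * its length (1..4), or 0 for malformed input. In strict mode non-shortest
 * ("overlong") forms, UTF-16 surrogates and values above U+10FFFF are also
 * rejected; in lenient mode only the byte pattern is checked, which is what
 * lets C0 AF come out as '/' and C0 BC as '<'. */
int utf8_decode(const unsigned char *s, size_t n, uint32_t *cp, int strict)
{
    int len;
    uint32_t v, min;
    if (n == 0)
        return 0;
    if (s[0] < 0x80) {                          /* plain ASCII */
        *cp = s[0];
        return 1;
    }
    if ((s[0] & 0xE0) == 0xC0)      { len = 2; v = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; v = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; v = s[0] & 0x07; min = 0x10000; }
    else return 0;                              /* stray 10xxxxxx or F8..FF */
    if (n < (size_t)len)
        return 0;                               /* truncated sequence */
    for (int i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;                           /* not a continuation byte */
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (strict) {
        if (v < min)                            /* overlong form */
            return 0;
        if ((v >= 0xD800 && v <= 0xDFFF) || v > 0x10FFFF)
            return 0;
    }
    *cp = v;
    return len;
}

/* Two-byte convenience wrapper: the decoded code point, or -1 if rejected. */
long decode2(unsigned char b0, unsigned char b1, int strict)
{
    unsigned char s[2] = { b0, b1 };
    uint32_t cp;
    return utf8_decode(s, 2, &cp, strict) == 2 ? (long)cp : -1;
}

/* Counts decoded code points equal to `meta` (e.g. '/' or '<') across a
 * buffer; malformed bytes are skipped one at a time. Compares what a lenient
 * consumer "sees" with what a strict one does. */
int count_decoded_meta(const unsigned char *s, size_t n, uint32_t meta, int strict)
{
    int hits = 0;
    for (size_t i = 0; i < n; ) {
        uint32_t cp;
        int len = utf8_decode(s + i, n - i, &cp, strict);
        if (len == 0) { i++; continue; }
        if (cp == meta) hits++;
        i += (size_t)len;
    }
    return hits;
}

/* Validation entry point: -1 if every sequence is well formed under strict
 * rules, else the byte offset of the first rejected sequence. */
long utf8_first_invalid(const unsigned char *s, size_t n)
{
    for (size_t i = 0; i < n; ) {
        uint32_t cp;
        int len = utf8_decode(s + i, n - i, &cp, 1);
        if (len == 0)
            return (long)i;
        i += (size_t)len;
    }
    return -1;
}

/* Constructed sample: "a", the overlong two-byte encoding of '/', "b". */
const unsigned char SAMPLE[] = { 'a', 0xC0, 0xAF, 'b' };
#define SAMPLE_LEN (sizeof SAMPLE)

int main(void)
{
    printf("lenient decoder sees %d '/'\n", count_decoded_meta(SAMPLE, SAMPLE_LEN, '/', 0));
    printf("strict decoder sees  %d '/'\n", count_decoded_meta(SAMPLE, SAMPLE_LEN, '/', 1));
    printf("first invalid offset (strict): %ld\n", utf8_first_invalid(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

The point of the `v < min` comparison is that each leading-byte class has a
smallest code point it may legitimately carry; anything below it has a shorter
encoding and is rejected outright rather than normalised, so the text a later
filter inspects is the same text the application will act on.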

[Full-disclosure] [SECURITY] [DSA 1291-1] New samba packages fix multiple vulnerabilities

2007-05-15 Thread Noah Meyerhans
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1291-1                       [EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
May 15, 2007
- 

Package: samba
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-2444 CVE-2007-2446 CVE-2007-2447

Several issues have been identified in Samba, the SMB/CIFS
file- and print-server implementation for GNU/Linux.

CVE-2007-2444
When translating SIDs to/from names using Samba's local list of user and
group accounts, a logic error in the smbd daemon's internal security
stack may result in a transition to the root user id rather than the
non-root user.  The user is then able to temporarily issue SMB/CIFS
protocol operations as the root user.  This window of opportunity may
allow the attacker to establish additional means of gaining root access to
the server.

CVE-2007-2446
Various bugs in Samba's NDR parsing can allow a user to send specially
crafted MS-RPC requests that will overwrite the heap space with user
defined data.

CVE-2007-2447
Unescaped user input parameters are passed as arguments to /bin/sh
allowing for remote command execution.

For the stable distribution (etch), these problems have been fixed in
version 3.0.24-6etch1.

For the testing and unstable distributions (lenny and sid,
respectively), these problems have been fixed in version 3.0.25-1.

We recommend that you upgrade your samba package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/s/samba/samba_3.0.24-6etch1.dsc
Size/MD5 checksum: 1425 04c3ba2544a4dba0e23748697bbcb93c
  http://security.debian.org/pool/updates/main/s/samba/samba_3.0.24.orig.tar.gz
Size/MD5 checksum: 17708128 89273f67a6d8067cbbecefaa13747153
  
http://security.debian.org/pool/updates/main/s/samba/samba_3.0.24-6etch1.diff.gz
Size/MD5 checksum:   209279 01a1d7d0cb1afcb8cff7da5937c72318

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/s/samba/samba-doc_3.0.24-6etch1_all.deb
Size/MD5 checksum:  6913100 ad2bda3c198d48346696f83dcc44a919
  
http://security.debian.org/pool/updates/main/s/samba/samba-doc-pdf_3.0.24-6etch1_all.deb
Size/MD5 checksum:  6598732 ae5dd6f0ee9ede4135507778fe939c5b

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/s/samba/samba-dbg_3.0.24-6etch1_alpha.deb
Size/MD5 checksum: 12298820 361c9a38d1601d5f40b5999712b421ce
  
http://security.debian.org/pool/updates/main/s/samba/smbclient_3.0.24-6etch1_alpha.deb
Size/MD5 checksum:  4845328 6cadfc3b139943f558066c08737d43f6
  
http://security.debian.org/pool/updates/main/s/samba/winbind_3.0.24-6etch1_alpha.deb
Size/MD5 checksum:  2286174 f020a21acc276108270b364574635bff
  
http://security.debian.org/pool/updates/main/s/samba/libsmbclient_3.0.24-6etch1_alpha.deb
Size/MD5 checksum:   879246 cd710df2be2d347a3a57d4aeb3e538e0
  
http://security.debian.org/pool/updates/main/s/samba/python-samba_3.0.24-6etch1_alpha.deb
Size/MD5 checksum:  6705430 2b66a4a7d2e202592af3e76143246085
  
http://security.debian.org/pool/updates/main/s/samba/swat_3.0.24-6etch1_alpha.deb
Size/MD5 checksum:   956068 c78ed74384834b23fc0cdb744eae6ca4
  
http://security.debian.org/pool/updates/main/s/samba/smbfs_3.0.24-6etch1_alpha.deb
Size/MD5 checksum:   521138 be541e59b60bbaf52cb410ae77afe8a9
  
http://security.debian.org/pool/updates/main/s/samba/samba_3.0.24-6etch1_alpha.deb
Size/MD5 checksum:  4000850 42c314e7c7baa6713e34fff690b94b63
  
http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_3.0.24-6etch1_alpha.deb
Size/MD5 checksum:   482750 962077ae64d617de90980ca7536844e2
  
http://security.debian.org/pool/updates/main/s/samba/samba-common_3.0.24-6etch1_alpha.deb
Size/MD5 checksum:  2841098 0b9e462523e6e5deb926833b64738751
  
http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_3.0.24-6etch1_alpha.deb
Size/MD5 checksum:   113804 2596db0188695f092541f23d5e702842

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/s/samba/samba-common_3.0.24-6etch1_amd64.deb
Size/MD5 checksum:  2596718 117b0b1a3193555a92616ee3ff0da8

[Full-disclosure] [SECURITY] [DSA 1287-1] New ldap-account-manager packages fix multiple vulnerabilities

2007-05-08 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1287-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
May 07, 2007
- 

Package: ldap-account-manager (0.4.9-2sarge1)
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2006-7191 CVE-2007-1840
Debian Bug : 415379

Two vulnerabilities have been identified in the version of
ldap-account-manager shipped with Debian 3.1 (sarge).

CVE-2006-7191
An untrusted PATH vulnerability could allow a local attacker to execute
arbitrary code with elevated privileges by providing a malicious rm
executable and specifying a PATH environment variable referencing this
executable.

CVE-2007-1840
Improper escaping of HTML content could allow an attacker to execute a
cross-site scripting attack (XSS) and execute arbitrary code in the
victim's browser in the security context of the affected web site.

For the old stable distribution (sarge), this problem has been fixed in
version 0.4.9-2sarge1.  Newer versions of Debian (etch, lenny, and sid),
are not affected.

We recommend that you upgrade your ldap-account-manager package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/l/ldap-account-manager/ldap-account-manager_0.4.9-2sarge1.dsc
Size/MD5 checksum:  629 e35751aee6f3d2658caa7f7e605b7c69
  
http://security.debian.org/pool/updates/main/l/ldap-account-manager/ldap-account-manager_0.4.9-2sarge1.diff.gz
Size/MD5 checksum:12059 4c853e7304c431d7da29e8988bafff7a
  
http://security.debian.org/pool/updates/main/l/ldap-account-manager/ldap-account-manager_0.4.9.orig.tar.gz
Size/MD5 checksum:   423988 6478d91210dbf13c9d49b7aa1a971be1

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/l/ldap-account-manager/ldap-account-manager_0.4.9-2sarge1_all.deb
Size/MD5 checksum:   408360 47e7959aedbc6f62a3c266708d8208a8


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGPzdXYrVLjBFATsMRAhJLAJ9eZzohQdNCeDjj6WlZ3U82AUiEEACePhHm
JkkfWaNRbI9NDrCPGvaRCak=
=TTks
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

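The untrusted PATH issue described for CVE-2006-7191 above is a general pattern: a privileged program that invokes a helper such as rm by bare name lets whoever controls PATH decide which executable runs. The shell example below is added here and is not code from the advisory or from ldap-account-manager. It puts the vulnerable pattern (a bare `rm` resolved through the caller's PATH) beside the hardened one (the helper resolved from a fixed trusted path and confirmed to live in one of its directories), then demonstrates both against a constructed directory placed first in PATH that holds a harmless stub named `rm` (it only exits with status 3). The trusted path value, the function names and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory or from ldap-account-manager.
# Defensive handling of the untrusted-PATH pattern behind CVE-2006-7191:
# resolve helper programs from a fixed trusted path, never from the PATH
# inherited from the caller.

# Constructed trusted search path; adjust to the real system layout.
TRUSTED_PATH=/usr/sbin:/usr/bin:/sbin:/bin

# resolve_trusted NAME
#   Prints the absolute path of NAME as found under TRUSTED_PATH only and
#   confirms its directory is one of the trusted entries. Returns 1 if
#   NAME is missing there or does not resolve to an absolute path.
resolve_trusted() {
    name=$1
    found=$(PATH=$TRUSTED_PATH; export PATH; command -v "$name" 2>/dev/null) || return 1
    case $found in
        /*) ;;          # absolute path: acceptable
        *)  return 1 ;; # builtin, alias or relative name: reject
    esac
    dir=${found%/*}
    old_ifs=$IFS
    IFS=:
    for d in $TRUSTED_PATH; do
        if [ "$d" = "$dir" ]; then
            IFS=$old_ifs
            printf '%s\n' "$found"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# naive_remove FILE  -- the vulnerable pattern: bare "rm" from the caller's PATH.
naive_remove() {
    rm -f -- "$1"
}

# safe_remove FILE   -- the hardened pattern: rm resolved from TRUSTED_PATH.
safe_remove() {
    rm_bin=$(resolve_trusted rm) || { echo "rm not found under trusted path" >&2; return 1; }
    "$rm_bin" -f -- "$1"
}

# demo: a caller-controlled directory is put first in PATH, holding a stub
# named "rm" that only exits with status 3 (a stand-in for the untrusted
# executable the advisory describes). naive_remove runs the stub and the
# file survives; safe_remove ignores PATH and removes the file.
# Returns 0 when both observations hold.
demo() {
    tmpdir=$(mktemp -d) || return 1
    mkdir "$tmpdir/bin"
    printf '#!/bin/sh\nexit 3\n' > "$tmpdir/bin/rm"
    chmod +x "$tmpdir/bin/rm"
    : > "$tmpdir/victim"

    naive_status=0
    ( PATH="$tmpdir/bin:$PATH"; export PATH; naive_remove "$tmpdir/victim" ) || naive_status=$?
    [ -e "$tmpdir/victim" ] && naive_left_file=1 || naive_left_file=0

    safe_status=0
    ( PATH="$tmpdir/bin:$PATH"; export PATH; safe_remove "$tmpdir/victim" ) || safe_status=$?
    [ -e "$tmpdir/victim" ] && safe_left_file=1 || safe_left_file=0

    /bin/rm -rf "$tmpdir"
    echo "naive: status=$naive_status file_left=$naive_left_file"
    echo "safe:  status=$safe_status file_left=$safe_left_file"
    [ "$naive_status" -ne 0 ] && [ "$naive_left_file" -eq 1 ] &&
        [ "$safe_status" -eq 0 ] && [ "$safe_left_file" -eq 0 ]
}

demo
```

Resetting PATH to a constant at the top of any setuid or otherwise privileged script achieves the same effect for every helper at once; `resolve_trusted` is the per-helper form of that rule and doubles as a check that a resolved path really sits in a system directory rather than somewhere a local user can write.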

[Full-disclosure] [SECURITY] [DSA 1285-1] New wordpress packages fix multiple vulnerabilities

2007-05-01 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1285-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
May 01, 2007
- 

Package: wordpress
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897

CVE-2007-1622
Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in
WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series,
allows remote authenticated users with theme privileges to inject
arbitrary web script or HTML via the PATH_INFO in the administration
interface, related to loose regular expression processing of PHP_SELF.

CVE-2007-1893
WordPress 2.1.2, and probably earlier, allows remote authenticated
users with the contributor role to bypass intended access restrictions
and invoke the publish_posts functionality, which can be used to
"publish a previously saved post."

CVE-2007-1894
Cross-site scripting (XSS) vulnerability in
wp-includes/general-template.php in WordPress before 20070309 allows
remote attackers to inject arbitrary web script or HTML via the year
parameter in the wp_title function.

CVE-2007-1897
SQL injection vulnerability in xmlrpc.php in WordPress 2.1.2, and
probably earlier, allows remote authenticated users to execute
arbitrary SQL commands via a string parameter value in an XML RPC
mt.setPostCategories method call, related to the post_id variable.

For the stable distribution (etch) these issues have been fixed in
version 2.0.10-1.

For the testing and unstable distributions (lenny and etch,
respectively), these issues have been fixed in version 2.1.3-1

We recommend that you upgrade your wordpress package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1.diff.gz
Size/MD5 checksum: 8967 a9975366a65611eb333557603ca18b00
  
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz
Size/MD5 checksum:   520314 e9d5373b3c6413791f864d56b473dd54
  
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1.dsc
Size/MD5 checksum:  561 baaa9fd3c5e532e30043b8a2a11be6aa

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1_all.deb
Size/MD5 checksum:   529582 369bb4778790a5b3aa79584bcc7ea8ec


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGN4CZYrVLjBFATsMRAlJzAJ9HIb9tpJ6Sid9eIRytA5gBsvRuXQCfQ+Rw
/lDGH8WS6Jd/lwTCdkhfUnY=
=ep3v
-END PGP SIGNATURE-


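Each advisory above publishes a "Size/MD5 checksum" line for every file so that what `wget url` fetched can be checked before `dpkg -i file.deb` installs it. The shell example below is added here and is not code from the advisory or from Debian's tooling; it verifies a downloaded file against an expected size and MD5 digest and reports a mismatch before any install step. The sample file and its digest are constructed inline (the 6-byte string "hello" plus newline); MD5 is used only because that is what these advisories publish, and the same function shape applies to any stronger digest an archive offers.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Debian's tooling.
# Checks a fetched file against the Size/MD5 line an advisory publishes
# before the file is handed to dpkg -i.

# md5_of FILE: print the hex MD5 of FILE using whichever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no md5 tool available" >&2
        return 1
    fi
}

# verify_package FILE EXPECTED_SIZE EXPECTED_MD5
#   Returns 0 only if FILE exists, has exactly EXPECTED_SIZE bytes and its
#   MD5 equals EXPECTED_MD5 (compared case-insensitively). Size is checked
#   first so a truncated or padded download is rejected before hashing.
verify_package() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" -ne "$want_size" ]; then
        echo "size mismatch for $file: have $have_size, want $want_size" >&2
        return 1
    fi
    have_md5=$(md5_of "$file") || return 1
    have_md5=$(printf '%s' "$have_md5" | tr 'A-F' 'a-f')
    want_md5=$(printf '%s' "$want_md5" | tr 'A-F' 'a-f')
    if [ "$have_md5" != "$want_md5" ]; then
        echo "md5 mismatch for $file: have $have_md5, want $want_md5" >&2
        return 1
    fi
    return 0
}

# demo: constructed sample "download" whose size (6 bytes) and MD5 are
# known. Returns 0 if the intact copy verifies and a copy with one byte
# changed (same size, so only the digest catches it) is rejected.
demo() {
    tmpdir=$(mktemp -d) || return 1
    good_md5=b1946ac92492d2347c6235b4d2611184   # constructed: MD5 of "hello\n"
    printf 'hello\n' > "$tmpdir/pkg.deb"
    ok=0
    verify_package "$tmpdir/pkg.deb" 6 "$good_md5" || ok=$?
    printf 'hellO\n' > "$tmpdir/pkg.deb"
    tampered=0
    verify_package "$tmpdir/pkg.deb" 6 "$good_md5" 2>/dev/null || tampered=$?
    rm -rf "$tmpdir"
    echo "intact copy verified: $ok (0 = yes); tampered copy rejected: $tampered (non-zero = yes)"
    [ "$ok" -eq 0 ] && [ "$tampered" -ne 0 ]
}

demo
```

In practice the call is `verify_package wordpress_2.0.10-1_all.deb 529582 369bb4778790a5b3aa79584bcc7ea8ec && dpkg -i wordpress_2.0.10-1_all.deb`, taking the size and digest straight from the advisory's listing rather than from the download location.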

[Full-disclosure] [SECURITY] [DSA 1278-1] New man-db packages fix arbitrary code execution

2007-04-06 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1278-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
April 06, 2007
- 

Package: man-db
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2006-4250

A buffer overflow has been discovered in the man command that could
allow an attacker to execute code as the man user by providing
specially crafted arguments to the -H flag.  This is likely to be an
issue only on machines with the man and mandb programs installed
setuid.

For the stable distribution (sarge), this problem has been fixed in
version 2.4.2-21sarge1

For the upcoming stable distribution (etch) and the unstable
distribution (sid), this problem has been fixed in version 2.4.3-5.

We recommend that you upgrade your man-db package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2.orig.tar.gz
Size/MD5 checksum:   730134 15855f899a76aa302c83ffec81526ab4
  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1.dsc
Size/MD5 checksum:  673 add0d09882262adb0cbbde6845af0fbb
  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1.diff.gz
Size/MD5 checksum:   104832 c5befcaee1865b8582d7bbe8ac21f537

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_alpha.deb
Size/MD5 checksum:   641194 92131ea27cf1f17fcdaaea36accfa930

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_amd64.deb
Size/MD5 checksum:   607660 464ca88aca62d8cd8ee84072993ce0f7

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_arm.deb
Size/MD5 checksum:   559372 1d5563046ce831b2b7088caa044694de

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_hppa.deb
Size/MD5 checksum:   609530 efa1144900b1ee014dd93eb5fb1bf223

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_i386.deb
Size/MD5 checksum:   579774 feb44785cde0c8f64cd22f35aa674ab8

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_ia64.deb
Size/MD5 checksum:   687208 1400e1e708ec327de4517557de51eca3

m68k architecture (Motorola Mc680x0)

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_m68k.deb
Size/MD5 checksum:   544688 d9bd8753aeaf7ceaa7ff29903085ca33

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_mips.deb
Size/MD5 checksum:   609644 b8cc5d9b03e70a2bf671983a31d858ba

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_mipsel.deb
Size/MD5 checksum:   611036 6e3cf522a309f85ce579d1985c83

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_powerpc.deb
Size/MD5 checksum:   602320 05dac7703f16fde62ecf61f07e8ecf97

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_s390.deb
Size/MD5 checksum:   600014 a9d162c3c25869260895ada582042e95

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/m/man-db/man-db_2.4.2-21sarge1_sparc.deb
Size/MD5 checksum:   574580 ee5ab4089c0ff87d3f976f82b4e01c27


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGFnWEYrVLjBFATsMRAizAAJwNWOX6b/I9bOvi86BTyNPAqELANwCeNO0g
zGPcBBT57zwIUmbSHllvZbE=

[Full-disclosure] [SECURITY] [DSA 1277-1] New XMMS packages fix arbitrary code execution

2007-04-04 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1277-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
April 04, 2007
- 

Package: xmms
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2007-0654 CVE-2007-0653
BugTraq ID : 23078
Debian Bug : 416423

Multiple errors have been found in the skin handling routines in xmms,
the X Multimedia System.  These vulnerabilities could allow an
attacker to run arbitrary code as the user running xmms by inducing
the victim to load specially crafted interface skin files.

For the stable distribution (sarge), these problems have been fixed in
version 1.2.10+cvs20050209-2sarge1

For the upcoming stable distribution (etch) and the unstable
distribution (sid), these problems have been fixed in versions
1:1.2.10+20061101-1etch1 and 1:1.2.10+20070401-1, respectively.

We recommend that you upgrade your xmms packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1.diff.gz
Size/MD5 checksum:   333600 8d25c5173ec7d94d0db9f92b418610ce
  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209.orig.tar.gz
Size/MD5 checksum:  2796215 ec03ce185b2fd255d58ef5d2267024eb
  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1.dsc
Size/MD5 checksum: 1065 d03e55ebe9c6a5ba2337d5f3542bc883

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_alpha.deb
Size/MD5 checksum:  2700990 aa024afc093e8f415b19d783e39b81c0
  
http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_alpha.deb
Size/MD5 checksum:48766 5fd631196c28fd44df02ecf25ab9c676

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_amd64.deb
Size/MD5 checksum:  2434966 5c10a5a20aa5329b1c120cef213ef164
  
http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_amd64.deb
Size/MD5 checksum:37810 06a82b2325505c9e30e4b7d9c6a17ffe

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_arm.deb
Size/MD5 checksum:  2396722 fcead4025c4743996a4c307a003377df
  
http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_arm.deb
Size/MD5 checksum:35376 e4f630de7290d4141964cc6ae8758ac4

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_hppa.deb
Size/MD5 checksum:  2585550 c73dd34f37131785adcf699e65b55ac3
  
http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_hppa.deb
Size/MD5 checksum:40834 90fe696e1dee1d694cd8148ac83a6b88

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_i386.deb
Size/MD5 checksum:33842 52fef7c2ef6a73f329d18b4df43ee6e5
  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_i386.deb
Size/MD5 checksum:  2395578 c0a4c275b67ce3bc166128cd4c1fa747

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_ia64.deb
Size/MD5 checksum:  2717624 e7d9b41eda0f4b32c3bba2c2dff15fc1
  
http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_ia64.deb
Size/MD5 checksum:48220 28fef757212bef0da7ed46bec7e76740

m68k architecture (Motorola Mc680x0)

  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_m68k.deb
Size/MD5 checksum:  2315470 1a93ec2577d2a79b9b645003e1d22a03
  
http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_m68k.deb
Size/MD5 checksum:31624 30bd86c18e943f3a93a983a63c2c1fb7

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_mips.deb
Size/MD5 checksum:  2412762 e340f997cfbbe0ef8ef50f78b5ec5d71
  
http

[Full-disclosure] [SECURITY] [DSA 1275-1] New zope2.7 packages fix cross-site scripting flaw

2007-04-02 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1275-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
April 02, 2007
- 

Package: zope2.7
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-0240
BugTraq ID : 23084
Debian Bug : 416500

A cross-site scripting vulnerability in zope, a web application
server, could allow an attacker to inject arbitrary HTML and/or
JavaScript into the victim's web browser.  This code would run within
the security context of the web browser, potentially allowing the
attacker to access private data such as authentication cookies, or to
affect the rendering or behavior of zope web pages.

For the stable distribution (sarge), this problem has been fixed in
version 2.7.5-2sarge4

The upcoming stable distribution (etch) and the unstable distribution
(sid) include zope2.9, and this vulnerability is fixed in version
2.9.6-4etch1 for etch and 2.9.7-1 for sid.

We recommend that you upgrade your zope2.7 package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5.orig.tar.gz
Size/MD5 checksum:  2885871 5b5c5823c62370d9f7325c6014a49d8b
  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4.diff.gz
Size/MD5 checksum:56167 685e49f63b9a702081892b6ed645089f
  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4.dsc
Size/MD5 checksum:  906 8c2978255c5b9aa7306a976690f2a1b9

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_alpha.deb
Size/MD5 checksum:  2670996 accef51032d175ec661fdf8ee24fef02

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_amd64.deb
Size/MD5 checksum:  2662496 e7ecf995badfbb26d04a9d2226733ef0

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_arm.deb
Size/MD5 checksum:  2616846 cf77838bf9f58c4891c0bcbcbef3e4a2

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_hppa.deb
Size/MD5 checksum:  2737962 48289387ae5aec6619c390472a711457

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_i386.deb
Size/MD5 checksum:  2631626 b28fa77d6ad2819f60c231181e616ebd

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_ia64.deb
Size/MD5 checksum:  2961068 94cb9c371e891a7b9618073b85f0b15d

m68k architecture (Motorola Mc680x0)

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_m68k.deb
Size/MD5 checksum:  2602568 551415edf8048443e31ae622b3e4c20a

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_mips.deb
Size/MD5 checksum:  2677104 5480833a55d7d52aec4468adf05ed543

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_mipsel.deb
Size/MD5 checksum:  2679900 bd5a007af00fdf3bc6757aee775383a2

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_powerpc.deb
Size/MD5 checksum:  2725358 c70d786cb6616b22a409c9423d7e89f0

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_s390.deb
Size/MD5 checksum:  2664652 3cea3d42b498e00b5e581b6068d2fa28

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/z/zope2.7/zope2.7_2.7.5-2sarge4_sparc.deb
Size/MD5 checksum:  2672100 19dc901aa2b4da6f945f84b176224c93


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-ann

[Full-disclosure] [SECURITY] [DSA 1274-1] New file packages fix arbitrary code execution

2007-04-02 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1274-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
April 02, 2007
- 

Package: file
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2007-1536
CERT advisory  : 606700
BugTraq ID : 23021
Debian Bug : 415362 416678

An integer underflow bug has been found in the file_printf function in
file, a tool to determine file types based on analysis of file content.
The bug could allow an attacker to execute arbitrary code by inducing a
local user to examine a specially crafted file that triggers a buffer
overflow.

For the stable distribution (sarge), this problem has been fixed in
version 4.12-1sarge1.

For the upcoming stable distribution (etch), this problem has been fixed in
version 4.17-5etch1.

For the unstable distribution (sid), this problem has been fixed in
4.20-1.

We recommend that you upgrade your file package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian (testing)
- 

Testing updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/f/file/file_4.17-5etch1.dsc
Size/MD5 checksum:  693 951d84ef18e8738d58cda73d1680ce66
  http://security.debian.org/pool/updates/main/f/file/file_4.17-5etch1.diff.gz
Size/MD5 checksum:24145 ef79b92b6d0d4af9985200abb3eb24f5
  http://security.debian.org/pool/updates/main/f/file/file_4.17.orig.tar.gz
Size/MD5 checksum:   556270 50919c65e0181423d66bb25d7fe7b0fd

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/f/file/file_4.17-5etch1_alpha.deb
Size/MD5 checksum:32578 75a84c91d0dc6e4045e0307cc62fb918
  
http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.17-5etch1_alpha.deb
Size/MD5 checksum:70020 b69805d0887244d6b7918080df4e8b7b
  
http://security.debian.org/pool/updates/main/f/file/libmagic1_4.17-5etch1_alpha.deb
Size/MD5 checksum:   281336 6276a026bb520a16fcfb947dc725eb43
  
http://security.debian.org/pool/updates/main/f/file/python-magic_4.17-5etch1_alpha.deb
Size/MD5 checksum:23568 94acf8d52b7856807e71b35d60eb74af

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/f/file/libmagic1_4.17-5etch1_amd64.deb
Size/MD5 checksum:   276290 37c72fc764b288f8d4a7894f4cebf3ef
  
http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.17-5etch1_amd64.deb
Size/MD5 checksum:56574 2aba6876dd12752ea2ecd56f898ab9af
  http://security.debian.org/pool/updates/main/f/file/file_4.17-5etch1_amd64.deb
Size/MD5 checksum:32104 0f00096249fe444ebb95ddae6492909c
  
http://security.debian.org/pool/updates/main/f/file/python-magic_4.17-5etch1_amd64.deb
Size/MD5 checksum:23394 36dd3f866c7fb19e77d761b8416b4b2c

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/f/file/file_4.17-5etch1_arm.deb
Size/MD5 checksum:31742 43b1a7fee3dfd774824f8293e9220073
  
http://security.debian.org/pool/updates/main/f/file/libmagic1_4.17-5etch1_arm.deb
Size/MD5 checksum:   274096 1f863470c5588fbc24847bd1a1c7759f
  
http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.17-5etch1_arm.deb
Size/MD5 checksum:53536 ee901555075f56e83be246d395e4718c
  
http://security.debian.org/pool/updates/main/f/file/python-magic_4.17-5etch1_arm.deb
Size/MD5 checksum:22818 748d71238d5e4e1624a57eaacf28ab5c

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/f/file/file_4.17-5etch1_hppa.deb
Size/MD5 checksum:32648 55eae0d1ec07c49ccfe1345884dab0f0
  
http://security.debian.org/pool/updates/main/f/file/libmagic1_4.17-5etch1_hppa.deb
Size/MD5 checksum:   281328 0921611f2e7dbf5f1d94ded1e7887321
  
http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.17-5etch1_hppa.deb
Size/MD5 checksum:63238 69270cb5bd7219367fcf269f1c624cb0
  
http://security.debian.org/pool/updates/main/f/file/python-magic_4.17-5etch1_hppa.deb
Size/MD5 checksum:23892 98ac67130b2f5c8faadba02c304bee05

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/f/file/libmagic1_4.17-5etch1_i386.deb
Size/MD5 checksum:   275476 73727e6a1bee1b2050fe7d010fb832d2
  http

[Full-disclosure] [SECURITY] [DSA 1273-1] New nas packages fix multiple remote vulnerabilities

2007-03-27 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1273-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
March 27, 2007
- 

Package: nas
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-1543 CVE-2007-1544 CVE-2007-1545 CVE-2007-1546 
CVE-2007-1547
BugTraq ID : 23017
Debian Bug : 416038

Several vulnerabilities have been discovered in nas, the Network Audio
System.

CVE-2007-1543 

A stack-based buffer overflow in the accept_att_local function in
server/os/connection.c in nas allows remote attackers to execute
arbitrary code via a long path slave name in a USL socket connection.

CVE-2007-1544

Integer overflow in the ProcAuWriteElement function in
server/dia/audispatch.c allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a large
max_samples value.

CVE-2007-1545

The AddResource function in server/dia/resource.c allows remote
attackers to cause a denial of service (server crash) via a
nonexistent client ID.

CVE-2007-1546

Array index error allows remote attackers to cause a denial of service
(crash) via (1) large num_action values in the ProcAuSetElements
function in server/dia/audispatch.c or (2) a large inputNum parameter
to the compileInputs function in server/dia/auutil.c.

CVE-2007-1547

The ReadRequestFromClient function in server/os/io.c allows remote
attackers to cause a denial of service (crash) via multiple
simultaneous connections, which triggers a NULL pointer dereference.


For the stable distribution (sarge), these problems have been fixed in
version 1.7-2sarge1

For the upcoming stable distribution (etch) and the unstable
distribution (sid) these packages have been fixed in version 1.8-4.

We recommend that you upgrade your nas package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/n/nas/nas_1.7.orig.tar.gz
Size/MD5 checksum:  1288569 c9918e9c9c95d587a95b455bbabe3b49
  http://security.debian.org/pool/updates/main/n/nas/nas_1.7-2sarge1.dsc
Size/MD5 checksum:  693 2f0821d157ae249adfda1ddcf39bf9aa
  http://security.debian.org/pool/updates/main/n/nas/nas_1.7-2sarge1.diff.gz
Size/MD5 checksum:   124076 b057e678fb808ef95666d766944ce498

Architecture independent packages:

  http://security.debian.org/pool/updates/main/n/nas/nas-doc_1.7-2sarge1_all.deb
Size/MD5 checksum:   150478 744cbca330f9f8463a36251836514cc4

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/n/nas/libaudio2_1.7-2sarge1_alpha.deb
Size/MD5 checksum:82560 ac84bfe7e6f04f0693b787b33c5a1890
  
http://security.debian.org/pool/updates/main/n/nas/libaudio-dev_1.7-2sarge1_alpha.deb
Size/MD5 checksum:  1330046 e8b1709f240ca6ee0c7e893a6d4598ac
  
http://security.debian.org/pool/updates/main/n/nas/nas-bin_1.7-2sarge1_alpha.deb
Size/MD5 checksum:   622528 6d14250da6aab5da4737af8d2f3d4930
  http://security.debian.org/pool/updates/main/n/nas/nas_1.7-2sarge1_alpha.deb
Size/MD5 checksum:   120098 2efb7c2fd2c6cfbce699789f7b1e9782

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/n/nas/libaudio-dev_1.7-2sarge1_amd64.deb
Size/MD5 checksum:  1291220 019146fc7d079820c088bf1a597a91bf
  http://security.debian.org/pool/updates/main/n/nas/nas_1.7-2sarge1_amd64.deb
Size/MD5 checksum:   102672 40c936bde0db91e5cef3f90c88c03168
  
http://security.debian.org/pool/updates/main/n/nas/libaudio2_1.7-2sarge1_amd64.deb
Size/MD5 checksum:74620 e8d8d3d5ec14dcfdb8285d6eb5e6b67b
  
http://security.debian.org/pool/updates/main/n/nas/nas-bin_1.7-2sarge1_amd64.deb
Size/MD5 checksum:   526904 7cc01f5259953f12f0f82cbd1b6ecc62

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/n/nas/libaudio2_1.7-2sarge1_arm.deb
Size/MD5 checksum:70894 b55f037fe9266c92d3a3b9650ae750d7
  
http://security.debian.org/pool/updates/main/n/nas/libaudio-dev_1.7-2sarge1_arm.deb
Size/MD5 checksum:  1201362 99b1f795e47faf04db5a3b9ec8ed3440
  http://security.debian.org/pool/updates/main/n/nas/nas-bin_1.7-2sarge1_arm.deb
Size/MD5 checksum:   473996

[Full-disclosure] [SECURITY] [DSA 1271-1] New openafs packages fix remote privilege escalation bug

2007-03-21 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1271-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
March 20, 2007
- 

Package: openafs
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-1507

A design error has been identified in OpenAFS, a cross-platform
distributed filesystem included with Debian.

OpenAFS historically has enabled setuid filesystem support for the local
cell.  However, with its existing protocol, OpenAFS can only use
encryption, and therefore integrity protection, if the user is
authenticated.  Unauthenticated access doesn't do integrity protection.
The practical result is that it's possible for an attacker with
knowledge of AFS to forge an AFS FetchStatus call and make an arbitrary
binary file appear to an AFS client host to be setuid.  If they can then
arrange for that binary to be executed, they will be able to achieve
privilege escalation.

OpenAFS 1.3.81-3sarge2 changes the default behavior to disable setuid
files globally, including the local cell.  It is important to note that
this change will not take effect until the AFS kernel module, built from
the openafs-modules-source package, is rebuilt and loaded into your
kernel.  As a temporary workaround until the kernel module can be
reloaded, setuid support can be manually disabled for the local cell by
running the following command as root:

  fs setcell -cell  -nosuid

Following the application of this update, if you are certain there is
no security risk of an attacker forging AFS fileserver responses, you
can re-enable setuid status selectively with the following command;
this should not, however, be done on sites that are visible to the
Internet:

  fs setcell -cell  -suid

For the stable distribution (sarge), this problem has been fixed in
version 1.3.81-3sarge2.  For the unstable distribution (sid) and the
upcoming stable distribution (etch), this problem will be fixed in
version 1.4.2-6.

We recommend that you upgrade your openafs package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/o/openafs/openafs_1.3.81-3sarge2.dsc
Size/MD5 checksum:  851 45351031494d87ff12f1bf08d14533f9
  
http://security.debian.org/pool/updates/main/o/openafs/openafs_1.3.81-3sarge2.diff.gz
Size/MD5 checksum:   262444 5804a2d738b2ec24f4055489c6287dca
  
http://security.debian.org/pool/updates/main/o/openafs/openafs_1.3.81.orig.tar.gz
Size/MD5 checksum: 13455346 d754e92f7a0cd9824991c850e001884c

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/o/openafs/openafs-modules-source_1.3.81-3sarge2_all.deb
Size/MD5 checksum:  4491356 e71b35c9862df561b51b67a3c90fafc9

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.3.81-3sarge2_alpha.deb
Size/MD5 checksum:  578 026440f88e9a4929dfe1c1eb7b5da586
  
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.3.81-3sarge2_alpha.deb
Size/MD5 checksum:  2227596 e5517039ed51c445dbc02fb13be3e952
  
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.3.81-3sarge2_alpha.deb
Size/MD5 checksum:   306552 b7afabee0f80a4bf00ab42eb84f165c2
  
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.3.81-3sarge2_alpha.deb
Size/MD5 checksum:   693726 76ce60f5f960fb68301d15653dea0873
  
http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_alpha.deb
Size/MD5 checksum:   269148 928b0eab345fe24ec067dfe46540fce6
  
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_alpha.deb
Size/MD5 checksum:  1878670 e75770cead20c34ba5f27f56d13689e9

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/o/openafs/libpam-openafs-kaserver_1.3.81-3sarge2_amd64.deb
Size/MD5 checksum:   229812 ed52b06bdb86dc060a430efad6e5c1a2
  
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.3.81-3sarge2_amd64.deb
Size/MD5 checksum:  1442080 1a037eab6cf0e2701c127c85c06386ae
  
http://security.debian.org/po

[Full-disclosure] [SECURITY] [DSA 1247-1] New libapache-mod-auth-kerb packages fix remote denial of service

2007-01-08 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1247-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
January 08, 2007
- 

Package: libapache-mod-auth-kerb
Vulnerability  : heap overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2006-5989
BugTraq ID : 21214
Debian Bug : 400589

An off-by-one error leading to a heap-based buffer overflow has been
identified in libapache-mod-auth-kerb, an Apache module for Kerberos
authentication.  The error could allow an attacker to trigger an
application crash or potentially execute arbitrary code by sending a
specially crafted Kerberos message.

For the stable distribution (sarge), this problem has been fixed in
version 4.996-5.0-rc6-1sarge1.

For the unstable version (sid) and the forthcoming stable version
(etch), this problem has been fixed in version 5.3-1.

We recommend that you upgrade your libapache-mod-auth-kerb package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1.dsc
Size/MD5 checksum:  744 5e045be08755cab316754a7f214eeaae
  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1.diff.gz
Size/MD5 checksum:49849 3ebbb5101629ddd8917159c1cbdf20ab
  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6.orig.tar.gz
Size/MD5 checksum:68787 b6a6c80b25b362eb7394f69cdc91f76d

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_amd64.deb
Size/MD5 checksum:28574 65078aa7e78f2728499849047eaf2fbb
  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_amd64.deb
Size/MD5 checksum:27148 60ce4d39ac022335bd98ea7ed412f24d

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_arm.deb
Size/MD5 checksum:24078 053e0b54c348251be97c7708d43b5542
  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_arm.deb
Size/MD5 checksum:25498 e1882b8b0e408cb2339ef4d43c800bd7

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_hppa.deb
Size/MD5 checksum:28796 e29c79c55af53fc66cc1ea9084c63403
  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_hppa.deb
Size/MD5 checksum:27246 4d2394e0fc2a429c03ad6063c9ea2cce

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_i386.deb
Size/MD5 checksum:25014 20666ea4edbce196ba0b4ea120425af5
  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_i386.deb
Size/MD5 checksum:27176 6e7e40781f4beadec9226a918c8d4591

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_ia64.deb
Size/MD5 checksum:31886 8146de1df6e65b32e213bfdc9b1320d2
  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_ia64.deb
Size/MD5 checksum:33946 a2f93809df0703311c64ab28bc71a435

m68k architecture (Motorola Mc680x0)

  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_m68k.deb
Size/MD5 checksum:24592 111a715b11307ad90a8c3c72d144067d
  
http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_m68k.deb
Size/MD5 checksum:24904 058b9470f905b33b7db5c1b7c82b704c

mips architecture (MIPS (Big Endian))

  
http

[Full-disclosure] [SECURITY] [DSA 1223-1] New tar packages fix arbitrary file overwrite

2006-12-01 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1223-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Noah Meyerhans
December 01, 2006
- 

Package: tar
Vulnerability  : input validation error
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2006-6097
BugTraq ID : 21235
Debian Bug : 399845

Teemu Salmela discovered a vulnerability in GNU tar that could allow a
malicious user to overwrite arbitrary files by inducing the victim to
attempt to extract a specially crafted tar file containing a
GNUTYPE_NAMES record with a symbolic link.

For the stable distribution (sarge), this problem has been fixed in
version 1.14-2.3.

For the unstable distribution (sid) and the forthcoming stable release
(etch), this problem will be fixed in version 1.16-2.

We recommend that you upgrade your tar package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14.orig.tar.gz
Size/MD5 checksum:  1485633 3094544702b1affa32d969f0b6459663
  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3.diff.gz
Size/MD5 checksum:51004 d6513454cbe12eec5908c2b41253f843
  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3.dsc
Size/MD5 checksum:  554 85503d4264d7b39c7969051c3661fa96

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_alpha.deb
Size/MD5 checksum:   520736 4b14a87c6e8b4dda327d802eddcf9af7

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_amd64.deb
Size/MD5 checksum:   503902 98a8169210eb273252a7997c726c4333

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_arm.deb
Size/MD5 checksum:   500266 49ef1817d4ee1753f66bd37be8f91455

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_hppa.deb
Size/MD5 checksum:   517810 5f48745a747ee36c330d97f3bc5cc980

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_i386.deb
Size/MD5 checksum:   499560 c764b0894f6c3317a78124177cfed9fe

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_ia64.deb
Size/MD5 checksum:   543432 0dc8b4d66a82d05d7b68f2dbee960791

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_m68k.deb
Size/MD5 checksum:   489058 381e468152e0a5a37113f412f13d85a7

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_mips.deb
Size/MD5 checksum:   520512 29bc4c6133bfeb259175fea45277a647

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_mipsel.deb
Size/MD5 checksum:   520258 ed3b0aadf8720c97a1df6334a90efe3c

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_powerpc.deb
Size/MD5 checksum:   506908 3a57a912dc159ee20d47ca1591a68619

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_s390.deb
Size/MD5 checksum:   511972 79cb92aaeee839c2d82efe743a8cea59

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_sparc.deb
Size/MD5 checksum:   499698 d260b9f5db00b12414d6136c63e37202


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFcFcbYrVLjBFATsMRAn5hAJ93K1jekZBwWNyIksJkhFoJjcFczwCdHu23
g3FxyAVvV5ABJFj/9m4O8iE=
=Es6i
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-discl
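As an added example (not GNU tar's code and not part of the advisory), the following Python script inspects an archive before extraction and flags the conditions this advisory is about: the obsolete GNUTYPE_NAMES record type, member paths that leave the destination directory, and symlink or hard-link targets that do. The archive it scans is constructed in memory; the typeflag constant GNUTYPE_NAMES is declared locally because Python's tarfile module has no name for it.

```python
"""Pre-extraction scan of a tar archive for members that could write outside
the destination directory (added example; not GNU tar or Debian code)."""
import io
import posixpath
import tarfile

# GNU tar's obsolete GNUTYPE_NAMES typeflag, named in the advisory. Python's
# tarfile module defines no constant for it, so it is declared here.
GNUTYPE_NAMES = b"N"


def _escapes(path: str) -> bool:
    """True if a member path is absolute or climbs out via '..' components."""
    if not path or path.startswith("/") or path.startswith("\\"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def _link_escapes(member_name: str, target: str) -> bool:
    """True if a symlink target resolves outside the extraction root.
    The target is resolved relative to the directory holding the link."""
    if target.startswith("/"):
        return True
    joined = posixpath.join(posixpath.dirname(member_name), target)
    return _escapes(joined)


def scan_tar(data: bytes) -> list:
    """Return (member_name, reason) findings for an in-memory archive.
    An empty list means nothing was flagged; nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf.getmembers():
            if m.type == GNUTYPE_NAMES:
                findings.append((m.name, "obsolete GNUTYPE_NAMES record"))
            if _escapes(m.name):
                findings.append((m.name, "member path escapes destination"))
            if m.issym() and _link_escapes(m.name, m.linkname):
                findings.append(
                    (m.name, f"symlink target escapes destination: {m.linkname}"))
            if m.islnk() and _escapes(m.linkname):
                findings.append(
                    (m.name, f"hardlink target escapes destination: {m.linkname}"))
    return findings


def build_sample_archive(unsafe: bool) -> bytes:
    """Construct a small archive in memory (constructed test data, not a real
    package). With unsafe=True it also carries a GNUTYPE_NAMES record, a
    symlink pointing above the extraction root and a '..' member path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        payload = b"hello\n"
        ti = tarfile.TarInfo("pkg/README")
        ti.size = len(payload)
        tf.addfile(ti, io.BytesIO(payload))
        if unsafe:
            names = tarfile.TarInfo("pkg/names")
            names.type = GNUTYPE_NAMES
            tf.addfile(names)
            link = tarfile.TarInfo("pkg/escape")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside"
            tf.addfile(link)
            climb = tarfile.TarInfo("../climb")
            climb.size = 0
            tf.addfile(climb, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_tar(build_sample_archive(unsafe=True)):
        print(f"{name}: {reason}")
```

On Python 3.12 and later (and the backports to 3.8.17, 3.9.17, 3.10.12 and 3.11.4), `TarFile.extractall(filter="data")` applies equivalent path and link checks at extraction time; a scanner like this one is still useful where extraction is done by another tool, or where an archive should be rejected before anything is written to disk.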

[Full-disclosure] [SECURITY] [DSA 1219-1] New texinfo packages fix multiple vulnerabilities

2006-11-27 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1219-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
November 27, 2006
- 

Package: texinfo
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2005-3011 CVE-2006-4810
BugTraq ID : 14854 20959

Multiple vulnerabilities have been found in the GNU texinfo package, a
documentation system for on-line information and printed output.

CVE-2005-3011
Handling of temporary files is performed in an insecure manner, allowing
an attacker to overwrite any file writable by the victim.

CVE-2006-4810
A buffer overflow in util/texindex.c could allow an attacker to execute
arbitrary code with the victim's access rights by inducing the victim to
run texindex or tex2dvi on a specially crafted texinfo file.

For the stable distribution (sarge), these problems have been fixed in
version 4.7-2.2sarge2.  Note that binary packages for the mipsel
architecture are not currently available due to technical problems with
the build host.  These packages will be made available as soon as
possible.

For unstable (sid) and the upcoming stable release (etch), these
problems have been fixed in version 4.8.dfsg.1-4.

We recommend that you upgrade your texinfo package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2.dsc
Size/MD5 checksum:  622 f146d738696417a3f14e04875066ef9a
  http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7.orig.tar.gz
Size/MD5 checksum:  1979183 72a57e378efb9898c9e41ca839554dae
  
http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2.diff.gz
Size/MD5 checksum:10614 07a591b00a79ba8e2acf13d7654bf3e8

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_alpha.deb
Size/MD5 checksum:   207720 1fce59e479c10386d5bab3d8aec99ddd
  
http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_alpha.deb
Size/MD5 checksum:   884956 93a3606294fd0059390b7da3c5803a1a

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_amd64.deb
Size/MD5 checksum:   191308 035c9fb7bffa818819e6e104218d5911
  
http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_amd64.deb
Size/MD5 checksum:   863680 8300c746fbb75231a09229f32f57d126

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_arm.deb
Size/MD5 checksum:   178812 d8781c075692500d4d6a799019697a72
  
http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_arm.deb
Size/MD5 checksum:   848862 4d31ba02e3004a5e290d6204ba402b19

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_hppa.deb
Size/MD5 checksum:   867668 934d2a72b73c4342066f1fba21c35fff
  
http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_hppa.deb
Size/MD5 checksum:   195122 07ea3515643ddb8dc29791802974ec40

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_i386.deb
Size/MD5 checksum:   846972 eb370f53f4db1681ead784353f6711c4
  
http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_i386.deb
Size/MD5 checksum:   179614 ee08c755b1eb00043173acfdae2420d7

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_ia64.deb
Size/MD5 checksum:   912350 c99196682ffe5436a1f99da332e77f91
  
http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_ia64.deb
Size/MD5 checksum:   229398 e9e6dca2f2250bd07c0605e393105339

m68k architecture (Motorola Mc680x0)

  
http://security.debian.org/pool/updates/main/t/texinfo/info_4.7-2.2sarge2_m68k.deb
Size/MD5 checksum:   171354 93b5762ecf847bba77396f08b04e225e
  
http://security.debian.org/pool/updates/main/t/texinfo/texinfo_4.7-2.2sarge2_m68k.deb
Size/MD5 checksum:   838386 2d63f36ef81c84ae8bdad8f2be5f1797

mips architecture (MIPS (Big Endian))
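As an added example (not texinfo's code and not from the advisory), the following Python script shows the creation pattern that closes the temporary-file class of bug named in CVE-2005-3011. The scenario is constructed: a symlink is planted at a predictable name inside a scratch directory, and the script shows that creating the file with O_CREAT|O_EXCL (plus O_NOFOLLOW where available) refuses the planted name, while `tempfile.mkstemp` gives an unpredictable name created the same way. Nothing outside the scratch directory is touched; the file names are hypothetical.

```python
"""Safe scratch-file creation versus a planted symlink at a predictable name
(added example; not texinfo's code)."""
import os
import tempfile
from typing import Optional


def create_exclusive(path: str) -> Optional[int]:
    """Open path for writing only if it does not yet exist, without following
    a symlink at that name. Returns a file descriptor, or None if refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(path, flags, 0o600)
    except FileExistsError:
        return None          # O_EXCL: the name exists (a dangling link counts)
    except OSError:
        return None          # e.g. ELOOP from O_NOFOLLOW on some platforms


def demo(workdir: Optional[str] = None) -> dict:
    """Plant a symlink at a predictable name (constructed scenario) and report
    whether exclusive creation refused it and whether the link target survived."""
    workdir = workdir or tempfile.mkdtemp(prefix="texindex-demo-")
    victim = os.path.join(workdir, "victim.txt")       # hypothetical target file
    with open(victim, "w") as f:
        f.write("original\n")

    # The insecure pattern is open(predictable, "w") on a fixed name: it would
    # follow the planted link and truncate victim.txt. It is not run here.
    predictable = os.path.join(workdir, "texindex.tmp")
    os.symlink(victim, predictable)

    fd = create_exclusive(predictable)
    refused = fd is None
    if fd is not None:
        os.close(fd)

    # Correct pattern: unpredictable name, created with O_EXCL, mode 0600.
    safe_fd, safe_path = tempfile.mkstemp(dir=workdir, prefix="texindex.")
    os.write(safe_fd, b"scratch\n")
    os.close(safe_fd)

    with open(victim) as f:
        victim_intact = f.read() == "original\n"
    return {
        "refused": refused,
        "victim_intact": victim_intact,
        "safe_path_is_link": os.path.islink(safe_path),
        "safe_path_mode": os.stat(safe_path).st_mode & 0o777,
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to any program that writes under a shared directory such as /tmp: never reuse a fixed name, always create with O_EXCL, and treat "file already exists" as a refusal rather than something to overwrite.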

  

[Full-disclosure] [SECURITY] [DSA 1212-1] New openssh packages fix denial of service

2006-11-15 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1212-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
November 15, 2006
- 

Package: openssh (1:3.8.1p1-8.sarge.6)
Vulnerability  : Denial of service
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2006-4924 CVE-2006-5051
BugTraq ID : 20216 20241
Debian Bug : 392428

Two denial of service vulnerabilities have been found in the OpenSSH
server.

CVE-2006-4924
The sshd support for ssh protocol version 1 does not properly
handle duplicate incoming blocks.  This could allow a remote
attacker to cause sshd to consume significant CPU resources
leading to a denial of service.

CVE-2006-5051
A signal handler race condition could potentially allow a remote
attacker to crash sshd and could theoretically lead to the
ability to execute arbitrary code.

For the stable distribution (sarge), these problems have been fixed in
version 1:3.8.1p1-8.sarge.6.

For the unstable and testing distributions, these problems have been
fixed in version 1:4.3p2-4.

We recommend that you upgrade your openssh package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/o/openssh/openssh_3.8.1p1-8.sarge.6.dsc
Size/MD5 checksum:  842 b58f3585c4ce713f58096cc8f86e4550
  
http://security.debian.org/pool/updates/main/o/openssh/openssh_3.8.1p1.orig.tar.gz
Size/MD5 checksum:   795948 9ce6f2fa5b2931ce2c4c25f3af9ad50d
  
http://security.debian.org/pool/updates/main/o/openssh/openssh_3.8.1p1-8.sarge.6.diff.gz
Size/MD5 checksum:   157942 413fea91d9074513db60e466ca053f0d

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_3.8.1p1-8.sarge.6_alpha.udeb
Size/MD5 checksum:   216100 0595066001c0004f181b58e781153ae2
  
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8.sarge.6_alpha.deb
Size/MD5 checksum:52112 dcca41fba77489a57bf5a7e9c9069e90
  
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.8.1p1-8.sarge.6_alpha.deb
Size/MD5 checksum:   886462 71f73c733794ea68f8c8c6e05ca2e8d3
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_3.8.1p1-8.sarge.6_alpha.udeb
Size/MD5 checksum:   195114 32b3d7e2b11a5ae016ea19d44380f0d1

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_3.8.1p1-8.sarge.6_amd64.udeb
Size/MD5 checksum:   159608 2d8c050003def7b7a2c8832333f90cf0
  
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8.sarge.6_amd64.deb
Size/MD5 checksum:51688 ca60feebdef5f772ab0d42b6fd2c61f0
  
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.8.1p1-8.sarge.6_amd64.deb
Size/MD5 checksum:   748382 59cebd0c9413b12894b88f9688216847
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_3.8.1p1-8.sarge.6_amd64.udeb
Size/MD5 checksum:   176252 d886a611e7b150786b6e3ccdac303018

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/o/openssh/ssh_3.8.1p1-8.sarge.6_arm.deb
Size/MD5 checksum:   673038 a58f22f69602835be4ebe87493d6f006
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_3.8.1p1-8.sarge.6_arm.udeb
Size/MD5 checksum:   153938 5c668e80ea8429d686f9fb1e450d
  
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8.sarge.6_arm.deb
Size/MD5 checksum:51028 3fc55eba3c4ec515fb70220b5f64a8d3
  
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_3.8.1p1-8.sarge.6_arm.udeb
Size/MD5 checksum:   144324 f8ca3e9ae3592445e1b18cc84f111f30

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_3.8.1p1-8.sarge.6_hppa.udeb
Size/MD5 checksum:   166640 ef7a980dfd7fbb3319d7be72a34783cd
  
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8.sarge.6_hppa.deb
Size/MD5 checksum:51764 5e5dfa87acf51e46224f54b3caf39814
  
http://security.debian.org/pool/updates/main/o/openssh

[Full-disclosure] [SECURITY] [DSA 1200-1] New Qt packages fix integer overflow

2006-10-30 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


- 
Debian Security Advisory DSA-1200-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
October 30, 2006
- 

Package: qt-x11-free
Vulnerability  : integer overflow
Problem type   : local/remote
Debian-specific: no
CVE Id(s)  : CVE-2006-4811
BugTraq ID : 20599
Debian Bug : 394313

An integer overflow has been found in the pixmap handling routines in
the Qt GUI libraries.  This could allow an attacker to cause a denial of
service and possibly execute arbitrary code by providing a specially
crafted image file and inducing the victim to view it in an application
based on Qt.

For the stable distribution (sarge), this problem has been fixed in
version 3:3.3.4-3sarge1.

For the unstable distribution (sid), this problem has been fixed in
versions 3:3.3.7-1 and 4.2.1-1.

We recommend that you upgrade your qt-x11-free packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt-x11-free_3.3.4-3sarge1.dsc
Size/MD5 checksum: 1847 4e23bf141a07e7421e3c72c60e2c16de
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt-x11-free_3.3.4-3sarge1.diff.gz
Size/MD5 checksum:56195 e75b0a8c776be31f8493e3212a26a11b
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt-x11-free_3.3.4.orig.tar.gz
Size/MD5 checksum: 17422638 9b327962af5a1799fd31b7a576948ad5

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/q/qt-x11-free/libqt3-i18n_3.3.4-3sarge1_all.deb
Size/MD5 checksum:92408 af39fdbdd21de88a73a4fc7af58e5f76
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt3-doc_3.3.4-3sarge1_all.deb
Size/MD5 checksum:  5425044 b8b3549f749dc253fc0b195f08b9d892
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt3-examples_3.3.4-3sarge1_all.deb
Size/MD5 checksum:  1553262 1ae0594e494e9b35db74a2b90a39956d

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt3-qtconfig_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:   102296 b70ad78294b12c92944f07cc69f35ecf
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt3-linguist_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:   358512 9472f8c8149ca3b32b635f3061774ffa
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/libqt3c102-sqlite_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:   236190 c500064821a2bdc5a1cdb5f732d95029
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/libqt3c102-mysql_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:48486 a8f7a2d0c810d6baf709d776f9e2142c
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt3-dev-tools-compat_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:70792 49fe9c668dc9253d1036f1a484484dc5
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/libqt3c102-psql_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:55092 224cf57abf2ed57ebcf3413dadca01ac
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt3-dev-tools_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:  1529278 faa84c4f2bcc517b21d32ecfd5f71916
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/libqt3c102-mt_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:  3500486 0c0b0442ea43dccffd58573a543a0f03
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/libqt3-compat-headers_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:34268 2baf250cb17e5f4ad9af606255cb09eb
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt3-assistant_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:   264282 95679482df3315caa6c11e0274b1343c
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/qt3-apps-dev_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:  2878114 9f5c457432d6cea8965a3f974b876ac3
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/libqt3-dev_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:40500 ad17590bae9ef78c53c98a4428b7e32b
  
http://security.debian.org/pool/updates/main/q/qt-x11-free/libqt3c102-mt-sqlite_3.3.4-3sarge1_alpha.deb
Size/MD5 checksum:   236086 93e2a5c4d0fdbc7d2ca313ec33572379
  
http://security.debian.org/pool/updates/main/q/qt-x11-free
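Every advisory on this page repeats the same manual upgrade path (wget the file, then `dpkg -i`) and publishes a Size/MD5 list for the packages. As an added example (not Debian tooling and not part of any advisory here), the following Python helper parses such a list and checks a downloaded file against it before the `dpkg -i` step. SAMPLE_ADVISORY is a constructed excerpt whose two entries are copied from the DSA-1223-1 (tar) list above.

```python
"""Parse the Size/MD5 list of a Debian advisory and verify a downloaded
package against it (added example; not Debian's own tooling)."""
import hashlib
import os
import re

# Constructed sample input: two entries copied from the DSA-1223-1 list.
SAMPLE_ADVISORY = """\
i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_i386.deb
Size/MD5 checksum:   499560 c764b0894f6c3317a78124177cfed9fe

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/t/tar/tar_1.14-2.3_ia64.deb
Size/MD5 checksum:   543432 0dc8b4d66a82d05d7b68f2dbee960791
"""

# A URL on a line of its own, then the Size/MD5 line that belongs to it.
_URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
_SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_checksums(text: str) -> dict:
    """Map each listed file name to (size, md5_hex). A URL line is paired
    with the Size/MD5 line that follows it; all other lines are ignored."""
    expected = {}
    pending = None
    for line in text.splitlines():
        m = _URL_RE.match(line)
        if m:
            pending = m.group(1).rsplit("/", 1)[-1]
            continue
        m = _SUM_RE.match(line)
        if m and pending:
            expected[pending] = (int(m.group(1)), m.group(2).lower())
            pending = None
    return expected


def verify_blob(data: bytes, size: int, md5_hex: str) -> bool:
    """Compare file contents with the advertised size and MD5 digest."""
    if len(data) != size:
        return False
    return hashlib.md5(data).hexdigest() == md5_hex.lower()


def verify_file(path: str, expected: dict) -> bool:
    """Verify one downloaded file against the parsed advisory list; a file
    the advisory does not list is rejected rather than trusted."""
    name = os.path.basename(path)
    if name not in expected:
        return False
    size, digest = expected[name]
    with open(path, "rb") as f:
        return verify_blob(f.read(), size, digest)


if __name__ == "__main__":
    for name, (size, digest) in parse_checksums(SAMPLE_ADVISORY).items():
        print(f"{name}: {size} bytes, md5 {digest}")
```

The list only proves that the download matches what the advisory says; it is the advisory's PGP signature that ties the list to Debian, so check the signature before trusting the digests, and prefer the `apt-get update && apt-get upgrade` path from the instructions, which performs its own verification.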

[Full-disclosure] [SECURITY] [DSA 1199-1] New webmin packages fix input validation problems

2006-10-23 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1199-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
October 23, 2006
- 

Package: webmin
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2005-3912 CVE-2006-3392 CVE-2006-4542
BugTraq ID : 15629 18744 19820
Debian Bug : 341394 381537 391284

Several vulnerabilities have been identified in webmin, a web-based
administration toolkit.

CVE-2005-3912
A format string vulnerability in miniserv.pl could allow an
attacker to cause a denial of service by crashing the
application or exhausting system resources, and could
potentially allow arbitrary code execution.

CVE-2006-3392
Improper input sanitization in miniserv.pl could allow an
attacker to read arbitrary files on the webmin host by providing
a specially crafted URL path to the miniserv http server.

CVE-2006-4542
Improper handling of null characters in URLs in miniserv.pl
could allow an attacker to conduct cross-site scripting attacks,
read CGI program source code, list local directories, and
potentially execute arbitrary code.

For the stable distribution (sarge), these problems have been fixed in
version 1.180-3sarge1.

Webmin is not included in unstable (sid) or testing (etch), so these
problems are not present.

We recommend that you upgrade your webmin (1.180-3sarge1) package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/w/webmin/webmin_1.180-3sarge1.dsc
Size/MD5 checksum:      703 5e723deaccb3db60794e0cb385666992
  http://security.debian.org/pool/updates/main/w/webmin/webmin_1.180.orig.tar.gz
Size/MD5 checksum:  2261496 ff19d5500955302455e517cb2942c9d0
  http://security.debian.org/pool/updates/main/w/webmin/webmin_1.180-3sarge1.diff.gz
Size/MD5 checksum:    31458 f8fe363e7ccd8fe4072d84cd86a3510e

Architecture independent packages:

  http://security.debian.org/pool/updates/main/w/webmin/webmin-core_1.180-3sarge1_all.deb
Size/MD5 checksum:  1121200 8fa7064325ded44e7f8dbd226b81d9dd
  http://security.debian.org/pool/updates/main/w/webmin/webmin_1.180-3sarge1_all.deb
Size/MD5 checksum:  1097552 34d96210d581dde8ffea7be82e0897f4


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFPWexYrVLjBFATsMRAoUMAJoD7NOzzETLIGE+1vYShqxQDZVT4gCfcYfm
f1fqxSNrMBz71bBqOA2hlFk=
=849e
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1195-1] new openssl096 packages fix denial of service

2006-10-10 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1195-1[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
October 10, 2006
- 

Package: openssl096
Vulnerability  : denial of service (multiple)
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-2940 CVE-2006-3738 CVE-2006-4343

Multiple vulnerabilities have been discovered in the OpenSSL
cryptographic software package that could allow an attacker to launch
a denial of service attack by exhausting system resources or crashing
processes on a victim's computer.

CVE-2006-3738
Tavis Ormandy and Will Drewry of the Google Security Team
discovered a buffer overflow in the SSL_get_shared_ciphers utility
function, used by some applications such as exim and mysql.  An
attacker could send a list of ciphers that would overrun a
buffer.

CVE-2006-4343
Tavis Ormandy and Will Drewry of the Google Security Team
discovered a possible DoS in the SSLv2 client code.  Where a
client application uses OpenSSL to make an SSLv2 connection to
a malicious server, that server could cause the client to
crash.

CVE-2006-2940
Dr S N Henson of the OpenSSL core team and Open Network
Security recently developed an ASN1 test suite for NISCC
(www.niscc.gov.uk). When the test suite was run against
OpenSSL a DoS was discovered.

Certain types of public key can take disproportionate amounts
of time to process. This could be used by an attacker in a
denial of service attack.

For the stable distribution (sarge) these problems have been fixed in
version 0.9.6m-1sarge4.

This package exists only for compatibility with older software, and is
not present in the unstable or testing branches of Debian.

We recommend that you upgrade your openssl096 package.  Note that
services linking against the openssl shared libraries will need to be
restarted. Common examples of such services include most Mail
Transport Agents, SSH servers, and web servers.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge4.diff.gz
Size/MD5 checksum:    21115 9019caf796eb866f24d5949503b1cdb5
  http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m.orig.tar.gz
Size/MD5 checksum:  2184918 1b63bfdca1c37837e9f1623498f9
  http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge4.dsc
Size/MD5 checksum:      617 7d60c6c3ecdf502734068ab2a8b32118

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge4_alpha.deb
Size/MD5 checksum:  1966534 9f78dcc0f9685641a7fc3d927370d819

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge4_amd64.deb
Size/MD5 checksum:   578632 f1574a0058e85cb0e2c6cff996530c97

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge4_arm.deb
Size/MD5 checksum:   519304 66fa4a65d803f0115dd80d5359944a2d

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge4_hppa.deb
Size/MD5 checksum:   587946 353d46f3351d5a19dfdaf22f605fc627

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge4_i386.deb
Size/MD5 checksum:  1756270 2747688d91dfe1cd00430a74bdef6265

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge4_ia64.deb
Size/MD5 checksum:   815662 45a5b6503ed631149fea28b37a980e21

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge4_m68k.deb
Size/MD5 checksum:   477288 da4ddff773fd7d6af0604363719b368a

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge4_mips.deb
Size/MD5 checksum:   577284 d2bf3c9d86dbba15bbb9d1cb93a6fc51

mipsel architecture (MIPS (Little E

[Full-disclosure] [SECURITY] [DSA 1185-2] New openssl packages fix arbitrary code execution

2006-10-02 Thread Noah Meyerhans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1185-2[EMAIL PROTECTED]
http://www.debian.org/security/ Noah Meyerhans
October 2nd, 2006   http://www.debian.org/security/faq
- --

Package: openssl
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-2940

The fix used to correct CVE-2006-2940 introduced code that could lead to
the use of uninitialized memory.  Such use is likely to cause the
application using the openssl library to crash, and has the potential to
allow an attacker to cause the execution of arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 0.9.7e-3sarge4.

For the unstable and testing distributions (sid and etch,
respectively), these problems will be fixed in version 0.9.7k-3 of the
openssl097 compatibility libraries, and version 0.9.8c-3 of the
openssl package.

We recommend that you upgrade your openssl package.  Note that
services linking against the openssl shared libraries will need to be
restarted. Common examples of such services include most Mail
Transport Agents, SSH servers, and web servers.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
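The advisories above give a Size/MD5 line for every file and note that services linked against the replaced libssl must be restarted; the shell functions below, added here as an example and not part of any Debian advisory, check a downloaded .deb against those two values before dpkg -i and list shared libraries a process still maps after the upgrade replaced them on disk (the maps sample is constructed).

```shell
#!/bin/sh
# Added example, not from the Debian advisory: pre-install checksum check and
# post-upgrade stale-library check for the manual wget / dpkg -i procedure.

# verify_deb FILE SIZE MD5
# Returns 0 only if FILE has exactly the byte size and MD5 digest printed in
# the advisory's "Size/MD5 checksum" line; run it before "dpkg -i FILE".
verify_deb() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || return 1
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    [ "$have_size" = "$want_size" ] && [ "$have_md5" = "$want_md5" ]
}

# stale_libs PATTERN   (reads /proc/<pid>/maps-style text on stdin)
# Prints each distinct library path matching PATTERN that is still mapped but
# marked "(deleted)": the upgrade replaced the file while the process kept the
# old copy, so that process must be restarted to actually run the fixed code.
stale_libs() {
    grep -E "$1" | grep '(deleted)' | awk '{print $6}' | sort -u
}

# processes_with_stale_libs PATTERN -> "PID LIBPATH" for every live process
processes_with_stale_libs() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale_libs "$1" < "$maps" 2>/dev/null | sed "s|^|$pid |"
    done
}

# Constructed sample of a maps file for a process still holding the old libssl.
sample_maps() {
    cat <<'EOF'
b7e1a000-b7e4b000 r-xp 00000000 08:01 12345 /usr/lib/libssl.so.0.9.7 (deleted)
b7e4b000-b7e4e000 rw-p 00030000 08:01 12345 /usr/lib/libssl.so.0.9.7 (deleted)
b7e4e000-b7f7c000 r-xp 00000000 08:01 12346 /usr/lib/libcrypto.so.0.9.7 (deleted)
b7f7c000-b7f90000 r-xp 00000000 08:01 23456 /lib/libc.so.6
EOF
}

# Demo on the sample: two libraries need a restart of this process; libc does not.
sample_maps | stale_libs 'libssl|libcrypto'
```

On a real host run `processes_with_stale_libs 'libssl|libcrypto'` as root after the upgrade; any PID it prints is a service (MTA, sshd, web server) still running the old library.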


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.dsc
  Size/MD5 checksum:  639 179f34093d860afff66964b5f1c99ee3

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.diff.gz
  Size/MD5 checksum:29707 0b4d462730327aba5a751bd4bec71c10

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
  Size/MD5 checksum:  3043231 a8777164bca38d84e5eb2b1535223474

  Alpha architecture:


http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_alpha.deb
  Size/MD5 checksum:  3341886 f0d0ef51fac89227b0d0705116439f5c

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_alpha.deb
  Size/MD5 checksum:  2448092 8065c52c7649f36221f8a48adfb4cb29

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_alpha.deb
  Size/MD5 checksum:   930234 5953c4c4a45352d41c3c414eda63ff00

  AMD64 architecture:


http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_amd64.deb
  Size/MD5 checksum:  2693980 cbd25bbed17ec73561337bfc3d8ed2ed

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_amd64.deb
  Size/MD5 checksum:   769904 2671cdf2f48013617ea509daac2bb4dc

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_amd64.deb
  Size/MD5 checksum:   903782 e370684d7c84d1eebcb69cdda35c6c6c

  ARM architecture:


http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_arm.deb
  Size/MD5 checksum:  2556330 75c1a253ddad0b7ad87053552770e5c4

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_arm.deb
  Size/MD5 checksum:   690202 ccd435ca2c183940152f3bd70d84ee0b

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_arm.deb
  Size/MD5 checksum:   894144 2e5caaa90184d9ee9e607d18728e6f93

  HP Precision architecture:


http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_hppa.deb
  Size/MD5 checksum:  2695990 58fe1a247ef47faa559eef610b437db6

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_hppa.deb
  Size/MD5 checksum:   791382 f0c64d06307af937218944d6d8db6e2f

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_hppa.deb
  Size/MD5 checksum:   914576 631c681a3c4ce355962a7c684767a155

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_i386.deb
  Size/MD5 checksum:  2554956 c4c9aa14e74dbd6dac2cadd7cf48b522

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_i386.deb
  Size/MD5 checksum:  2265180 9047b6c6036c048ad75fa397f220ae39

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_i386.deb
  Size/MD5 checksum:   906268 070d1d1680f90da5509121c44de7a254

  Intel IA-64 architecture:


http