[Full-disclosure] [SECURITY] [DSA 2281-1] opie security update

2011-07-21 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2281-1   secur...@debian.org
http://www.debian.org/security/Steffen Joeris
July 21, 2011  http://www.debian.org/security/faq
- -

Package: opie
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2011-2489 CVE-2011-2490 CVE-2010-1938
Debian Bugs: 631344 631345 584932

Sebastian Krahmer discovered that opie, a system that makes it simple to
use One-Time passwords in applications, is prone to a privilege
escalation (CVE-2011-2490) and an off-by-one error, which can lead to
the execution of arbitrary code (CVE-2011-2489). Adam Zabrocki and
Maksymilian Arciemowicz also discovered another off-by-one error
(CVE-2010-1938), which only affects the lenny version as the fix was
already included for squeeze.


For the oldstable distribution (lenny), these problems have been fixed in
version 2.32-10.2+lenny2.

For the stable distribution (squeeze), these problems have been fixed in
version 2.32.dfsg.1-0.2+squeeze1.

The testing distribution (wheezy) and the unstable distribution (sid) do
not contain opie.


We recommend that you upgrade your opie packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4nk6EACgkQ62zWxYk/rQfjAACfUmlzQ0haXhy9vk04RuGM+A5u
bW0An2vThf6CqKRaqNmoZ82MP3INON2d
=REWR
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 2279-1] libapache2-mod-authnz-external security update

2011-07-19 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2279-1   secur...@debian.org
http://www.debian.org/security/Steffen Joeris
July 19, 2011  http://www.debian.org/security/faq
- -

Package: libapache2-mod-authnz-external
Vulnerability  : SQL injection
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-2688 
Debian Bug : 633637

It was discovered that libapache2-mod-authnz-external, an apache
authentication module, is prone to an SQL injection via the $user
parameter.


For the stable distribution (squeeze), this problem has been fixed in
version 3.2.4-2+squeeze1.

The oldstable distribution (lenny) does not contain
libapache2-mod-authnz-external.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.2.4-2.1.


We recommend that you upgrade your libapache2-mod-authnz-external packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4k068ACgkQ62zWxYk/rQdEcACgl9otukAtTDPLIWRr8b7JlbCn
gKYAniArSm7L6ND92ROY1fVsDgiKXD7R
=07Sp
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2280-1] libvirt security update

2011-07-19 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2280-1   secur...@debian.org
http://www.debian.org/security/Steffen Joeris
July 19, 2011  http://www.debian.org/security/faq
- -

Package: libvirt
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2011-2511 CVE-2011-1486
Debian Bugs: 633630 623222

It was discovered that libvirt, a library for interfacing with different
virtualization systems, is prone to an integer overflow (CVE-2011-2511).
Additionally, the stable version is prone to a denial of service,
because its error reporting is not thread-safe (CVE-2011-1486).

For the stable distribution (squeeze), these problems have been fixed in
version 0.8.3-5+squeeze2.

For the oldstable distribution (lenny), this problem has been fixed in
version 0.4.6-10+lenny2.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 0.9.2-7.


We recommend that you upgrade your libvirt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4k3LkACgkQ62zWxYk/rQe4PACgn2A0l43mGtxkVmTpbJiWJ4sO
LZwAniQr0BWwmjQ5QzorFbWdEvMUT7Ao
=AnRs
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2278-1] horde3 security update

2011-07-17 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2278-1   secur...@debian.org
http://www.debian.org/security/Steffen Joeris
July 16, 2011  http://www.debian.org/security/faq
- -

Package: horde3
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2010-3077 CVE-2010-3694 
Debian Bug : 598582

It was discovered that horde3, the horde web application framework, is
prone to a cross-site scripting attack and a cross-site request forgery.

For the oldstable distribution (lenny), these problems have been fixed
in version 3.2.2+debian0-2+lenny3.

For the stable distribution (squeeze), these problems have been fixed in
version 3.3.8+debian0-2, which was already included in the squeeze
release.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 3.3.8+debian0-2.


We recommend that you upgrade your horde3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4hBwwACgkQ62zWxYk/rQcTKACggPUyYIk0q+vj0A1u5txRBOUp
wDYAoKxgN0ABTihTrQStLr6y4hE1wrxK
=YGKh
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2204-1] imp4 security update

2011-03-27 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2204-1   secur...@debian.org
http://www.debian.org/security/Steffen Joeris
March 27, 2011 http://www.debian.org/security/faq
- -

Package: imp4
Vulnerability  : Insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2010-3695 
Debian Bug : 598584


Moritz Naumann discovered that imp4, a webmail component for the horde
framework, is prone to cross-site scripting attacks by a lack of input
sanitising of certain fetchmail information.


For the oldstable distribution (lenny), this problem has been fixed in
version 4.2-4lenny3.

For the stable distribution (squeeze), this problem has been fixed in
version 4.3.7+debian0-2.1, which was already included in the squeeze
release.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 4.3.7+debian0-2.1.


We recommend that you upgrade your imp4 packages.


Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk2PExgACgkQ62zWxYk/rQcijwCgldihmhqvhj/l/aVxjDKSF2es
tXUAoJtcseAhsS9CMhJK7VBsH0XW673n
=IpN3
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2111-1] New squid3 packages fix denial of service

2010-09-20 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2111-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
September 19, 2010http://www.debian.org/security/faq
- 

Package: squid3
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2010-3072
Debian Bug : 596086

Phil Oester discovered that squid3, a fully featured Web Proxy cache, is
prone to a denial of service attack via a specially crafted request that
includes empty strings.


For the stable distribution (lenny), this problem has been fixed in
version 3.0.STABLE8-3+lenny4.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.1.6-1.1.


We recommend that you upgrade your squid3 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4.diff.gz
Size/MD5 checksum:20699 8660e684fab99044d17ee435cd8718d9
  
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4.dsc
Size/MD5 checksum: 1193 c301ce03c043f892a1dab392b82f5454
  
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8.orig.tar.gz
Size/MD5 checksum:  2443502 b5d26e1b7e2285bb60cf4de249113722

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.STABLE8-3+lenny4_all.deb
Size/MD5 checksum:   289406 954e5536f90c542c1fc7300fc9a6ad0e

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_alpha.deb
Size/MD5 checksum:  1120516 88adcda5d0b2ba1fb27341af183faaa3
  
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_alpha.deb
Size/MD5 checksum:90722 e6148340f94c9f0de77a9e944c294550
  
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_alpha.deb
Size/MD5 checksum:94334 014271407be72d360f5ca0d4f483defe

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_amd64.deb
Size/MD5 checksum:89072 0c3df278512da844a33cc3e4294f0860
  
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_amd64.deb
Size/MD5 checksum:92634 13a26c111e3344c2e0bc2da0291c0b26
  
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_amd64.deb
Size/MD5 checksum:  1008578 55e7a138a3cf2ac850757bdb3dc80d65

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_i386.deb
Size/MD5 checksum:   934274 393c4a46b784cd36422a8ccfc070408a
  
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_i386.deb
Size/MD5 checksum:87314 a548078782994991585417158ef64fe6
  
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_i386.deb
Size/MD5 checksum:91310 2d82131a6dad26f5879bb8fa9e25d2cc

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_ia64.deb
Size/MD5 checksum:92964 6e491b0751864bd35bb6d4b56d5542cb
  
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_ia64.deb
Size/MD5 checksum:98848 1558483cfd3e776565be1198fb24c0d5
  
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_ia64.deb
Size/MD5 checksum:  1490318 0801807239c83c712ffbdf7b1cece4dc

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_mipsel.deb
Size/MD5 checksum:  1072524 e46d21e7e0d678862ce9ff5eaa7dc5fc
  
http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_mipsel.deb
Size/MD5 checksum:89806 5b58f3fb903ea2b59c84c4767b514467
  
http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_mipsel.deb
Size
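The "Upgrade instructions" and the "Size/MD5 checksum" lines in DSA-2111-1 above describe a manual procedure: fetch a .deb with wget, then install it with dpkg -i. The step a practitioner wants in between is to confirm that the downloaded file has exactly the size and MD5 printed in the advisory before handing it to dpkg. The following is an added example, not code from the advisory or from Debian's own tooling; the function names, the manifest parser and the constructed "hello" file are assumptions of this example, while the two checksum lines in ADVISORY_EXCERPT are copied from the advisory text above.

```python
"""Verify downloaded Debian packages against the Size/MD5 lines of a DSA."""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# Excerpt in the layout the advisories use: a URL line followed by a
# "Size/MD5 checksum:" line. Values copied from the DSA-2111-1 amd64 entries.
ADVISORY_EXCERPT = """
  http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_amd64.deb
Size/MD5 checksum:  1008578 55e7a138a3cf2ac850757bdb3dc80d65
  http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_amd64.deb
Size/MD5 checksum:89072 0c3df278512da844a33cc3e4294f0860
"""

# The advisories sometimes print no space after the colon, so \s* is needed.
CHECKSUM_RE = re.compile(r"^Size/MD5 checksum:\s*(\d+)\s+([0-9a-f]{32})\s*$")


def parse_manifest(text):
    """Map each package filename to its (size, md5) pair.

    A URL line is paired with the checksum line that follows it. A checksum
    line that has no preceding URL is a format error and is rejected rather
    than silently attached to the wrong file.
    """
    manifest = {}
    pending_url = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("http://") or line.startswith("ftp://"):
            pending_url = line
            continue
        m = CHECKSUM_RE.match(line)
        if m is None:
            continue  # prose lines ("Source archives:", headings) are ignored
        if pending_url is None:
            raise ValueError("checksum line without a preceding URL: %r" % line)
        name = os.path.basename(urlparse(pending_url).path)
        manifest[name] = (int(m.group(1)), m.group(2))
        pending_url = None
    return manifest


def verify_file(path, expected_size, expected_md5):
    """Return (ok, reason) for one downloaded file.

    Size is checked first because it is cheap and a truncated download is
    the common failure; the digest is then computed in chunks so a large
    package never has to fit in memory.
    """
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, "size mismatch: expected %d, got %d" % (expected_size, actual_size)
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    digest = h.hexdigest()
    if digest != expected_md5:
        return False, "md5 mismatch: expected %s, got %s" % (expected_md5, digest)
    return True, "ok"


def verify_downloads(manifest, directory):
    """Check every manifest entry against `directory`.

    Returns filename -> (ok, reason). Files that were never downloaded are
    reported explicitly instead of being skipped.
    """
    results = {}
    for name, (size, md5) in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = (False, "not downloaded")
            continue
        results[name] = verify_file(path, size, md5)
    return results


def demo():
    """Offline self-check using a constructed file (content b"hello\\n",
    6 bytes, MD5 b1946ac92492d2347c6235b4d2611184). Returns the ok flags for
    a correct entry, a wrong size and a wrong digest."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "constructed_1.0_all.deb")
        with open(path, "wb") as f:
            f.write(b"hello\n")
        good = verify_file(path, 6, "b1946ac92492d2347c6235b4d2611184")
        wrong_size = verify_file(path, 7, "b1946ac92492d2347c6235b4d2611184")
        wrong_md5 = verify_file(path, 6, "0" * 32)
        return good[0], wrong_size[0], wrong_md5[0]


if __name__ == "__main__":
    for name, entry in parse_manifest(ADVISORY_EXCERPT).items():
        print(name, entry)
    print(demo())  # (True, False, False)
```

In practice one would run `verify_downloads(parse_manifest(open("dsa.txt").read()), ".")` in the directory the files were fetched into and only call `dpkg -i` on entries that report ok. The MD5 catches a truncated or corrupted download; what authenticates the list itself is the PGP signature over the advisory, so the signature should be checked before the checksums are trusted.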

[Full-disclosure] [SECURITY] [DSA 2113-1] New drupal6 packages fix several vulnerabilities

2010-09-20 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2113-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
September 20, 2010http://www.debian.org/security/faq
- 

Package: drupal6
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2010-3091 CVE-2010-3092 CVE-2010-3093 CVE-2010-3094
Debian Bug : 592716


Several vulnerabilities have been discovered in drupal6, a fully-featured
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems:


CVE-2010-3091

Several issues have been discovered in the OpenID module that allow
malicious access to user accounts.

CVE-2010-3092

The upload module includes a potential bypass of access restrictions due
to not checking letter case-sensitivity.

CVE-2010-3093

The comment module has a privilege escalation issue that allows certain
users to bypass limitations.

CVE-2010-3094

Several cross-site scripting (XSS) issues have been discovered in the
Action feature.


For the stable distribution (lenny), these problems have been fixed in
version 6.6-3lenny6.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 6.18-1.


We recommend that you upgrade your drupal6 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny6.dsc
Size/MD5 checksum: 1130 7a2cb0258096a2076a4c16ee1ba7b74b
  
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny6.diff.gz
Size/MD5 checksum:32605 b6ec50b492dc28d6a3273e6cafdcaf64
  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6.orig.tar.gz
Size/MD5 checksum:  1071507 caaa55d1990b34dee48f5047ce98e2bb

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny6_all.deb
Size/MD5 checksum:  1093210 1f8147473dd2a1a7d48247c974892991


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyXa5UACgkQ62zWxYk/rQfEVQCff37s56InUKxguVrL1clPQtah
efwAnAxQuz+BsZP37XLnbWlWmASmH4L1
=n+RP
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2049-1] New barnowl packages fix arbitrary code execution

2010-05-23 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2049-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
May 23, 2010  http://www.debian.org/security/faq
- 

Package: barnowl
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2010-0793
Debian Bug : 574418

It has been discovered that barnowl, a curses-based tty Jabber, IRC, AIM
and Zephyr client, is prone to a buffer overflow via its CC: handling,
which could lead to the execution of arbitrary code.


For the stable distribution (lenny), this problem has been fixed in
version 1.0.1-4+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.5.1-1.


We recommend that you upgrade your barnowl packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1.orig.tar.gz
Size/MD5 checksum:   606923 5036fe3559becc5fa81de9a4dc028767
  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1.dsc
Size/MD5 checksum: 1128 c005716429cc93f9aa13ecc32e9a83a8
  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1.diff.gz
Size/MD5 checksum: 6186 431a62342081785abeac1d6f27cca56e

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl-irc_1.0.1-4+lenny1_all.deb
Size/MD5 checksum:38992 662b9a48a4daf355222980b4b77e1dfe

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1_alpha.deb
Size/MD5 checksum:   521514 a50a7d27f8d679aaaf1aefbb7b0b8f00

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1_amd64.deb
Size/MD5 checksum:   497828 ec2b041ebdfcd8f60576d156a058

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1_arm.deb
Size/MD5 checksum:   453232 fa99d92090e14152f9d5119d3952c911

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1_hppa.deb
Size/MD5 checksum:   484984 e370789dab95d297ece10836eaa11c40

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1_i386.deb
Size/MD5 checksum:   468636 b4d0478d392975c7c10bf1bc5a8db665

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1_ia64.deb
Size/MD5 checksum:   580632 46327f82543d70285370f3b1abc770e2

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1_mips.deb
Size/MD5 checksum:   461968 91c665cd05e93568eda74970ea816dac

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1_powerpc.deb
Size/MD5 checksum:   484788 d6d20b834e74fe5eb76cb73b0fe4f8af

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1_s390.deb
Size/MD5 checksum:   488260 345d6df2dd4953aa4bca1aa7b0a2cb1a

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/b/barnowl/barnowl_1.0.1-4+lenny1_sparc.deb
Size/MD5 checksum:   463060 869a67d8595133ae2c6a61cd9289e0a8


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkv4mVUACgkQ62zWxYk/rQeSjgCcDLOEyV2ldWmowWIM175O7ANb
4YAAoKyssPkCqJUVTv+mNcVJk9Dlx1I6
=gzAO
-END PGP SIGNATURE-


[Full-disclosure] [SECURITY] [DSA 2025-1] New icedove packages fix several vulnerabilities

2010-03-31 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2025-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
March 31, 2010http://www.debian.org/security/faq
- 

Package: icedove
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2009-2408 CVE-2009-2404 CVE-2009-2463
 CVE-2009-3072 CVE-2009-3075 CVE-2010-0163

Several remote vulnerabilities have been discovered in the Icedove
mail client, an unbranded version of the Thunderbird mail client. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2009-2408

Dan Kaminsky and Moxie Marlinspike discovered that icedove does not
properly handle a '\0' character in a domain name in the subject's
Common Name (CN) field of an X.509 certificate (MFSA 2009-42).

CVE-2009-2404

Moxie Marlinspike reported a heap overflow vulnerability in the code
that handles regular expressions in certificate names (MFSA 2009-43).

CVE-2009-2463

monarch2020 discovered an integer overflow in a base64 decoding function
(MFSA 2010-07).

CVE-2009-3072

Josh Soref discovered a crash in the BinHex decoder (MFSA 2010-07).

CVE-2009-3075

Carsten Book reported a crash in the JavaScript engine (MFSA 2010-07).

CVE-2010-0163

Ludovic Hirlimann reported a crash indexing some messages with
attachments, which could lead to the execution of arbitrary code
(MFSA 2010-07).


For the stable distribution (lenny), these problems have been fixed in
version 2.0.0.24-0lenny1.

Due to a problem with the archive system it is not possible to release
all architectures. The missing architectures will be installed into the
archive once they become available.

For the testing distribution (squeeze) and the unstable distribution (sid),
these problems will be fixed soon.


We recommend that you upgrade your icedove packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24.orig.tar.gz
Size/MD5 checksum: 35856543 3bf6e40cddf593ddc1a66b9e721f12b9
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1.dsc
Size/MD5 checksum: 1668 111c1a93c1ce498715e231272123f841
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1.diff.gz
Size/MD5 checksum:   103260 4661b0c8c170d58f844337699cb8ca1a

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_2.0.0.24-0lenny1_alpha.deb
Size/MD5 checksum:  3723382 12c7fe63b0a5c59680ca36200a6f7d20
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_2.0.0.24-0lenny1_alpha.deb
Size/MD5 checksum:61132 c0f96569d4ea0f01cff3950572b3dda9
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_2.0.0.24-0lenny1_alpha.deb
Size/MD5 checksum: 57375560 95a614e1cb620fad510eb51ae5cb37c5
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1_alpha.deb
Size/MD5 checksum: 13468190 03a629abf18130605927f5817b097bac

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_2.0.0.24-0lenny1_amd64.deb
Size/MD5 checksum: 57584134 7d909c9f1b67d4758e290dc2c1dc01f2
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_2.0.0.24-0lenny1_amd64.deb
Size
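The CVE-2009-2408 entry in DSA-2025-1 above says the client "does not properly handle a '\0' character in a domain name in the subject's Common Name". The defensive point is that a hostname check must compare the whole CN, byte for byte, and never let a C-style string routine stop at the first NUL. The following is an added illustration, not Icedove's or Mozilla's code: `vulnerable_match` is a deliberately wrong comparison that truncates at NUL, kept only to show the contrast, and `strict_match` is the length-aware check a TLS client should perform. The function names and the constructed CN value are assumptions of this example.

```python
"""Hostname-versus-CN comparison that does not stop at an embedded NUL."""

# Constructed CN with an embedded NUL, in the shape the advisory describes.
CRAFTED_CN = "www.example.com\x00.other.example"


def c_style_view(s):
    """What a NUL-terminated C string API sees of a Python string: everything
    after the first NUL is invisible. Used only to illustrate the bug class."""
    i = s.find("\x00")
    return s if i < 0 else s[:i]


def vulnerable_match(cn, hostname):
    """Comparison that truncates at NUL: the behaviour the advisory fixes.
    Deliberately wrong so the contrast with strict_match is visible."""
    return c_style_view(cn).lower() == hostname.lower()


def strict_match(cn, hostname):
    """Length-aware hostname check.

    Rejects any NUL on either side, compares the complete string
    case-insensitively, and permits only a single leading '*.' wildcard
    label (so '*.example.com' covers 'www.example.com' but neither
    'a.b.example.com' nor the bare 'example.com').
    """
    if "\x00" in cn or "\x00" in hostname:
        return False
    cn = cn.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cn or not hostname:
        return False
    if cn.startswith("*."):
        suffix = cn[1:]  # ".example.com"
        if "*" in suffix:
            return False  # a second wildcard is never acceptable
        head, sep, tail = hostname.partition(".")
        return bool(sep) and head != "" and "." + tail == suffix
    return cn == hostname


def compare_checks(cn, hostname):
    """Return (vulnerable_result, strict_result) for one CN/hostname pair."""
    return vulnerable_match(cn, hostname), strict_match(cn, hostname)


if __name__ == "__main__":
    print(compare_checks(CRAFTED_CN, "www.example.com"))   # (True, False)
    print(compare_checks("*.example.com", "www.example.com"))  # (False, True)
```

The first printed pair is the whole issue in one line: a comparison that stops at NUL accepts the crafted CN for www.example.com, the full-length comparison does not. The second pair shows that the strict check still handles the legitimate wildcard case the naive comparison cannot.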

[Full-disclosure] [SECURITY] [DSA 2023-1] New curl packages fix arbitrary code execution

2010-03-28 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2023-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
March 28, 2010http://www.debian.org/security/faq
- 

Package: curl
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id : CVE-2010-0734

Wesley Miaw discovered that libcurl, a multi-protocol file transfer
library, is prone to a buffer overflow via the callback function when
an application relies on libcurl to automatically uncompress data. Note
that this only affects applications that trust libcurl's maximum limit
for a fixed buffer size and do not perform any sanity checks themselves.


For the stable distribution (lenny), this problem has been fixed in
version 7.18.2-8lenny4.

Due to a problem with the archive software, we are unable to release all
architectures simultaneously. Binaries for the hppa, ia64, mips, mipsel
and s390 architectures will be provided once they are available.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 7.20.0-1.


We recommend that you upgrade your curl packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4.dsc
Size/MD5 checksum: 1419 0b91fb707442ec5f1dff454ddd0d2679
  http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2.orig.tar.gz
Size/MD5 checksum:  2273077 4fe99398a64a34613c9db7bd61bf6e3c
  
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4.diff.gz
Size/MD5 checksum:29053 205ea45b37707ca44847a0bb953a108e

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_alpha.deb
Size/MD5 checksum:   224560 39c97dc3fc8adfe369d050d4ccd57112
  
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_alpha.deb
Size/MD5 checksum:   211362 d04f5a02fbce3a0ed6b757e36aa21f37
  
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_alpha.deb
Size/MD5 checksum:   986188 ca28494e3f9ee836f9893608e5f82c1b
  
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_alpha.deb
Size/MD5 checksum:  1150648 b33b695186a2f70f00fdf1dacfb25b62
  
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_alpha.deb
Size/MD5 checksum:   958014 ba4136dd3c9e204c03d7793d06f1205e
  
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_alpha.deb
Size/MD5 checksum:   241806 b0bca91ebffa1b09ddf9ea07004423d4

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2-8lenny4_amd64.deb
Size/MD5 checksum:   933302 b14bed60c0ff0d9f5647c7624bce4290
  
http://security.debian.org/pool/updates/main/c/curl/curl_7.18.2-8lenny4_amd64.deb
Size/MD5 checksum:   209380 803de8e14287846ceae6f12a011d48bf
  
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_amd64.deb
Size/MD5 checksum:   215342 4ee8ef24407aa837b37ada3b7c261047
  
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.18.2-8lenny4_amd64.deb
Size/MD5 checksum:  1182708 9e4b1721388b113033cbff04c764bfa1
  
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_amd64.deb
Size/MD5 checksum:   231906 6f9ce83dd70ce4ec606adcaa78e11904
  
http://security.debian.org/pool/updates/main/c/curl/libcurl4-openssl-dev_7.18.2-8lenny4_amd64.deb
Size/MD5 checksum:   954234 8955fd4b4539044f08b074aae12d01e3

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.18.2-8lenny4_arm.deb
Size/MD5 checksum:   222366 6a5c14d84303e3acfa699ba7fb14ed1a
  
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.18.2-8lenny4_arm.deb
Size/MD5 checksum:   208124 219373aea91cfde58dfa15c7237462bf
  
http://security.debian.org/pool/updates/main/c/curl/libcurl4-gnutls-dev_7.18.2

[Full-disclosure] [SECURITY] [DSA 2009-1] New tdiary packages fix cross-site scripting

2010-03-10 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2009-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
March 09, 2010http://www.debian.org/security/faq
- 

Package: tdiary
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2010-0726
Debian Bug : 572417

It was discovered that tdiary, a communication-friendly weblog system,
is prone to a cross-site scripting vulnerability due to insufficient
input sanitising in the TrackBack transmission plugin.


For the stable distribution (lenny), this problem has been fixed in
version 2.2.1-1+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.1-1.1.


We recommend that you upgrade your tdiary packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.



  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg



[Full-disclosure] [SECURITY] [DSA 1991-1] New squid/squid3 packages fix denial of service

2010-02-04 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1991-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
February 04, 2010 http://www.debian.org/security/faq
- 

Package: squid/squid3
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2009-2855 CVE-2010-0308
Debian Bug : 534982

Two denial of service vulnerabilities have been discovered in
squid and squid3, a web proxy. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-2855

Bastian Blank discovered that it is possible to cause a denial of
service via a crafted auth header with certain comma delimiters.

CVE-2010-0308

Tomas Hoger discovered that it is possible to cause a denial of service
via invalid DNS header-only packets.


For the stable distribution (lenny), these problems have been fixed in
version 2.7.STABLE3-4.1lenny1 of the squid package and version
3.0.STABLE8-3+lenny3 of the squid3 package.

For the oldstable distribution (etch), these problems have been fixed in
version 2.6.5-6etch5 of the squid package and version 3.0.PRE5-5+etch2
of the squid3 package.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.


We recommend that you upgrade your squid/squid3 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1986-1] New moodle packages fix several vulnerabilities

2010-02-03 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1986-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
February 02, 2010 http://www.debian.org/security/faq
- 

Package: moodle 
Vulnerability  : several vulnerabilities
Problem type   : remote 
Debian-specific: no 
CVE IDs: CVE-2009-4297 CVE-2009-4298 CVE-2009-4299 CVE-2009-4301
 CVE-2009-4302 CVE-2009-4303 CVE-2009-4305  
Debian Bugs: 559531 


Several vulnerabilities have been discovered in Moodle, an online
course management system. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-4297

Multiple cross-site request forgery (CSRF) vulnerabilities have been
discovered. 

CVE-2009-4298

It has been discovered that the LAMS module is prone to the disclosure
of user account information.  

CVE-2009-4299

The Glossary module has an insufficient access control mechanism.

CVE-2009-4301

Moodle does not properly check permissions when the MNET service is
enabled, which allows remote authenticated servers to execute arbitrary
MNET functions.

CVE-2009-4302

The login/index_form.html page links to an HTTP page instead of using an
SSL secured connection.

CVE-2009-4303

Moodle stores sensitive data in backup files, which might make it
possible for attackers to obtain them.

CVE-2009-4305

It has been discovered that the SCORM module is prone to an SQL
injection.

Additionally, an SQL injection in the update_record function, a problem
with symbolic links and a verification problem with Glossary, database
and forum ratings have been fixed.


For the stable distribution (lenny), these problems have been fixed in
version 1.8.2.dfsg-3+lenny3.

For the oldstable distribution (etch), there are no fixed packages
available and it is too hard to backport many of the fixes. Therefore,
we recommend upgrading to the lenny version.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1.8.2.dfsg-6.


We recommend that you upgrade your moodle packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.



  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg



[Full-disclosure] [SECURITY] [DSA 1982-1] New hybserv packages fix denial of service

2010-01-29 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1982-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
January 29, 2010  http://www.debian.org/security/faq
- 

Package: hybserv
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2010-0303
Debian Bug : 550389


Julien Cristau discovered that hybserv, a daemon running IRC services
for IRCD-Hybrid, is prone to a denial of service attack via the commands
option.


For the stable distribution (lenny), this problem has been fixed in
version 1.9.2-4+lenny2.

Due to a bug in the archive system, it is not possible to release the
fix for the oldstable distribution (etch) simultaneously. Therefore,
etch will be fixed in version 1.9.2-4+etch1 as soon as it becomes
available.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 1.9.2-4.1.


We recommend that you upgrade your hybserv packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.



  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg



[Full-disclosure] [SECURITY] [DSA 1980-1] New ircd-hybrid/ircd-ratbox packages fix arbitrary code execution

2010-01-28 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1980-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
January 27, 2010  http://www.debian.org/security/faq
- 

Package: ircd-hybrid/ircd-ratbox
Vulnerability  : integer underflow/denial of service
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2009-4016 CVE-2010-0300


David Leadbeater discovered an integer underflow that could be triggered
via the LINKS command and can lead to a denial of service or the
execution of arbitrary code (CVE-2009-4016). This issue affects both
ircd-hybrid and ircd-ratbox.

It was discovered that the ratbox IRC server is prone to a denial of
service attack via the HELP command. The ircd-hybrid package is not
vulnerable to this issue (CVE-2010-0300).


For the stable distribution (lenny), this problem has been fixed in
version 1:7.2.2.dfsg.2-4+lenny1 of the ircd-hybrid package and in
version 2.2.8.dfsg-2+lenny1 of ircd-ratbox.

Due to a bug in the archive software it was not possible to release the
fix for the oldstable distribution (etch) simultaneously. The packages
will be released as version 7.2.2.dfsg.2-3+etch1 once they become
available.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.


We recommend that you upgrade your ircd-hybrid/ircd-ratbox packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1981-1] New maildrop packages fix privilege escalation

2010-01-28 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1981-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
January 28, 2010  http://www.debian.org/security/faq
- 

Package: maildrop
Vulnerability  : privilege escalation
Problem type   : local
Debian-specific: no
CVE Id : No CVE id yet
Debian Bug : 564601


Christoph Anton Mitterer discovered that maildrop, a mail delivery agent
with filtering abilities, is prone to a privilege escalation issue that
grants a user root group privileges.


For the stable distribution (lenny), this problem has been fixed in
version 2.0.4-3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 2.0.2-11+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.


We recommend that you upgrade your maildrop packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.



Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1981-2] New maildrop packages fix regression

2010-01-28 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1981-2  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
January 28, 2010  http://www.debian.org/security/faq
- 

Package: maildrop
Vulnerability  : privilege escalation
Problem type   : local
Debian-specific: no
CVE Id : CVE-2010-0301
Debian Bug : 564601

The latest DSA for maildrop introduced two regressions. The maildrop
program stopped working when invoked as a non-root user, such as with
postfix. Also, the lenny version dropped a dependency on the
courier-authlib package.


For the stable distribution (lenny), this problem has been fixed in
version 2.0.4-3+lenny3.

For the oldstable distribution (etch), this problem has been fixed in
version 2.0.2-11+etch2.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.0-3.1.

For reference, the original advisory text is below.

Christoph Anton Mitterer discovered that maildrop, a mail delivery agent
with filtering abilities, is prone to a privilege escalation issue that
grants a user root group privileges.

We recommend that you upgrade your maildrop packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.



Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1974-1] New gzip packages fix arbitrary code execution

2010-01-20 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1974-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
January 20, 2010  http://www.debian.org/security/faq
- 

Package: gzip
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-2624 CVE-2010-0001
Debian Bug : 507263

Several vulnerabilities have been found in gzip, the GNU compression
utilities. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-2624

Thiemo Nagel discovered a missing input sanitation flaw in the way gzip
used to decompress data blocks for dynamic Huffman codes, which could
lead to the execution of arbitrary code when trying to decompress a
crafted archive. This issue is a reappearance of CVE-2006-4334 and only
affects the lenny version.

CVE-2010-0001

Aki Helin discovered an integer underflow when decompressing files that
are compressed using the LZW algorithm. This could lead to the execution
of arbitrary code when trying to decompress a crafted LZW compressed
gzip archive.


For the stable distribution (lenny), these problems have been fixed in
version 1.3.12-6+lenny1.

For the oldstable distribution (etch), these problems have been fixed in
version 1.3.5-15+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.


We recommend that you upgrade your gzip packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.



Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1966-1] New horde3 packages fix cross-site scripting

2010-01-07 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1966-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
January 07, 2010                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : horde3
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Ids        : CVE-2009-3237 CVE-2009-3701 CVE-2009-4363

Several vulnerabilities have been found in horde3, the horde web application
framework. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-3237

It has been discovered that horde3 is prone to cross-site scripting
attacks via crafted number preferences or inline MIME text parts when
using text/plain as MIME type.
For lenny this issue was already fixed, but as an additional security
precaution, the display of inline text was disabled in the configuration
file.

CVE-2009-3701

It has been discovered that the horde3 administration interface is prone
to cross-site scripting attacks due to the use of the PHP_SELF variable.
This issue can only be exploited by authenticated administrators.

CVE-2009-4363

It has been discovered that horde3 is prone to several cross-site
scripting attacks via crafted data:text/html values in HTML messages.


For the stable distribution (lenny), these problems have been fixed in
version 3.2.2+debian0-2+lenny2.

For the oldstable distribution (etch), these problems have been fixed in
version 3.1.3-4etch7.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 3.3.6+debian0-1.


We recommend that you upgrade your horde3 packages.



Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.



Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.



  These files will probably be moved into the stable distribution on
  its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1957-1] New aria2 packages fix arbitrary code execution

2009-12-28 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1957-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
December 28, 2009                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : aria2
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id         : CVE-2009-3575
Debian Bug     : 551070

It was discovered that aria2, a high speed download utility, is prone
to a buffer overflow in the DHT routing code, which might lead to the
execution of arbitrary code.


For the stable distribution (lenny), this problem has been fixed in
version 0.14.0-1+lenny1. Binaries for powerpc, arm, ia64 and hppa will
be provided once they are available.

The oldstable distribution (etch) is not affected by this problem.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.2.0-1.


We recommend that you upgrade your aria2 packages.



Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.





[Full-disclosure] [SECURITY] [DSA 1954-1] New cacti packages fix insufficient input sanitising

2009-12-16 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1954-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
December 16, 2009                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : cacti
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Ids        : CVE-2007-3112 CVE-2007-3113 CVE-2009-4032
Debian Bugs    : 429224

Several vulnerabilities have been found in cacti, a frontend to rrdtool
for monitoring systems and services. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-3112, CVE-2007-3113

It was discovered that cacti is prone to a denial of service via the
graph_height, graph_width, graph_start and graph_end parameters.
This issue only affects the oldstable (etch) version of cacti.

CVE-2009-4032

It was discovered that cacti is prone to several cross-site scripting
attacks via different vectors.

CVE-2009-4112

It has been discovered that cacti allows authenticated administrator
users to gain access to the host system by executing arbitrary commands
via the Data Input Method for the Linux - Get Memory Usage setting.

There is no fix for this issue at this stage. Upstream will implement a
whitelist policy to only allow certain safe commands. For the moment,
we recommend that such access is only given to trusted users and that
the options Data Input and User Administration are otherwise
deactivated.


For the oldstable distribution (etch), these problems have been fixed in
version 0.8.6i-3.6.

For the stable distribution (lenny), this problem has been fixed in
version 0.8.7b-2.1+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.7e-1.1.


We recommend that you upgrade your cacti packages.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.



Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.




[Full-disclosure] [SECURITY] [DSA 1955-1] New network-manager/network-manager-applet packages fix information disclosure

2009-12-16 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1955-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
December 16, 2009                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : network-manager/network-manager-applet
Vulnerability  : information disclosure
Problem type   : local
Debian-specific: no
CVE Id         : CVE-2009-0365
Debian Bug     : 519801

It was discovered that network-manager-applet, a network management
framework, lacks some dbus restriction rules, which allows local users
to obtain sensitive information.

If you have locally modified the /etc/dbus-1/system.d/nm-applet.conf
file, then please make sure that you merge the changes from this fix
when asked during upgrade.


For the stable distribution (lenny), this problem has been fixed in
version 0.6.6-4+lenny1 of network-manager-applet.

For the oldstable distribution (etch), this problem has been fixed in
version 0.6.4-6+etch1 of network-manager.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.7.0.99-1 of
network-manager-applet.


We recommend that you upgrade your network-manager and
network-manager-applet packages accordingly.



Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1951-1] New firefox-sage packages fix insufficient input sanitizing

2009-12-15 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1951-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
December 15, 2009                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : firefox-sage
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2009-4102
Debian Bug     : 559267

It was discovered that firefox-sage, a lightweight RSS and Atom feed
reader for Firefox, does not sanitise the RSS feed information
correctly, which makes it prone to a cross-site scripting and a
cross-domain scripting attack.


For the stable distribution (lenny), this problem has been fixed in
version 1.4.2-0.1+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.3.6-4etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.4.3-3.


We recommend that you upgrade your firefox-sage packages.



Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.



Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.





[Full-disclosure] [SECURITY] [DSA 1952-1] New asterisk packages fix several vulnerabilities

2009-12-15 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1952-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
December 15, 2009                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2009-0041 CVE-2008-3903 CVE-2009-3727 CVE-2008-7220
                 CVE-2009-4055 CVE-2007-2383
Debian Bug     : 513413 522528 554487 554486 559103

Several vulnerabilities have been discovered in asterisk, an Open Source
PBX and telephony toolkit. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-0041

It is possible to determine valid login names via probing, due to the
IAX2 response from asterisk (AST-2009-001).

CVE-2008-3903

It is possible to determine a valid SIP username, when Digest
authentication and authalwaysreject are enabled (AST-2009-003).

CVE-2009-3727

It is possible to determine a valid SIP username via multiple crafted
REGISTER messages (AST-2009-008).

CVE-2008-7220 CVE-2007-2383

It was discovered that asterisk contains an obsolete copy of the
Prototype JavaScript framework, which is vulnerable to several security
issues. This copy is unused and now removed from asterisk
(AST-2009-009).

CVE-2009-4055

It was discovered that it is possible to perform a denial of service
attack via an RTP comfort noise payload with a long data length
(AST-2009-010).


For the stable distribution (lenny), these problems have been fixed in
version 1:1.4.21.2~dfsg-3+lenny1.

The security support for asterisk in the oldstable distribution (etch)
has been discontinued before the end of the regular Etch security
maintenance life cycle. You are strongly encouraged to upgrade to
stable.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1:1.6.2.0~rc7-1.


We recommend that you upgrade your asterisk packages.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1946-1] New belpic packages fix cryptographic weakness

2009-12-04 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1946-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
December 04, 2009                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : belpic
Vulnerability  : cryptographic weakness
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2009-0049
Debian Bug     : 511261

It was discovered that belpic, the Belgian eID PKCS11 library, does not
properly check the result of an OpenSSL function for verifying
cryptographic signatures, which could be used to bypass the certificate
validation.
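As an added example, not the belpic library's or OpenSSL's code, the check pattern behind this class of bug: OpenSSL's signature verification calls (EVP_VerifyFinal and its relatives) return 1 on success, 0 on a bad signature and a negative value on error, so a caller that tests the result with `!= 0` accepts the error case as verified. `mock_verify_final` is a constructed stand-in that follows the same three-way convention, and the signature bytes are made-up sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Return convention mirrored from OpenSSL's EVP_VerifyFinal():
 *    1  signature verified
 *    0  signature does not match
 *   <0  error (for example the signature could not be parsed at all)
 * mock_verify_final() is a constructed stand-in with the same convention;
 * it is neither OpenSSL nor the belpic code.
 */
#define SIG_LEN 4

/* Constructed sample data: the one signature this mock accepts, plus test inputs. */
static const unsigned char EXPECTED_SIG[SIG_LEN]  = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char GOOD_SIG[SIG_LEN]      = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char BAD_SIG[SIG_LEN]       = { 0x00, 0x11, 0x22, 0x33 };
static const unsigned char MALFORMED_SIG[3]       = { 0xde, 0xad, 0xbe };

int mock_verify_final(const unsigned char *sig, size_t sig_len)
{
    if (sig == NULL || sig_len != SIG_LEN)
        return -1;                           /* error: cannot parse signature */
    return memcmp(sig, EXPECTED_SIG, SIG_LEN) == 0 ? 1 : 0;
}

/* Vulnerable caller: treats every non-zero result as "verified". */
int cert_accepted_vulnerable(const unsigned char *sig, size_t sig_len)
{
    int rc = mock_verify_final(sig, sig_len);
    return rc != 0;                          /* BUG: rc == -1 passes as well */
}

/* Hardened caller: only the exact success value means verified. */
int cert_accepted_hardened(const unsigned char *sig, size_t sig_len)
{
    int rc = mock_verify_final(sig, sig_len);
    if (rc < 0)
        fprintf(stderr, "verification error rc=%d: treating as failure\n", rc);
    return rc == 1;
}

int main(void)
{
    printf("good      vulnerable=%d hardened=%d\n",
           cert_accepted_vulnerable(GOOD_SIG, sizeof GOOD_SIG),
           cert_accepted_hardened(GOOD_SIG, sizeof GOOD_SIG));
    printf("bad       vulnerable=%d hardened=%d\n",
           cert_accepted_vulnerable(BAD_SIG, sizeof BAD_SIG),
           cert_accepted_hardened(BAD_SIG, sizeof BAD_SIG));
    /* The malformed input is the interesting case: the vulnerable check accepts it. */
    printf("malformed vulnerable=%d hardened=%d\n",
           cert_accepted_vulnerable(MALFORMED_SIG, sizeof MALFORMED_SIG),
           cert_accepted_hardened(MALFORMED_SIG, sizeof MALFORMED_SIG));
    return 0;
}
```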


For the oldstable distribution (etch), this problem has been fixed in
version 2.5.9-7.etch.1.

For the stable distribution (lenny), this problem has been fixed in
version 2.6.0-6, which was already included in the lenny release.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 2.6.0-6.


We recommend that you upgrade your belpic packages.



Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1944-1] New request-tracker packages fix session hijack vulnerability

2009-12-03 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1944-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
December 03, 2009 http://www.debian.org/security/faq
- 

Package: request-tracker3.4/request-tracker3.6
Vulnerability  : session hijack
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-3585


Mikal Gule discovered that request-tracker, an extensible trouble-ticket
tracking system, is prone to an attack in which an attacker with access
to the same domain can hijack a user's RT session.


For the stable distribution (lenny), this problem has been fixed in
version 3.6.7-5+lenny3.

For the oldstable distribution (etch), this problem has been fixed in
version 3.6.1-4+etch1 of request-tracker3.6 and version 3.4.5-2+etch1
of request-tracker3.4.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.6.9-2.

We recommend that you upgrade your request-tracker packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/r/request-tracker3.4/request-tracker3.4_3.4.5-2+etch1.diff.gz
Size/MD5 checksum:24450 41891b8a012e671b706facdf4ece3402
  
http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.1-4+etch1.diff.gz
Size/MD5 checksum:23488 3c3914d16ad3e719cd502e2490561cc0
  
http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.1-4+etch1.dsc
Size/MD5 checksum:  916 c03c1972b5ccab3574f9dfdd3fec0bee
  
http://security.debian.org/pool/updates/main/r/request-tracker3.4/request-tracker3.4_3.4.5-2+etch1.dsc
Size/MD5 checksum:  876 5a18cf29db217c6fd2265f6923a938cb
  
http://security.debian.org/pool/updates/main/r/request-tracker3.4/request-tracker3.4_3.4.5.orig.tar.gz
Size/MD5 checksum:  1410154 16c8007cba54669e6c9de95cfc680b2a
  
http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.1.orig.tar.gz
Size/MD5 checksum:  1545708 40c5a828fadaeef9e150255a517d0b17

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-apache2_3.6.1-4+etch1_all.deb
Size/MD5 checksum:   118264 318517b3d5539a84dee1639710048d92
  
http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-apache_3.6.1-4+etch1_all.deb
Size/MD5 checksum:   117786 6f3da07edc9499cc282ceed8e71cf26d
  
http://security.debian.org/pool/updates/main/r/request-tracker3.4/rt3.4-clients_3.4.5-2+etch1_all.deb
Size/MD5 checksum:   120578 e404452bd2f912820644b26c72de
  
http://security.debian.org/pool/updates/main/r/request-tracker3.4/request-tracker3.4_3.4.5-2+etch1_all.deb
Size/MD5 checksum:  1198788 9af1648e53a722155dfd9acaaaf364cd
  
http://security.debian.org/pool/updates/main/r/request-tracker3.4/rt3.4-apache_3.4.5-2+etch1_all.deb
Size/MD5 checksum:92002 009fe1090c6142409210f3304f63240d
  
http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.1-4+etch1_all.deb
Size/MD5 checksum:  1315556 9a06544261bd4b7800ae89065d4f4317
  
http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-clients_3.6.1-4+etch1_all.deb
Size/MD5 checksum:   146902 8c4a83429ef704025849373a24cf06d5
  
http://security.debian.org/pool/updates/main/r/request-tracker3.4/rt3.4-apache2_3.4.5-2+etch1_all.deb
Size/MD5 checksum:92402 2737f376b27e6c3087dd355e5977edb5


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.7.orig.tar.gz
Size/MD5 checksum:  1764471 46c0b29cd14010ee6a3f181743aeb6ef
  
http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.7-5+lenny3.dsc
Size/MD5 checksum: 1623 b8a904d8fa89cf4ea78fce2d95d95701
  
http

[Full-disclosure] [SECURITY] [DSA 1945-1] New gforge packages fix denial of service

2009-12-03 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1945-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
December 03, 2009 http://www.debian.org/security/faq
- 

Package: gforge
Vulnerability  : symlink attack
Problem type   : local
Debian-specific: no
CVE ID : CVE-2009-3304

Sylvain Beucler discovered that gforge, a collaborative development
tool, is prone to a symlink attack, which allows local users to perform
a denial of service attack by overwriting arbitrary files.


For the stable distribution (lenny), this problem has been fixed in
version 4.7~rc2-7lenny3.

For the oldstable distribution (etch), this problem has been fixed in
version 4.5.14-22etch13.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 4.8.2-1.


We recommend that you upgrade your gforge packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch13.dsc
Size/MD5 checksum:  953 a170b517b1d68ca0ad53a1b8b03c3317
  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
Size/MD5 checksum:  2161141 e85f82eff84ee073f80a2a52dd32c8a5
  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch13.diff.gz
Size/MD5 checksum:   204328 33081d2f6a0056b31091360db3002a9f

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch13_all.deb
Size/MD5 checksum:86628 c6b62116a819fa905acae8df867d
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch13_all.deb
Size/MD5 checksum:  1012268 78dfb2931853c3f89d233cc9510199f2
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch13_all.deb
Size/MD5 checksum:   212786 1bc973b449b07020fbef4519fc8e074e
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch13_all.deb
Size/MD5 checksum:   705446 286aba34673375cb8763765fd241d791
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch13_all.deb
Size/MD5 checksum:86344 394f14f010e9de88145cc3251e7e8982
  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch13_all.deb
Size/MD5 checksum:80562 52133da4596347d8c05e37643a959435
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch13_all.deb
Size/MD5 checksum:88808 72ad3b9f7d9d1f8732551a99b5e74471
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch13_all.deb
Size/MD5 checksum:76368 c7ba219bac6560994c07dfb639801c99
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch13_all.deb
Size/MD5 checksum:89414 095ca81a4671193cd5d822e967d36684
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch13_all.deb
Size/MD5 checksum:87434 8d960c7671eac2a480a43cd948a98d7d
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch13_all.deb
Size/MD5 checksum:88904 8d3692ecc555ca40558d50333bf543a9
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch13_all.deb
Size/MD5 checksum:82386 3bc6d055f6eb74edfd23ca8dbfb8fa3e
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch13_all.deb
Size/MD5 checksum:95738 beee5393efe02def8071a78a3707244c
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch13_all.deb
Size/MD5 checksum:   104062 a70e01f8055201519b14718555023abb


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny3.diff.gz
Size/MD5 checksum:   106204

[Full-disclosure] [SECURITY] [DSA 1938-1] New php-mail packages fix insufficient input sanitising

2009-11-23 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1938-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
November 23, 2009 http://www.debian.org/security/faq
- 

Package: php-mail
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE Id : No CVE id yet

It was discovered that php-mail, a PHP PEAR module for sending email,
has insufficient input sanitising, which might be used to obtain
sensitive data from the system that uses php-mail.


For the stable distribution (lenny), this problem has been fixed in
version 1.1.14-1+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.1.6-2+etch1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.14-2.


We recommend that you upgrade your php-mail packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.6.orig.tar.gz
Size/MD5 checksum:13702 47b38a06acdec73c4d8c01f9d7e5e8e2
  
http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.6-2+etch1.diff.gz
Size/MD5 checksum: 3310 64425237844fed79a4b71aa34ccb0cee
  
http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.6-2+etch1.dsc
Size/MD5 checksum:  689 93c32b0cb655191ac6edb48013d18921

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.6-2+etch1_all.deb
Size/MD5 checksum:17884 a2abda15da9ddab5f1590198cc852b3f


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.14-1+lenny1.dsc
Size/MD5 checksum: 1258 6d361bf9406e9195813b4396bb7d5c13
  
http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.14.orig.tar.gz
Size/MD5 checksum:17537 e50da58b6b787b3903ce4d07dc791bb2
  
http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.14-1+lenny1.diff.gz
Size/MD5 checksum: 4105 a8154d9e86e98a591dfc9e84210ce163

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.14-1+lenny1_all.deb
Size/MD5 checksum:21904 d5184514df44b348582071748e855c32


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksKPD4ACgkQ62zWxYk/rQelCQCfSj7eMrmJHQfKyjU3uQ3RVH89
8EwAnjtlML3vVJ0bh4icip/4NQWuRZHK
=u2Qx
-END PGP SIGNATURE-


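The upgrade instructions above say to fetch each file with wget and install it with dpkg -i; the Size/MD5 line under each URL is what lets you check a download before it reaches dpkg. The Python script below is an added example, not part of the advisory or of Debian's own tooling: it parses URL/checksum pairs laid out the way the advisory prints them and verifies a local file's byte length and MD5 against them. The SAMPLE_ADVISORY text, the hello_0.1_all.deb entry with its example.invalid URL, and every function name are constructed for this example; only the php-mail line is copied from DSA-1938-1 above.

```python
"""Verify a downloaded Debian package against a DSA's Size/MD5 line.

Added example; assumes the advisory layout shown above (URL on one line,
"Size/MD5 checksum: <size> <md5>" on the next).
"""
import hashlib
import os
import re
import tempfile

# Constructed sample in the advisory's layout. The php-mail entry is copied
# from DSA-1938-1; the hello entry is a constructed placeholder whose digest
# is that of the six bytes b"hello\n".
SAMPLE_ADVISORY = """\
Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/php-mail/php-mail_1.1.14-1+lenny1_all.deb
    Size/MD5 checksum:    21904 d5184514df44b348582071748e855c32
  http://example.invalid/pool/updates/main/h/hello/hello_0.1_all.deb
    Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184
"""

URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_checksums(text):
    """Return {basename: (size, md5)} for every URL/checksum pair in text.

    A URL line and the checksum line directly after it form one entry. A
    URL with no checksum (as happens when an archive truncates the message)
    or a checksum with no URL is skipped rather than guessed at.
    """
    entries = {}
    pending = None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            pending = m.group(1).rsplit("/", 1)[-1]
            continue
        m = SUM_RE.match(line)
        if m and pending is not None:
            entries[pending] = (int(m.group(1)), m.group(2).lower())
        pending = None
    return entries


def md5_hex(data):
    """Hex MD5 of a byte string (the digest type the advisory publishes)."""
    return hashlib.md5(data).hexdigest()


def verify_file(path, expected_size, expected_md5, chunk=1 << 20):
    """True only if the file's byte length and MD5 both match the advisory.

    Size is compared first: a truncated or wrong download fails without any
    hashing. The file is hashed in chunks so a large .deb is not read into
    memory at once.
    """
    if os.path.getsize(path) != expected_size:
        return False
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest() == expected_md5.lower()


def check_download(path, advisory_text=SAMPLE_ADVISORY):
    """Look the file up by basename in the advisory text and verify it.

    Returns "ok", "mismatch" or "unlisted"; a caller should only hand an
    "ok" file to dpkg -i.
    """
    entries = parse_checksums(advisory_text)
    name = os.path.basename(path)
    if name not in entries:
        return "unlisted"
    size, digest = entries[name]
    return "ok" if verify_file(path, size, digest) else "mismatch"


def make_sample_file(name, data):
    """Write data under the given basename in a fresh temp dir (fixture)."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    path = make_sample_file("hello_0.1_all.deb", b"hello\n")
    print(check_download(path))        # ok
    with open(path, "ab") as f:
        f.write(b"x")                   # simulate a corrupted download
    print(check_download(path))        # mismatch
```

Run as a script it shows a clean file passing and a corrupted copy failing. MD5 is not collision-resistant, so this check detects corruption and truncation rather than a deliberately substituted file; its authenticity comes from the advisory being PGP-signed, and on a current system apt's signed Release files perform the equivalent check automatically.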

[Full-disclosure] [SECURITY] [DSA 1937-1] New gforge packages fix cross-site scripting

2009-11-21 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1937-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
November 21, 2009 http://www.debian.org/security/faq
- 

Package: gforge
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2009-3303


It was discovered that gforge, a collaborative development tool, is prone
to a cross-site scripting attack via the helpname parameter. Besides
fixing this issue, the update also introduces some additional input
sanitising for which no attack vectors are currently known.


For the stable distribution (lenny), these problems have been fixed in
version 4.7~rc2-7lenny2.

For the oldstable distribution (etch), these problems have been fixed in
version 4.5.14-22etch12.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 4.8.1-3.


We recommend that you upgrade your gforge packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12.diff.gz
Size/MD5 checksum:   203139 67406308953934e8d68ca1cd97154023
  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12.dsc
Size/MD5 checksum:  953 2176dd5939538d180d60637d77260f19
  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
Size/MD5 checksum:  2161141 e85f82eff84ee073f80a2a52dd32c8a5

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch12_all.deb
Size/MD5 checksum:   705438 d40c97c6f0d0823b966b48b9b1b7eb6f
  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12_all.deb
Size/MD5 checksum:80534 c86b0696f707df2df400ef46838a2505
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch12_all.deb
Size/MD5 checksum:  1011566 644f57ac3a902d69369806763b29e484
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch12_all.deb
Size/MD5 checksum:   104034 43bb51625ea030e4bca2a1753720acd0
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch12_all.deb
Size/MD5 checksum:86598 801eb1462e783877698f8181e93c7d37
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch12_all.deb
Size/MD5 checksum:87402 9601350198b4a1c4946b26cbfc0089f0
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch12_all.deb
Size/MD5 checksum:88868 9c73567d60ede088fe7c952c0d575a22
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch12_all.deb
Size/MD5 checksum:82348 ad231cb698733f3c3ce6cb65357aacee
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch12_all.deb
Size/MD5 checksum:86318 448d7f114da5ef2188aa56f8dcd130f4
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch12_all.deb
Size/MD5 checksum:95726 d6557e001a5e9c53f38fed49c322
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch12_all.deb
Size/MD5 checksum:88766 c78075b8eab9c9b3ead54716d10cf370
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch12_all.deb
Size/MD5 checksum:89386 2837d3a26850e5622294eb44aa49f3e2
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch12_all.deb
Size/MD5 checksum:   212746 1c48e12e5e61d5f56edd0de46884af52
  
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch12_all.deb
Size/MD5 checksum:76334 4e63c7735c92764d82dfdf4f742be2cb


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2

[Full-disclosure] [SECURITY] [DSA 1933-1] New cups packages fix cross-site scripting

2009-11-10 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1933-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
November 10, 2009 http://www.debian.org/security/faq
- 

Package: cups
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-2820


Aaron Siegel discovered that the web interface of cups, the Common UNIX
Printing System, is prone to cross-site scripting attacks.


For the stable distribution (lenny), this problem has been fixed in
version 1.3.8-1+lenny7.

For the oldstable distribution (etch), this problem has been fixed in
version 1.2.7-4+etch9.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.


We recommend that you upgrade your cups packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian GNU/Linux 5.0 alias lenny
- 

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7.orig.tar.gz
Size/MD5 checksum:  4214272 c9ba33356e5bb93efbcf77b6e142e498
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch9.diff.gz
Size/MD5 checksum:   112995 fe3566daa6615bcd625288ce98e9384f
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch9.dsc
Size/MD5 checksum: 1095 804241054cda1301d183492ea5969649

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-common_1.2.7-4+etch9_all.deb
Size/MD5 checksum:   917720 bc97c75dacbd345dfd07e9397c91c38f
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4+etch9_all.deb
Size/MD5 checksum:46524 4f95c2485efda6dc7fc306162a5b1641

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch9_alpha.deb
Size/MD5 checksum:72990 bf27b53404f44fcea401f8ff88de8aa2
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch9_alpha.deb
Size/MD5 checksum:  1095268 d25ffb1cdb0d32cb3d80d6a551b355c7
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch9_alpha.deb
Size/MD5 checksum:   184818 00aa5f531b8c3a30c6c77b926be722d2
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch9_alpha.deb
Size/MD5 checksum:   175652 d52f9ee130bbf84d5436a71bb526f56c
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch9_alpha.deb
Size/MD5 checksum:95922 8d80f7b83c755b59401fa7dd0b2ca81e
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch9_alpha.deb
Size/MD5 checksum:  1605614 26620cc74617e392217a198fbde74860
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch9_alpha.deb
Size/MD5 checksum:86404 5cebb372c4230f6ec95f89be9183293c
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4+etch9_alpha.deb
Size/MD5 checksum:39290 429780ee5c35d47504291877979b6a15

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4+etch9_amd64.deb
Size/MD5 checksum:   162858 1efc0ec7be9fc17ec25aab13eeb6e169
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4+etch9_amd64.deb
Size/MD5 checksum:80712 2f639382f1e7767254a39358e7a79aed
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4+etch9_amd64.deb
Size/MD5 checksum:  1090142 e33720ca87a04a87fe9a23b281c1bac0
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4+etch9_amd64.deb
Size/MD5 checksum:86648 7eacddf27156689a52fe3b620392f734
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4+etch9_amd64.deb
Size/MD5 checksum:  1578128 1726cfeb573c14d325bd7d3c6ec29188
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4+etch9_amd64.deb
Size/MD5 checksum:53050 342387c9d81a32530263493d8a11eb86
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4+etch9_amd64.deb

[Full-disclosure] [SECURITY] [DSA 1930-1] New drupal6 packages fix several vulnerabilities

2009-11-07 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1930-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
November 07, 2009   http://www.debian.org/security/faq
- 

Package: drupal6
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2009-2372 CVE-2009-2373 CVE-2009-2374
Debian Bug : 535435 547140


Several vulnerabilities have been found in drupal6, a fully-featured
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-2372

Gerhard Killesreiter discovered a flaw in the way user signatures are
handled. It is possible for a user to inject arbitrary code via a
crafted user signature. (SA-CORE-2009-007)

CVE-2009-2373

Mark Piper, Sven Herrmann and Brandon Knight discovered a cross-site
scripting issue in the forum module, which could be exploited via the
tid parameter. (SA-CORE-2009-007)

CVE-2009-2374

Sumit Datta discovered that certain drupal6 pages leak sensitive
information such as user credentials. (SA-CORE-2009-007)


Several design flaws in the OpenID module have been fixed, which could
lead to cross-site request forgeries or privilege escalations. Also, the
file upload function does not process all extensions properly, leading
to the possible execution of arbitrary code.
(SA-CORE-2009-008)


For the stable distribution (lenny), these problems have been fixed in
version 6.6-3lenny3.

The oldstable distribution (etch) does not contain drupal6.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 6.14-1.


We recommend that you upgrade your drupal6 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny3.dsc
Size/MD5 checksum: 1130 489d56336053311b1ee24aaf17f41ffb
  
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny3.diff.gz
Size/MD5 checksum:24870 d70dfad8a6f211cb9dd62e071e5ddfd9
  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6.orig.tar.gz
Size/MD5 checksum:  1071507 caaa55d1990b34dee48f5047ce98e2bb

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny3_all.deb
Size/MD5 checksum:  1088258 6162b6933d636065c6a07e6f6199c7df


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkr0wzIACgkQ62zWxYk/rQegCACfaCVMO8lrhfH/57iPLCgFOkp5
5ykAnifSZR4vet+YNDY3Z6vOiTSgUe/0
=o5XE
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 1924-1] New mahara packages fix several vulnerabilities

2009-11-01 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1924-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
October 31, 2009  http://www.debian.org/security/faq
- 

Package: mahara
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2009-3298 CVE-2009-3299

Two vulnerabilities have been discovered in mahara, an electronic portfolio,
weblog, and resume builder. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-3298

Ruslan Kabalin discovered an issue with resetting passwords, which could
lead to a privilege escalation of an institutional administrator
account.

CVE-2009-3299

Sven Vetsch discovered a cross-site scripting vulnerability via the
resume fields.


For the stable distribution (lenny), these problems have been fixed in
version 1.0.4-4+lenny4.

The oldstable distribution (etch) does not contain mahara.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.


We recommend that you upgrade your mahara packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny4.dsc
Size/MD5 checksum: 1304 a89de002e60d1435fe9c7375cdd353b3
  http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4.orig.tar.gz
Size/MD5 checksum:  2383079 cf1158e4fe3cdba14fb1b71657bf8cc9
  
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny4.diff.gz
Size/MD5 checksum:40473 61fa7821c6637801a3f7a22ed5993233

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/m/mahara/mahara-apache2_1.0.4-4+lenny4_all.deb
Size/MD5 checksum: 7908 ce0748a7b83729e5f987529b871f9428
  
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny4_all.deb
Size/MD5 checksum:  1637754 cf0bdb218c9fbd5723f1be19ac4b84a6


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrsvj4ACgkQ62zWxYk/rQdqEgCfYUqtPnoTGmAOhw8j1OZFmdQv
1gAAoJWYH98HT5jkEJsRYSYvrFrNvnB/
=etyf
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 1925-1] New proftpd-dfsg packages fix SSL certificate verification weakness

2009-11-01 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1925-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
October 31, 2009  http://www.debian.org/security/faq
- 

Package: proftpd-dfsg
Vulnerability  : insufficient input validation
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-3639

It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon,
does not properly handle a '\0' character in a domain name in the
Subject Alternative Name field of an X.509 client certificate, when the
dNSNameRequired TLS option is enabled.


For the stable distribution (lenny), this problem has been fixed in
version 1.3.1-17lenny4.

For the oldstable distribution (etch), this problem has been fixed in
version 1.3.0-19etch3.

Binaries for the amd64 architecture will be released once they are
available.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.3.2a-2.


We recommend that you upgrade your proftpd-dfsg packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian GNU/Linux 5.0 alias lenny
- 

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
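The '\0'-in-dNSName problem described in the advisory above, as an added example that is not proftpd's code: a small DER parser for the SubjectAltName value and the two comparisons side by side, one modelling a C-string strcmp() and one comparing the full length. The SAN value, host name and function names are all constructed for the illustration.

```python
# Added example (not proftpd's code): how a NUL byte inside an X.509 dNSName
# slips past a C-string comparison, and the length-aware check that stops it.
# The SAN extension value is constructed by hand below; no real certificate
# or CA is involved.
from __future__ import annotations


def der_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length field at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    value = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    return value, pos + 1 + nbytes


def der_encode_length(n: int) -> bytes:
    """Encode a DER length field (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_san(dns_names: list[bytes]) -> bytes:
    """Encode GeneralNames ::= SEQUENCE OF dNSName ([2] IMPLICIT IA5String)."""
    items = b"".join(b"\x82" + der_encode_length(len(n)) + n for n in dns_names)
    return b"\x30" + der_encode_length(len(items)) + items


def parse_san_dnsnames(der: bytes) -> list[bytes]:
    """Return every dNSName in a SubjectAltName value as its full octet string.

    DER carries an explicit length, so a NUL byte inside the name is just
    another octet here; it only becomes a terminator once the value is
    handed to strcmp()/strlen()-style code.
    """
    if not der or der[0] != 0x30:
        raise ValueError("SubjectAltName value is not a SEQUENCE")
    seq_len, pos = der_length(der, 1)
    end = pos + seq_len
    if end != len(der):
        raise ValueError("SubjectAltName length does not match its content")
    names = []
    while pos < end:
        tag = der[pos]
        length, pos = der_length(der, pos + 1)
        if pos + length > end:
            raise ValueError("GeneralName runs past the end of the SEQUENCE")
        if tag == 0x82:                       # [2] dNSName
            names.append(der[pos:pos + length])
        pos += length
    return names


def c_string_equal(san_name: bytes, expected: str) -> bool:
    """Model of the flawed check: a strcmp() sees nothing after the first NUL."""
    truncated = san_name.split(b"\x00", 1)[0]
    return truncated == expected.encode("ascii")


def dnsname_matches(san_name: bytes, expected: str) -> bool:
    """Length-aware check: refuse embedded NULs and compare the whole value."""
    if b"\x00" in san_name:
        return False
    return san_name.lower() == expected.encode("ascii").lower()


def check_client_cert(san_der: bytes, expected: str) -> dict:
    """Run both comparisons over every dNSName and report what each accepts."""
    names = parse_san_dnsnames(san_der)
    return {
        "names": names,
        "flawed_accepts": any(c_string_equal(n, expected) for n in names),
        "strict_accepts": any(dnsname_matches(n, expected) for n in names),
    }


# Constructed inputs: one well-formed name, one that hides a NUL byte.
EXPECTED_HOST = "client.example.net"
NUL_NAME = b"client.example.net\x00other.example"
SAN_CLEAN = build_san([b"client.example.net"])
SAN_WITH_NUL = build_san([NUL_NAME])

if __name__ == "__main__":
    for label, san in (("clean", SAN_CLEAN), ("embedded NUL", SAN_WITH_NUL)):
        print(label, check_client_cert(san, EXPECTED_HOST))
```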

[Full-disclosure] [SECURITY] [DSA 1912-2] New advi packages fix arbitrary code execution

2009-10-24 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1912-2  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
October 23, 2009   http://www.debian.org/security/faq
- 

Package: advi
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-3296 CVE-2009-2660

Due to the fact that advi, an active DVI previewer and presenter,
statically links against camlimages, it was necessary to rebuild it in
order to incorporate the latest security fixes for camlimages, which
could lead to integer overflows via specially crafted TIFF files
(CVE-2009-3296) or GIF and JPEG images (CVE-2009-2660).


For the stable distribution (lenny), these problems have been fixed in
version 1.6.0-13+lenny2.

Due to a bug in the archive system, the fix for the oldstable
distribution (etch) cannot be released at the same time. These problems
will be fixed in version 1.6.0-12+etch2, once it is available.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1.6.0-14+b1.


We recommend that you upgrade your advi package.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http

[Full-disclosure] [SECURITY] [DSA 1912-1] New camlimages fix arbitrary code execution

2009-10-16 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1912-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
October 16, 2009  http://www.debian.org/security/faq
- 

Package: camlimages
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-3296 CVE-2009-2660

It was discovered that CamlImages, an open source image processing
library, suffers from several integer overflows, which may lead to a
potentially exploitable heap overflow and result in arbitrary code
execution. This advisory addresses issues with the reading of TIFF
files. It also expands the patch for CVE-2009-2660 to cover another
potential overflow in the processing of JPEG images.


For the oldstable distribution (etch), this problem has been fixed in
version 2.20-8+etch3.

For the stable distribution (lenny), this problem has been fixed in
version 1:2.2.0-4+lenny3.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.


We recommend that you upgrade your camlimages package.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  

[Full-disclosure] [SECURITY] [DSA 1910-1] New mysql-ocaml packages provide secure escaping

2009-10-14 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1910-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
October 14, 2009  http://www.debian.org/security/faq
- 

Package: mysql-ocaml
Vulnerability  : missing escape function
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-2942


It was discovered that mysql-ocaml, OCaml bindings for MySql, was
missing a function to call mysql_real_escape_string(). This is needed,
because mysql_real_escape_string() honours the charset of the connection
and prevents insufficient escaping, when certain multibyte character
encodings are used. The added function is called real_escape() and
takes the established database connection as a first argument. The old
escape_string() was kept for backwards compatibility.

Developers using these bindings are encouraged to adjust their code to
use the new function.


For the stable distribution (lenny), this problem has been fixed in
version 1.0.4-4+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.0.4-2+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.


We recommend that you upgrade your mysql-ocaml packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  

Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  

[Full-disclosure] [SECURITY] [DSA 1911-1] New pygresql packages provide secure escaping

2009-10-14 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1911-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
October 14, 2009  http://www.debian.org/security/faq
- 

Package: pygresql
Vulnerability  : missing escape function
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-2940


It was discovered that pygresql, a PostgreSQL module for Python, was
missing a function to call PQescapeStringConn(). This is needed, because
PQescapeStringConn() honours the charset of the connection and prevents
insufficient escaping, when certain multibyte character encodings are
used. The new function is called pg_escape_string(), which takes the
database connection as a first argument. The old function
escape_string() has been preserved as well for backwards compatibility.

Developers using these bindings are encouraged to adjust their code to
use the new function.


For the stable distribution (lenny), this problem has been fixed in
version 1:3.8.1-3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1:3.8.1-1etch2.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1:4.0-1.


We recommend that you upgrade your pygresql packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
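The escaping problem behind DSA 1910-1 and DSA 1911-1 above, as an added example that is part of neither advisory nor of the pygresql or mysql-ocaml code: a charset-unaware escaper beside a charset-aware one, with a check that shows where the bare quote reappears. It assumes GBK as the multibyte charset (the advisories name none) and MySQL-style backslash escaping; naive_escape() and charset_aware_escape() are hypothetical models, not the real escape_string(), PQescapeStringConn() or mysql_real_escape_string().

```python
# Added example (neither pygresql's nor mysql-ocaml's code): why escaping
# quotes byte by byte is unsafe under some multibyte connection charsets,
# and a check to run against an escaping routine. GBK is used as the
# illustrating charset (an assumption; the advisories name no charset).
# naive_escape() and charset_aware_escape() are hypothetical models of the
# old escape_string() and of PQescapeStringConn()/mysql_real_escape_string().
from __future__ import annotations


def naive_escape(raw: bytes) -> bytes:
    """Charset-unaware escaping: put a backslash before every ' and \\ byte."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x5C):                 # "'" and "\"
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Escape at the character level of the connection charset.

    Bytes that are not valid in that charset are rejected outright rather
    than escaped byte-wise, so the escaper can never turn an invalid
    sequence into a valid multibyte character that swallows the backslash.
    """
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc}") from None
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)


def rejects_input(raw: bytes, charset: str) -> bool:
    """True if charset_aware_escape() refuses the bytes for this charset."""
    try:
        charset_aware_escape(raw, charset)
    except ValueError:
        return True
    return False


def unescaped_quote_survives(escaped: bytes, charset: str) -> bool:
    """Model of how the server reads the literal: decode under the connection
    charset, then walk characters honouring backslash escapes. True means a
    bare quote remains, i.e. the string literal would end early."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                            # escaped character: skip it
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


# Constructed input: a lone GBK lead byte (0xBF) directly followed by a quote.
# 0xBF 0x27 is not a valid GBK character, but 0xBF 0x5C is, so the backslash
# that naive_escape() inserts gets absorbed into a two-byte character.
TRICKY = b"\xbf'"
VALID_GBK = "\u554a'".encode("gbk")           # a real two-byte character, then '

if __name__ == "__main__":
    for charset in ("gbk", "latin-1"):
        out = naive_escape(TRICKY)
        print(charset, out.hex(), "bare quote:", unescaped_quote_survives(out, charset))
    print("charset-aware rejects 0xBF 0x27 under gbk:", rejects_input(TRICKY, "gbk"))
    safe = charset_aware_escape(VALID_GBK, "gbk")
    print("valid input escaped:", safe.hex(), unescaped_quote_survives(safe, "gbk"))
```

The same escaped bytes are harmless under a single-byte charset such as latin-1, which is why the defect only shows up once the connection charset is taken into account; parameterised queries sidestep the whole class.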

[Full-disclosure] [SECURITY] [DSA 1906-1] End-of-life announcement for clamav in stable and oldstable

2009-10-12 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1906-1  secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
October 11, 2009  http://www.debian.org/security/faq
- 

Package: clamav

Security support for clamav, an anti-virus utility for Unix, has been
discontinued for the stable distribution (lenny) and the oldstable
distribution (etch). Clamav Upstream has stopped supporting the
releases in etch and lenny. Also, it is not easily possible to receive
signature updates for the virus scanner with our released versions
anymore. We recommend that all clamav users consider switching to the
version in debian-volatile, which receives regular updates and security
support on a best effort basis.

For more information on debian-volatile, please visit
http://www.debian.org/volatile/

- 
Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] [SECURITY] [DSA 1894-1] New newt packages fix arbitrary code execution

2009-09-24 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1894-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
September 24, 2009http://www.debian.org/security/faq
- 

Package: newt
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id : CVE-2009-2905


Miroslav Lichvar discovered that newt, a windowing toolkit, is prone to
a buffer overflow in the content processing code, which can lead to the
execution of arbitrary code.


For the stable distribution (lenny), this problem has been fixed in
version 0.52.2-11.3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 0.52.2-10+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.


We recommend that you upgrade your newt packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  

[Full-disclosure] [SECURITY] [DSA 1892-1] New dovecot packages fix arbitrary code execution

2009-09-23 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1892-1  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano
September 23, 2009http://www.debian.org/security/faq
- 

Packages   : dovecot
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE IDs: CVE-2009-2632 CVE-2009-3235
Debian Bug : 546656

It was discovered that the SIEVE component of dovecot, a mail server
that supports mbox and maildir mailboxes, is vulnerable to a buffer
overflow when processing SIEVE scripts. This can be used to elevate
privileges to the dovecot system user.  An attacker who is able to
install SIEVE scripts executed by the server is therefore able to read
and modify arbitrary email messages on the system.


For the oldstable distribution (etch), this problem has been fixed in version
1.0.rc15-2etch5.

For the stable distribution (lenny), this problem has been fixed in version
1:1.0.15-2.3+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1:1.2.1-1.


We recommend that you upgrade your dovecot packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  

[Full-disclosure] [SECURITY] [DSA 1893-1] New cyrus-imapd-2.2/kolab-cyrus-imapd packages fix arbitrary code execution

2009-09-23 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1893-1  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano
September 23, 2009http://www.debian.org/security/faq
- 

Packages   : cyrus-imapd-2.2 kolab-cyrus-imapd
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2009-2632 CVE-2009-3235
Debian Bug : 547712


It was discovered that the SIEVE component of cyrus-imapd and
kolab-cyrus-imapd, the Cyrus mail system, is vulnerable to a buffer
overflow when processing SIEVE scripts.
This can be used to elevate privileges to the cyrus system user.  An
attacker who is able to install SIEVE scripts executed by the server is
therefore able to read and modify arbitrary email messages on the
system. The update introduced by DSA 1881-1 was incomplete and the issue
has been given an additional CVE id due to its complexity.


For the oldstable distribution (etch), this problem has been fixed in
version 2.2.13-10+etch4 for cyrus-imapd-2.2 and version 2.2.13-2+etch2
for kolab-cyrus-imapd.

For the stable distribution (lenny), this problem has been fixed in
version 2.2.13-14+lenny3 for cyrus-imapd-2.2, version 2.2.13-5+lenny2
for kolab-cyrus-imapd.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.13-15 for cyrus-imapd-2.2, and will be fixed soon for
kolab-cyrus-imapd.


We recommend that you upgrade your cyrus-imapd-2.2 and kolab-cyrus-imapd
packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-10+etch4.dsc
Size/MD5 checksum: 1299 b371ba64f70b734a7e04278a07b658c0
  
http://security.debian.org/pool/updates/main/k/kolab-cyrus-imapd/kolab-cyrus-imapd_2.2.13-2+etch2.diff.gz
Size/MD5 checksum:   252652 06c66325dec89de63edebe4a8d341fc3
  
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-10+etch4.diff.gz
Size/MD5 checksum:   259034 12fa685cbc3813af110f32cc5ba67c91
  
http://security.debian.org/pool/updates/main/k/kolab-cyrus-imapd/kolab-cyrus-imapd_2.2.13-2+etch2.dsc
Size/MD5 checksum: 1268 b6da236eb5a15b71c99c8b5a6713e397
  
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13.orig.tar.gz
Size/MD5 checksum:  2109770 3ff679714836d1d7b1e1df0e026d4844

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-doc-2.2_2.2.13-10+etch4_all.deb
Size/MD5 checksum:   225914 a9c3ac8f09e0cd606a7aedf8b4d77b40
  
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-admin-2.2_2.2.13-10+etch4_all.deb
Size/MD5 checksum:79758 376ec7d4f6ca891a62f9be25ff9bb79f
  
http://security.debian.org/pool/updates/main/k/kolab-cyrus-imapd/kolab-cyrus-admin_2.2.13-2+etch2_all.deb
Size/MD5 checksum:81750 156e70e89554d0c4308d990b3272ddbe

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-murder-2.2_2.2.13-10+etch4_alpha.deb
Size/MD5 checksum:  1207536 7e21de3c6a90c4dd0d8feaffb891964d
  
http://security.debian.org/pool/updates/main/k/kolab-cyrus-imapd/kolab-libcyrus-imap-perl_2.2.13-2+etch2_alpha.deb
Size/MD5 checksum:   201192 da9469c2257b2143fb3031764201b917
  
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/libcyrus-imap-perl22_2.2.13-10+etch4_alpha.deb
Size/MD5 checksum:   197754 03db8471480fdce9f2b352c388a1e954
  
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-10+etch4_alpha.deb
Size/MD5 checksum:  1007134 043146ba011a652ecc5a8688c4289720
  
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-clients-2.2_2.2.13-10+etch4_alpha.deb
Size/MD5 checksum:   138484 afd988d01950fd15792dafe8fcae06b1
  
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-dev-2.2_2.2.13-10+etch4_alpha.deb
Size/MD5 checksum:   302250 7e9266e2d116452194d641cb91e19e11
  

[Full-disclosure] [SECURITY] [DSA 1891-1] New changetrack packages fix arbitrary code execution

2009-09-22 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1891-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
September 22, 2009http://www.debian.org/security/faq
- 

Package: changetrack
Vulnerability  : shell command execution
Problem type   : local
Debian-specific: no
CVE Id : CVE-2009-3233
Debian Bug : 546791


Marek Grzybowski discovered that changetrack, a program to monitor
changes to (configuration) files, is prone to shell command injection
via metacharacters in filenames. The behaviour of the program has been
adjusted to reject all filenames with metacharacters.


For the stable distribution (lenny), this problem has been fixed in
version 4.3-3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 4.3-3+etch1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 4.5-2.


We recommend that you upgrade your changetrack packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+etch1.diff.gz
Size/MD5 checksum:13330 3334d9ef744a08cc0b4d8253c78b7c10
  
http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+etch1.dsc
Size/MD5 checksum:  710 b519ffa08cb165819e9bdd67f7e9a4f3

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+etch1_all.deb
Size/MD5 checksum:21706 b1002889940ab122879f4d709fe8a573


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3.orig.tar.gz
Size/MD5 checksum:16567 7600e72b299562c6773e9b6ac38aaa55
  
http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+lenny1.diff.gz
Size/MD5 checksum:13325 c91d4a3d370dfe41ff41e6815eda7440
  
http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+lenny1.dsc
Size/MD5 checksum: 1110 5e689f11bc4dca83328cda0a888ec1e4

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/c/changetrack/changetrack_4.3-3+lenny1_all.deb
Size/MD5 checksum:21678 3b9fb111a49aa671886f6e5eaec66908


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkq4gmUACgkQ62zWxYk/rQdaFACfXtTyH9dQZCOhJJzuIDIKvQmU
29wAn3YRtZs0iQ0BcV20/Mw45MktymrP
=gzFZ
-END PGP SIGNATURE-

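DSA-1891-1 above describes shell command injection through metacharacters in file names and a fix that rejects such names outright. The Python below is an added example, not changetrack's own code (changetrack is a Perl script): it applies an allow-list to each name, which is stricter than the deny-list of metacharacters the advisory describes, and then invokes the external command as an argv list so no shell ever interprets the name. The use of diff as the external command and the sample names are this example's assumptions.

```python
"""Reject file names carrying shell metacharacters before they reach an
external command, and invoke that command without a shell.

Added example; not changetrack's own code (changetrack is a Perl script).
The allow-list, the choice of diff as the external command and the
sample names are this example's assumptions.
"""
import re
import subprocess
from typing import List

# Allow-list: letters, digits, '.', '_', '/', '+', ',', ':', '@' and '-'.
# The first character may not be '-' so a name cannot be read as an
# option.  Every shell metacharacter (| & ; < > ( ) $ ` \ " ' * ? [ ] # ~
# and all whitespace) is outside the set, which is stricter than a
# deny-list of known metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._/][A-Za-z0-9._/+,:@-]*")


def is_acceptable(name: str) -> bool:
    """True if name is safe to pass to a command as a single argv element."""
    return bool(name) and SAFE_NAME.fullmatch(name) is not None


def safe_filename(name: str) -> str:
    """Return name unchanged or raise; callers never get a partially cleaned name."""
    if not is_acceptable(name):
        raise ValueError(f"refusing file name with metacharacters: {name!r}")
    return name


def diff_command(old: str, new: str) -> List[str]:
    """argv for comparing two tracked files.

    The pattern to avoid is building "diff -u " + name as one string and
    handing it to a shell, where ';', '$(...)' or backticks inside the
    name become commands.  An argv list never passes through a shell, and
    the '--' keeps an unusual name from being parsed as an option.
    """
    return ["diff", "-u", "--", safe_filename(old), safe_filename(new)]


def run_diff(old: str, new: str) -> int:
    """Run the diff with shell=False (subprocess's default) and return the exit code."""
    return subprocess.run(diff_command(old, new), check=False).returncode


if __name__ == "__main__":
    # Constructed sample names: the last three are rejected before any
    # command is built.
    for sample in ["/etc/hosts", "sshd_config.new", "hosts;id", "-rf", "a`id`b"]:
        print(f"{sample!r}: {'ok' if is_acceptable(sample) else 'rejected'}")
```

Rejecting the name rather than quoting it matches the advisory's approach and is the safer choice for a tool that hands tracked paths to several external programs: quoting has to be right for every shell and every call site, whereas an allow-list plus shell-free invocation removes the shell from the picture entirely.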


[Full-disclosure] [SECURITY] [DSA 1890-1] New wxwidgets packages fix arbitrary code execution

2009-09-19 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1890-1  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano
September 19, 2009http://www.debian.org/security/faq
- 

Packages   : wxwindows2.4 wxwidgets2.6 wxwidgets2.8
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-2369


Tielei Wang has discovered an integer overflow in wxWidgets, the wxWidgets
Cross-platform C++ GUI toolkit, which allows the execution of arbitrary
code via a crafted JPEG file.

For the oldstable distribution (etch), this problem has been fixed in version
2.4.5.1.1+etch1 for wxwindows2.4 and version 2.6.3.2.1.5+etch1 for
wxwidgets2.6.

For the stable distribution (lenny), this problem has been fixed in version
2.6.3.2.2-3+lenny1 for wxwidgets2.6 and version 2.8.7.1-1.1+lenny1 for
wxwidgets2.8.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.8.7.1-2 for wxwidgets2.8 and will be fixed soon for
wxwidgets2.6.


We recommend that you upgrade your wxwidgets packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/w/wxwidgets2.6/wxwidgets2.6_2.6.3.2.1.5+etch1.dsc
Size/MD5 checksum: 1070 122f76e514a09e27a2efeb83972508bf
  
http://security.debian.org/pool/updates/main/w/wxwindows2.4/wxwindows2.4_2.4.5.1.1+etch1.tar.gz
Size/MD5 checksum: 11008448 56e09f548341a24faab4e2494ccf3c2e
  
http://security.debian.org/pool/updates/main/w/wxwindows2.4/wxwindows2.4_2.4.5.1.1+etch1.dsc
Size/MD5 checksum: 1088 956079f1b2e0639fdd5edab2112c528a
  
http://security.debian.org/pool/updates/main/w/wxwidgets2.6/wxwidgets2.6_2.6.3.2.1.5+etch1.tar.gz
Size/MD5 checksum: 15785194 de6ed02cb129ce6393d132452999cd17

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/w/wxwidgets2.6/wx2.6-i18n_2.6.3.2.1.5+etch1_all.deb
Size/MD5 checksum:   664476 ab249de067119db66091ecc4a4412d35
  
http://security.debian.org/pool/updates/main/w/wxwidgets2.6/python-wxtools_2.6.3.2.1.5+etch1_all.deb
Size/MD5 checksum:17782 f176eaeafccacf0b965c68d3b61a0253
  
http://security.debian.org/pool/updates/main/w/wxwidgets2.6/wx2.6-examples_2.6.3.2.1.5+etch1_all.deb
Size/MD5 checksum:  3633304 e2b5d8c1c0edcd2287a35a327576ebdd
  
http://security.debian.org/pool/updates/main/w/wxwidgets2.6/wx2.6-doc_2.6.3.2.1.5+etch1_all.deb
Size/MD5 checksum:  1252698 cb859a2500031b5cd6d4397f7bfd5eb3
  
http://security.debian.org/pool/updates/main/w/wxwindows2.4/wx2.4-i18n_2.4.5.1.1+etch1_all.deb
Size/MD5 checksum:   372546 988d0727d645d9c75f4ae8509abd719b
  
http://security.debian.org/pool/updates/main/w/wxwidgets2.6/python-wxversion_2.6.3.2.1.5+etch1_all.deb
Size/MD5 checksum:21782 a704638d51c4ef98ec5a2f9473ae68a7
  
http://security.debian.org/pool/updates/main/w/wxwindows2.4/wx2.4-doc_2.4.5.1.1+etch1_all.deb
Size/MD5 checksum:  1076678 e6271674af7b940be14ebfb52e23b92d
  
http://security.debian.org/pool/updates/main/w/wxwindows2.4/wx2.4-examples_2.4.5.1.1+etch1_all.deb
Size/MD5 checksum:  2709008 c7028e976a32f5244ebb27693db064c6

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/w/wxwindows2.4/python-wxgtk2.4_2.4.5.1.1+etch1_alpha.deb
Size/MD5 checksum:  2713910 ba15f692945dbefedb47bae998f013c3
  
http://security.debian.org/pool/updates/main/w/wxwindows2.4/libwxbase2.4-dev_2.4.5.1.1+etch1_alpha.deb
Size/MD5 checksum:25074 21e8730a7006310d0a84c407e4f2ae0e
  
http://security.debian.org/pool/updates/main/w/wxwindows2.4/wx2.4-headers_2.4.5.1.1+etch1_alpha.deb
Size/MD5 checksum:   564238 2370397d7591b72fc7609ce02f7f4f84
  
http://security.debian.org/pool/updates/main/w/wxwidgets2.6/libwxgtk2.6-dbg_2.6.3.2.1.5+etch1_alpha.deb
Size/MD5 checksum: 19992954 db418cf6e2847b9907ef6a538f70adcc
  
http://security.debian.org/pool/updates/main/w/wxwidgets2.6/wx-common_2.6.3.2.1.5+etch1_alpha.deb
Size/MD5 checksum:50328 be45b6149b0c116e803fdd38e5572cef
  

[Full-disclosure] [SECURITY] [DSA 1887-1] New rails packages fix cross-site scripting

2009-09-15 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1887-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
September 15, 2009http://www.debian.org/security/faq
- 

Package: rails
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-3009
Debian Bug : 545063


Brian Mastenbrook discovered that rails, the MVC ruby based framework
geared for web application development, is prone to cross-site scripting
attacks via malformed strings in the form helper.


For the stable distribution (lenny), this problem has been fixed in
version 2.1.0-7.

For the oldstable distribution (etch) security support has been
discontinued. It has been reported that rails in oldstable is unusable
and several features that are affected by security issues are broken due
to programming issues. It is highly recommended to upgrade to the
version in stable (lenny).

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 2.2.3-1.


We recommend that you upgrade your rails packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/r/rails/rails_2.1.0-7.diff.gz
Size/MD5 checksum:17520 866f4225a0496c3a2fbeae5da52b36a9
  http://security.debian.org/pool/updates/main/r/rails/rails_2.1.0-7.dsc
Size/MD5 checksum: 1203 60d2bd20b3dae00c2675ed1d45ee99af
  http://security.debian.org/pool/updates/main/r/rails/rails_2.1.0.orig.tar.gz
Size/MD5 checksum:  195 edcc03e7177e1557653fcb92c90db0d1

Architecture independent packages:

  http://security.debian.org/pool/updates/main/r/rails/rails_2.1.0-7_all.deb
Size/MD5 checksum:  2374598 0a1648b6ff0105c4969f54f8c8bed8af


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkqvxQUACgkQ62zWxYk/rQepTACeMylU2PMJePwDfaGAAGFLLP6s
Rz0AoLvIQHNfBsLVmXXG8xF9b5gsA+23
=tRi9
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 1883-2] New nagios2 packages fix regression

2009-09-14 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1883-2  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano
September 14, 2009http://www.debian.org/security/faq
- 

Package: nagios2
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2007-5624 CVE-2007-5803 CVE-2008-1360
Debian Bugs: 448371 482445 485439

The previous nagios2 update introduced a regression, which caused
status.cgi to segfault when used directly without specifying the 'host'
variable. This update fixes the problem. For reference the original
advisory text follows.


Several vulnerabilities have been found in nagios2, a host/service/network
monitoring and management system. The Common Vulnerabilities and
Exposures project identifies the following problems:


Several cross-site scripting issues via several parameters were
discovered in the CGI scripts, allowing attackers to inject arbitrary
HTML code. In order to cover the different attack vectors, these issues
have been assigned CVE-2007-5624, CVE-2007-5803 and CVE-2008-1360.



For the oldstable distribution (etch), these problems have been fixed in
version 2.6-2+etch5.

The stable distribution (lenny) does not include nagios2 and nagios3 is
not affected by these problems.

The testing distribution (squeeze) and the unstable distribution (sid)
do not contain nagios2 and nagios3 is not affected by these problems.


We recommend that you upgrade your nagios2 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian GNU/Linux 5.0 alias lenny
- 

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5.diff.gz
Size/MD5 checksum:35726 1c9d7955bb59162fa82934ef12c53d73
  http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5.dsc
Size/MD5 checksum:  948 93eeeb6eb5ba0d7d3d5c659f9cc762e4
  http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6.orig.tar.gz
Size/MD5 checksum:  1734400 a032edba07bf389b803ce817e9406c02

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-common_2.6-2+etch5_all.deb
Size/MD5 checksum:59516 8edae60c2b64183afbd5b5c5c79df649
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-doc_2.6-2+etch5_all.deb
Size/MD5 checksum:  1150060 c5b23e507b405aed13e6148381a5161f

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_alpha.deb
Size/MD5 checksum:  120 33fac2a26d60b48a2e3d6cc03ef161f2
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_alpha.deb
Size/MD5 checksum:  1703082 685386628adefdea4ef139d8d073be57

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_amd64.deb
Size/MD5 checksum:  1688192 fdc3c934dc4e0afa728d9789fc1071aa
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_amd64.deb
Size/MD5 checksum:  1098470 c08807062733811fa047eb15d9727c82

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_arm.deb
Size/MD5 checksum:  1025042 a9d7fa95c7eac54287a2e73478ea3ba6
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_arm.deb
Size/MD5 checksum:  1537944 59b06b0f6ae1061d01a7f1a7b85fb4b4

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_hppa.deb
Size/MD5 checksum:  1621998 07cca557bc05cb0f4845f05c0d2b9311
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_hppa.deb
Size/MD5 checksum:  1148900 d5b10578c95a21ce66ff11cc5a870047

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch5_i386.deb
Size/MD5 checksum:  1587914 84dcc6957ce50c2b6e7ff243d21b5e8d
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch5_i386.deb
Size/MD5 checksum:  1017162 d57c40f4621e185fee5fe0bbd814b7d5

ia64 

[Full-disclosure] [SECURITY] [DSA 1883-1] New nagios2 packages fix several cross-site scriptings

2009-09-10 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1883-1  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano
September 10, 2009http://www.debian.org/security/faq
- 

Package: nagios2
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2007-5624 CVE-2007-5803 CVE-2008-1360
Debian Bugs: 448371 482445 485439

Several vulnerabilities have been found in nagios2, a host/service/network
monitoring and management system. The Common Vulnerabilities and
Exposures project identifies the following problems:


Several cross-site scripting issues via several parameters were
discovered in the CGI scripts, allowing attackers to inject arbitrary
HTML code. In order to cover the different attack vectors, these issues
have been assigned CVE-2007-5624, CVE-2007-5803 and CVE-2008-1360.


For the oldstable distribution (etch), these problems have been fixed in
version 2.6-2+etch4.

The stable distribution (lenny) does not include nagios2 and nagios3 is
not affected by these problems.

The testing distribution (squeeze) and the unstable distribution (sid)
do not contain nagios2 and nagios3 is not affected by these problems.


We recommend that you upgrade your nagios2 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4.diff.gz
Size/MD5 checksum:35589 5aee898df4f6ea4a0fa4a1fb22390a0b
  http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6.orig.tar.gz
Size/MD5 checksum:  1734400 a032edba07bf389b803ce817e9406c02
  http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4.dsc
Size/MD5 checksum:  948 a4bd33d2bd5c812b5c9899fc41651e37

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-doc_2.6-2+etch4_all.deb
Size/MD5 checksum:  1149816 8b2d0a07cd650edc3e6d33f74b480cb2
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-common_2.6-2+etch4_all.deb
Size/MD5 checksum:59416 f70cd9aa86a0eb1b64a914b40da984cd

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_alpha.deb
Size/MD5 checksum:  1222136 4dc7d3e1230632930471fb0e0dcbd496
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_alpha.deb
Size/MD5 checksum:  1702766 6ff7f9e7bb6cdaa0cea2fb0dfe35ae72

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_amd64.deb
Size/MD5 checksum:  1687984 4c28fa0a9fa9883cdff1e038c56924e0
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_amd64.deb
Size/MD5 checksum:  1097788 31afdb67e26e5f1a56a9da7a1452

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_arm.deb
Size/MD5 checksum:  1537452 4e4d636a0699cf9f714a522885894a4e
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_arm.deb
Size/MD5 checksum:  1023982 fb3a8f2b2b592bafcf1830172a7d5a8e

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_hppa.deb
Size/MD5 checksum:  1148976 c875e0ab58ca0f39bf34b1704cc4a969
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_hppa.deb
Size/MD5 checksum:  1622072 e002a9c7703542bd8aa8e509238ba29c

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_i386.deb
Size/MD5 checksum:  1587836 778bd65bfb6cfb1f3f0efcb872a32360
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_i386.deb
Size/MD5 checksum:  1016950 720d00ef27782b51c0b7e675c2f82309

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_ia64.deb
Size/MD5 checksum:  1623324 1a157461c15e81c93670ad92c3792b69
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_ia64.deb
Size/MD5 checksum:  

[Full-disclosure] [SECURITY] [DSA 1871-2] New wordpress packages fix regression

2009-08-27 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1871-2  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
August 27, 2009   http://www.debian.org/security/faq
- 


Package: wordpress   
Vulnerability  : several vulnerabilities 
Problem type   : remote  
Debian-specific: no  
CVE IDs: CVE-2008-6762 CVE-2008-6767 CVE-2009-2334 CVE-2009-2854
 CVE-2009-2851 CVE-2009-2853 CVE-2008-1502 CVE-2008-4106
 CVE-2008-4769 CVE-2008-4796 CVE-2008-5113  
Debian Bugs: 531736 536724 504243 500115 504234 504771  


The previous wordpress update introduced a regression when fixing
CVE-2008-4769 due to a function that was not backported with the patch.
Please note that this regression only affects the oldstable distribution
(etch). For reference the original advisory text follows.


Several vulnerabilities have been discovered in wordpress, weblog
manager. The Common Vulnerabilities and Exposures project identifies the
following problems: 

CVE-2008-6762

It was discovered that wordpress is prone to an open redirect 
vulnerability which allows remote attackers to conduct phishing attacks.

CVE-2008-6767

It was discovered that remote attackers had the ability to trigger an
application upgrade, which could lead to a denial of service attack. 

CVE-2009-2334

It was discovered that wordpress lacks authentication checks in the
plugin configuration, which might leak sensitive information.

CVE-2009-2854

It was discovered that wordpress lacks authentication checks in various
actions, thus allowing remote attackers to produce unauthorised edits or
additions.  

CVE-2009-2851

It was discovered that the administrator interface is prone to a
cross-site scripting attack.

CVE-2009-2853

It was discovered that remote attackers can gain privileges via certain
direct requests.   

CVE-2008-1502

It was discovered that the _bad_protocol_once function in KSES, as used
by wordpress, allows remote attackers to perform cross-site scripting  
attacks.   

CVE-2008-4106

It was discovered that wordpress lacks certain checks around user
information, which could be used by attackers to change the password of
a user.

CVE-2008-4769

It was discovered that the get_category_template function is prone to a
directory traversal vulnerability, which could lead to the execution of
arbitrary code.

CVE-2008-4796

It was discovered that the _httpsrequest function in the embedded snoopy
version is prone to the execution of arbitrary commands via shell   
metacharacters in https URLs.   

CVE-2008-5113

It was discovered that wordpress relies on the REQUEST superglobal array
in certain dangerous situations, which makes it easier to perform   
attacks via crafted cookies.


For the stable distribution (lenny), these problems have been fixed in
version 2.5.1-11+lenny1.  

For the oldstable distribution (etch), these problems have been fixed in
version 2.0.10-1etch5.  

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 2.8.3-1.   


We recommend that you upgrade your wordpress packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/w/wordpress

[Full-disclosure] [SECURITY] [DSA 1871-1] New wordpress packages fix several vulnerabilities

2009-08-24 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1871-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
August 23, 2009   http://www.debian.org/security/faq
- 

Package: wordpress   
Vulnerability  : several vulnerabilities 
Problem type   : remote  
Debian-specific: no  
CVE IDs: CVE-2008-6762 CVE-2008-6767 CVE-2009-2334 CVE-2009-2854
 CVE-2009-2851 CVE-2009-2853 CVE-2008-1502 CVE-2008-4106
 CVE-2008-4769 CVE-2008-4796 CVE-2008-5113  
Debian Bugs: 531736 536724 504243 500115 504234 504771  


Several vulnerabilities have been discovered in wordpress, weblog
manager. The Common Vulnerabilities and Exposures project identifies the
following problems: 

CVE-2008-6762

It was discovered that wordpress is prone to an open redirect 
vulnerability which allows remote attackers to conduct phishing attacks.

CVE-2008-6767

It was discovered that remote attackers had the ability to trigger an
application upgrade, which could lead to a denial of service attack. 

CVE-2009-2334

It was discovered that wordpress lacks authentication checks in the
plugin configuration, which might leak sensitive information.  

CVE-2009-2854

It was discovered that wordpress lacks authentication checks in various
actions, thus allowing remote attackers to produce unauthorised edits or
additions.  

CVE-2009-2851

It was discovered that the administrator interface is prone to a
cross-site scripting attack.

CVE-2009-2853

It was discovered that remote attackers can gain privileges via certain
direct requests.   

CVE-2008-1502

It was discovered that the _bad_protocol_once function in KSES, as used
by wordpress, allows remote attackers to perform cross-site scripting
attacks.

CVE-2008-4106

It was discovered that wordpress lacks certain checks around user
information, which could be used by attackers to change the password of
a user.

CVE-2008-4769

It was discovered that the get_category_template function is prone to a
directory traversal vulnerability, which could lead to the execution of
arbitrary code.

CVE-2008-4796

It was discovered that the _httpsrequest function in the embedded snoopy
version is prone to the execution of arbitrary commands via shell
metacharacters in https URLs.

CVE-2008-5113

It was discovered that wordpress relies on the REQUEST superglobal array
in certain dangerous situations, which makes it easier to perform
attacks via crafted cookies.


For the stable distribution (lenny), these problems have been fixed in
version 2.5.1-11+lenny1.

For the oldstable distribution (etch), these problems have been fixed in
version 2.0.10-1etch4.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 2.8.3-1.


We recommend that you upgrade your wordpress packages.



Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
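The manual wget / dpkg -i route above is the one place where nothing checks the download for you; each DSA publishes a Size/MD5 checksum pair per file for exactly that purpose. The following is an added example, not part of the Debian advisory: a small wrapper that compares a downloaded .deb against the advisory's size and MD5 before dpkg runs (function names, the sample file and the placeholder URL are constructed here).

```shell
#!/bin/sh
# Added example, not part of the Debian advisory: check a downloaded .deb
# against the "Size/MD5 checksum" pair the DSA lists for that file before
# handing it to "dpkg -i". Function names and sample values are constructed.
#
# The MD5 sums in a DSA catch a corrupted or swapped download; the advisory
# text itself is what carries the PGP signature, so verify that signature
# (or let apt check the signed archive metadata) rather than trusting a
# bare digest on its own.

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only when both the byte count and the MD5 digest match.
verify_deb() {
    file=$1
    want_size=$2
    want_md5=$3

    if [ ! -f "$file" ]; then
        echo "verify_deb: $file does not exist" >&2
        return 1
    fi

    # wc -c may pad with spaces on some platforms; tr strips them.
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum "$file" | cut -d ' ' -f 1)

    if [ "$have_size" != "$want_size" ]; then
        echo "verify_deb: size mismatch for $file (got $have_size, advisory says $want_size)" >&2
        return 1
    fi
    if [ "$have_md5" != "$want_md5" ]; then
        echo "verify_deb: MD5 mismatch for $file (got $have_md5, advisory says $want_md5)" >&2
        return 1
    fi
    return 0
}

# fetch_and_install URL EXPECTED_SIZE EXPECTED_MD5
# The "wget url" and "dpkg -i file.deb" steps from the advisory, gated on
# verify_deb: a file that fails the check is deleted and dpkg never sees it.
fetch_and_install() {
    url=$1
    deb=$(basename "$url")

    wget -q "$url" || return 1
    if ! verify_deb "$deb" "$2" "$3"; then
        rm -f "$deb"
        return 1
    fi
    dpkg -i "$deb"
}

# Usage with the values a DSA lists for one package (placeholders, not
# values from this page):
#   fetch_and_install http://security.debian.org/pool/updates/main/PATH/PACKAGE.deb SIZE MD5SUM
```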


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1867-1] New kdelibs packages fix several vulnerabilities

2009-08-19 Thread Steffen Joeris
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1867-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
August 19, 2009                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: kdelibs
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-1690 CVE-2009-1698 CVE-2009-1687
Debian Bugs: 534952

Several security issues have been discovered in kdelibs, core libraries
from the official KDE release. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-1690

It was discovered that there is a use-after-free flaw in handling
certain DOM event handlers. This could lead to the execution of
arbitrary code when visiting a malicious website.

CVE-2009-1698

It was discovered that there could be an uninitialised pointer when
handling a Cascading Style Sheets (CSS) attr function call. This could
lead to the execution of arbitrary code when visiting a malicious
website.

CVE-2009-1687

It was discovered that the JavaScript garbage collector does not handle
allocation failures properly, which could lead to the execution of
arbitrary code when visiting a malicious website.


For the stable distribution (lenny), these problems have been fixed in
version 4:3.5.10.dfsg.1-0lenny2.

For the oldstable distribution (etch), these problems have been fixed
in version 4:3.5.5a.dfsg.1-8etch2.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.


We recommend that you upgrade your kdelibs packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1868-1] New kde4libs packages fix several vulnerabilities

2009-08-19 Thread Steffen Joeris
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1868-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
August 19, 2009                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: kde4libs 
Vulnerability  : several vulnerabilities  
Problem type   : local (remote)   
Debian-specific: no
CVE Ids: CVE-2009-1690 CVE-2009-1698 CVE-2009-1687
Debian Bugs: 534949

Several security issues have been discovered in kde4libs, core libraries
for all KDE 4 applications. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-1690

It was discovered that there is a use-after-free flaw in handling
certain DOM event handlers. This could lead to the execution of
arbitrary code when visiting a malicious website.

CVE-2009-1698

It was discovered that there could be an uninitialised pointer when
handling a Cascading Style Sheets (CSS) attr function call. This could
lead to the execution of arbitrary code when visiting a malicious
website.

CVE-2009-1687

It was discovered that the JavaScript garbage collector does not handle
allocation failures properly, which could lead to the execution of
arbitrary code when visiting a malicious website.


For the stable distribution (lenny), these problems have been fixed in
version 4:4.1.0-3+lenny1.

The oldstable distribution (etch) does not contain kde4libs.

For the testing distribution (squeeze), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 4:4.3.0-1.


We recommend that you upgrade your kde4libs packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1857-1] New camlimages packages fix arbitrary code execution

2009-08-10 Thread Steffen Joeris
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1857-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
August 10, 2009                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: camlimages
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-2660
Debian Bug : 540146

Tielei Wang discovered that CamlImages, an open source image processing
library, suffers from several integer overflows which may lead to a
potentially exploitable heap overflow and result in arbitrary code
execution. This advisory addresses issues with the reading of JPEG and
GIF images, while DSA 1832-1 addressed the issue with PNG images.

For the oldstable distribution (etch), this problem has been fixed in
version 2.20-8+etch2.

For the stable distribution (lenny), this problem has been fixed in
version 1:2.2.0-4+lenny2.

For the unstable distribution (sid), this problem has been fixed in
version 1:3.0.1-3.


We recommend that you upgrade your camlimages package.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1851-1] New gst-plugins-bad0.10 packages fix arbitrary code execution

2009-08-06 Thread Steffen Joeris
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1851-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
August 06, 2009                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: gst-plugins-bad0.10
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id : CVE-2009-1438
Debian Bugs: 527075


It was discovered that gst-plugins-bad0.10, the GStreamer plugins from
the bad set, is prone to an integer overflow when processing a MED
file with a crafted song comment or song name.


For the stable distribution (lenny), this problem has been fixed in
version 0.10.7-2+lenny2.

For the oldstable distribution (etch), this problem has been fixed in
version 0.10.3-3.1+etch3.

For the testing distribution (squeeze) and the unstable distribution
(sid), gst-plugins-bad0.10 links against libmodplug.


We recommend that you upgrade your gst-plugins-bad0.10 packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.



Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64

[Full-disclosure] [SECURITY] [DSA 1840-1] New xulrunner packages fix several vulnerabilities

2009-07-23 Thread Steffen Joeris
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1840-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
July 23, 2009                         http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: xulrunner
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2009-2462 CVE-2009-2463 CVE-2009-2464 CVE-2009-2465
         CVE-2009-2466 CVE-2009-2467 CVE-2009-2469 CVE-2009-2471
         CVE-2009-2472


Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies the
following problems: 

CVE-2009-2462

Martijn Wargers, Arno Renevier, Jesse Ruderman, Olli Pettay and Blake
Kaplan discovered several issues in the browser engine that could
potentially lead to the execution of arbitrary code. (MFSA 2009-34)

CVE-2009-2463

monarch2020 reported an integer overflow in a base64 decoding function.
(MFSA 2009-34) 

CVE-2009-2464

Christophe Charron reported a possibly exploitable crash occurring when
multiple RDF files were loaded in a XUL tree element. (MFSA 2009-34)
CVE-2009-2465

Yongqian Li reported that an unsafe memory condition could be created by
a specially crafted document. (MFSA 2009-34)

CVE-2009-2466

Peter Van der Beken, Mike Shaver, Jesse Ruderman, and Carsten Book
discovered several issues in the JavaScript engine that could possibly
lead to the execution of arbitrary JavaScript. (MFSA 2009-34)

CVE-2009-2467

Attila Suszter discovered an issue related to a specially crafted Flash
object, which could be used to run arbitrary code. (MFSA 2009-35)

CVE-2009-2469

PenPal discovered that it is possible to execute arbitrary code via a
specially crafted SVG element. (MFSA 2009-37)

CVE-2009-2471

Blake Kaplan discovered a flaw in the JavaScript engine that might allow
an attacker to execute arbitrary JavaScript with chrome privileges.
(MFSA 2009-39)

CVE-2009-2472

moz_bug_r_a4 discovered an issue in the JavaScript engine that could be
used to perform cross-site scripting attacks. (MFSA 2009-40)


For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.12-0lenny1.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

For the testing distribution (squeeze), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.12-1.


We recommend that you upgrade your xulrunner packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1839-1] New gst-plugins-good0.10 packages fix arbitrary code execution

2009-07-19 Thread Steffen Joeris
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1839-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
July 19, 2009                         http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: gst-plugins-good0.10
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2009-1932
Debian Bugs: 531631 532352


It has been discovered that gst-plugins-good0.10, the GStreamer plugins
from the good set, are prone to an integer overflow when processing
a large PNG file. This could lead to the execution of arbitrary code.


For the stable distribution (lenny), this problem has been fixed in
version 0.10.8-4.1~lenny2.

For the oldstable distribution (etch), this problem has been fixed in
version 0.10.4-4+etch1.

Packages for the s390 and hppa architectures will be released once they
are available.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.10.15-2.


We recommend that you upgrade your gst-plugins-good0.10 packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1837-1] New dbus packages fix denial of service

2009-07-18 Thread Steffen Joeris
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1837-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
July 18, 2009                         http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: dbus
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id : CVE-2009-1189
Debian Bug : 532720


It was discovered that the dbus_signature_validate function in
dbus, a simple interprocess messaging system, is prone to a denial of
service attack. This issue was caused by an incorrect fix for
DSA-1658-1.

For the stable distribution (lenny), this problem has been fixed in
version 1.2.1-5+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.0.2-1+etch3.

Packages for ia64 and s390 will be released once they are available.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.2.14-1.


We recommend that you upgrade your dbus packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1829-2] New sork-passwd-h3 packages fix regression

2009-07-14 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1829-2  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
July 14, 2009 http://www.debian.org/security/faq
- 

Package: sork-passwd-h3
Vulnerability  : insufficient input sanitising
Problem type   : remote   
Debian-specific: no   
CVE ID : CVE-2009-2360
Debian Bug : 536554   


The previous update introduced a regression in main.php, causing the
module to fail. This update corrects the flaw. For reference, the
original advisory text is below.


It was discovered that sork-passwd-h3, a Horde3 module for users to
change their password, is prone to a cross-site scripting attack via the
backend parameter.  


For the oldstable distribution (etch), this problem has been fixed in
version 3.0-2+etch2. 

For the stable distribution (lenny), this problem has been fixed in
version 3.0-2+lenny2.  

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.1-1.2.   


We recommend that you upgrade your sork-passwd-h3 packages.



Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg


[Full-disclosure] [SECURITY] [DSA 1829-1] New sork-passwd-h3 packages fix cross-site scripting

2009-07-11 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1829-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
July 11, 2009 http://www.debian.org/security/faq
- 

Package: sork-passwd-h3
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2009-2360
Debian Bug : 536554


It was discovered that sork-passwd-h3, a Horde3 module for users to
change their password, is prone to a cross-site scripting attack via the
backend parameter.


For the oldstable distribution (etch), this problem has been fixed in
version 3.0-2+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 3.0-2+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.1-1.1.


We recommend that you upgrade your sork-passwd-h3 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg


[Full-disclosure] [SECURITY] [DSA 1827-1] New ipplan packages fix cross-site scripting

2009-07-06 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1827-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
July 06, 2009 http://www.debian.org/security/faq
- 

Package: ipplan
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2009-1732
Debian Bug : 530271

It was discovered that ipplan, a web-based IP address manager and
tracker, does not sufficiently escape certain input parameters, which
allows remote attackers to conduct cross-site scripting attacks.


For the stable distribution (lenny), this problem has been fixed in
version 4.86a-7+lenny1.

The oldstable distribution (etch) does not contain ipplan.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 4.91a-1.1.


We recommend that you upgrade your ipplan packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg


[Full-disclosure] [SECURITY] [DSA 1821-1] New amule packages fix insufficient input sanitising

2009-06-23 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1821-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
June 22, 2009 http://www.debian.org/security/faq
- 

Package: amule
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-1440
Debian Bug : 525078


Sam Hocevar discovered that amule, a client for the eD2k and Kad
networks, does not properly sanitise the filename when using the
preview function. This could lead to the injection of arbitrary commands
passed to the video player.

For the stable distribution (lenny), this problem has been fixed in
version 2.2.1-1+lenny2.

The oldstable distribution (etch) is not affected by this issue.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.5-1.1.


We recommend that you upgrade your amule packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1818-1] New gforge packages fix insufficient input sanitising

2009-06-18 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1818-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
June 18, 2009 http://www.debian.org/security/faq
- 

Package: gforge
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE IDs: CVE ids pending


Laurent Almeras and Guillaume Smet have discovered a possible SQL
injection vulnerability and cross-site scripting vulnerabilities in
gforge, a collaborative development tool. Due to insufficient input
sanitising, it was possible to inject arbitrary SQL statements and use
several parameters to conduct cross-site scripting attacks.

For the stable distribution (lenny), these problems have been fixed in
version 4.7~rc2-7lenny1.

For the oldstable distribution (etch), these problems have been fixed in
version 4.5.14-22etch11.

For the testing distribution (squeeze), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 4.7.3-2.


We recommend that you upgrade your gforge packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc

[Full-disclosure] [SECURITY] [DSA 1819-1] New vlc packages fix several vulnerabilities

2009-06-18 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1819-1  secur...@debian.org
http://www.debian.org/security/ Steffen Joeris
June 18, 2009   http://www.debian.org/security/faq
- 

Package: vlc   
Vulnerability  : several vulnerabilities
Problem type   : local (remote) 
Debian-specific: no 
CVE Ids: CVE-2008-1768 CVE-2008-1769 CVE-2008-1881 CVE-2008-2147 
 CVE-2008-2430 CVE-2008-3794 CVE-2008-4686 CVE-2008-5032 
Debian Bugs: 478140 477805 489004 496265 503118 504639 480724


Several vulnerabilities have been discovered in vlc, a multimedia player
and streamer. The Common Vulnerabilities and Exposures project  
identifies the following problems:  

CVE-2008-1768

Drew Yao discovered that multiple integer overflows in the MP4 demuxer,
Real demuxer and Cinepak codec can lead to the execution of arbitrary  
code.  

CVE-2008-1769

Drew Yao discovered that the Cinepak codec is prone to a memory
corruption, which can be triggered by a crafted Cinepak file.  

CVE-2008-1881

Luigi Auriemma discovered that it is possible to execute arbitrary code
via a long subtitle in an SSA file.

CVE-2008-2147

It was discovered that vlc is prone to a search path vulnerability,
which allows local users to perform privilege escalations.

CVE-2008-2430

Alin Rad Pop discovered that it is possible to execute arbitrary code
when opening a WAV file containing a large fmt chunk.

CVE-2008-3794

Pınar Yanardağ discovered that it is possible to execute arbitrary code
when opening a crafted mmst link.

CVE-2008-4686

Tobias Klein discovered that it is possible to execute arbitrary code
when opening a crafted .ty file.

CVE-2008-5032

Tobias Klein discovered that it is possible to execute arbitrary code
when opening an invalid CUE image file with a crafted header.


For the oldstable distribution (etch), these problems have been fixed
in version 0.8.6-svn20061012.debian-5.1+etch3.

For the stable distribution (lenny), these problems have been fixed in
version 0.8.6.h-4+lenny2, which was already included in the lenny
release.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 0.8.6.h-5.


We recommend that you upgrade your vlc packages.



Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1820-1] New xulrunner packages fix several vulnerabilities

2009-06-18 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1820-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
June 18, 2009 http://www.debian.org/security/faq
- 

Package: xulrunner
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2009-1392 CVE-2009-1832 CVE-2009-1833 CVE-2009-1834
 CVE-2009-1835 CVE-2009-1836 CVE-2009-1837 CVE-2009-1838
 CVE-2009-1839 CVE-2009-1840 CVE-2009-1841

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies the
following problems: 

CVE-2009-1392

Several issues in the browser engine have been discovered, which can
result in the execution of arbitrary code. (MFSA 2009-24)   

CVE-2009-1832

It is possible to execute arbitrary code via vectors involving double
frame construction. (MFSA 2009-24)   

CVE-2009-1833

Jesse Ruderman and Adam Hauner discovered a problem in the JavaScript
engine, which could lead to the execution of arbitrary code. 
(MFSA 2009-24)   

CVE-2009-1834

Pavel Cvrcek discovered a potential issue leading to a spoofing attack
on the location bar related to certain invalid unicode characters.
(MFSA 2009-25)

CVE-2009-1835

Gregory Fleischer discovered that it is possible to read arbitrary
cookies via a crafted HTML document. (MFSA 2009-26)   

CVE-2009-1836

Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential
man-in-the-middle attack, when using a proxy due to insufficient checks
on a certain proxy response. (MFSA 2009-27)

CVE-2009-1837

Jakob Balle and Carsten Eiram reported a race condition in the
NPObjWrapper_NewResolve function that can be used to execute arbitrary
code. (MFSA 2009-28)  

CVE-2009-1838

moz_bug_r_a4 discovered that it is possible to execute arbitrary
JavaScript with chrome privileges due to an error in the
garbage-collection implementation. (MFSA 2009-29)

CVE-2009-1839

Adam Barth and Collin Jackson reported a potential privilege escalation
when loading a file::resource via the location bar. (MFSA 2009-30)

CVE-2009-1840

Wladimir Palant discovered that it is possible to bypass access
restrictions due to a lack of content policy check, when loading a
script file into a XUL document. (MFSA 2009-31)

CVE-2009-1841

moz_bug_r_a4 reported that it is possible for scripts from page content
to run with elevated privileges and thus potentially execute arbitrary
code with the object's chrome privileges. (MFSA 2009-32)



For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.11-0lenny1.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

For the testing distribution (squeeze), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.11-1.

We recommend that you upgrade your xulrunner packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1808-1] New drupal6 packages fix insufficient input sanitising

2009-06-02 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1808-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
June 01, 2009 http://www.debian.org/security/faq
- 

Package: drupal6
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE ID : no CVE id yet
Debian Bug : 529190 531386


Markus Petrux discovered a cross-site scripting vulnerability in the
taxonomy module of drupal6, a fully-featured content management
framework. It is also possible that certain browsers using the UTF-7
encoding are vulnerable to a different cross-site scripting
vulnerability.

For the stable distribution (lenny), these problems have been fixed in
version 6.6-3lenny2.

The oldstable distribution (etch) does not contain drupal6.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 6.11-1.1.


We recommend that you upgrade your drupal6 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny2.diff.gz
Size/MD5 checksum:21561 55998c89be8cde527e192e57b7c439d5
  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny2.dsc
Size/MD5 checksum: 1132 7d8a825a0e670972ab6dd4ee98c341c4
  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6.orig.tar.gz
Size/MD5 checksum:  1071507 caaa55d1990b34dee48f5047ce98e2bb

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny2_all.deb
Size/MD5 checksum:  1088692 fc0fd6e5d35869f6b8bc692fe7183248


  These files will probably be moved into the stable distribution on
  its next update.
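The upgrade instructions above pair each file URL with a "Size/MD5 checksum:" line. The following is an added example (not part of the advisory and not Debian's own tooling) that parses those lines and checks a downloaded file against them; the advisory excerpt, the package name example_1.0-1_all.deb and the package bytes are constructed so the check runs offline.

```python
"""Check downloaded packages against the Size/MD5 lines of a DSA.

Added example, not part of the advisory or of Debian's tooling. The
advisory excerpt and the package contents below are constructed so that
the check runs offline; the package name example_1.0-1_all.deb is made up.
"""
import hashlib
import re

URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")

# Constructed excerpt in the DSA layout: a URL on its own line, then the
# "Size/MD5 checksum:" line for that file.
ADVISORY_EXCERPT = """\
Architecture independent packages:

  http://security.debian.org/pool/updates/main/e/example/example_1.0-1_all.deb
Size/MD5 checksum:       43 9e107d9d372bb6826bd81d3542a419d6
"""

# Constructed "downloads": the first is what the advisory describes, the
# second has the same length but different bytes.
GOOD_DEB = b"The quick brown fox jumps over the lazy dog"
BAD_DEB = b"The quick brown fox jumps over the lazy cat"


def parse_checksums(advisory_text):
    """Map file basename -> (size, md5 hex) from the advisory's checksum lines."""
    expected = {}
    pending_url = None
    for line in advisory_text.splitlines():
        m = URL_RE.match(line)
        if m:
            pending_url = m.group(1)
            continue
        m = SUM_RE.match(line)
        if m and pending_url:
            name = pending_url.rsplit("/", 1)[-1]
            expected[name] = (int(m.group(1)), m.group(2).lower())
            pending_url = None
    return expected


def verify_download(expected, name, data):
    """Return the list of problems for one downloaded file; [] means it matches.

    Size is compared first so a truncated download is reported as such;
    the digest then confirms the bytes are the ones the advisory lists.
    """
    if name not in expected:
        return ["%s is not listed in the advisory" % name]
    size, md5 = expected[name]
    problems = []
    if len(data) != size:
        problems.append("size %d != %d" % (len(data), size))
    digest = hashlib.md5(data).hexdigest()
    if digest != md5:
        problems.append("md5 %s != %s" % (digest, md5))
    return problems


if __name__ == "__main__":
    expected = parse_checksums(ADVISORY_EXCERPT)
    for label, data in (("good", GOOD_DEB), ("tampered", BAD_DEB)):
        problems = verify_download(expected, "example_1.0-1_all.deb", data)
        print(label, problems or "OK")
```

These checksums catch corrupted or truncated downloads, nothing more: MD5 is not collision resistant, so the trust anchor is the PGP signature on the advisory itself (check it with gpg --verify before trusting the listed digests) and, on the apt-get path, the signed Release files that apt validates against the Debian archive keyring.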

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoj58gACgkQ62zWxYk/rQfG7ACcCaIP6IqB4ZybMtiz37gWHZ1t
038An3zTZ4RP8FIBwAuBI5CrSzcCQLTL
=TsNN
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 1798-1] New pango1.0 packages fix arbitrary code execution

2009-05-11 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1798-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
May 10, 2009  http://www.debian.org/security/faq
- 

Package: pango1.0
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id : CVE-2009-1194
Debian Bugs: 527474


Will Drewry discovered that pango, a system for layout and rendering of
internationalized text, is prone to an integer overflow via long
glyphstrings. This could cause the execution of arbitrary code when
displaying crafted data through an application using the pango library.


For the stable distribution (lenny), this problem has been fixed in
version 1.20.5-3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.14.8-5+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.24-1.


We recommend that you upgrade your pango1.0 packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/p/pango1.0/pango1.0_1.14.8.orig.tar.gz
Size/MD5 checksum:  1903985 18c64e6cd7b91d04c40ef621a3d8fa4a
  
http://security.debian.org/pool/updates/main/p/pango1.0/pango1.0_1.14.8-5+etch1.diff.gz
Size/MD5 checksum:26479 ed32cd0fab563f3d0446fd9ec43b2f7c
  
http://security.debian.org/pool/updates/main/p/pango1.0/pango1.0_1.14.8-5+etch1.dsc
Size/MD5 checksum: 1755 dc9d2d9010dc5dcc17fdf589db1a2e5e

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-doc_1.14.8-5+etch1_all.deb
Size/MD5 checksum:   253836 dbc3410b16ec27ddfed6dc8c1fb23daf
  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-common_1.14.8-5+etch1_all.deb
Size/MD5 checksum: 6668 f10d91ab42b3eba15ef083bfb7540de5

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-udeb_1.14.8-5+etch1_alpha.udeb
Size/MD5 checksum:   248652 708bd8f608c2447f8e0a82febf1e587a
  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-0_1.14.8-5+etch1_alpha.deb
Size/MD5 checksum:   362654 22a3cea2b5598180f52caf057dba3ecd
  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-dev_1.14.8-5+etch1_alpha.deb
Size/MD5 checksum:   496650 9b68bc2d3e14db69c128b0845eaa4a85
  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-0-dbg_1.14.8-5+etch1_alpha.deb
Size/MD5 checksum:   695224 d72beaf860b54f76008af828e71eacd0

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-0-dbg_1.14.8-5+etch1_amd64.deb
Size/MD5 checksum:   704936 0535ac16c732c783b55bbd0a877d8a78
  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-0_1.14.8-5+etch1_amd64.deb
Size/MD5 checksum:   335362 3181dcff1339b37ebc22d4a65751dc99
  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-dev_1.14.8-5+etch1_amd64.deb
Size/MD5 checksum:   384990 88a73bdbf1ade11b93416eeaa47fed05
  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-udeb_1.14.8-5+etch1_amd64.udeb
Size/MD5 checksum:   224702 eed5fa5149bae7cb5425af34f1ec3edc

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-0-dbg_1.14.8-5+etch1_arm.deb
Size/MD5 checksum:   662692 853a22e95710cdbc2d6466d8a57d4869
  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-dev_1.14.8-5+etch1_arm.deb
Size/MD5 checksum:   349496 dffb98f863c7d1965ceee910db8e02c7
  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-udeb_1.14.8-5+etch1_arm.udeb
Size/MD5 checksum:   202936 b4574bd7f773fd4de522caf2cf9947bd
  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-0_1.14.8-5+etch1_arm.deb
Size/MD5 checksum:   307638 31237ca7f49f47c18b8f648cd2886856

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/p/pango1.0/libpango1.0-0_1.14.8-5+etch1_hppa.deb
Size/MD5 checksum:   357600

[Full-disclosure] [SECURITY] [DSA 1791-1] New moin packages fix cross-site scripting

2009-05-06 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1791-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
May 06, 2009  http://www.debian.org/security/faq
- 

Package: moin
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2009-1482
Debian Bug : 526594


It was discovered that the AttachFile action in moin, a python clone of
WikiWiki, is prone to cross-site scripting attacks when renaming
attachments or performing other sub-actions.


For the stable distribution (lenny), this problem has been fixed in
version 1.7.1-3+lenny2.

The oldstable distribution (etch) is not vulnerable.

For the testing (squeeze) distribution and the unstable distribution
(sid), this problem will be fixed soon.


We recommend that you upgrade your moin packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1-3+lenny2.diff.gz
Size/MD5 checksum:78829 46802a81d20427b26a8aa60af1f576c9
  http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1.orig.tar.gz
Size/MD5 checksum:  5468224 871337b8171c91f9a6803e5376857e8d
  http://security.debian.org/pool/updates/main/m/moin/moin_1.7.1-3+lenny2.dsc
Size/MD5 checksum: 1258 13d23d74a20087879c69545351a59dad

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/m/moin/python-moinmoin_1.7.1-3+lenny2_all.deb
Size/MD5 checksum:  4506106 9fb6772b6c4f6eb816a488593257f026


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoBduUACgkQ62zWxYk/rQeaLQCcCIjUe5bXFabGIkRa+qYFEn6E
JzYAnRahgUz15biKGLL2Ys99GLGYQ7+y
=KC1a
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 1786-1] New acpid packages fix denial of service

2009-05-03 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1786-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
May 02, 2009  http://www.debian.org/security/faq
- 

Package: acpid
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-0798


It was discovered that acpid, a daemon for delivering ACPI events, is
prone to a denial of service attack by opening a large number of UNIX
sockets, which are not closed properly.
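The failure mode described above is descriptor exhaustion: a daemon that keeps every accepted client socket open eventually hits its RLIMIT_NOFILE and can no longer accept anything, including its legitimate event source. The following added example (not acpid's code and not its fix) reproduces that pattern on a UNIX socket and contrasts it with a bounded accept policy, one of the mitigation classes for this bug. The socket path is a temporary file created for the example, and the client count is constructed.

```python
"""UNIX-socket accept loop: unbounded client fds vs. a bounded policy.

Added example, not acpid's code or its fix. It shows the failure mode
the acpid advisory describes (clients open connections the daemon never
closes, until the process runs out of file descriptors) and a bounded
accept policy as one mitigation. The socket path is a temporary file.
"""
import os
import resource
import socket
import tempfile


def accept_clients(path, n_clients, max_clients=None):
    """Connect n_clients to a listening socket at path and accept them all.

    With max_clients=None every accepted socket is kept open (the bug:
    held grows without limit until accept() fails with EMFILE). With a
    cap, connections beyond it are closed at once, so the daemon's
    descriptor usage stays bounded however many clients connect.
    Returns the number of accepted sockets still held at the end.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(n_clients + 1)
    clients = []
    held = []
    try:
        for _ in range(n_clients):
            c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            c.connect(path)   # completes without accept(): the backlog queues it
            clients.append(c)
        for _ in range(n_clients):
            conn, _ = srv.accept()
            if max_clients is not None and len(held) >= max_clients:
                conn.close()  # refuse service rather than exhaust descriptors
                continue
            held.append(conn)
        return len(held)
    finally:
        for s in held + clients:
            s.close()
        srv.close()
        os.unlink(path)


def fd_headroom():
    """Soft RLIMIT_NOFILE of this process: the ceiling the unbounded loop hits."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)[0]


def demo(n_clients, max_clients=None):
    """Run accept_clients() on a fresh temporary socket path and clean up."""
    tmp = tempfile.mkdtemp()
    try:
        return accept_clients(os.path.join(tmp, "acpid.socket"), n_clients, max_clients)
    finally:
        os.rmdir(tmp)


if __name__ == "__main__":
    print("soft fd limit:", fd_headroom())
    print("unbounded policy holds", demo(20), "client sockets")
    print("capped policy holds", demo(20, max_clients=5), "client sockets")
```

A cap alone is a coarse fix; a real daemon also has to close client sockets on EOF and error so that well-behaved clients do not count against the limit forever. To check a running daemon for this problem, compare the number of entries under /proc/<pid>/fd with the soft limit from ulimit -n.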


For the stable distribution (lenny), this problem has been fixed in
version 1.0.8-1lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.0.4-5etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.0.10-1.


We recommend that you upgrade your acpid packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.4.orig.tar.gz
Size/MD5 checksum:23416 3aff94e92186e99ed5fd6dcee2db7c74
  http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.4-5etch1.dsc
Size/MD5 checksum:  623 5bdf431edd68f502a269c3ed93023416
  
http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.4-5etch1.diff.gz
Size/MD5 checksum:12446 97300b3586c815e0954b8dbd4eea7aa2

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.4-5etch1_amd64.deb
Size/MD5 checksum:28616 626f43fa08946939e3d44092c30e8538

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.4-5etch1_i386.deb
Size/MD5 checksum:25372 7c0e2c68816e6ddb5d1e2ac0ae7f5580

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.4-5etch1_ia64.deb
Size/MD5 checksum:33650 e12d65573422a71a5529587543601146


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.8-1lenny1.diff.gz
Size/MD5 checksum:18689 bad776513fe975f1d028d605be805be3
  http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.8-1lenny1.dsc
Size/MD5 checksum: 1289 6f9dc2ce42fbcd28d217f0208cdfd566
  http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.8.orig.tar.gz
Size/MD5 checksum:25308 ee48ff966292ec517ba83b37dd0a3256

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.8-1lenny1_amd64.deb
Size/MD5 checksum:37898 27be010a11b42cf1a92cced7f09dfc8b

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.8-1lenny1_i386.deb
Size/MD5 checksum:35596 4638a7439832ecdc869e592c6066ea4b

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/a/acpid/acpid_1.0.8-1lenny1_ia64.deb
Size/MD5 checksum:42846 1046165b9c0cdcdb9021375179279b2d


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkn7ptwACgkQ62zWxYk/rQcCpwCfQatV3Lveg6siCmSx+JFvK58V
8cMAn0bx3TjrqRbhpx3TVoGf9oG2BIy6
=sME5
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 1781-1] New ffmpeg-debian packages fix arbitrary code execution

2009-04-29 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1781-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
April 29, 2009http://www.debian.org/security/faq
- 

Package: ffmpeg-debian
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-0385 CVE-2008-3162
Debian Bugs: 524799 489965


Several vulnerabilities have been discovered in ffmpeg, a multimedia
player, server and encoder. The Common Vulnerabilities and Exposures
project identifies the following problems:


CVE-2009-0385

It was discovered that watching a malformed 4X movie file could lead to
the execution of arbitrary code.

CVE-2008-3162

It was discovered that using a crafted STR file can lead to the
execution of arbitrary code.


For the oldstable distribution (etch), these problems have been fixed
in version 0.cvs20060823-8+etch1.

For the stable distribution (lenny), these problems have been fixed in
version 0.svn20080206-17+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 0.svn20080206-16.


We recommend that you upgrade your ffmpeg-debian packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/f/ffmpeg/ffmpeg_0.cvs20060823-8+etch1.dsc
Size/MD5 checksum: 1271 9ec2715aea4be5b91b1ed1e694d71e72
  
http://security.debian.org/pool/updates/main/f/ffmpeg/ffmpeg_0.cvs20060823.orig.tar.gz
Size/MD5 checksum:  2309921 12e2e5d9e46ebfd08851b05665ecce25
  
http://security.debian.org/pool/updates/main/f/ffmpeg/ffmpeg_0.cvs20060823-8+etch1.diff.gz
Size/MD5 checksum:37279 acab6c61a1f82caa6e44da962f40db41

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/f/ffmpeg/libavcodec0d_0.cvs20060823-8+etch1_alpha.deb
Size/MD5 checksum:  1758996 d6d582615c3b06220f87e480599ae780
  
http://security.debian.org/pool/updates/main/f/ffmpeg/libavformat-dev_0.cvs20060823-8+etch1_alpha.deb
Size/MD5 checksum:   468626 ca150f7e2ecb6be6e61426ce5a87dfc9
  
http://security.debian.org/pool/updates/main/f/ffmpeg/libpostproc0d_0.cvs20060823-8+etch1_alpha.deb
Size/MD5 checksum:44738 77bdfc1faf07b98af2a7c74cbd8a8227
  
http://security.debian.org/pool/updates/main/f/ffmpeg/libavcodec-dev_0.cvs20060823-8+etch1_alpha.deb
Size/MD5 checksum:  1954418 c147594951f7233d8a3878c18845137f
  
http://security.debian.org/pool/updates/main/f/ffmpeg/ffmpeg_0.cvs20060823-8+etch1_alpha.deb
Size/MD5 checksum:   193846 811504b6006ac5fa9687aa6315e74a20
  
http://security.debian.org/pool/updates/main/f/ffmpeg/libavformat0d_0.cvs20060823-8+etch1_alpha.deb
Size/MD5 checksum:   315844 93ae83ed9fc96a8fc274dd6148577d58
  
http://security.debian.org/pool/updates/main/f/ffmpeg/libpostproc-dev_0.cvs20060823-8+etch1_alpha.deb
Size/MD5 checksum:46530 62191f7707e034589e64f83caf17c74d

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/f/ffmpeg/libpostproc-dev_0.cvs20060823-8+etch1_amd64.deb
Size/MD5 checksum:64986 028d66d1ace6ef0046362b218ad10f11
  
http://security.debian.org/pool/updates/main/f/ffmpeg/libpostproc0d_0.cvs20060823-8+etch1_amd64.deb
Size/MD5 checksum:64098 6fe0063a201e3da5bd395cddf8f539a9
  
http://security.debian.org/pool/updates/main/f/ffmpeg/libavcodec-dev_0.cvs20060823-8+etch1_amd64.deb
Size/MD5 checksum:  1550626 e3c31d11701a70bfa542dd693fa43c78
  
http://security.debian.org/pool/updates/main/f/ffmpeg/libavformat0d_0.cvs20060823-8+etch1_amd64.deb
Size/MD5 checksum:   268932 4635daf9397ea8e83f90c1419c3fbde2
  
http://security.debian.org/pool/updates/main/f/ffmpeg/libavformat-dev_0.cvs20060823-8+etch1_amd64.deb
Size/MD5 checksum:   335418 09c864a8cb6f0afc41b8a0efcb2ba3eb
  
http://security.debian.org/pool/updates/main/f/ffmpeg/ffmpeg_0.cvs20060823-8+etch1_amd64.deb
Size/MD5 checksum:   181666 d4391f84650eedae1416ef90bc8a566e
  
http://security.debian.org/pool/updates/main/f/ffmpeg/libavcodec0d_0.cvs20060823-8+etch1_amd64.deb
Size/MD5 checksum:  1486582

[Full-disclosure] [SECURITY] [DSA 1775-1] New php-json-ext packages fix denial of service

2009-04-20 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1775-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
April 20, 2009http://www.debian.org/security/faq
- 

Package: php-json-ext
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2009-1271


It was discovered that php-json-ext, a JSON serialiser for PHP, is
prone to a denial of service attack when the json_decode function
receives a malformed string.


For the oldstable distribution (etch), this problem has been fixed in
version 1.2.1-3.2+etch1.

The stable distribution (lenny) does not contain a separate php-json-ext
package, but includes it in the php5 packages, which will be fixed soon.

The testing distribution (squeeze) and the unstable distribution (sid)
do not contain a separate php-json-ext package, but include it in the
php5 packages.

We recommend that you upgrade your php-json-ext packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/p/php-json-ext/php-json-ext_1.2.1-3.2+etch1.dsc
Size/MD5 checksum:  655 0ec03d0f1b9070acbc7cd27d0391f5b8
  
http://security.debian.org/pool/updates/main/p/php-json-ext/php-json-ext_1.2.1-3.2+etch1.diff.gz
Size/MD5 checksum: 6927 38f1e8a9a59ed98b8734c8032a26141c
  
http://security.debian.org/pool/updates/main/p/php-json-ext/php-json-ext_1.2.1.orig.tar.gz
Size/MD5 checksum:   205184 2f1229af3e99a0dd64b4d4f1fe7eb8f4

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/p/php-json-ext/php4-json_1.2.1-3.2+etch1_alpha.deb
Size/MD5 checksum:15400 8bd9efc1a2953772d190af010e07db18
  
http://security.debian.org/pool/updates/main/p/php-json-ext/php5-json_1.2.1-3.2+etch1_alpha.deb
Size/MD5 checksum:16164 db0bde2a0c19be169f4e5942f9931d8b

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/p/php-json-ext/php5-json_1.2.1-3.2+etch1_amd64.deb
Size/MD5 checksum:14902 b9a1f994c0635b16c4eb9dcbcfcbb361
  
http://security.debian.org/pool/updates/main/p/php-json-ext/php4-json_1.2.1-3.2+etch1_amd64.deb
Size/MD5 checksum:14492 a7d56a24e70aed46ba4e8364109a6bff

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/p/php-json-ext/php5-json_1.2.1-3.2+etch1_arm.deb
Size/MD5 checksum:14692 38de5778f6d426ee6f7bb22f70eac6ba
  
http://security.debian.org/pool/updates/main/p/php-json-ext/php4-json_1.2.1-3.2+etch1_arm.deb
Size/MD5 checksum:13858 a4a428de898e847854ac9b1d5a47b498

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/p/php-json-ext/php5-json_1.2.1-3.2+etch1_hppa.deb
Size/MD5 checksum:15888 e4341419ce1d6b4598ce6d7973c4f181
  
http://security.debian.org/pool/updates/main/p/php-json-ext/php4-json_1.2.1-3.2+etch1_hppa.deb
Size/MD5 checksum:15470 6f2def991b9f7f73d50765412efbe1e6

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/p/php-json-ext/php5-json_1.2.1-3.2+etch1_i386.deb
Size/MD5 checksum:14796 6c085917b6825c03f92ee1715ce7bc2c
  
http://security.debian.org/pool/updates/main/p/php-json-ext/php4-json_1.2.1-3.2+etch1_i386.deb
Size/MD5 checksum:14362 e280d560eea3f4bd8ea838ee60bddd88

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/p/php-json-ext/php4-json_1.2.1-3.2+etch1_ia64.deb
Size/MD5 checksum:19344 c0a8a9a9ea921270e0e5b23f1e54b0fb
  
http://security.debian.org/pool/updates/main/p/php-json-ext/php5-json_1.2.1-3.2+etch1_ia64.deb
Size/MD5 checksum:20124 ed4a1b3a31c24b47500b73a5188b37b5

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/p/php-json-ext/php4-json_1.2.1-3.2+etch1_mips.deb
Size/MD5 checksum:14502 36aa4fe7f7d516bbb388ae311d3ce8a7
  
http://security.debian.org/pool/updates/main/p/php-json-ext/php5-json_1.2.1-3.2+etch1_mips.deb
Size/MD5 checksum:14782 75092e11b7479d1a57c5d3417af74f91

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/p/php-json

[Full-disclosure] [SECURITY] [DSA 1773-1] New cups packages fix arbitrary code execution

2009-04-17 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1773-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
April 17, 2009http://www.debian.org/security/faq
- 

Package: cups
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id : CVE-2009-0163


It was discovered that the imagetops filter in cups, the Common UNIX
Printing System, is prone to an integer overflow when reading malicious
TIFF images.


For the stable distribution (lenny), this problem has been fixed in
version 1.3.8-1lenny5.

For the oldstable distribution (etch), this problem has been fixed in
version 1.2.7-4etch7.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your cups packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7.dsc
Size/MD5 checksum: 1092 4203af9c21af4d6918245cd45acb06bb
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7.diff.gz
Size/MD5 checksum:   109374 af603a7173c6df4f33b048ffc7115bd8
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7.orig.tar.gz
Size/MD5 checksum:  4214272 c9ba33356e5bb93efbcf77b6e142e498

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4etch7_all.deb
Size/MD5 checksum:46244 44171d0a66210c387b6af8448f6d521d
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-common_1.2.7-4etch7_all.deb
Size/MD5 checksum:   893990 3f5525cb2fc50e8a06352e587737e2dc

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_alpha.deb
Size/MD5 checksum:39294 ced5ae3328348f9d3ae2676353e726bb
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_alpha.deb
Size/MD5 checksum:   184844 ecdf10a00e54d73bc9bba1044f42fc22
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_alpha.deb
Size/MD5 checksum:  1093362 f5be00bdf1562065aae9ea9fdb6663dc
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_alpha.deb
Size/MD5 checksum:   175490 5b2ece54509d960d8a1a3641412937f8
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_alpha.deb
Size/MD5 checksum:86398 7f312dfb4ff21681dff286d99d3896d8
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_alpha.deb
Size/MD5 checksum:  1604044 5656d9acd49fba643a50934599675ebc
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_alpha.deb
Size/MD5 checksum:95756 127511aa7fc682dab5e853b608ccba11
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch7_alpha.deb
Size/MD5 checksum:72988 5da04efb7c621d273910e5f5fe9ec9c1

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_amd64.deb
Size/MD5 checksum:36358 81cea5176eb873a11c89fccd558da98f
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_amd64.deb
Size/MD5 checksum:86462 6c33916f4c531bba16f777f71f772293
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_amd64.deb
Size/MD5 checksum:  1576296 724f40dec3726a6d099c97fc3cafb484
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_amd64.deb
Size/MD5 checksum:   142530 0e9faa06043e872626093a03fa17292c
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_amd64.deb
Size/MD5 checksum:   162692 bd08c8846a95488ec98fea36e105638b
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_amd64.deb
Size/MD5 checksum:  1088628 03b7431460c4d52d15f8525c0b01eddf
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_amd64.deb
Size/MD5 checksum:80736 06d9dd7cd306e846e36047a0eb6f0699
  
http

[Full-disclosure] [SECURITY] [DSA 1774-1] New ejabberd packages fix cross-site scripting

2009-04-17 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1774-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
April 17, 2009http://www.debian.org/security/faq
- 

Package: ejabberd
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-0934


It was discovered that ejabberd, a distributed, fault-tolerant
Jabber/XMPP server, does not sufficiently sanitise MUC logs, allowing
remote attackers to perform cross-site scripting (XSS) attacks.


For the stable distribution (lenny), this problem has been fixed in
version 2.0.1-6+lenny1.

The oldstable distribution (etch) is not affected by this issue.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.5-1.

We recommend that you upgrade your ejabberd packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/e/ejabberd/ejabberd_2.0.1-6+lenny1.diff.gz
Size/MD5 checksum:56231 d59d9f9bddb5e44e586bf7b6e33ab716
  
http://security.debian.org/pool/updates/main/e/ejabberd/ejabberd_2.0.1-6+lenny1.dsc
Size/MD5 checksum: 1387 4352a0860f0d1e64d2ba40ebcb68f484
  

  These files will probably be moved into the stable distribution on
  its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

[Full-disclosure] [SECURITY] [DSA 1770-1] New imp4 packages fix cross-site scripting

2009-04-13 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1770-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
April 13, 2009                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: imp4
Vulnerability  : Insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2008-4182 CVE-2009-0930
Debian Bugs: 500114 500553 513266

Several vulnerabilities have been found in imp4, a webmail component for
the Horde framework. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2008-4182

It was discovered that imp4 is vulnerable to a cross-site scripting (XSS)
attack via the user field in an IMAP session, which allows attackers to
inject arbitrary HTML code.

CVE-2009-0930

It was discovered that imp4 is prone to several cross-site scripting
(XSS) attacks via several vectors in the mail code, allowing attackers
to inject arbitrary HTML code.

For the oldstable distribution (etch), these problems have been fixed in
version 4.1.3-4etch1.

For the stable distribution (lenny), these problems have been fixed in
version 4.2-4, which was already included in the lenny release.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 4.2-4.


We recommend that you upgrade your imp4 packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>



[Full-disclosure] [SECURITY] [DSA 1765-1] New horde3 packages fix several vulnerabilities

2009-04-09 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1765-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
April 08, 2009                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: horde3
Vulnerability  : Multiple vulnerabilities
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2009-0932 CVE-2008-3330 CVE-2008-5917
Debian Bugs: 513265 512592 492578

Several vulnerabilities have been found in horde3, the Horde web application
framework. The Common Vulnerabilities and Exposures project identifies
the following problems:


CVE-2009-0932

Gunnar Wrobel discovered a directory traversal vulnerability, which
allows attackers to include and execute arbitrary local files via the
driver parameter in Horde_Image.

CVE-2008-3330

It was discovered that an attacker could perform a cross-site scripting
attack via the contact name, which allows attackers to inject arbitrary
HTML code. This requires that the attacker has access to create
contacts.

CVE-2008-5917

It was discovered that the Horde XSS filter is prone to a cross-site
scripting attack, which allows attackers to inject arbitrary HTML code.
This is only exploitable when Internet Explorer is used.


For the oldstable distribution (etch), these problems have been fixed in
version 3.1.3-4etch5.

For the stable distribution (lenny), these problems have been fixed in
version 3.2.2+debian0-2, which was already included in the lenny
release.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 3.2.2+debian0-2.


We recommend that you upgrade your horde3 packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>



[Full-disclosure] [SECURITY] [DSA 1762-1] New icu packages fix cross site scripting

2009-04-02 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1762-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
April 02, 2009                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: icu
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2008-1036


It was discovered that icu, the International Components for Unicode, did
not properly sanitise invalidly encoded data, which could lead to
cross-site scripting attacks.


For the stable distribution (lenny), this problem has been fixed in
version 3.8.1-3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 3.6-2etch2.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 4.0.1-1.


We recommend that you upgrade your icu packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1759-1] New strongswan packages fix denial of service

2009-03-31 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1759-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
March 30, 2009                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: strongswan
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-0790


Gerd v. Egidy discovered that the Pluto IKE daemon in strongswan, an
IPsec implementation for Linux, is prone to a denial of service attack
via a malicious packet.


For the stable distribution (lenny), this problem has been fixed in
version 4.2.4-5+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 2.8.0+dfsg-1+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your strongswan packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1760-1] New openswan packages fix denial of service

2009-03-31 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1760-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
March 30, 2009                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: openswan
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2008-4190 CVE-2009-0790
Debian Bug : 496374


Two vulnerabilities have been discovered in openswan, an IPsec
implementation for Linux. The Common Vulnerabilities and Exposures
project identifies the following problems:


CVE-2008-4190

Dmitry E. Oboukhov discovered that the livetest tool uses temporary
files insecurely, which could lead to a denial of service attack.


CVE-2009-0790

Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone
to a denial of service attack via a malicious packet.


For the stable distribution (lenny), these problems have been fixed in
version 2.4.12+dfsg-1.3+lenny1.

For the oldstable distribution (etch), these problems have been fixed in
version 2.4.6+dfsg.2-1.1+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.

We recommend that you upgrade your openswan packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1757-1] New auth2db packages fix SQL injection

2009-03-30 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1757-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
March 30, 2009                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: auth2db
Vulnerability  : SQL injection
Problem type   : remote
Debian-specific: no
CVE Id : no CVE id yet
Debian Bug : 521823


It was discovered that auth2db, an IDS logger, log viewer and alert
generator, is prone to an SQL injection vulnerability when used with
multibyte character encodings.


For the stable distribution (lenny), this problem has been fixed in
version 0.2.5-2+dfsg-1+lenny1.

The oldstable distribution (etch) doesn't contain auth2db.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 0.2.5-2+dfsg-1.1.

We recommend that you upgrade your auth2db packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------


  These files will probably be moved into the stable distribution on
  its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>



[Full-disclosure] [SECURITY] [DSA 1745-2] New lcms packages fix regression

2009-03-25 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1745-2                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
March 25, 2009                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: lcms
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-0581 CVE-2009-0723 CVE-2009-0733


This update fixes a possible regression introduced in DSA-1745-1 and
also enhances the security patch. For reference the original advisory
text is below.

Several security issues have been discovered in lcms, a color management
library. The Common Vulnerabilities and Exposures project identifies
the following problems:


CVE-2009-0581

Chris Evans discovered that lcms is affected by a memory leak, which
could result in a denial of service via specially crafted image files.

CVE-2009-0723

Chris Evans discovered that lcms is prone to several integer overflows
via specially crafted image files, which could lead to the execution of
arbitrary code.

CVE-2009-0733

Chris Evans discovered the lack of an upper-bounds check on sizes, leading
to a buffer overflow, which could be used to execute arbitrary code.


For the stable distribution (lenny), these problems have been fixed in
version 1.17.dfsg-1+lenny2.

For the oldstable distribution (etch), these problems have been fixed
in version 1.15-1.1+etch3.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.


We recommend that you upgrade your lcms packages.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1747-1] New glib2.0 packages fix arbitrary code execution

2009-03-21 Thread Steffen Joeris

------------------------------------------------------------------------
Debian Security Advisory DSA-1747-1                  secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
March 20, 2009                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: glib2.0
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id : CVE-2008-4316
Debian Bugs: 520046


Diego Pettenò discovered that glib2.0, the GLib library of C routines,
handles large strings insecurely in its Base64 encoding functions. This
could possibly lead to the execution of arbitrary code.


For the stable distribution (lenny), this problem has been fixed in
version 2.16.6-1+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 2.12.4-2+etch1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.20.0-1.


We recommend that you upgrade your glib2.0 packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
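The manual wget / dpkg -i route in the upgrade instructions (the same in every advisory above) gives no check that the file on disk is the one the advisory describes. As an added example that is not part of the advisory or of Debian's tooling, this POSIX shell function gates dpkg -i on the "Size/MD5 checksum: <size> <md5>" line these advisories publish for each file; the file and checksum lines in demo_check are constructed, and md5sum, wc, awk and mktemp are assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the Debian advisory or of Debian's tooling.
# Gate the manual "wget url; dpkg -i file.deb" route on the
# "Size/MD5 checksum: <size> <md5>" line the signed advisory publishes
# for each file. The advisory's PGP signature is what makes that line
# trustworthy; this check only confirms the bytes on disk match it.
# Assumes md5sum, wc, awk and mktemp (GNU coreutils, any POSIX shell).

# verify_deb FILE "Size/MD5 checksum: <size> <md5>"
# Returns 0 when both byte count and MD5 digest match, 1 otherwise.
verify_deb() {
    file=$1
    advisory_line=$2

    # Archives often collapse the column padding, so take the last two
    # whitespace-separated fields rather than relying on fixed offsets.
    expected_size=$(printf '%s\n' "$advisory_line" | awk '{print $(NF-1)}')
    expected_md5=$(printf '%s\n' "$advisory_line" | awk '{print $NF}')

    if [ ! -f "$file" ]; then
        echo "verify_deb: $file: no such file" >&2
        return 1
    fi

    # Cheap check first: a truncated or padded download fails here.
    actual_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$actual_size" != "$expected_size" ]; then
        echo "verify_deb: $file: size $actual_size, advisory says $expected_size" >&2
        return 1
    fi

    actual_md5=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "verify_deb: $file: MD5 $actual_md5, advisory says $expected_md5" >&2
        return 1
    fi
    return 0
}

# install_if_verified FILE ADVISORY_LINE
# The advisory's manual route with the checksum gate in front of dpkg -i.
# Prefer the apt-get route where possible: apt verifies the signed Release
# file for you and resolves dependencies as well.
install_if_verified() {
    verify_deb "$1" "$2" || return 1
    dpkg -i "$1"
}

# demo_check: exercises verify_deb on a constructed 5-byte file (not a
# real package); its digest is the well-known MD5 of the string "hello".
# Returns 0 if the matching line passes and a tampered line is rejected.
demo_check() {
    tmp=$(mktemp) || return 1
    printf 'hello' > "$tmp"
    good="Size/MD5 checksum:  5 5d41402abc4b2a76b9719d911017c592"
    bad="Size/MD5 checksum:  5 00000000000000000000000000000000"
    rc=1
    if verify_deb "$tmp" "$good" && ! verify_deb "$tmp" "$bad" 2>/dev/null; then
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}
```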


Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.

Size/MD5 checksum:   537132 95ba75ae0b010885405b892f4a091c4f
  
http://security.debian.org/pool/updates/main/g/glib2.0/libglib2.0-0-dbg_2.12.4-2+etch1_arm.deb
Size/MD5 checksum:   554820 f2b3e61b465bb077da5d871b73f1064b

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/g/glib2.0/libglib2.0-0-dbg_2.12.4-2+etch1_hppa.deb
Size/MD5 checksum:   584818 06d00ef19400440a20a3590332bbebd2
  
http://security.debian.org/pool/updates

[Full-disclosure] [SECURITY] [DSA 1748-1] New libsoup packages fix arbitrary code execution

2009-03-21 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1748-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
March 20, 2009  http://www.debian.org/security/faq
- 

Package: libsoup
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id : CVE-2009-0585
Debian Bugs: 520039


It was discovered that libsoup, an HTTP library implementation in C,
handles large strings insecurely via its Base64 encoding functions. This
could possibly lead to the execution of arbitrary code.


For the oldstable distribution (etch), this problem has been fixed in
version 2.2.98-2+etch1.

The stable distribution (lenny) is not affected by this issue.

The testing distribution (squeeze) and the unstable distribution (sid)
are not affected by this issue.


We recommend that you upgrade your libsoup packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup_2.2.98-2+etch1.diff.gz
Size/MD5 checksum: 6510 65ab0f023a150170e8a181890a00b023
  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup_2.2.98-2+etch1.dsc
Size/MD5 checksum: 1537 cd5b947c0b3b9203aa52f6d0ec40821c
  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup_2.2.98.orig.tar.gz
Size/MD5 checksum:   692665 b20e2a41ab0d21cc8d84fd76b4dbf47b

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-doc_2.2.98-2+etch1_all.deb
Size/MD5 checksum:   148102 b1e78a8f3396ae6d58f3cf3889c8c6ff

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_alpha.deb
Size/MD5 checksum:   143528 45221b9485dd0b1d7a5b2a0dc68b1dc0
  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_alpha.deb
Size/MD5 checksum:   225664 646feecbfdae326e7e131682c87eb490

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_amd64.deb
Size/MD5 checksum:   173460 91bbd9ff1aba8b8a5739fee06c67d5c8
  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_amd64.deb
Size/MD5 checksum:   134338 4f0863cdc2d1d2b11020ea48d383da47

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_arm.deb
Size/MD5 checksum:   156102 5b9fc9b512df31fc13545b1ad5b58b59
  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_arm.deb
Size/MD5 checksum:   122166 1f7ffd4f62f0e3da5dfda7bba9b6cf8e

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_i386.deb
Size/MD5 checksum:   159014 ceff344964f226cbe0c3d9fe33d269c1
  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_i386.deb
Size/MD5 checksum:   127618 233269397ec53a7728efbbe4bb5ffdbf

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_ia64.deb
Size/MD5 checksum:   166682 3e731257e90366342668ae79a62d765c
  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_ia64.deb
Size/MD5 checksum:   224356 ef42597d156076f2c8b14719ba86b6f7

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_mips.deb
Size/MD5 checksum:   123812 4cf102e455c0dbd0b216ba566a0c0ab8
  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_mips.deb
Size/MD5 checksum:   186234 cd10eebffdc0cd2d3054312e33e4ce8e

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-8_2.2.98-2+etch1_mipsel.deb
Size/MD5 checksum:   123834 98548a14e5ce79bebb383a6aecee4c98
  
http://security.debian.org/pool/updates/main/libs/libsoup/libsoup2.2-dev_2.2.98-2+etch1_mipsel.deb
Size/MD5 checksum:   184598
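
The integer overflow that DSA-1747 (glib2.0) and DSA-1748 (libsoup) describe in their Base64 encoding functions, as an added example that is not code from either project: the encoder derives its output-buffer size from the input length with arithmetic that wraps for very large inputs, so the allocation is undersized and the encoder writes past it. The size formula, the 32-bit size type (chosen so the wrap is reachable in a test without allocating gigabytes) and all function names are assumptions of this example, not the projects' own code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from GLib or libsoup. It models the bug class in
 * DSA-1747/DSA-1748: the Base64 encoder sizes its output buffer from the
 * input length with arithmetic that can wrap for very large inputs, so the
 * buffer is far too small and the encoder then writes past its end.
 * Sizes are deliberately 32-bit so the wrap is reachable in a test; the
 * exact formula is an assumption for illustration, not GLib's code.
 */

/* Vulnerable pattern: len * 4 is evaluated first and silently wraps. */
uint32_t b64_size_unchecked(uint32_t len)
{
    return len * 4 / 3 + 4;
}

/* Fixed pattern: bound the input before multiplying. Returns 0 on refusal. */
uint32_t b64_size_checked(uint32_t len)
{
    if (len > UINT32_MAX / 4)
        return 0;
    return len * 4 / 3 + 4;
}

/* Exact buffer size (padded Base64 plus NUL) the encoder below needs.
 * Divides before multiplying and bounds the result so it never wraps.
 * Returns 0 if the input is too large to encode. */
uint32_t b64_size_exact(uint32_t len)
{
    if (len > UINT32_MAX - 2)
        return 0;
    uint32_t groups = (len + 2) / 3;          /* 3 input bytes -> 4 chars */
    if (groups > (INT32_MAX - 1) / 4)         /* keep groups * 4 + 1 representable */
        return 0;
    return groups * 4 + 1;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encodes len bytes of in into out as NUL-terminated Base64.
 * Returns the number of characters written, or -1 if out_cap is too small. */
int b64_encode(const uint8_t *in, uint32_t len, char *out, uint32_t out_cap)
{
    uint32_t need = b64_size_exact(len);
    if (need == 0 || out_cap < need)
        return -1;                            /* refuse instead of overflowing */
    uint32_t o = 0;
    for (uint32_t i = 0; i < len; i += 3) {
        uint32_t n = (uint32_t)in[i] << 16;
        if (i + 1 < len) n |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < len) n |= in[i + 2];
        out[o++] = B64[(n >> 18) & 63];
        out[o++] = B64[(n >> 12) & 63];
        out[o++] = (i + 1 < len) ? B64[(n >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? B64[n & 63] : '=';
    }
    out[o] = '\0';
    return (int)o;
}

/* Convenience check: encodes a short C string and compares with expected.
 * Returns 1 on match, 0 otherwise (including strings longer than the buffer). */
int b64_encode_equals(const char *text, const char *expected)
{
    char out[64];
    int n = b64_encode((const uint8_t *)text, (uint32_t)strlen(text), out, sizeof out);
    return n >= 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed input length: 1 GiB makes len * 4 wrap to 0 in 32 bits,
     * so the unchecked formula asks for a 4-byte buffer for ~1.4 GB of output. */
    uint32_t big = 0x40000000u;
    printf("unchecked size for 1 GiB input: %u (really needs %u)\n",
           b64_size_unchecked(big), b64_size_exact(big));
    printf("checked size for 1 GiB input:   %u (0 = refused)\n",
           b64_size_checked(big));

    char out[16];
    if (b64_encode((const uint8_t *)"Man", 3, out, sizeof out) > 0)
        printf("\"Man\" -> %s\n", out);
    return 0;
}
```

The point to take from the two size functions is that the fix is not in the encoder loop but in the arithmetic that precedes the allocation: the loop writes exactly as many bytes as the input dictates, so any undersized buffer from a wrapped size calculation becomes a heap overflow of attacker-controlled length.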

[Full-disclosure] [SECURITY] [DSA 1745-1] New lcms packages fix arbitrary code execution

2009-03-21 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1745-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
March 20, 2009  http://www.debian.org/security/faq
- 

Package: lcms
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-0581 CVE-2009-0723 CVE-2009-0733


Several security issues have been discovered in lcms, a color management
library. The Common Vulnerabilities and Exposures project identifies
the following problems:


CVE-2009-0581

Chris Evans discovered that lcms is affected by a memory leak, which
could result in a denial of service via specially crafted image files.

CVE-2009-0723

Chris Evans discovered that lcms is prone to several integer overflows
via specially crafted image files, which could lead to the execution of
arbitrary code.

CVE-2009-0733

Chris Evans discovered the lack of upper-bounds check on sizes leading
to a buffer overflow, which could be used to execute arbitrary code.


For the stable distribution (lenny), these problems have been fixed in
version 1.17.dfsg-1+lenny1.

For the oldstable distribution (etch), these problems have been fixed
in version 1.15-1.1+etch2.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.


We recommend that you upgrade your lcms packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15.orig.tar.gz
Size/MD5 checksum:   791543 95a710dc757504f6b02677c1fab68e73
  
http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15-1.1+etch2.diff.gz
Size/MD5 checksum: 4632 9a790aa45cdeb69aa46f584689a99f98
  http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15-1.1+etch2.dsc
Size/MD5 checksum:  644 d4cb8388b8c902a533506ec16ca63501

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch2_alpha.deb
Size/MD5 checksum:   181050 b27152b25309aa9e6ad1c34bb3c26366
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch2_alpha.deb
Size/MD5 checksum:60202 53d74752d434e3c9ee30aa9129f0a1e8
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch2_alpha.deb
Size/MD5 checksum:   154196 d4fa9270d9a8ca7de7129192ef998506

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch2_amd64.deb
Size/MD5 checksum:   149428 30c41aaae075c75890eebc1ce4e5a210
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch2_amd64.deb
Size/MD5 checksum:   141048 0c6fa8d6f1d39976480ffc5a835a998a
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch2_amd64.deb
Size/MD5 checksum:53166 df6375dd38801b739fbc160e1eb57eaf

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch2_arm.deb
Size/MD5 checksum:   136286 d21fb48afe1c612b88a3cc65f6500e44
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch2_arm.deb
Size/MD5 checksum:51050 1c7d4e76aaf8c7ec7d9090ca04a492f5
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch2_arm.deb
Size/MD5 checksum:   136060 20069a3b809cef749d92da5b0e04c583

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch2_hppa.deb
Size/MD5 checksum:   169382 3ed56562edaa688b42cd108a3ac468c3
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch2_hppa.deb
Size/MD5 checksum:   158440 1616cbcfd9e8fcc8f1774b4aabb0bcf9
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch2_hppa.deb
Size/MD5 checksum:59212 602d13389c04ceba66b5a3f73dfc9f1b

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch2_i386.deb
Size/MD5 checksum:50220 c5d54e09d401fa67c09112d1a63095f1
  
http://security.debian.org/pool/updates/main/l/lcms

[Full-disclosure] [SECURITY] [DSA 1746-1] New ghostscript packages fix arbitrary code execution

2009-03-20 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1746-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
March 20, 2009  http://www.debian.org/security/faq
- 

Package: ghostscript
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-0583 CVE-2009-0584


Two security issues have been discovered in ghostscript, the GPL
Ghostscript PostScript/PDF interpreter. The Common Vulnerabilities and
Exposures project identifies the following problems:


CVE-2009-0583

Jan Lieskovsky discovered multiple integer overflows in the ICC library,
which allow the execution of arbitrary code via crafted ICC profiles in
PostScript files with embedded images.

CVE-2009-0584

Jan Lieskovsky discovered insufficient upper-bounds checks on certain
variable sizes in the ICC library, which allow the execution of
arbitrary code via crafted ICC profiles in PostScript files with
embedded images.


For the stable distribution (lenny), these problems have been fixed in
version 8.62.dfsg.1-3.2lenny1.

For the oldstable distribution (etch), these problems have been fixed
in version 8.54.dfsg.1-5etch2. Please note that the package in oldstable
is called gs-gpl.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.


We recommend that you upgrade your ghostscript/gs-gpl packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1.orig.tar.gz
Size/MD5 checksum: 11695732 05938e26bfa8769e28cf2bb38efd9673
  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2.diff.gz
Size/MD5 checksum:   222025 2c1bc048ef7c965631c44e4f5fdf2421
  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2.dsc
Size/MD5 checksum:  837 548225280e3ea0cc9f0752a0b84ee16a

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs_8.54.dfsg.1-5etch2_all.deb
Size/MD5 checksum:14404 acbacfffd7964c8d7e2efc6d7b0c5fff

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2_alpha.deb
Size/MD5 checksum:  5838820 d4e38d1dbc1265ca2b4ad8e49b8700cb

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2_amd64.deb
Size/MD5 checksum:  5617322 f9d719e1c72e869f0aa530057d5da244

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2_arm.deb
Size/MD5 checksum:  5509682 3581a6fa9c7e1b7eecb139a69bad831d

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2_hppa.deb
Size/MD5 checksum:  5766684 408f1bc20285d13ebdaa1e92be345004

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2_i386.deb
Size/MD5 checksum:  5526514 3f23df691da756cd3dbd7a56b1f7baae

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2_ia64.deb
Size/MD5 checksum:  6551116 f0204f85d0c2342ce1df8a877b09ee68

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2_mips.deb
Size/MD5 checksum:  5737602 48b8a1cd5c68383cb2bd673845a26a4c

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2_mipsel.deb
Size/MD5 checksum:  5744092 cc66db4d6319f3115bebbe7a530950e0

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2_powerpc.deb
Size/MD5 checksum:  5581730 cacef2383b679cecc01b5f8b039c6a5f

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/g/gs-gpl/gs-gpl_8.54.dfsg.1-5etch2_s390.deb
Size/MD5 checksum:  5536144 043ff8f2871620435156699cb28ab897

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org

[Full-disclosure] [SECURITY] [DSA 1743-1] New libtk-img packages fix arbitrary code execution

2009-03-17 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1743-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
March 17, 2009   http://www.debian.org/security/faq
- 

Package: libtk-img
Vulnerability  : buffer overflows
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2007-5137 CVE-2007-5378
Debian Bug : 519072

Two buffer overflows have been found in the GIF image parsing code of
Tk, a cross-platform graphical toolkit, which could lead to the execution
of arbitrary code. The Common Vulnerabilities and Exposures project
identifies the following problems:


CVE-2007-5137

It was discovered that libtk-img is prone to a buffer overflow via
specially crafted multi-frame interlaced GIF files.

CVE-2007-5378

It was discovered that libtk-img is prone to a buffer overflow via
specially crafted GIF files with certain subimage sizes.


For the stable distribution (lenny), these problems have been fixed in
version 1.3-release-7+lenny1.

For the oldstable distribution (etch), these problems have been fixed in
version 1.3-15etch3.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1.3-release-8.


We recommend that you upgrade your libtk-img packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3.diff.gz
Size/MD5 checksum:   245234 735f4c10ef82cb9d871351b180ae47dc
  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3.orig.tar.gz
Size/MD5 checksum:  3918119 ee19a7fdaaa64e9d85eeecd3b78bce8f
  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3.dsc
Size/MD5 checksum:  663 3a273d841105b8978f96eca6533eeefd

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_alpha.deb
Size/MD5 checksum:   491110 07e4cdac4f3fba01a3b7d84648c6809d

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_amd64.deb
Size/MD5 checksum:   461822 cae988f3575b2087b7d04eea38a25440

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_arm.deb
Size/MD5 checksum:   436356 7ef635df0204508e8e883eb4a54ae58f

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_i386.deb
Size/MD5 checksum:   430104 b00a0cb661ea599ce296796547520fe0

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_ia64.deb
Size/MD5 checksum:   601608 49309def501db030330443b5bb955d38

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_mips.deb
Size/MD5 checksum:   441054 026d2c2af3bed4b7f3452a7bddfaaee3

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_mipsel.deb
Size/MD5 checksum:   441044 24d9bc504e550643afd51fe1f3fff1e1

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_powerpc.deb
Size/MD5 checksum:   452226 3769f2ee4ac052602db18ad14e5a33d0

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_s390.deb
Size/MD5 checksum:   457496 870628476aec308c566d3f4bea697730

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-15etch3_sparc.deb
Size/MD5 checksum:   424242 5ff1ceda5f92c0ce34398ad1a375b3ce


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/libt/libtk-img/libtk-img_1.3-release-7+lenny1.diff.gz
Size/MD5 checksum

[Full-disclosure] [SECURITY] [DSA 1740-1] New yaws packages fix denial of service

2009-03-14 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1740-1 secur...@debian.org
http://www.debian.org/security/ Steffen Joeris
March 14, 2009   http://www.debian.org/security/faq
- 

Package: yaws
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-0751


It was discovered that yaws, a high performance HTTP 1.1 webserver, is
prone to a denial of service attack via a request with a large HTTP
header.

For the stable distribution (lenny), this problem has been fixed in
version 1.77-3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.65-4etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.80-1.

We recommend that you upgrade your yaws package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1.diff.gz
Size/MD5 checksum:15050 de600331ea301eb9a8cd82987bbecac1
  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1.dsc
Size/MD5 checksum:  742 5ff0d18eaf5b0982cab087a0da30546b
  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65.orig.tar.gz
Size/MD5 checksum:   775978 4c08ba6abb40e41a49066a4c35d66102

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1_alpha.deb
Size/MD5 checksum:   920326 bcdde19abfa0509a7fec5980ae4c6977

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1_amd64.deb
Size/MD5 checksum:   922808 f69d7ec4e1082067e8ce2c5b35088ed7

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1_arm.deb
Size/MD5 checksum:   921284 74360fb5c5ace09cde4a0afe9612b35e

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1_i386.deb
Size/MD5 checksum:   923758 b6f68cab4953d114197eecef7e89a5d7

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1_ia64.deb
Size/MD5 checksum:   921190 be465d69af82a67b1d0a5e4bf6e21984

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1_mips.deb
Size/MD5 checksum:   923582 fa6d77670fee39cfc6bd1cd0c5532786

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1_mipsel.deb
Size/MD5 checksum:   919572 a235d55de32b60a838b0ca92fa2e5308

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1_powerpc.deb
Size/MD5 checksum:   920814 23d52c172afae1269fccc7a536418fbe

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1_s390.deb
Size/MD5 checksum:   919460 39fca419254eaca0a843e4d5a8abfd5e

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.65-4etch1_sparc.deb
Size/MD5 checksum:   784600 ab81930fb47510802e13cd26cad09c73


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.77.orig.tar.gz
Size/MD5 checksum:   838170 7e01d9e8f4fe12895c76081ee4cf7754
  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.77-3+lenny1.dsc
Size/MD5 checksum: 1206 6b5844871553c42a824f401586aa46a1
  http://security.debian.org/pool/updates/main/y/yaws/yaws_1.77-3+lenny1.diff.gz
Size/MD5 checksum:19814 253cfc5da27428df313c4e8b4dfbf93a

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/y/yaws/yaws-wiki_1.77-3+lenny1_all.deb
Size/MD5 checksum:   200784 8731c7f94f6f3550f142f21d225d918d
  
http://security.debian.org/pool/updates/main/y/yaws/yaws-chat_1.77-3+lenny1_all.deb
Size/MD5 checksum:65076

[Full-disclosure] [SECURITY] [DSA 1736-1] New mahara packages fix cross-site scripting

2009-03-11 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1736-1  secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
March 10, 2009http://www.debian.org/security/faq
- 

Package: mahara
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2009-0660

It was discovered that mahara, an electronic portfolio, weblog, and
resume builder, is prone to cross-site scripting attacks, which allows
the injection of arbitrary Java or HTML code.

For the stable distribution (lenny), this problem has been fixed in
version 1.0.4-4+lenny1.

The oldstable distribution (etch) does not contain mahara.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.


We recommend that you upgrade your mahara package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny1.dsc
Size/MD5 checksum: 1303 e78e2f84879067ead786f022b3fb9e65
  
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny1.diff.gz
Size/MD5 checksum:38565 dab9ae59c86acc880749118e0c7fab20
  http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4.orig.tar.gz
Size/MD5 checksum:  2383079 cf1158e4fe3cdba14fb1b71657bf8cc9

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny1_all.deb
Size/MD5 checksum:  1636658 52d68deb52604b9d5ae0ad910ef0ef78
  
http://security.debian.org/pool/updates/main/m/mahara/mahara-apache2_1.0.4-4+lenny1_all.deb
Size/MD5 checksum: 7778 9b1ddde46afd38972b0789e0c18e740a

  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm2zjoACgkQXm3vHE4uylp99ACdGLxX5QiuHmIP5ugO8mvWtuXT
HzcAoM0ifVwpizr87+vJt9XxqI8dLBPV
=R8Rx
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1737-1] New wesnoth packages fix several vulnerabilities

2009-03-11 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1737-1  secur...@debian.org
http://www.debian.org/security/ Steffen Joeris
March 11, 2009   http://www.debian.org/security/faq
- 

Package: wesnoth
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2009-0366 CVE-2009-0367


Several security issues have been discovered in wesnoth, a fantasy
turn-based strategy game. The Common Vulnerabilities and Exposures
project identifies the following problems:


CVE-2009-0366

Daniel Franke discovered that the wesnoth server is prone to a denial of
service attack when receiving special crafted compressed data.

CVE-2009-0367

Daniel Franke discovered that the sandbox implementation for the python
AIs can be used to execute arbitrary python code on wesnoth clients. In
order to prevent this issue, the python support has been disabled. A
compatibility patch was included, so that the affected campaign is still
working properly.


For the stable distribution (lenny), these problems have been fixed in
version 1.4.4-2+lenny1.

For the oldstable distribution (etch), these problems have been fixed
in version 1.2-5.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1.4.7-4.

We recommend that you upgrade your wesnoth packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1730-1] New proftpd-dfsg packages fix SQL injection vulnerabilities

2009-03-03 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1730-1  secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
March 02, 2009                         http://www.debian.org/security/faq
- 

Package: proftpd-dfsg
Vulnerability  : SQL injection vulnerabilities
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-0542 CVE-2009-0543

The security update for proftpd-dfsg in DSA-1727-1 caused a regression
with the postgresql backend. This update corrects the flaw. Also it was
discovered that the oldstable distribution (etch) is not affected by the
security issues. For reference the original advisory follows.


Two SQL injection vulnerabilities have been found in proftpd, a
virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-0542

Shino discovered that proftpd is prone to an SQL injection vulnerability
via the use of certain characters in the username.


CVE-2009-0543

TJ Saunders discovered that proftpd is prone to an SQL injection
vulnerability due to insufficient escaping mechanisms, when multibyte
character encodings are used.


For the stable distribution (lenny), these problems have been fixed in
version 1.3.1-17lenny2.

The oldstable distribution (etch) is not affected by these problems.

For the unstable distribution (sid), these problems have been fixed in
version 1.3.2-1.

For the testing distribution (squeeze), these problems will be fixed
soon.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1729-1] New gst-plugins-bad0.10 packages fix multiple vulnerabilities

2009-03-03 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1729-1  secur...@debian.org
http://www.debian.org/security/   Noah Meyerhans
March 02, 2009                         http://www.debian.org/security/faq
- 

Package: gst-plugins-bad0.10
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Id : CVE-2009-0386 CVE-2009-0387 CVE-2009-0397

Several vulnerabilities have been found in gst-plugins-bad0.10, a
collection of various GStreamer plugins. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2009-0386

Tobias Klein discovered a buffer overflow in the quicktime stream
demuxer (qtdemux), which could potentially lead to the execution of
arbitrary code via crafted .mov files.

CVE-2009-0387

Tobias Klein discovered an array index error in the quicktime stream
demuxer (qtdemux), which could potentially lead to the execution of
arbitrary code via crafted .mov files.

CVE-2009-0397

Tobias Klein discovered a buffer overflow in the quicktime stream
demuxer (qtdemux) similar to the issue reported in CVE-2009-0386, which
could also lead to the execution of arbitrary code via crafted .mov
files.


For the stable distribution (lenny), these problems have been fixed in
version 0.10.8-4.1~lenny1 of gst-plugins-good0.10, since the affected
plugin has been moved there. The fix was already included in the lenny
release.

For the oldstable distribution (etch), these problems have been fixed in
version 0.10.3-3.1+etch1.

For the unstable distribution (sid) and the testing distribution
(squeeze), these problems have been fixed in version 0.10.8-4.1 of
gst-plugins-good0.10.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

[Full-disclosure] [SECURITY] [DSA 1731-1] New ndiswrapper packages fix arbitrary code execution vulnerability

2009-03-03 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1731-1  secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
March 02, 2009                         http://www.debian.org/security/faq
- 

Package: ndiswrapper
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2008-4395
Debian Bugs: 504696


Anders Kaseorg discovered that ndiswrapper suffers from buffer overflows
via specially crafted wireless network traffic, due to incorrectly
handling long ESSIDs. This could lead to the execution of arbitrary
code.


For the oldstable distribution (etch), this problem has been fixed in
version 1.28-1+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 1.53-2, which was already included in the lenny release.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.53-2.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg



[Full-disclosure] [SECURITY] [DSA 1732-1] New squid3 packages fix denial of service

2009-03-03 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1732                      secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
March 03, 2009                         http://www.debian.org/security/faq
- 

Package: squid3
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2009-0478

Joshua Morin, Mikko Varpiola and Jukka Taimisto discovered an assertion
error in squid3, a full featured Web Proxy cache, which could lead to
a denial of service attack.


For the stable distribution (lenny), this problem has been fixed in
version 3.0.STABLE8-3, which was already included in the lenny release.

For the oldstable distribution (etch), this problem has been fixed in
version 3.0.PRE5-5+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 3.0.STABLE8-3.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1733-1] New vim packages fix multiple vulnerabilities

2009-03-03 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1733                      secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
March 03, 2009                         http://www.debian.org/security/faq
- 

Package: vim
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2008-2712 CVE-2008-3074 CVE-2008-3075 CVE-2008-3076
 CVE-2008-4104
Debian Bugs: 486502 506919

Several vulnerabilities have been found in vim, an enhanced vi editor.
The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2008-2712

Jan Minar discovered that vim did not properly sanitise inputs
before invoking the execute or system functions inside vim
scripts. This could lead to the execution of arbitrary code.

CVE-2008-3074

Jan Minar discovered that the tar plugin of vim did not properly
sanitise the filenames in the tar archive or the name of the
archive file itself, making it prone to arbitrary code execution.

CVE-2008-3075

Jan Minar discovered that the zip plugin of vim did not properly
sanitise the filenames in the zip archive or the name of the
archive file itself, making it prone to arbitrary code execution.

CVE-2008-3076

Jan Minar discovered that the netrw plugin of vim did not properly
sanitise the filenames or directory names it is given. This could
lead to the execution of arbitrary code.

CVE-2008-4101

Ben Schmidt discovered that vim did not properly escape characters
when performing keyword or tag lookups. This could lead to the
execution of arbitrary code.


For the stable distribution (lenny), these problems have been fixed in
version 1:7.1.314-3+lenny1, which was already included in the lenny
release.

For the oldstable distribution (etch), these problems have been fixed in
version 1:7.0-122+1etch4.

For the testing distribution (squeeze), these problems have been fixed
in version 1:7.1.314-3+lenny1.

For the unstable distribution (sid), these problems have been fixed in
version 2:7.2.010-1.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1727-1] New proftpd-dfsg packages fix SQL injection vulnerabilities

2009-02-26 Thread Steffen Joeris

- --
Debian Security Advisory DSA 1727-1                    secur...@debian.org
http://www.debian.org/security/ Steffen Joeris
February 26th, 2009 http://www.debian.org/security/faq
- --

Package: proftpd-dfsg
Vulnerability  : SQL injection vulnerabilities
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2009-0542 CVE-2009-0543

Two SQL injection vulnerabilities have been found in proftpd, a
virtual-hosting FTP daemon.  The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-0542

Shino discovered that proftpd is prone to an SQL injection
vulnerability via the use of certain characters in the username.

CVE-2009-0543

TJ Saunders discovered that proftpd is prone to an SQL injection
vulnerability due to insufficient escaping mechanisms, when
multibyte character encodings are used.

For the stable distribution (lenny), these problems have been fixed in
version 1.3.1-17lenny1.

For the oldstable distribution (etch), these problems will be fixed
soon.

For the testing distribution (squeeze), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.3.2-1.

We recommend that you upgrade your proftpd-dfsg package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 


[Full-disclosure] [SECURITY] [DSA 1710-1] New ganglia-monitor-core packages fix remote code execution

2009-01-26 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1710-1  secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
January 25, 2009                       http://www.debian.org/security/faq
- 

Package: ganglia-monitor-core
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-0241

Spike Spiegel discovered a stack-based buffer overflow in gmetad, the
meta-daemon for the ganglia cluster monitoring toolkit, which could be
triggered via a request with long path names and might enable
arbitrary code execution.

For the stable distribution (etch), this problem has been fixed in
version 2.5.7-3.1etch1.

For the unstable distribution (sid), this problem has been fixed in
version 2.5.7-5.

For the testing distribution (lenny), this problem will be fixed soon.

We recommend that you upgrade your ganglia-monitor-core packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---


[Full-disclosure] [SECURITY] [DSA 1707-1] New iceweasel packages fix several vulnerabilities

2009-01-16 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1707-1  secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
January 15, 2009  http://www.debian.org/security/faq
- 

Package: iceweasel
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2008-5500 CVE-2008-5503 CVE-2008-5504 CVE-2008-5506 
CVE-2008-5507 CVE-2008-5508 CVE-2008-5510 CVE-2008-5511 CVE-2008-5512 
CVE-2008-5513

Several remote vulnerabilities have been discovered in the Iceweasel web
browser, an unbranded version of the Firefox browser. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-5500

   Jesse Ruderman discovered that the layout engine is vulnerable to
   DoS attacks that might trigger memory corruption and an integer
   overflow. (MFSA 2008-60)

CVE-2008-5503

   Boris Zbarsky discovered that an information disclosure attack could
   be performed via XBL bindings. (MFSA 2008-61)

CVE-2008-5504

   It was discovered that attackers could run arbitrary JavaScript with
   chrome privileges via vectors related to the feed preview.
   (MFSA 2008-62)

CVE-2008-5506

   Marius Schilder discovered that it is possible to obtain sensitive
   data via an XMLHttpRequest. (MFSA 2008-64)

CVE-2008-5507

   Chris Evans discovered that it is possible to obtain sensitive data
   via a JavaScript URL. (MFSA 2008-65)

CVE-2008-5508

   Chip Salzenberg discovered possible phishing attacks via URLs with
   leading whitespaces or control characters. (MFSA 2008-66)

CVE-2008-5510

   Kojima Hajime and Jun Muto discovered that escaped null characters
   were ignored by the CSS parser and could lead to the bypass of
   protection mechanisms. (MFSA 2008-67)

CVE-2008-5511

   It was discovered that it is possible to perform cross-site scripting
   attacks via an XBL binding to an unloaded document. (MFSA 2008-68)

CVE-2008-5512

   It was discovered that it is possible to run arbitrary JavaScript
   with chrome privileges via unknown vectors. (MFSA 2008-68)

CVE-2008-5513

   moz_bug_r_a4 discovered that the session-restore feature does not
   properly sanitise input leading to arbitrary injections. This issue
   could be used to perform an XSS attack or run arbitrary JavaScript
   with chrome privileges. (MFSA 2008-69)

For the stable distribution (etch) these problems have been fixed in
version 2.0.0.19-0etch1.

For the testing distribution (lenny) and the unstable distribution (sid)
these problems have been fixed in version 3.0.5-1. Please note iceweasel
in Lenny links dynamically against xulrunner.

We recommend that you upgrade your iceweasel package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities

2009-01-15 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1704secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
January 14, 2009  http://www.debian.org/security/faq
- 

Package: xulrunner
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2008-5500 CVE-2008-5503 CVE-2008-5506 CVE-2008-5507 
CVE-2008-5508 CVE-2008-5511 CVE-2008-5512

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2008-5500

   Jesse Ruderman discovered that the layout engine is vulnerable to
   DoS attacks that might trigger memory corruption and an integer
   overflow. (MFSA 2008-60)

CVE-2008-5503

   Boris Zbarsky discovered that an information disclosure attack could
   be performed via XBL bindings. (MFSA 2008-61)

CVE-2008-5506

   Marius Schilder discovered that it is possible to obtain sensitive
   data via an XMLHttpRequest. (MFSA 2008-64)

CVE-2008-5507

   Chris Evans discovered that it is possible to obtain sensitive data
   via a JavaScript URL. (MFSA 2008-65)

CVE-2008-5508

   Chip Salzenberg discovered possible phishing attacks via URLs with
   leading whitespaces or control characters. (MFSA 2008-66)

CVE-2008-5511

   It was discovered that it is possible to perform cross-site scripting
   attacks via an XBL binding to an unloaded document. (MFSA 2008-68)

CVE-2008-5512

   It was discovered that it is possible to run arbitrary JavaScript
   with chrome privileges via unknown vectors. (MFSA 2008-68)

For the stable distribution (etch) these problems have been fixed in
version 1.8.0.15~pre080614i-0etch1.

For the testing distribution (lenny) and the unstable distribution (sid)
these problems have been fixed in version 1.9.0.5-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


[Full-disclosure] [SECURITY] [DSA 1697-1] New iceape packages fix several vulnerabilities

2009-01-08 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1697-1  secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
January 07, 2009  http://www.debian.org/security/faq
- 

Package: iceape
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2008-0016 CVE-2008-0304 CVE-2008-2785 CVE-2008-2798 CVE-2008-2799
CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805
CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2810 CVE-2008-2811
CVE-2008-2933 CVE-2008-3835 CVE-2008-3836 CVE-2008-3837 CVE-2008-4058
CVE-2008-4059 CVE-2008-4060 CVE-2008-4061 CVE-2008-4062 CVE-2008-4065
CVE-2008-4067 CVE-2008-4068 CVE-2008-4069 CVE-2008-4070 CVE-2008-5012
CVE-2008-5013 CVE-2008-5014 CVE-2008-5017 CVE-2008-0017 CVE-2008-5021
CVE-2008-5022 CVE-2008-5500 CVE-2008-5503 CVE-2008-5506 CVE-2008-5507
CVE-2008-5508 CVE-2008-5511 CVE-2008-5512

Several remote vulnerabilities have been discovered in Iceape, an
unbranded version of the Seamonkey internet suite. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-0016

   Justin Schuh, Tom Cross and Peter Williams discovered a buffer
   overflow in the parser for UTF-8 URLs, which may lead to the
   execution of arbitrary code. (MFSA 2008-37)

CVE-2008-0304

   It was discovered that a buffer overflow in MIME decoding can lead
   to the execution of arbitrary code. (MFSA 2008-26)

CVE-2008-2785

   It was discovered that missing boundary checks on a reference
   counter for CSS objects can lead to the execution of arbitrary code.
   (MFSA 2008-34)

CVE-2008-2798

   Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
   crashes in the layout engine, which might allow the execution of
   arbitrary code. (MFSA 2008-21)

CVE-2008-2799

   Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
   the Javascript engine, which might allow the execution of arbitrary
   code. (MFSA 2008-21)

CVE-2008-2800

   moz_bug_r_a4 discovered several cross-site scripting vulnerabilities.
   (MFSA 2008-22)

CVE-2008-2801

   Collin Jackson and Adam Barth discovered that Javascript code
   could be executed in the context of signed JAR archives. (MFSA 2008-23)

CVE-2008-2802

   moz_bug_r_a4 discovered that XUL documents can escalate
   privileges by accessing the pre-compiled fastload file.
   (MFSA 2008-24)

CVE-2008-2803

   moz_bug_r_a4 discovered that missing input sanitising in the
   mozIJSSubScriptLoader.loadSubScript() function could lead to the
   execution of arbitrary code. Iceape itself is not affected, but
   some addons are. (MFSA 2008-25)

CVE-2008-2805

   Claudio Santambrogio discovered that missing access validation in
   DOM parsing allows malicious web sites to force the browser to
   upload local files to the server, which could lead to information
   disclosure. (MFSA 2008-27)

CVE-2008-2807

   Daniel Glazman discovered that a programming error in the code for
   parsing .properties files could lead to memory content being
   exposed to addons, which could lead to information disclosure.
   (MFSA 2008-29)

CVE-2008-2808

   Masahiro Yamada discovered that file URLs in directory listings
   were insufficiently escaped. (MFSA 2008-30)

CVE-2008-2809

   John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
   alternate names on self-signed certificates were handled
   insufficiently, which could lead to spoofing of secure connections.
   (MFSA 2008-31)

CVE-2008-2810

   It was discovered that URL shortcut files could be used to bypass the
   same-origin restrictions. This issue does not affect current Iceape,
   but might occur with additional extensions installed. (MFSA 2008-32)

CVE-2008-2811

   Greg McManus discovered a crash in the block reflow code, which might
   allow the execution of arbitrary code. (MFSA 2008-33)

CVE-2008-2933

   Billy Rios discovered that passing a URL containing a pipe symbol
   to Iceape can lead to Chrome privilege escalation. (MFSA 2008-35)

CVE-2008-3835

   moz_bug_r_a4 discovered that the same-origin check in
   nsXMLDocument::OnChannelRedirect() could be bypassed. (MFSA 2008-38)

CVE-2008-3836

   moz_bug_r_a4 discovered that several vulnerabilities in
   feedWriter could lead to Chrome privilege escalation. (MFSA 2008-39)

CVE-2008-3837

   Paul Nickerson discovered that an attacker could move windows
   during a mouse click, resulting in unwanted action triggered by
   drag-and-drop. (MFSA 2008-40)

CVE-2008-4058

   moz_bug_r_a4 discovered a vulnerability which can result in
   Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41)

CVE-2008-4059

   moz_bug_r_a4 discovered a vulnerability which

[Full-disclosure] [SECURITY] [DSA 1692-1] New php-xajax packages fix cross-site scripting

2008-12-27 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1692-1  secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
December 27, 2008 http://www.debian.org/security/faq
- 

Package: php-xajax
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-2739

It was discovered that php-xajax, a library to develop Ajax
applications, did not sufficiently sanitise URLs, which allows attackers
to perform cross-site scripting attacks by using malicious URLs.

For the stable distribution (etch) this problem has been fixed in
version 0.2.4-2+etch1.

For the testing (lenny) and unstable (sid) distributions this problem
has been fixed in version 0.2.5-1.

We recommend that you upgrade your php-xajax package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1688-1] New courier-authlib packages fix SQL injection

2008-12-21 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1688secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
December 20, 2008 http://www.debian.org/security/faq
- 

Package: courier-authlib
Vulnerability  : SQL injection
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-2380 CVE-2008-2667

Two SQL injection vulnerabilities have been found in courier-authlib,
the courier authentication library.  The MySQL database interface used
insufficient escaping mechanisms when constructing SQL statements,
leading to SQL injection vulnerabilities if certain charsets are used
(CVE-2008-2380).  A similar issue affects the PostgreSQL database
interface (CVE-2008-2667).

For the stable distribution (etch), these problems have been fixed in
version 0.58-4+etch2.

For the testing distribution (lenny) and the unstable distribution
(sid), these problems have been fixed in version 0.61.0-1+lenny1.

We recommend that you upgrade your courier-authlib packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

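The escaping failure the advisory describes, as an added Python example that is not courier-authlib's own code: a byte-oriented escaper beside a charset-aware one, plus a check that decodes the result in the connection charset and verifies the quoted literal cannot be terminated early. The charset (gbk), the sample logins and all function names are constructed for this illustration.

```python
# Constructed illustration of the bug class in CVE-2008-2380: escaping
# quotes at the byte level is not enough when the connection charset is
# multi-byte, because the inserted backslash can be absorbed as the trail
# byte of a multi-byte character. Not courier-authlib's own code.


def escape_bytes_naive(value: bytes) -> bytes:
    """Backslash-escape ' " \\ byte by byte, ignoring the charset."""
    out = bytearray()
    for b in value:
        if b in (0x27, 0x22, 0x5C):  # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_charset_aware(value: bytes, charset: str) -> bytes:
    """Decode in the connection charset first, escape per character,
    then re-encode. Malformed input raises UnicodeDecodeError and must
    be rejected by the caller instead of being spliced into SQL.
    (Parameterized queries remain the preferred fix.)"""
    text = value.decode(charset, errors="strict")
    escaped = "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)
    return escaped.encode(charset)


def literal_is_intact(escaped: bytes, charset: str) -> bool:
    """Simulate the server side: decode the escaped value in the
    connection charset and scan it as the body of a '...' literal.
    True means no unescaped quote occurs before the closing quote the
    query builder appends, so the literal cannot be closed early."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2  # escaped character: skip it
            continue
        if ch == "'":
            return False  # unescaped quote inside the literal
        i += 1
    return True


def build_lookup(login_escaped: bytes) -> bytes:
    """Constructed query shape; the table and column names are made up."""
    return b"SELECT id FROM users WHERE login='" + login_escaped + b"'"


def demo() -> dict:
    """Run both escapers over constructed inputs and report the checks."""
    charset = "gbk"
    # (a) well-formed GBK login containing a quote
    well_formed = "\u7528\u6237'".encode(charset)
    # (b) login ending in a lone GBK lead byte followed by a quote
    malformed = b"user\xbf'"
    result = {
        "naive_ok_on_well_formed": literal_is_intact(
            escape_bytes_naive(well_formed), charset),
        "naive_ok_on_malformed": literal_is_intact(
            escape_bytes_naive(malformed), charset),
        "aware_ok_on_well_formed": literal_is_intact(
            escape_charset_aware(well_formed, charset), charset),
    }
    try:
        escape_charset_aware(malformed, charset)
        result["aware_rejects_malformed"] = False
    except UnicodeDecodeError:
        result["aware_rejects_malformed"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(build_lookup(escape_charset_aware(b"o'brien", "gbk")))
```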

[Full-disclosure] [SECURITY] [DSA 1685-1] New uw-imap packages fix multiple vulnerabilities

2008-12-12 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1685-1  secur...@debian.org
http://www.debian.org/security/   Steffen Joeris
December 12, 2008 http://www.debian.org/security/faq
- 

Package: uw-imap
Vulnerability  : buffer overflows, null pointer dereference
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-5005 CVE-2008-5006

Two vulnerabilities have been found in uw-imap, an IMAP
implementation. The Common Vulnerabilities and Exposures project
identifies the following problems:

It was discovered that several buffer overflows can be triggered via a
long folder extension argument to the tmail or dmail program. This
could lead to arbitrary code execution (CVE-2008-5005).

It was discovered that a NULL pointer dereference could be triggered by
a malicious response to the QUIT command leading to a denial of service
(CVE-2008-5006).

For the stable distribution (etch), these problems have been fixed in
version 2002edebian1-13.1+etch1.

For the unstable distribution (sid) and the testing distribution
(lenny), these problems have been fixed in version 2007d~dfsg-1.

We recommend that you upgrade your uw-imap packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---


[Full-disclosure] [SECURITY] [DSA 1678-1] New perl packages fix privilege escalation

2008-12-03 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1678-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Steffen Joeris
December 03, 2008 http://www.debian.org/security/faq
- 

Package: perl
Vulnerability  : design flaws
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2008-5302 CVE-2008-5303
Debian Bug : 286905 286922

Paul Szabo rediscovered a vulnerability in the File::Path::rmtree
function of Perl. It was possible to exploit a race condition to create
setuid binaries in a directory tree or remove arbitrary files when a
process is deleting this tree.  This issue was originally known as
CVE-2005-0448 and CVE-2004-0452, which were addressed by DSA-696-1 and
DSA-620-1. Unfortunately, they were reintroduced later.

For the stable distribution (etch), these problems have been fixed in
version 5.8.8-7etch5.

For the unstable distribution (sid), these problems have been fixed in 
version 5.10.0-18 and will migrate to the testing distribution (lenny) 
shortly.

We recommend that you upgrade your perl packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

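A recursive delete that closes the race the advisory describes (an entry under the tree being swapped for a symlink while the tree is being removed), as an added Python example rather than Perl's File::Path::rmtree or its fix: every entry is inspected and removed relative to an open directory descriptor, symlinks are never followed, inode identity is re-checked after opening, and no chmod is performed, so nothing outside the tree can be modified or deleted. The demo() tree and the function names are constructed.

```python
# Constructed example of a symlink-race-resistant tree removal, written
# against POSIX dir_fd support (Linux/macOS). It is not File::Path's code.
import os
import stat
import tempfile


def _rm_children(dfd: int) -> None:
    """Delete everything below the directory open as descriptor dfd.
    Names are resolved relative to dfd, so a rename of an ancestor
    cannot redirect the deletion elsewhere."""
    for name in os.listdir(dfd):
        st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
        if stat.S_ISDIR(st.st_mode):
            # O_NOFOLLOW fails (ELOOP) if a symlink was swapped in after
            # the lstat above, which is exactly the window rmtree lost.
            cfd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dfd)
            try:
                cst = os.fstat(cfd)
                if (cst.st_dev, cst.st_ino) != (st.st_dev, st.st_ino):
                    raise RuntimeError(f"{name}: replaced during deletion")
                _rm_children(cfd)
            finally:
                os.close(cfd)
            os.rmdir(name, dir_fd=dfd)
        else:
            # Symlinks are unlinked as links; their targets are untouched.
            # No chmod is attempted, so permission bits outside our
            # control are never changed (the setuid angle in the advisory).
            os.unlink(name, dir_fd=dfd)


def safe_rmtree(path: str) -> None:
    """Remove the directory tree at path without following symlinks."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    dfd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        cst = os.fstat(dfd)
        if (cst.st_dev, cst.st_ino) != (st.st_dev, st.st_ino):
            raise RuntimeError(f"{path}: replaced during deletion")
        _rm_children(dfd)
    finally:
        os.close(dfd)
    os.rmdir(path)


def demo() -> dict:
    """Build a constructed tree containing a symlink to a directory
    outside it, delete the tree, and report what survived."""
    outside = tempfile.mkdtemp()
    victim = os.path.join(outside, "victim")
    open(victim, "w").close()
    tree = tempfile.mkdtemp()
    os.makedirs(os.path.join(tree, "a", "b"))
    open(os.path.join(tree, "a", "b", "f"), "w").close()
    os.symlink(outside, os.path.join(tree, "a", "link"))
    safe_rmtree(tree)
    result = {
        "tree_gone": not os.path.lexists(tree),
        "victim_intact": os.path.exists(victim),
    }
    os.unlink(victim)
    os.rmdir(outside)
    return result


if __name__ == "__main__":
    print(demo())
```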