package: webkit
version: 1.0.1-4
severity: grave
tags: security
hello,
webkit has recently been hit by a deluge of security issues [1],[2].
i've been trying to figure out the state of these problems and where
debian is affected, but apple's security announcements have been
notoriously sparse.
th
Package: pidgin
Version: 2.4.3-4lenny2
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pidgin.
CVE-2009-1889[0]:
| The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets
| the ICQWebMessage message type as the ICQS
fixed 533347 1.0.8-1
thanks
some more info about this issue can be found here [1]. please
coordinate with the security team to prepare updated packages for the
stable releases. thanks.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=501929
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ..
package: dillo
version: 0.8.5-4
severity: serious
tags: security
hello,
it has been found that dillo is vulnerable to an integer overflow. the
text of the problem is:
|Dillo, an open source graphical web browser, suffers from an integer
|overflow which may lead to a potentially exploitable heap
reopen 532522
forwarded 532522 http://www.dillo.org/bugtrack/Dquery.html
thanks
forwarded 532519 https://bugs.kde.org/show_bug.cgi?id=198971
thanks
forwarded 532516 https://bugzilla.mozilla.org/show_bug.cgi?id=502420
thanks
forwarded 532514 https://bugs.webkit.org/show_bug.cgi?id=26972
thanks
hello,
i just encountered this problem after upgrading xorg in unstable as
well. i use the dvorak keyboard, but now gdm and x have switched to
qwerty by default. i have tried reverting to libxi6 1.1.4 from
testing, but that did not solve the problem. i also tried setting up
the following in /etc
reopen 534973
fixed 534973 1:1.5.2-5
thanks
hello,
please assist the security team to prepare updates for this issue in
the stable releases. thank you.
mike
hello,
this issue is a target for the next etch/lenny point releases. please
coordinate with the security team to help them prepare updated
packages for the stable distributions. thanks.
mike
Package: cups
Version: 1.3.8-1+lenny6
Severity: serious
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.
CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to c
Package: cupsys
Version: 1.2.7-4etch6
Severity: serious
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.
CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to c
On Thu, 25 Jun 2009 22:33:10 + Moritz Muehlenhoff wrote:
> lynx supports neither Javascript nor multipart/form-data, so it's not
> affected.
i am trying to track the deeper cause here (the fact that all of the
web browsers use a predictable PRNG), rather than the symptom (this
particular explo
package: request-tracker3.4
version: 3.4.5-2
tags: security , patch
severity: normal
hello,
there is a security weakness in request-tracker. see [1] for
description and patches. this bug is to track version 3.4, which is
still in etch. please check to see whether this version is affected or
no
package: request-tracker3.6
version: 3.6.1-4
tags: security , patch
severity: normal
hello,
there is a security weakness in request-tracker. see [1] for
description and patches. this is already fixed in unstable, but
stable/oldstable are still vulnerable. please coordinate with the
security te
On Wed, 24 Jun 2009 22:41:35 +0200, Frank Lin PIAT wrote:
> I couldn't find any announcement of such announcement on RedHat/Google.
> Do you have some pointer?
i was mistaken, it was the FSA that i was referring to (i tend to
equate redhat and fedora). there have been no updates to redhat-proper
On Sat, 20 Jun 2009 18:15:16 +0200, Frank Lin PIAT wrote:
> I have analyzed the code, and made some test. It seems that there is no
> such "ACL vulnerability". Actually it doesn't even seems to be a bug:
> The developers seems to have decided to change the behavior of ACLs in
> moinmoin:
redhat di
Package: libpng
Version: 1.2.15~beta5-1+etch2
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpng.
CVE-2009-2042[0]:
| libpng before 1.2.37 does not properly parse 1-bit interlaced images
| with width values that are not divisibl
package: moin
version: 1.5.3-1.2etch2
severity: important
tags: security , patch
hello,
moin in stable/oldstable has a hierarchical ACL vulnerability. this
is fixed in upstream 1.8.4, which is already in unstable. see [1].
please coordinate fixes with the security team.
[1] http://hg.moinmo.in
package: pcsc-lite
version: 1.3.2-5
severity: important
tags: security , patch
hello,
pcsc-lite creates a world-writable directory. see [1] for info, and it
looks like there has already been a debian patch [2], so unstable may
already be fixed. please coordinate fixes for the stable distribution
package: apache2
version: 2.2.3-4+etch6
severity: important
tags: security
hello,
this package is supposedly vulnerable to something called a
"slowloris" denial-of-service attack. please check to see whether
this is a correct assessment. see [1],[2] for more info. thanks.
[1] http://ha.ckers.
reopen 532689
thank you
this bug isn't entirely fixed yet since stable is still affected.
please coordinate with the security team to prepare updates for lenny.
thanks.
mike
since this is a minor issue, would you be interested in pushing out
fixes for this problem in a stable proposed update? if so, please
contact the security team.
mike
CVE-2008-4723 is the wrong CVE, which is for firefox. it should be
CVE-2008-4724
reopen 520052
found 520052 1.0.1-4
fixed 520052 1.1.7-1
thanks
yes, i, as the original reporter, spent a non-insignificant amount of
time to determine that webkit is indeed affected. in fact, i believe
that my description in the original report is very complete and
describes the extent of the pro
this is CVE-2009-1389. patches available[1].
[1] http://git.kernel.org/linus/fdd7b4c3302c93f6833e338903ea77245eb510b4
Package: linux-2.6
Version: FILLINAFFECTEDVERSION
Severity: important
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for linux-2.6.
CVE-2009-1914[0]:
| The pci_register_iommu_region function in
| arch/sparc/kernel/pci_common.c in the Linux kerne
Package: linux-2.6
Severity: important
Version: 2.6.18.dfsg.1-24 (and newer)
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for linux-2.6.
CVE-2009-1385[0]:
| Integer underflow in the e1000_clean_rx_irq function in
| drivers/net/e1000/e1000_main
found 532720 1.0.2-1+etch2
thank you
note bug report on CVE-2008-3834 is here: http://bugs.debian.org/501433
Package: dbus
Version: 1.2.1-5
Severity: grave
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dbus.
CVE-2009-1189[0]:
| The _dbus_validate_signature_with_reason function
| (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses
| in
package: webkit
severity: serious
tags: security
hello,
it has been discovered that all of the major web browsers use a
predictable pseudo-random number generator (PRNG). please see
reference [0]. the robust solution is to switch to a provably
unpredictable PRNG such as Blum Blum Shub [1,2].
[0
reopen 517639
found 517639 1.8.7.72-3
found 517639 1.8.5-4etch4
thank you
hi,
this bug is still present in the stable releases. please coordinate
with the security team (t...@security.debian.org) to prepare updated
packages. thanks.
package: ecryptfs-utils
version: 68-1
version: 75-1
severity: serious
tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ecryptfs-utils.
CVE-2009-1296[0]:
|Chris Jones discovered that the eCryptfs support utilities would
|report the mount passphrase int
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1~lenny1 0.10.4-4
Severity: serious
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gstreamer0.10-plugins-good.
CVE-2009-1932[0]:
| Multiple integer overflows in the (1) user_info_callback,
Subject: RFP: maniadrive -- 3D stunt driving game
Package: wnpp
Severity: wishlist
* Package name: maniadrive
Version : 1.2
Upstream Author : #raydium on irc.freenode.net
* URL : http://maniadrive.raydium.org/
* License : GPL
Programming Lang: C, PHP
Descrip
reopen 467237
found 467237 2.27.2-2
thank you
this bug has been improved, but still exists. middle-click will open
tabs in new windows, but there is no "open link in new tab" option in
the right-click menu.
package: cacti
version: 0.8.6i-3.4
tags: security
hello, there is an xss vulnerability in etch's version of cacti [1].
this was fixed in 0.8.7b, which is already in lenny and sid.
[1] http://openwall.com/lists/oss-security/2009/05/15/1
package: openoffice.org-common
severity: grave
version: 1:3.1.0-2
the latest version of openoffice will not install because a mkdir
fails:
mkdir: cannot create directory '/var/lib/openoffice/share/config': No
such file or directory
if i manually create the directory, the installation works:
$
Package: linux-2.6
Version: 2.6.26
Severity: important
Tags: security patch
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for linux-2.6.
CVE-2009-1360[0]:
| The __inet6_check_established function in net/ipv6/inet6_hashtables.c
| in the Linux kernel before 2.6.29, wh
On Mon, 18 May 2009 11:52:04 -0600, dann frazier wrote:
> On Mon, May 18, 2009 at 01:28:56PM -0400, Michael S. Gilbert wrote:
> > Package: linux-2.6
> > Version: 2.6.26-15lenny2
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > Th
tag 529326 patch
thank you
note that this affects the lenny and squeeze versions of the kernel
(2.6.26). even though the kernel changelog says that this problem only
affects 2.6.28, it actually affects any version before 2.6.28.9 that has
ecryptfs.
patches are available here:
http://git.kernel.o
Package: linux-2.6
Version: 2.6.26-15lenny2
Severity: important
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for linux-2.6.
CVE-2009-0787[0]:
| The ecryptfs_write_metadata_to_contents function in the eCryptfs
| functionality in the Linux kernel 2.6.2
On Mon, 18 May 2009 06:49:48 +0200, Ola Lundqvist wrote:
> Thanks. However this applies only to the windows version as that
> functions do not even exist in the linux/unix version.
ok, yes, i see that now. thanks.
Package: linux-2.6
Severity: important
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for linux-2.6.
CVE-2007-6514[0]:
| Apache HTTP Server, when running on Linux with a document root on a
| Windows share mounted using smbfs, allows remote attackers to
package: drupal5
severity: important
tags: security
version: 5.17-1
hi,
a cross-site scripting vulnerability has been discovered in drupal. see
[1].
please coordinate with the security team to prepare fixes for the
stable releases.
thanks.
[1] http://drupal.org/node/461886
package: drupal6
severity: important
tags: security
version: 6.11-1 6.6-3
hi,
a cross-site scripting vulnerability has been discovered in drupal. see
[1].
please coordinate with the security team to prepare fixes for the
stable releases.
thanks.
[1] http://drupal.org/node/461886
this is CVE-2008-0388:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0388
On Fri, 15 May 2009 20:50:47 +0200, Nico Golde wrote:
> Hi,
> * Michael S. Gilbert [2009-05-15 19:45]:
> > On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which was file
On Fri, 15 May 2009 20:15:49 +0200, Andreas Metzler wrote:
> On 2009-05-15 "Michael S. Gilbert" wrote:
> > On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which w
On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the gnutls26 package:
>
> #528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability
does it make sense to close this bug since
On Fri, 15 May 2009 14:18:26 +0200, Nico Golde wrote:
> Package: eggdrop
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> turns out my patch has a bug in it which opens this up for a
> buffer overflow again in case strlen(ctcpbuf) returns 0:
> http://www.gossamer-th
On Tue, 12 May 2009 16:53:41 -0500, Jamie Strandboge wrote:
> Package: cron
> Version: 3.0pl1-105
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu jaunty ubuntu-patch
>
> Hi,
>
> I was reviewing a list of
On Tue, 12 May 2009 13:54:10 +0100, Dominic Hargreaves wrote:
> Hi,
>
> I wondered if any fix is likely to be available for CVE-2008-5519
> (information disclosure, looks potentially quite severe) any time
> soon or if any more help is needed?
hi,
no one has claimed this (that i've seen), and th
Package: gnutls26
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for gnutls26.
CVE-2009-1417[0]:
| gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and
| expiration times of X.509 certificates, which allows remote atta
Package: zoneminder
Severity: normal
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for zoneminder.
CVE-2008-6755[0]:
| ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to
| the apache user account, and sets the permissions to 0600, wh
hello all,
any news on the patches for ghostscript in stable (CVE-2007-6725,
CVE-2008-6679, and CVE-2009-0196)? these issues have been sitting
unfixed for quite a while now. thanks.
mike
Package: opensc
Severity: grave
Tags: security
Tags: patch
Hi,
There is a vulnerability in opensc. Details are:
| The security problem in short: you need a combination of
| 1.) a tool that starts a key generation with public exponent set to 1
| (an invalid value that causes an insecure rsa
On Fri, 8 May 2009 10:46:16 +0200 Pierre Chifflier wrote:
> While I appreciate the effort of checking security related things, I'll
> just point out that the verification was fairly trivial:
thanks for the info. i've found that it is often more effective to
defer to the expertise of the maintaine
package: pango
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for pango1.0.
CVE-2009-1194[0]:
|Pango is a library for laying out and rendering text, with an emphasis
|on internationalization. Pango suffers from a multiplicative integer
Package: mpfr
Severity: important
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for mpfr.
CVE-2009-0757[0]:
| Multiple buffer overflows in GNU MPFR 2.4.0 allow context-dependent
| attackers to cause a denial of service (crash) via the (1)
| mpfr_snpri
Package: prewikka
Severity: important
Tags: security
Hi,
Redhat recently issued security updates for prewikka [0] because the
password file is world readable. The text of the issue is:
| The permissions on the prewikka.conf file are world readable and contain the sql
| database password used b
this bug is submitted to provide a place to discuss/track triage your
spu/ospu update for this issue.
package: prelude-manager
tags: security
severity: important
hello,
fedora recently released a security update for prelude-manager [1].
the text of the issue is:
The configuration file of prelude-manager contains a database password
and is world readable. This update restricts permissions to
On Sat, 2 May 2009 15:37:52 +0200 Aurelien Jarno wrote:
> This is fixed in the lenny branch of the SVN.
great to hear. do you plan to work with the security team to issue a
DSA for this one, or is it minor enough that it would make more sense
to do it in an spu?
it looks like webkit is tagged as not-affected for CVE-2008-3950 in
the security tracker [1], but there has been no discussion on the matter
in this report. is the tracker data accurate? and if so, i think that
this bug can safely be closed.
mike
[1] http://security-tracker.debian.net/tracker/CVE
package: bugs.debian.org
severity: wishlist
hello,
i've recently been submitting some bugs related to security issues in
the stable releases that already have fixes in testing/unstable. i
would like to be able to tag this information at the time that i submit
the report, but it is currently not
Package: clamav
Severity: important
Tags: security
Tags: fixed 0.95+dfsg-1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for clamav.
CVE-2009-1241[0]:
| Unspecified vulnerability in ClamAV before 0.95 allows remote
| attackers to bypass detection of malware via a mod
Package: clamav
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for clamav.
CVE-2008-5525[0]:
| ClamAV 0.94.1 and possibly 0.93.1, when Internet Explorer 6 or 7 is
| used, allows remote attackers to bypass detection of malware in an
|
Package: qemu
Severity: important
Tags: security
Tags: fixed 0.9.1+svn20081101-1
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for qemu.
CVE-2008-4539[0]:
| Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM
| before kvm-82 and (2) QEMU on Debian
fixed 526013 0.9.1-5
thanks
i should have mentioned that qemu > 0.9.1-5 is already in lenny, so the
security update will need to be for etch only.
Package: qemu
Severity: important
Tags: security
Fixed: 0.9.1-5
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for qemu.
CVE-2008-1945[0]:
| QEMU 0.9.0 does not properly handle changes to removable media, which
| allows guest OS users to read arbitrary files on the h
CVE-2009-0579 looks like a good candidate for a stable/old-stable
proposed update since it's not really a security issue, but it would be
good for the package to adhere to the administrator's desired policy.
please coordinate with the security team (t...@security.debian.org) if
you plan to work on
fyi, ubuntu issued a usn [1] for this issue. not sure if any of their
work may be useful to you.
[1] http://www.ubuntu.com/usn/USN-761-1
On Tue, 21 Apr 2009 23:54:36 +0200 Nico Golde wrote:
> Hi,
> turns out CVE-2008-6679 also is fixed since 8.64.
> The only unfixed issue in this report is CVE-2009-0196.
>
> Michael, please better check the code next time, this would
> have save me a lot of time this evening.
I apologize. I ha
On Sun, 26 Apr 2009 10:17:22 +0200 Moritz Muehlenhoff wrote:
> On Wed, Feb 25, 2009 at 12:38:12AM -0500, Michael Gilbert wrote:
> > does this problem (with cookies) really affect the version of webkit in
> > debian, which does not currently support cookies (or more accurately
> > the libraries in
does this bug affect php4 at all? asking to determine whether a dsa
needs to be issued for php4 in etch. thanks.
mike
On Sat, 25 Apr 2009 01:15:11 + Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the nautilus package:
>
> #515104: nautilus: potential exploits via application launchers
awesome! any chance of backporting this to lenny
On Thu, 23 Apr 2009 21:54:14 +0200, Josselin Mouette wrote:
> > i presume that a new install via debian-installer does not circumvent
> > apt's default behavior. is there any reason to think that this is not
> > the case?
>
> It is disabled during initial installation, but even if it wasn’t, and
On Thu, 23 Apr 2009 16:41:07 +0200, Emilio Pozuelo Monfort wrote:
> Michael S. Gilbert wrote:
> > recommends are now automatically installed, so this shouldn't happen too
> > often.
>
> Except for new installs AFAIK.
i presume that a new install via debian-installer
On Wed, 22 Apr 2009 11:31:44 +0200, Josselin Mouette wrote:
> > Maybe if evince doesn't fail miserably if libspectre1 or other dependencies
> > of
> > the backends aren't found, we could exclude them from Depends and put them
> > on
> > Recommends, or maybe split the backends into separate packag
On Tue, 21 Apr 2009 17:21:20 +0200, Emilio Pozuelo Monfort wrote:
> Michael S. Gilbert wrote:
> > On Tue, 21 Apr 2009 11:49:57 +0200, Emilio Pozuelo Monfort wrote:
> >> Michael Gilbert wrote:
> >>> it seems like ghostscript support in evince is a bonus feature (rathe
On Tue, 21 Apr 2009 11:49:57 +0200, Emilio Pozuelo Monfort wrote:
> Michael Gilbert wrote:
> > it seems like ghostscript support in evince is a bonus feature (rather
> > a core component). it would be nice if the libgs8 dependency were
> > treated as recommends instead of a depends. this is espec
On Mon, 20 Apr 2009 12:52:28 +0200, Thijs Kinkhorst wrote:
> On Mon, April 20, 2009 06:15, Michael S. Gilbert wrote:
> > i was looking at the link as provided in redhat's announcement. this
> > seems to be CVE-2009-1285, which debian is already tracking as
> >
i was looking at the link as provided in redhat's announcement. this
seems to be CVE-2009-1285, which debian is already tracking as
unimportant. however, the phpmyadmin page considers the issue to be
critical. perhaps the debian severity is too low?
mike
Wouter Verhelst wrote:
> There are several ways in which a local attacker can get root access.
> 'init=/bin/bash'. boot with the 'emergency' option (which causes
> sysvinit to do almost the same thing as 'init=/bin/bash'). Boot a
> live-CD, chroot into the target system. Worst case, remove the disk
On Thu, 16 Apr 2009 23:50:54 -0600 dann frazier wrote:
> > > The support for dynamically loadable kernel modules in Linux can be
> > > abused similarly. Does that make it a "grave security issue"?
> >
> > probably...at least until someone comes up with a secure way to do it.
>
> Oh, come on.
>
package: cups
severity: grave
tags: security
hello,
redhat recently patched the following cups [0], xpdf [1], and
kdegraphics[2] issues:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183
these are
package: poppler
severity: grave
tags: security
hello,
ubuntu recently patched the following poppler issues [0]:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
the
package: mplayer
severity: important
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for mplayer.
CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows remote
| atta
package: phpmyadmin
severity: important
tags: security
hello,
fedora issued a security update for phpmyadmin [0]:
Improvements for 3.1.3.2: - [security] Insufficient output sanitizing
when generating configuration file
http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php
does th
package: ghostscript
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for ghostscript.
CVE-2007-6725[0]:
| The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly
| other versions, allows remote attackers to cause a denial
package: ntop
severity: important
tags: security
hello,
fedora issued the following as a security update for ntop [0]:
ls -lh /var/log/ntop/access.log
-rw-rw-rw- 1 root root 0 2009-02-04 11:53 /var/log/ntop/access.log
Fixed.
log world-writable when the --access-log- file option
package: ffmpeg-debian
severity: important
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for ffmpeg-debian.
CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows r
On Fri, 10 Apr 2009 18:18:00 +0100 Darren Salt wrote:
> This does not apply to xine-lib. You mean CVE-2009-0698, which is fixed in
> unstable (and should soon be fixed in, at least, stable too; it probably
> applies to oldstable too, but I've not looked yet).
not that i nor anyone else should trus
fyi, see upstream changelog as well:
http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233
this is the only libquantum3 bug on its page [1]. maybe you can get the
bugs.debian.org maintainers to change their presentation to include all
source bugs when looking at the binary package pages?
[1] http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libquantum3
On Sun, 19 Apr 2009 12:18:06 +0100
btw, redhat-based distros are thought to be invulnerable to these
attacks due their incorporation of execshield (in particular, due to
address space randomization). perhaps it's high time that debian
consider doing the same?
i know that execshield is not in the vanilla kernel, but when it comes
to
reopen 524373
thanks
On Thu, 16 Apr 2009 16:53:38 -0400 Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 04:21:10PM -0400, Michael S. Gilbert wrote:
> >
> > i think that any flaw that allows an attacker to elevate his pwnage from
> > root to hidden should always be consid
On Thu, 16 Apr 2009 12:43:07 -0400, Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 11:55:05AM -0400, Michael S. Gilbert wrote:
> > as seen in recent articles and discussions, the linux kernel is
> > currently vulnerable to rootkit attacks via the /dev/mem device. one
> >