@@
+libapache2-mod-authnz-external (3.2.4-2.1) unstable; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Fix SQL injection via the $user paramter (Closes: #633637)
+Fixes: CVE-2011-2688
+
+ -- Steffen Joeris wh...@debian.org Mon, 18 Jul 2011 10:26:11 +1000
+
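Review bot: the entry `* Fix SQL injection via the $user paramter (Closes: #633637)` has a typo, `paramter` should read `parameter`; since this changelog text ships in the package and is what users will read about CVE-2011-2688, it is worth correcting before upload.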
libapache2-mod
Hi Amaya,
Steffen Joeris wrote:
I had a quick look and didn't see that code included in Debian. As far
as I can see the package has the same version in all suites, or am I
missing anything?
Oh, $DEITY, you are absolutely right, I looked at a locally patched
version and confused
Package: libav
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) ids were
published for libav.
CVE-2011-2162[0]:
| Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
| used in MPlayer 1.0
Package: openswan
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for openswan.
CVE-2011-2147[0]:
| Openswan 2.2.x does not properly restrict permissions for (1)
| /var/run/starter.pid,
Package: libruby1.9.1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136
Package: ruby1.9
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136 and
Package: ruby1.8
Version: 1.8.7.334-5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
|
Package: python3.1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for python3.1.
CVE-2011-1521[0]:
| The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x
| before 3.2.1 process
Package: python2.6
Version: 2.6.6-10
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for python2.6.
CVE-2011-1521[0]:
| The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x
|
Package: erlang
Severity: grave
Tags: security
Hi,
Please see http://www.kb.cert.org/vuls/id/178990 for all the information.
The upstream patch can be reviewed here:
https://github.com/erlang/otp/commit/f228601de45c5
Cheers,
Steffen
by the security team
+ * Fix cross-site scripting via the fm parameters (Closes: #598584)
+Fixes: CVE-2010-3695
+
+ -- Steffen Joeris wh...@debian.org Sun, 27 Mar 2011 20:42:56 +1100
+
imp4 (4.2-4lenny2) stable; urgency=low
* Backport patches from Horde CVS (http://bugs.horde.org/ticket/8836
Hi,
On Wed, Dec 08, 2010 at 09:03:17PM +, Adam D. Barratt wrote:
On Wed, 2010-12-08 at 21:10 +0100, Moritz Muehlenhoff wrote:
Please unblock package collectd. Judging by the changelog
4.10.1-1+squeeze1 and 4.10.1-2 look alike, but for some reason Steffen
NMUd the unstable version.
=high
+
+ * Non-maintainer upload by the security team
+ * Fix DoS in RRD file creation (Closes: #605092)
+Fixes: CVE-2010-4336
+Thanks to Florian Forster
+
+ -- Steffen Joeris wh...@debian.org Wed, 08 Dec 2010 17:45:50 +1100
+
collectd (4.10.1-2) unstable; urgency=medium
* debian
severity 603749 normal
thx
It seems that the vulnerable file was introduced after 1.2.6, which is
currently in sid. So as long as a fixed version is uploaded next, everything
should be fine.
Cheers,
Steffen
team
+ * Fix DoS due to wrong string handling (Closes: #596086)
+Fixes: CVE-2010-3072
+
+ -- Steffen Joeris wh...@debian.org Mon, 13 Sep 2010 17:07:51 +1000
+
squid3 (3.1.6-1) unstable; urgency=low
* New upstream release
diff -u squid3-3.1.6/debian/patches/00list squid3-3.1.6/debian
Hi Sam
Could you prepare updated packages for lenny and send a debdiff? We'll need to
release a DSA for this issue.
Cheers
Steffen
Hi Hideki
Indeed this should be fixed via a DSA and for unstable as well.
I am still having slight problems understanding the XSS issue here.
Apparently, to_native() is converting it to another encoding, but shouldn't it
do some escaping of certain characters to avoid having the usual html
Hi Hideki
Thanks for the information. Have you been able to reproduce the problem with
IE and checked the patch?
Cheers
Steffen
On Sun, 7 Mar 2010 19:10:12 +1100
Steffen Joeris steffen.joe...@skolelinux.de wrote:
Apparently, to_native() is converting it to another encoding
On Mon, 8 Mar 2010 03:01:39 am Hideki Yamane wrote:
Hi Steffen,
On Sun, 7 Mar 2010 21:47:53 +1100
Steffen Joeris steffen.joe...@skolelinux.de wrote:
Thanks for the information. Have you been able to reproduce the problem
with IE and checked the patch?
with IE6 and IE8, I cannot
Hi Mirco
Hi
GMime upstream has released latest 2.4.15 [1] version of the
library fixing one security issue. From 2.4.15-changes [2] file:
2010-01-31 Jeffrey Stedfast f...@novell.com
* gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to
prevent possible buffer
Hi Andres
I've read your previous comments to the bugreport, but wanted to stress the
point that it will not be acceptable for mediabomb to use an internal copy of
prototypejs. We do not want a version of the package in squeeze that does not
use the system wide prototypejs. I understand that
Package: libgmime-2.0-2a
Severity: grave
Tags: security patch
Hi
GMime upstream has released latest 2.4.15 [1] version of the
library fixing one security issue. From 2.4.15-changes [2] file:
2010-01-31 Jeffrey Stedfast f...@novell.com
* gmime/gmime-encodings.h (GMIME_UUENCODE_LEN):
reopen 559531
severity 559531 important
thanks
Hi
MSA-09-0025 and MSA-09-0029 don't seem to be fixed. Both issues are minor
security issues, so I am lowering the severity.
Cheers
Steffen
-1.9.4/debian/changelog
--- audiere-1.9.4/debian/changelog
+++ audiere-1.9.4/debian/changelog
@@ -1,3 +1,11 @@
+audiere (1.9.4-3.1) unstable; urgency=low
+
+ * Non-maintainer upload
+ * Fix FTBFS with GCC 4.4 (Closes: #505122)
+Thanks to Martin Michlmayr
+
+ -- Steffen Joeris wh...@debian.org
Package: courier-maildrop
Severity: important
Hi
During the last DSA I realised that we have a maildrop and a
courier-maildrop package in debian. Both have the same code and the only
difference afaik are some configure options and maybe a different build
system. However, I don't see a reason for
Hi
FYI, this issue has been assigned CVE-2010-0301.
Cheers
Steffen
descriptors
+Thanks to Julien Cristau
+
+ -- Steffen Joeris wh...@debian.org Fri, 29 Jan 2010 14:30:27 +0100
+
hybserv (1.9.2-4) unstable; urgency=low
* Update 01_fhs+mkdirfix.dpatch:
diff -u hybserv-1.9.2/debian/hybserv.postinst hybserv-1.9.2/debian/hybserv.postinst
--- hybserv-1.9.2
Hi
For the record, this issue got CVE-2010-0303 assigned.
Cheers
Steffen
severity 554788 serious
thanks
Hi
This bug caused the regression on the last DSA and dpkg-shlibdeps is still not
able to set a proper dependency on courier-authlib. This might be fixed for
maildrop by a hard dependency, but this is not the way to go. Please fix this
issue for squeeze and IMHO
Package: oftc-hybrid
Severity: grave
Tags: security patch
Hi
Please include the patch from DSA-1980-1, which fixes an integer
underflow (patch attached).
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c
@@ -103,7 +103,9 @@
}
Package: ircd-ratbox
Severity: grave
Tags: security patch
Hi
DSA-1980-1 has fixed two issues in ircd-ratbox, patches attached. Please
include them in the next upload.
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c
@@ -103,7 +103,9
Package: ircd-hybrid
Version: 1:7.2.2.dfsg.2-6.1
Severity: grave
Tags: security patch
Hi
DSA-1980-1 has fixed an issue in ircd-hybrid, patch attached. Please
include this patch in your next upload.
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++
dependency in init LSB header to use $network rather than
+$local_fs to make sure networking is available during boot and to
+make the package installation work again (Closes: #563784)
+Thanks to Petter Reinholdtsen
+
+ -- Steffen Joeris wh...@debian.org Sat, 23 Jan 2010 13:08:40 +0100
Hi
Unfortunately, the package still doesn't work, but please find the patch for
the initialising error from the newer compiler below.
Cheers
Steffen
--- insight-6.7.1.dfsg.1.orig/gdb/eval.c
+++ insight-6.7.1.dfsg.1/gdb/eval.c
@@ -1627,6 +1627,8 @@
if (nargs != ndimensions)
Hi Andrew
Following up on this bugreport, if I take the current argus-server package
from unstable and try to rebuild it, I'll end up without the argus (or
argus_linux) binary in the package[0]. There seems to be a change in the
libpcap package's API. Also, you've used the pcap_read() and
-16.1) unstable; urgency=low
+
+ * Non-maintainer upload
+ * Use pcap_dispatch() rather than the private functions
+pcap_offline_read()/pcap_read() and fix a few compilation errors
+(Closes: #557807)
+
+ -- Steffen Joeris wh...@debian.org Fri, 22 Jan 2010 15:16:59 +0100
+
argus (1:2.0.6
by adjusting configure.ac and debian/rules
+(Closes: #565287) Thanks to Peter Green
+
+ -- Steffen Joeris wh...@debian.org Fri, 22 Jan 2010 21:39:05 +0100
+
gwget2 (1.0.4-1) unstable; urgency=low
* New upstream release. Closes: #533658, #552715.
diff -u gwget2-1.0.4/debian/rules gwget2
GCC compiler (Closes: #505626)
+Thanks to Martin Michlmayr
+
+ -- Steffen Joeris wh...@debian.org Fri, 22 Jan 2010 23:08:35 +0100
+
mm3d (1.3.7-1.1) unstable; urgency=low
* Non-maintainer upload.
only in patch2:
unchanged:
--- mm3d-1.3.7.orig/src/mm3dcore/tool.h
+++ mm3d-1.3.7/src
Package: gzip
Version: 1.3.12-8
Severity: grave
Tags: security patch
Hi Bdale, Carl
Carl, I saw too late that you're a new co-maintainer so I only
forwarded the pre-notification to Bdale (who is probably busy at LCA).
i
the following CVE (Common Vulnerabilities Exposures) id was
published for
Hi Christoph
I've prepared an NMU for dc-qt (versioned as 0.2.0.alpha-4.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Thanks for your work.
I am not really maintaining the package anymore. I guess I should check
whether the alternatives are good
Hi Adam
These issues have been assigned CVE ids, see below:
CVE-2009-4214[0]:
| Cross-site scripting (XSS) vulnerability in the strip_tags function in
| Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
| attackers to inject arbitrary web script or HTML via vectors involving
|
Package: drupal6
Severity: grave
Tags: security patch
Hi Luigi,
the following CVE (Common Vulnerabilities Exposures) ids were
published for drupal6.
CVE-2009-4371[0]:
| Cross-site scripting (XSS) vulnerability in the Locale module
| (modules/locale/locale.module) in Drupal Core 6.14, and
Hi Luigi
By the way, drupal5 is also affected by at least one of these issues. Can we
remove drupal5 from Debian or is there a reason for keeping it? It would be
easier to have it gone; then we'd only have to track one package.
Cheers
Steffen
+
+ * Non-maintainer upload
+ * Add libmagickcore2-extra as build-depends since imagemagick has
+reorganised the plugin packages (thanks to Stuart Prescott)
+(Closes: #560604)
+
+ -- Steffen Joeris wh...@debian.org Wed, 23 Dec 2009 22:19:35 +0100
+
qemulator (0.5-3) unstable; urgency=low
by the security team
+ * Fix several cross-site scriptings via different vectors
+Fixes: CVE-2009-4032
+
+ -- Steffen Joeris wh...@debian.org Wed, 16 Dec 2009 12:06:20 +0100
+
cacti (0.8.7e-1) unstable; urgency=low
* New upstream release (Closes: #541490).
diff -u cacti-0.8.7e/debian/patches
Package: cacti
Severity: grave
Tags: security
Hi Sean
the following CVE (Common Vulnerabilities Exposures) id was
published for cacti.
CVE-2009-4112[0]:
| Cacti 0.8.7e and earlier allows remote authenticated administrators to
| gain privileges by modifying the Data Input Method for the Linux -
Package: dstat
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for dstat.
CVE-2009-4081[0]:
| Untrusted search path vulnerability in dstat before r3199 allows local
| users to gain privileges via a Trojan horse Python module in
Package: release-notes
Severity: important
Hi
Please indicate that the packages ocsinventory-server and sql-ledger
only receive limited security support, because they should only be used
behind authenticated HTTP zones. For sql-ledger, this is true for etch,
lenny and squeeze and for
Package: cups
Version: 1.4.1-5
Severity: grave
Tags: security patch
Hi Martin
The recent DSA (DSA-1933-1) fixed a few cross-site scripting issues.
Please include the patch in the unstable/testing distribution.
Cheers
Steffen
diff -u cupsys-1.2.2/debian/changelog cupsys-1.2.2/debian/changelog
On Sun, 11 Oct 2009 07:38:01 am Mehdi Dogguy wrote:
Michael S Gilbert wrote:
Package: advi
Version: 1.6.0-12
Severity: serious
Tags: security
Hi,
The following CVE (Common Vulnerabilities Exposures) id was
published for camlimages. advi statically links to camlimages, so
Hi
I am using version 0.7.1-2.
I do switch between several LAN connections and in the past nm used to update
the /etc/resolv.conf file correctly and only added the used name server. Now it
adds the other nameserver, but keeps the one from a previous connection as
well, which causes DNS
Package: newt
Severity: grave
Tags: security patch
Hi
There is a buffer overflow in textbox.c. This issue is CVE-2009-2905.
In textbox.c the following patch has been applied.
- result = malloc(strlen(text) + (strlen(text) / width) + 2);
+ result = malloc(strlen(text) +
Package: release.debian.org
Severity: normal
Hi
destar is security buggy and we have assessed the situation and decided
that it is best to remove the package from (old)stable. Please schedule
its removal with the next point release.
Cheers
Steffen
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
On Wed, 16 Sep 2009 02:47:38 am Steffen Joeris wrote:
Debian Security Advisory DSA-1887-1 secur
Package: viewvc
Severity: grave
Tags: security patch
Hi
According to upstream:
Version 1.1.2 (released 11-Aug-2009)
* security fix: validate the 'view' parameter to avoid XSS attack
* security fix: avoid printing illegal parameter names and values
Hi
You can base security uploads on NMUs, so I think you could get
+deb50.1
+deb50.1+nmu1
+deb50.2
+deb50.2+nmu1
Hum I understand +nmu1+deb50.1 for a security upload of a package whose
last upload was an NMU, but I don't see in what occasions you would NMU a
package in
Because the init script sends out emails?
Why should we need to install a mail server in order to check the
consistency of our raid arrays? Please remove the bsd-mailx dependency.
-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture:
Hi
On Mon, 10 Aug 2009 08:58:12 pm Teste Teste wrote:
The script should check if it can send emails and not make it a mandatory
dependency.
I think mpt-status users mostly want to check the raid status as part of
existing health check systems which send notifications themselves. Trying
to
patch for integer overflows to also cover other
+image types (Closes: #540146)
+Fixes: CVE-2009-2660
+
+ -- Steffen Joeris wh...@debian.org Sat, 08 Aug 2009 07:05:38 +
+
camlimages (1:3.0.1-2) unstable; urgency=low
[ Mehdi Dogguy ]
diff -u camlimages-3.0.1/debian/patches
Package: dhcp3-server
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for dhcp3.
CVE-2009-1892[0]:
| dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier and
| hardware ethernet configuration settings are both used,
Hi Yaroslav
Thanks for investing the time into xoscope.
On Wed, 22 Jul 2009 02:48:03 pm Yaroslav Halchenko wrote:
my ignorant take to prepare NMU: patch seems to be obsolete,
not sure what to do about those magic renames in debian/rules,
also some issues with menu/desktop are pointed out with
Hi
So I had another look at the issue. Indeed, set_nss_error was undefined, so I
used a different function. Also, I think there was another regression with
displaying signed and encrypted S/MIME messages. Could you please test these
updated packages[0] in your environments and tell me, whether
-maintainer upload by the security team
+ * Fix XSS via the backend parameter (Closes: #536554)
+Fixes: CVE-2009-2360
+
+ -- Steffen Joeris wh...@debian.org Sat, 11 Jul 2009 06:02:56 +
+
sork-passwd-h3 (3.1-1) unstable; urgency=low
* New upstream release.
only in patch2:
unchanged:
--- sork
Package: sork-passwd-h3
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for sork-passwd-h3.
CVE-2009-2360[0]:
| Cross-site scripting (XSS) vulnerability in passwd/main.php in the
| Passwd module before 3.1.1 for Horde allows remote
team
+ * Fix cross-site scripting vulnerability, which can be exploited via
+the userid, userdescrip, useremail, grp and grpdescrip parameters
+(Closes: #530271)
+Fixes: CVE-2009-1732
+
+ -- Steffen Joeris wh...@debian.org Mon, 06 Jul 2009 08:09:24 +
+
ipplan (4.91a-1) unstable
Package: wnpp
Severity: normal
Package: mpt-status
Priority: extra
Section: admin
Installed-Size: 84
Maintainer: Steffen Joeris wh...@debian.org
Architecture: i386
Version: 1.2.0-4.2
Depends: libc6 (>= 2.7-1), lsb-base, daemon, mailx
Filename: pool/main/m/mpt-status/mpt-status_1.2.0-4.2_i386.deb
On Wed, 24 Jun 2009 07:46:01 am Richard Ellerbrock wrote:
The existing patch is correct - using htmlspecialchars will have the
effect of placing escaped strings in the database. It will also have
the effect of double escaping each time you edit a field.
My patch replaces the display template
Hi Richard
I am not sure about your patch.
Setting a maximum length does not fix a potential XSS issue. Why not use
htmlspecialchars() to take care of escaping? I have attached a potential patch
for that. Of course, it would be good to check the rest of the code as well
and see whether it is
sure that the single tick is handled properly in order to avoid
+code execution (Closes: #525078)
+Fixes: CVE-2009-1440
+
+ -- Steffen Joeris wh...@debian.org Thu, 18 Jun 2009 14:10:54 +
+
amule (2.2.5-1) unstable; urgency=low
+++ The Fido, Your Leash Is Too Long release.
diff -u
Hi
On 2009 m. June 15 d., Monday 16:17:23 Steffen Joeris wrote:
Sometimes I just lose my keyboard and it won't respond anymore under
kde. I can help myself by changing to a system console and restart kdm.
Not sure what debugging information you'd want me to include. I am happy
to collect
Package: kdm
Version: 4:4.2.4-1
Severity: normal
Hi
Sometimes I just lose my keyboard and it won't respond anymore under
kde. I can help myself by changing to a system console and restart kdm.
Not sure what debugging information you'd want me to include. I am happy
to collect some files next
Hi Sam
How about the lines below (2300-2302)?
#ifndef __WXMSW__
rawFileName.Replace(QUOTE, wxT('\'\'));
#endif
Wouldn't it be sufficient to just run this over rawFileName at any time and
escape the single tick or am I missing something?
Cheers
Steffen
Hi Jonas
Could you please upload a fixed moin version to unstable, so it can migrate to
testing? I can't test it here right now.
Cheers
Steffen
Package: libstruts1.2-java
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for libstruts1.2-java.
CVE-2008-2025[0]:
| Cross-site scripting (XSS) vulnerability in Apache Struts before
| 1.2.9-162.31.1 on SUSE Linux Enterprise
On Tue, 5 May 2009 09:28:08 pm Jonas Smedegaard wrote:
On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
P.S. can you upload moin 1.7, I can't since I am not DD/DM.
I'll do it now!
- Jonas
Also, please upload fixed packages for unstable with urgency high. :)
Cheers
Steffen
Package: moin
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for moin.
CVE-2009-1482[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in
| action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
| attackers to
Hi John
Steffen,
I went to the URLs in this bug report, and nothing even indicated
where in the source the problem was. I see no indication that
upstream is even aware of this problem. The CVE status, in fact, is
under review and I'm not certain that this is really an issue.
Can you
Package: plone3
Severity: grave
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for plone3.
CVE-2009-0662[0]:
| The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product
| for Plone, does not properly handle the login form, which
Package: ntp
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for ntp.
CVE-2009-0159[0]:
| Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c
| in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to
Hi Rene
Unfortunately, this doesn't apply as dpd code seems to have moved out of
demux.c (I didn't find any of the patch context). Have you had contact with
openswan upstream concerning this bug?
Isn't the vulnerable code in programs/pluto/ikev1.c?
Cheers
Steffen
vulnerability when used with multibyte
+encodings by using mysql_real_escape_string()
+
+ -- Steffen Joeris wh...@debian.org Mon, 30 Mar 2009 11:21:06 +0200
+
auth2db (0.2.5-2+dfsg-1) unstable; urgency=medium
* New debian-specific+upstream release (Closes: #493132):
diff -u auth2db-0.2.5-2+dfsg
upload by the security team
+ * Fix DoS issue via malicious Dead Peer Detection packet
+Fixes: CVE-2009-0790
+
+ -- Steffen Joeris wh...@debian.org Tue, 24 Mar 2009 13:20:43 +
+
openswan (1:2.4.12+dfsg-1.3) unstable; urgency=high
* Non-maintainer upload.
diff -u openswan-2.4.12+dfsg
by the security team
+ * Fix DoS issue via malicious Dead Peer Detection packet
+Fixes: CVE-2009-0790
+
+ -- Steffen Joeris wh...@debian.org Tue, 24 Mar 2009 12:31:39 +
+
strongswan (4.2.4-5) unstable; urgency=high
Reason for urgency high: this is potentially security relevant.
diff -u
Package: squid
Severity: wishlist
Hi
I am running transparent squid in a setup with more than 1000 users. I
reached the limit of file descriptors and that slowed down the internet
for everyone. I've now increased the number of file descriptors in the
default configuration, which seemed to solve
Package: yaws
Severity: important
Hi
The package seems to have an FTBFS, if I build it twice in a row.
The build log is below.
Cheers
Steffen
wh...@security:~/yaws/yaws-1.80$ debuild -us -uc
dpkg-buildpackage -rfakeroot -D -us -uc
dpkg-buildpackage: set CFLAGS to default value: -g -O2
Package: psi
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for psi.
CVE-2008-6393[0]:
| PSI Jabber client before 0.12.1 allows remote attackers to cause a
| denial of service (crash) and possibly execute arbitrary code via a
| file
Package: movabletype-opensource
Severity: normal
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for movabletype-opensource.
CVE-2009-0752[0]:
| Unspecified vulnerability in Movable Type Pro and Community Solution
| 4.x before 4.24 has unknown impact and
Package: libpoppler3
Version: 0.8.7-1
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities Exposures) ids were
published for poppler.
CVE-2009-0756[0]:
| The JBIG2Stream::readSymbolDictSeg function in Poppler before 0.10.4
| allows remote attackers to cause a
Package: openssl
Version: 0.9.8g-15
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for openssl.
CVE-2009-0653[0]:
| OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an
| intermediate CA-signed certificate, which
Package: xine-lib
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for xine-lib.
CVE-2009-0698[0]:
| Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib
| 1.1.16.1 allows remote
Package: webkit
Severity: important
Tags: security
Hi Mike,
the following CVE (Common Vulnerabilities Exposures) id was
published for webkit.
CVE-2008-6059[0]:
| xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not
| properly restrict access from web pages to the (1) Set-Cookie
Package: proftpd
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities Exposures) ids were
published for proftpd.
CVE-2009-0543[0]:
| ProFTPD Server 1.3.1, with NLS support enabled, allows remote
| attackers to bypass SQL injection
Package: release.debian.org
Severity: important
Tags: security
Hi
I was working on a security update for tmsnc, a text-based MSN client. When I
tried to test the update, I found out that the program is not able to connect
to MSN servers anymore due to a protocol mismatch. I assume that the
; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Include upstream patch to fix DoS via error in request processing
+code (Closes: #514142)
+
+ -- Steffen Joeris wh...@debian.org Thu, 05 Feb 2009 18:28:57 +
+
squid (2.7.STABLE3-4) unstable; urgency=low
* debian/rules
diff
Package: audacity
Version: 1.3.5-2
Severity: grave
Tags: security
Justification: user security hole
There is a buffer overflow in audacity apparently affecting the etch
and lenny version. You can find a reproducer here[0].
However, I just took a random .gro file and when importing it under
Package: squid
Severity: grave
Tags: security
Justification: user security hole
Hi
A DoS issue has been reported[0] for squid. So far I cannot see the
vulnerable code in the stable release, but it would be nice, if you
could check that as well. Lenny seems to be affected and needs fixing.
I've
fixed 514138 1.3.6-1
thanks
Hi Benjamin
On Wed, 4 Feb 2009 04:29:05 pm Benjamin Drung wrote:
The upcoming audacity 1.3.7-1 does not crash if I open the generated
file from [0]. According to the Gentoo bug tracker [1] audacity 1.3.6
does not have this bug any more. You can find
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities Exposures) ids were
published for gst-plugins-good0.10.
CVE-2009-0386[0]:
| Heap-based buffer overflow in the
Package: roundcube
Version: 0.2~alpha-4
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for roundcube.
CVE-2009-0413[0]:
| Cross-site scripting (XSS) vulnerability in RoundCube Webmail
| (roundcubemail) 0.2 stable allows remote
Package: wordpress
Severity: normal
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for wordpress.
CVE-2008-5695[0]:
| wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2
| and earlier, does not properly validate requests to update an