<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.debian.user.security.announce">
    <title>gmane.linux.debian.user.security.announce</title>
    <link>http://blog.gmane.org/gmane.linux.debian.user.security.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2604"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2603"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2602"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2601"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2600"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2599"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2598"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2597"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2596"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2595"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2594"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2593"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2592"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2591"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2590"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2589"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2588"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2587"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2586"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2585"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2604">
    <title>[DSA 2480-1] request-tracker3.8 security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2604</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 24, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-2082 CVE-2011-2083 CVE-2011-2084 CVE-2011-2085 
                 CVE-2011-4458 CVE-2011-4459 CVE-2011-4460

Several vulnerabilities were discovered in Request Tracker, an issue
tracking system:

CVE-2011-2082

   The vulnerable-passwords scripts introduced for CVE-2011-0009
   failed to correct the password hashes of disabled users.

CVE-2011-2083

   Several cross-site scripting issues have been discovered.

CVE-2011-2084

   Password hashes could be disclosed by privileged users.

CVE-2011-2085

   Several cross-site request forgery vulnerabilities have been
   found. If this update breaks your setup, you can restore the old
   behaviour by setting $RestrictReferrer to 0.

CVE-2011-4458

   The code to support variable envelope return paths allowed the
   execution of arbitrary code.

CVE-2011-4459

   Disabled groups were not fully accounted as disabled.

CVE-2011-4460

   SQL injection vulnerability, only exploitable by privileged users.


For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 4.0.5-3.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk++cYMACgkQXm3vHE4uylokxACguQb84ehN2ODvrYW4Mr1CmOLY
XIkAoJ/DIybBV9MxZA7txyMDE56vsWeM
=+4ft
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-24T17:37:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2603">
    <title>[DSA 2479-1] libxml2 security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2603</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2479-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxml2
Vulnerability  : off-by-one
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3102

Jueri Aedla discovered an off-by-one in libxml2, which could result in
the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze4.

For the unstable distribution (sid), this problem has been fixed in
version 2.7.8.dfsg-9.1.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk+9OesACgkQXm3vHE4uylpB8gCfamsExmrt7o3LVviFZm2UP6Lx
QY4AnjsL0TRs1Z1P6RUIxV1F+Cg1Xp6a
=JAT9
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-23T19:39:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2602">
    <title>[DSA 2478-1] sudo security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2602</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2478-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sudo
Vulnerability  : parsing error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2337

It was discovered that sudo misparsed network masks used in Host and
Host_List stanzas. This allowed the execution of commands on hosts,
where the user would not be allowed to run the specified command.

For the stable distribution (squeeze), this problem has been fixed in
version 1.7.4p4-2.squeeze.3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your sudo packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk+9OUMACgkQXm3vHE4uylrvIwCgtw2WtmYMmDjledpPsJGJFuyK
LP4AoNhim5wwymY9wnB8egwHXNlLLoRs
=ZP4O
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-23T19:30:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2601">
    <title>[DSA 2477-1] sympa security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2601</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2477-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 20, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sympa
Vulnerability  : authorization bypass
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2352
Debian Bug     : 

Several vulnerabilities have been discovered in Sympa, a mailing list
manager, that allow to skip the scenario-based authorization
mechanisms. This vulnerability allows to display the archives
management page, and download and delete the list archives by
unauthorized users.

For the stable distribution (squeeze), this problem has been fixed in
version 6.0.1+dfsg-4+squeeze1.

For the testing distribution (wheezy), this problem will be fixed
soon.

For the unstable distribution (sid), this problem has been fixed in
version 6.1.11~dfsg-2.

We recommend that you upgrade your sympa packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-20T18:54:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2600">
    <title>[DSA 2476-1] pidgin-otr security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2600</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2476-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Jonathan Wiltshire
May 19, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pidgin-otr
Vulnerability  : format string vulnerability
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2369
Debian Bug     : 673154

intrigeri discovered a format string error in pidgin-otr, an off-the-record
messaging plugin for Pidgin.

This could be exploited by a remote attacker to cause arbitrary code to
be executed on the user's machine.

The problem is only in pidgin-otr. Other applications which use libotr are
not affected.

For the stable distribution (squeeze), this problem has been fixed in
version 3.2.0-5+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 3.2.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.2.1-1.

We recommend that you upgrade your pidgin-otr packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Jonathan Wiltshire</dc:creator>
    <dc:date>2012-05-19T19:30:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2599">
    <title>[DSA 2475-1] openssl security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2599</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2475-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                          Raphael Geissert
May 17, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
Vulnerability  : integer underflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2333

It was discovered that openssl did not correctly handle explicit
Initialization Vectors for CBC encryption modes, as used in TLS 1.1,
1.2, and DTLS. An incorrect calculation would lead to an integer
underflow and incorrect memory access, causing denial of service
(application crash.)

For the stable distribution (squeeze), this problem has been fixed in
version 0.9.8o-4squeeze13.

For the testing distribution (wheezy), and the unstable distribution
(sid), this problem has been fixed in version 1.0.1c-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk+1hlwACgkQYy49rUbZzlqjfACfYPRCBLE+aS8xVMrppXuPSnAi
d4gAn0gIzqCR+/YKt/2Nds2271ODpeBJ
=4mIz
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Raphael Geissert</dc:creator>
    <dc:date>2012-05-17T23:14:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2598">
    <title>[DSA 2474-1] ikiwiki security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2598</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2474-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                          Raphael Geissert
May 16, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ikiwiki
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0220

Raúl Benencia discovered that ikiwiki, a wiki compiler, does not
properly escape the author (and its URL) of certain metadata, such as
comments. This might be used to conduct cross-site scripting attacks.

For the stable distribution (squeeze), this problem has been fixed in
version 3.20100815.9.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.20120516.

We recommend that you upgrade your ikiwiki packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk+0iecACgkQYy49rUbZzlppyQCeMC2K6TGlP5MVOcZeENaY1QAG
gu0An1jlFHnhZrq3a+sMsfL12csrSLAA
=badx
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Raphael Geissert</dc:creator>
    <dc:date>2012-05-17T05:17:26</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2597">
    <title>[DSA 2473-1] openoffice.org security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2597</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2473-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 16, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2012-1149

Tielei Wang discovered that OpenOffice.org does not allocate a large
enough memory region when processing a specially crafted JPEG object,
leading to a heap-based buffer overflow and potentially arbitrary code
execution.

For the stable distribution (squeeze), this problem has been fixed in
version 1:3.2.1-11+squeeze5.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 1:3.4.5-1 of the
libreoffice package.

We recommend that you upgrade your openoffice.org packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-16T22:04:38</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2596">
    <title>[DSA 2472-1] gridengine security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2596</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2472-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 15, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gridengine
Vulnerability  : privilege escalation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0208

Dave Love discovered that users who are allowed to submit jobs to a
Grid Engine installation can escalate their privileges to root because
the environment is not properly sanitized before creating processes.

For the stable distribution (squeeze), this problem has been fixed in
version 6.2u5-1squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 6.2u5-6.

We recommend that you upgrade your gridengine packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-16T05:54:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2595">
    <title>[DSA 2457-2] New icedove/iceweasel packages fix regression</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2595</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2457-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 13, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceweasel / icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0467 CVE-2012-0470 CVE-2012-0471 CVE-2012-0477 
                 CVE-2012-0479

The updates DSA-2457 and DSA-2458 for Iceweasel and Icedove introduced
a regression, which could lead to crashes when interpreting some
Javascript statements.

For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-15 for Iceweasel and 2.0.11-12 for Icedove.

The unstable distribution (sid) is not affected.

We recommend that you upgrade your iceweasel and icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk+wItMACgkQXm3vHE4uylpELgCg6GtsxNG87TGHwtBSTS/1gSz1
nSEAn1iPiuxTAXbL6GIOKLQJJjKMsRDg
=mmi4
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-13T21:09:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2594">
    <title>[DSA-2471-1] ffmpeg security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2594</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2471-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 13, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2011-3892 CVE-2011-3893 CVE-2011-3895 CVE-2011-3929 
                 CVE-2011-3936 CVE-2011-3940 CVE-2011-3947 CVE-2012-0853 
                 CVE-2012-0947

Several vulnerabilities have been discovered in FFmpeg, a multimedia 
player, server and encoder. Multiple input validations in the decoders/
demuxers for Westwood Studios VQA, Apple MJPEG-B, Theora, Matroska, 
Vorbis, Sony ATRAC3, DV, NSV, files could lead to the execution of
arbitrary code.

These issues were discovered by Aki Helin, Mateusz Jurczyk, Gynvael 
Coldwind, and Michael Niedermayer.

For the stable distribution (squeeze), this problem has been fixed in
version 4:0.5.8-1.

For the unstable distribution (sid), this problem has been fixed in
version 6:0.8.2-1 of libav.

We recommend that you upgrade your ffmpeg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk+wGRoACgkQXm3vHE4uyloVcgCfQHEFzRDutwSM4pKOHzZzAUEE
09EAoJyfhkjYAhjWh7Mp8rxs8p38BPoG
=mVJb
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-13T20:37:22</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2593">
    <title>[DSA 2670-1] wordpress security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2593</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2670-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
May 11, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3122 CVE-2011-3125 CVE-2011-3126 CVE-2011-3127
                 CVE-2011-3128 CVE-2011-3129 CVE-2011-3130 CVE-2011-4956
                 CVE-2011-4957 CVE-2012-2399 CVE-2012-2400 CVE-2012-2401
                 CVE-2012-2402 CVE-2012-2403 CVE-2012-2404
Debian Bug     : 670124

Several vulnerabilities were identified in Wordpress, a web blogging
tool.  As the CVEs were allocated from releases announcements and
specific fixes are usually not identified, it has been decided to
upgrade the Wordpress package to the latest upstream version instead
of backporting the patches.

This means extra care should be taken when upgrading, especially when
using third-party plugins or themes, since compatibility may have been
impacted along the way.  We recommend that users check their install
before doing the upgrade.

For the stable distribution (squeeze), those problems have been fixed in
version 3.3.2+dfsg-1~squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), those problems have been fixed in version 3.3.2+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Yves-Alexis Perez</dc:creator>
    <dc:date>2012-05-11T20:41:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2592">
    <title>[DSA 2469-1] linux-2.6 security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2592</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------
Debian Security Advisory DSA-2469-1                security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Dann Frazier
May 10, 2012                        http://www.debian.org/security/faq
- ----------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : privilege escalation/denial of service
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2011-4086 CVE-2012-0879 CVE-2012-1601 CVE-2012-2123
                 CVE-2012-2133

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2011-4086

    Eric Sandeen reported an issue in the journaling layer for EXT4 filesystems
    (jbd2). Local users can cause buffers to be accessed after they have been
    torn down, resulting in a denial of service (DoS) due to a system crash.

CVE-2012-0879

    Louis Rilling reported two reference counting issues in the CLONE_IO
    feature of the kernel. Local users can prevent io context structures
    from being freed, resulting in a denial of service.

CVE-2012-1601

    Michael Ellerman reported an issue in the KVM subsystem. Local users could
    cause a denial of service (NULL pointer dereference) by creating VCPUs
    before a call to KVM_CREATE_IRQCHIP.

CVE-2012-2123

    Steve Grubb reported an issue in fcaps, a filesystem-based capabilities
    system. Personality flags set using this mechanism, such as the disabling
    of address space randomization, may persist across suid calls.

CVE-2012-2133

    Shachar Raindel discovered a use-after-free bug in the hugepages
    quota implementation. Local users with permission to use hugepages
    via the hugetlbfs implementation may be able to cause a denial of
    service (system crash).

For the stable distribution (squeeze), this problem has been fixed in version
2.6.32-44. Updates are currently only available for the amd64, i386 and sparc
ports.

NOTE: Updated linux-2.6 packages will also be made available in the release
of Debian 6.0.5, scheduled to take place the weekend of 2012.05.12. This
pending update will be version 2.6.32-45, and provides an additional fix for
build failures on some architectures. Users for whom this update is not
critical, and who may wish to avoid multiple reboots, should consider waiting
for the 6.0.5 release before updating, or installing the 2.6.32-45 version
ahead of time from proposed-updates.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

                                             Debian 6.0 (squeeze)
     user-mode-linux                         2.6.32-1um-4+44

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>dann frazier</dc:creator>
    <dc:date>2012-05-10T15:48:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2591">
    <title>[DSA 2468-1] libjakarta-poi-java security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2591</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2468-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libjakarta-poi-java
Vulnerability  : unbounded memory allocation
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2012-0213

It was discovered that Apache POI, a Java implementation of the
Microsoft Office file formats, would allocate arbitrary amounts of
memory when processing crafted documents.  This could impact the
stability of the Java virtual machine.

For the stable distribution (squeeze), this problem has been fixed in
version 3.6+dfsg-1+squeeze1.

We recommend that you upgrade your libjakarta-poi-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-09T19:46:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2590">
    <title>[DSA 2422-2] file regression fix</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2590</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2422-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : file
Vulnerability  : regression fix
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1571

A regression was discovered in the security update for file, which
led to false positives on the CDF format. This update fixes that
regression. For reference, the original advisory text follows.

The file type identification tool, file, and its associated library,
libmagic, do not properly process malformed files in the Composite
Document File (CDF) format, leading to crashes.

Note that after this update, file may return different detection
results for CDF files (well-formed or not). The new detections are
believed to be more accurate.

For the stable distribution (squeeze), this problem has been fixed in
version 5.04-5+squeeze2.

We recommend that you upgrade your file packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Thijs Kinkhorst</dc:creator>
    <dc:date>2012-05-09T18:23:22</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2589">
    <title>[DSA 2467-1] mahara security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2589</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2467-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mahara
Vulnerability  : insecure defaults
Problem type   : remote
Debian-specific: no

It was discovered that Mahara, the portfolio, weblog, and resume builder,
had an insecure default with regard to SAML-based authentication used
with more than one SAML identity provider. Someone with control over one
IdP could impersonate users from other IdPs.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.6-2+squeeze4.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 1.4.2-1.

We recommend that you upgrade your mahara packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Thijs Kinkhorst</dc:creator>
    <dc:date>2012-05-09T17:47:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2588">
    <title>[DSA 2466-1] rails security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2588</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2466-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : rails
Vulnerability  : cross site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1099
Debian Bug     : 668607

Sergey Nartimov discovered that in Rails, a Ruby-based framework for
web development, when developers generate HTML options tags manually,
user input concatenated with manually built tags may not be escaped
and an attacker can inject arbitrary HTML into the document.

For the stable distribution (squeeze), this problem has been fixed in
version 2.3.5-1.2+squeeze3.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 2.3.14.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Thijs Kinkhorst</dc:creator>
    <dc:date>2012-05-09T17:30:46</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2587">
    <title>[DSA 2465-1] php5 security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2587</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2465-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1172 CVE-2012-1823 CVE-2012-2311

De Eindbazen discovered that PHP, when run with mod_cgi, will
interpret a query string as command line parameters, allowing
arbitrary code to be executed.

Additionally, this update fixes insufficient validation of the upload
name, which led to corrupted $_FILES indices.

For the stable distribution (squeeze), this problem has been fixed in
version 5.3.3-7+squeeze9.

The testing distribution (wheezy) will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 5.4.3-1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Thijs Kinkhorst</dc:creator>
    <dc:date>2012-05-09T17:23:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2586">
    <title>[DSA 2464-2] icedove regression update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2586</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2464-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 08, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
Debian Bug     : 671408 671410

The latest security update, DSA-2464-1, for Icedove, Debian's version
of the Mozilla Thunderbird mail client, contained a regression: the
removal of UTF-7 support resulted in incorrect display of IMAP folder
names.

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.11-1+squeeze10.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-08T19:28:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2585">
    <title>[DSA 2459-2] quagga security update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2585</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2459-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 04, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : quagga
Vulnerability  : regression
Problem type   : remote
Debian-specific: no

The recent quagga update, DSA-2459-1, introduced a memory leak in the
bgpd process in some configurations.

For the stable distribution (squeeze), this problem has been fixed in
version 0.99.20.1-0+squeeze2.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-04T21:50:07</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2584">
    <title>[DSA 2462-2] imagemagick regression update</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/2584</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2462-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 3, 2012                            http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0259 CVE-2012-0260 CVE-2012-1185 CVE-2012-1186 
                 CVE-2012-1610 CVE-2012-1798

The initial update introduced a regression, which could lead to errors
when processing some JPEG files.

For the stable distribution (squeeze), this problem has been fixed in
version 6.6.0.4-3+squeeze3.

We recommend that you upgrade your imagemagick packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-03T21:53:43</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.debian.user.security.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.debian.user.security.announce</link>
  </textinput>
</rdf:RDF>

