<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce">
    <title>gmane.linux.debian.user.security.announce</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1733"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1732"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1731"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1730"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1729"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1728"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1727"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1726"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1725"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1724"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1723"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1722"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1721"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1720"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1719"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1718"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1717"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1716"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1715"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1714"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1733">
    <title>[DSA 1679-1] New awstats packages fix cross-site scripting</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1733</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1679-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                           Florian Weimer
December 03, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : awstats
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-3714
Debian Bug     : 495432

Morgan Todd discovered a cross-site scripting vulnerability in awstats,
a log file analyzer, involving the "config" request parameter (and
possibly others; CVE-2008-3714).

For the stable distribution (etch), this problem has been fixed in version
6.5+dfsg-1+etch1.

The unstable (sid) and testing (lenny) distributions will be fixed soon.

We recommend that you upgrade your awstats package.

Upgrade instructions
- --------------------

wget </description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2008-12-03T11:05:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1732">
    <title>[DSA 1678-1] New perl packages fix privilege escalation</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1732</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1678-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                           Steffen Joeris
December 03, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : perl
Vulnerability  : design flaws
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-5302 CVE-2008-5303
Debian Bug     : 286905 286922

Paul Szabo rediscovered a vulnerability in the File::Path::rmtree
function of Perl. It was possible to exploit a race condition to create
setuid binaries in a directory tree or remove arbitrary files when a
process is deleting this tree.  This issue was originally known as
CVE-2005-0448 and CVE-2004-0452, which were addressed by DSA-696-1 and
DSA-620-1. Unfortunately, they were reintroduced later.

For the stable distribution (etc</description>
    <dc:creator>Steffen Joeris</dc:creator>
    <dc:date>2008-12-03T06:15:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1731">
    <title>[DSA 1677-1] New CUPS packages fix arbitrary code execution</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1731</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1677-1                    security&lt; at &gt;debian.org
http://www.debian.org/security/                             Martin Schulze
December 2nd, 2008                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cupsys
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2008-5286
Debian Bug     : 507183

An integer overflow has been discovered in the image validation code
of cupsys, the Common UNIX Printing System.  An attacker could trigger
this bug by supplying a malicious graphic that could lead to the
execution of arbitrary code.

For the stable distribution (etch) this problem has been fixed in
version 1.2.7-4etch6.

For the testing distribution (lenny) this issue will be fixed soon.

For the unstable distribution (sid) this </description>
    <dc:creator>Martin Schulze</dc:creator>
    <dc:date>2008-12-02T21:09:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1730">
    <title>[DSA 1676-1] New flamethrower packages fix denial of service</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1730</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1676-1                security&lt; at &gt;debian.org
http://www.debian.org/security/                           dann frazier
December 01, 2008                   http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : flamethrower (0.1.8-1+etch1)
Vulnerability  : insecure temp file generation
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-5141
Debian Bug     : 506350

Dmitry E. Oboukhov discovered that flamethrower creates predictable temporary
filenames, which may lead to a local denial of service through a symlink
attack.

For the stable distribution (etch), this problem has been fixed in version
0.1.8-1+etch1.

For the unstable distribution (sid), this problem has been fixed in
version 0.1.8-2.

We recommend that you upgrade your flamethrower package.

Upgrade instructions
- --</description>
    <dc:creator>dann frazier</dc:creator>
    <dc:date>2008-12-01T22:49:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1729">
    <title>[DSA 1675-1] New phpmyadmin packages fix cross site scripting</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1729</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1675-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
November 30, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : phpmyadmin
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-4326

Masako Oono discovered that phpMyAdmin, a web-based administration
interface for MySQL, insufficiently sanitises input allowing a
remote attacker to gather sensitive data through cross site scripting,
provided that the user uses the Internet Explorer web browser.

This update also fixes a regression introduced in DSA 1641, that
broke changing of the language and encoding in the login screen.

For the stable distribution (etch), these problems have bee</description>
    <dc:creator>Thijs Kinkhorst</dc:creator>
    <dc:date>2008-11-30T12:53:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1728">
    <title>[DSA 1674-1] New jailer packages fix denial of service</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1728</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1674-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 30, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : jailer
Vulnerability  : insecure temp file generation
Debian-specific: no
CVE Id(s)      : CVE-2008-5139
Debian Bug     : 410548

Javier Fernandez-Sanguino Pena discovered that updatejail, a component
of the chroot maintenance tool Jailer, creates a predictable temporary
file name, which may lead to local denial of service through a symlink
attack.

For the stable distribution (etch), this problem has been fixed in
version 0.4-9+etch1.

For the upcoming stable distribution (lenny) and the unstable
distribution (sid), this problem has been fixed in version 0.4-10.

We recommend that </description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2008-11-30T08:33:23</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1727">
    <title>[DSA 1673-1] New wireshark packages fix several vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1727</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1673-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 29, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-3137 CVE-2008-3138 CVE-2008-3141 CVE-2008-3145 CVE-2008-3933 CVE-2008-4683 CVE-2008-4684 CVE-2008-4685

Several remote vulnerabilities have been discovered in the network traffic
analyzer Wireshark. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2008-3137

    The GSM SMS dissector is vulnerable to denial of service.

CVE-2008-3138

    The PANA and KISMET dissectors are vulnerable to denial of service.

CVE-2008-3141

    The RMI dissector coul</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2008-11-29T23:07:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1726">
    <title>[DSA 1672-1] New imlib2 packages fix arbitrary code execution</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1726</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1672-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 29, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : imlib2
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-5187
Debian Bug     : 505714

Julien Danjou and Peter De Wachter discovered that a buffer overflow
in the XPM loader of Imlib2, a powerful image loading and rendering
library, might lead to arbitrary code execution.

For the stable distribution (etch), this problem has been fixed in
version 1.3.0.0debian1-4+etch2.

For the upcoming stable distribution (lenny) and the unstable
distribution (sid), this problem has been fixed in version 1.4.0-1.2.

We recommend that you </description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2008-11-29T02:28:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1725">
    <title>[DSA 1671-1] New iceweasel packages fix several vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1725</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1671-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 24, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-0017 CVE-2008-4582 CVE-2008-5012 CVE-2008-5013 CVE-2008-5014 CVE-2008-5017 CVE-2008-5018 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024

Several remote vulnerabilities have been discovered in the Iceweasel
web browser, an unbranded version of the Firefox browser. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-0017
   
   Justin Schuh discovered that a buffer overflow in the http-index-format
   parser could lead to arbitrary</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2008-11-24T21:36:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1724">
    <title>[DSA 1670-1] New enscript packages fix arbitrary code execution</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1724</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1670-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 24, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : enscript
Vulnerability  : buffer overflows
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-3863 CVE-2008-4306

Several vulnerabilities have been discovered in Enscript, a converter
from ASCII text to Postscript, HTML or RTF. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2008-3863

   Ulf Harnhammer discovered that a buffer overflow may lead to
   the execution of arbitrary code.

CVE-2008-4306

   Kees Cook and Tomas Hoger discovered that several buffer
   overflows may lead to the execution of arbitrary code.

</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2008-11-24T21:01:09</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1723">
    <title>[DSA 1669-1] New xulrunner packages fix several vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1723</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1669-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 23, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : xulrunner
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2008-0016 CVE-2008-3835 CVE-2008-3836 CVE-2008-3837 CVE-2008-4058 CVE-2008-4059 CVE-2008-4060 CVE-2008-4061 CVE-2008-4062 CVE-2008-4065 CVE-2008-4066 CVE-2008-4067 CVE-2008-4068 CVE-2008-4069 CVE-2008-4582 CVE-2008-5012 CVE-2008-5013 CVE-2008-5014 CVE-2008-5017 CVE-2008-5018 CVE-2008-0017 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and E</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2008-11-23T20:29:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1722">
    <title>[DSA 1668-1] New hf packages fix execution of arbitrary code</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1722</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1668-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                               Steve Kemp
November 22, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : hf
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-2378
Debian Bug     : 504182

Steve Kemp discovered that hf, an amateur-radio protocol suite using 
a soundcard as a modem, insecurely tried to execute an external command
which could lead to the elevation of privileges for local users.

For the stable distribution (etch), this problem has been fixed in version
0.7.3-4etch1.

For the unstable distribution (sid), this problem has been fixed in
version 0.8-8.1.

We recommend that you upgrade your hf package.


Upgrade instruction</description>
    <dc:creator>Steve Kemp</dc:creator>
    <dc:date>2008-11-22T10:59:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1721">
    <title>[DSA 1667-1] New python2.4 packages fix several vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1721</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1667-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 19, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : python2.4
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144

Several vulnerabilities have been discovered in the interpreter for the
Python language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2008-2315

    David Remahl discovered several integer overflows in the
    stringobject, unicodeobject,  bufferobject, longobject,
    tupleobject, stropmodule, gcmodule, and mmapmodule modules.

CVE-2008-3142

    Justin Ferguson discovered that inc</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2008-11-19T18:23:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1720">
    <title>[DSA 1666-1] New libxml2 packages fix several vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1720</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1666-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 17, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libxml2
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-4225 CVE-2008-4226

Several vulnerabilities have been discovered in the GNOME XML library.
The Common Vulnerabilities and Exposures project identifies the 
following problems:

CVE-2008-4225

    Drew Yao discovered that missing input sanitising in the
    xmlBufferResize() function may lead to an infinite loop,
    resulting in denial of service.

CVE-2008-4226

    Drew Yao discovered that an integer overflow in the
    xmlSAX2Characters() function may lead to denial of se</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2008-11-17T23:34:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1719">
    <title>[DSA 1665-1] New libcdaudio packages fix arbitrary code execution</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1719</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1665-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 12, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libcdaudio
Vulnerability  : heap overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-5030

It was discovered that a heap overflow in the CDDB retrieval code of 
libcdaudio, a library for controlling a CD-ROM when playing audio CDs,
may result in the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 0.99.12p2-2+etch1. A package for hppa will be provided later.

For the upcoming stable distribution (lenny) and the unstable
distribution (sid), this problem has been fixed in version 0.99.12p2-7.

We</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2008-11-12T22:30:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1718">
    <title>[DSA 1664-1] New ekg packages fix denial of service</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1718</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1664-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 10, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : ekg
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2008-4776

It was discovered that ekg, a console Gadu Gadu client, performs
insufficient input sanitising in the code to parse contact descriptions,
which may result in denial of service.

For the stable distribution (etch), this problem has been fixed in
version 1:1.7~rc2-1etch2.

For the unstable distribution (sid) and the upcoming stable distribution
(lenny), this problem has been fixed in version 1:1.8~rc1-2 of libgadu. 

We recommend that you upgrade your ekg package.

</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2008-11-10T18:52:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1717">
    <title>[DSA 1663-1] New net-snmp packages fix several vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1717</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1663-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
November 09, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : net-snmp
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-0960 CVE-2008-2292 CVE-2008-4309
Debian Bugs    : 485945 482333 504150

Several vulnerabilities have been discovered in NET SNMP, a suite of
Simple Network Management Protocol applications. The Common
Vulnerabilities and Exposures project identifies the following problems:
 
CVE-2008-0960
 
    Wes Hardaker reported that the SNMPv3 HMAC verification relies on
    the client to specify the HMAC length, which allows spoofing of
    authenticated SNMPv3 packets.
 
CVE-2008-22</description>
    <dc:creator>Thijs Kinkhorst</dc:creator>
    <dc:date>2008-11-09T09:49:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1716">
    <title>[DSA 1662-1] New mysql-dfsg-5.0 packages fix authorization bypass</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1716</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1662-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                           Devin Carraway
November 06, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : mysql-dfsg-5.0
Vulnerability  : authorization bypass
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-4098
Debian Bug     : 480292

A symlink traversal vulnerability was discovered in MySQL, a
relational database server.  The weakness could permit an attacker
having both CREATE TABLE access to a database and the ability to
execute shell commands on the database server to bypass MySQL access
controls, enabling them to write to tables in databases to which they
would not ordinarily have access.

The Common Vulnerabilities and Exposures project identifies this
vulne</description>
    <dc:creator>Devin Carraway</dc:creator>
    <dc:date>2008-11-06T04:20:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1715">
    <title>[DSA 1661-1] New OpenOffice.org packages fix several vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1715</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1661-1                    security&lt; at &gt;debian.org
http://www.debian.org/security/                             Martin Schulze
October 29th, 2008                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2008-2237 CVE-2008-2238

Several vulnerabilities have been discovered in the OpenOffice.org
office suite:

CVE-2008-2237

    The SureRun Security team discovered a bug in the WMF file parser
    that can be triggered by manipulated WMF files and can lead to
    heap overflows and arbitrary code execution.

CVE-2008-2238

    An anonymous researcher working with the iDefense discovered a bug
    in the EMF file parser that can be triggered by manipulated EMF
   </description>
    <dc:creator>Martin Schulze</dc:creator>
    <dc:date>2008-10-29T18:16:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1714">
    <title>[DSA 1660-1] New clamav packages fix denial of service</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1714</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1660-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                           Florian Weimer
October 26, 2008                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : clamav
Vulnerability  : null pointer dereference, resource exhaustion
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-3912, CVE-2008-3913, CVE-2008-3914

Several denial-of-service vulnerabilities have been discovered in
the ClamAV anti-virus toolkit:

Insufficient checking for out-of-memory conditions results in null
pointer dereferences (CVE-2008-3912).

Incorrect error handling logic leads to memory leaks (CVE-2008-3913)
and file descriptor leaks (CVE-2008-3914).

For the stable distribution (etch), these problems have been fixed in
version 0.90.1dfsg-4</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2008-10-26T13:43:46</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1713">
    <title>[DSA 1659-1] New libspf2 packages fix potential remote code execution</title>
    <link>http://permalink.gmane.org/gmane.linux.debian.user.security.announce/1713</link>
    <description>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1659-1                  security&lt; at &gt;debian.org
http://www.debian.org/security/                           Florian Weimer
October 23, 2008                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libspf2
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-2469

Dan Kaminsky discovered that libspf2, an implementation of the Sender
Policy Framework (SPF) used by mail servers for mail filtering, handles
malformed TXT records incorrectly, leading to a buffer overflow
condition (CVE-2008-2469).

Note that the SPF configuration template in Debian's Exim configuration
recommends using libmail-spf-query-perl, which does not suffer from
this issue.

For the stable distribution (etch), this problem has been fixed in
version 1.2.5-4+e</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2008-10-23T20:00:50</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.linux.debian.user.security.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.debian.user.security.announce</link>
  </textinput>
</rdf:RDF>
