<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.debian.user.security.announce">
    <title>gmane.linux.debian.user.security.announce</title>
    <link>http://blog.gmane.org/gmane.linux.debian.user.security.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2604"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2603"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2602"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2601"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2600"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2599"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2598"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2597"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2596"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2595"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2594"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2593"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2592"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2591"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2590"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2589"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2588"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2587"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2586"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2585"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2604">
    <title>[DSA 2480-1] request-tracker3.8 security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2604</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 24, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-2082 CVE-2011-2083 CVE-2011-2084 CVE-2011-2085 
                 CVE-2011-4458 CVE-2011-4459 CVE-2011-4460

Several vulnerabilities were discovered in Request Tracker, an issue
tracking system:

CVE-2011-2082

   The vulnerable-passwords scripts introduced for CVE-2011-0009
   failed to correct the password hashes of disabled users.

CVE-2011-2083

   Several cross-site scripting issues have been discovered.

CVE-2011-2084

   Password hashes could be disclosed by p&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-24T17:37:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2603">
    <title>[DSA 2479-1] libxml2 security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2603</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2479-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxml2
Vulnerability  : off-by-one
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3102

Jueri Aedla discovered an off-by-one in libxml2, which could result in
the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze4.

For the unstable distribution (sid), this problem has been fixed in
version 2.7.8.dfsg-9.1.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked q&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-23T19:39:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2602">
    <title>[DSA 2478-1] sudo security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2602</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2478-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sudo
Vulnerability  : parsing error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2337

It was discovered that sudo misparsed network masks used in Host and
Host_List stanzas. This allowed the execution of commands on hosts,
where the user would not be allowed to run the specified command.

For the stable distribution (squeeze), this problem has been fixed in
version 1.7.4p4-2.squeeze.3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your sudo packages.

Further information about Debian Security Advi&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-23T19:30:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2601">
    <title>[DSA 2477-1] sympa security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2601</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2477-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 20, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sympa
Vulnerability  : authorization bypass
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2352
Debian Bug     : 

Several vulnerabilities have been discovered in Sympa, a mailing list
manager, that allow the scenario-based authorization mechanisms to be
skipped. This vulnerability allows unauthorized users to display the
archives management page, and to download and delete the list
archives.

For the stable distribution (squeeze), this problem has been fixed in
version 6.0.1+dfsg-4+squeeze1.

For the testing distribution (wheezy), this problem will be fixed
so&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-20T18:54:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2600">
    <title>[DSA 2476-1] pidgin-otr security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2600</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2476-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Jonathan Wiltshire
May 19, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pidgin-otr
Vulnerability  : format string vulnerability
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2369
Debian Bug     : 673154

intrigeri discovered a format string error in pidgin-otr, an off-the-record
messaging plugin for Pidgin.

This could be exploited by a remote attacker to cause arbitrary code to
be executed on the user's machine.

The problem is only in pidgin-otr. Other applications which use libotr are
not affected.

For the stable distribution (squeeze), this problem has been fixed in
version 3.2.0-5+squeeze1.

For the testing distributio&lt;/pre&gt;</description>
    <dc:creator>Jonathan Wiltshire</dc:creator>
    <dc:date>2012-05-19T19:30:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2599">
    <title>[DSA 2475-1] openssl security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2599</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2475-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                          Raphael Geissert
May 17, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
Vulnerability  : integer underflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2333

It was discovered that openssl did not correctly handle explicit
Initialization Vectors for CBC encryption modes, as used in TLS 1.1,
1.2, and DTLS. An incorrect calculation would lead to an integer
underflow and incorrect memory access, causing denial of service
(application crash).

For the stable distribution (squeeze), this problem has been fixed in
version 0.9.8o-4squeeze13.

For the testing distribution (wheezy), and the unstable distribution
(sid), this &lt;/pre&gt;</description>
    <dc:creator>Raphael Geissert</dc:creator>
    <dc:date>2012-05-17T23:14:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2598">
    <title>[DSA 2474-1] ikiwiki security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2598</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2474-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                          Raphael Geissert
May 16, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ikiwiki
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0220

Raúl Benencia discovered that ikiwiki, a wiki compiler, does not
properly escape the author (and its URL) of certain metadata, such as
comments. This might be used to conduct cross-site scripting attacks.

For the stable distribution (squeeze), this problem has been fixed in
version 3.20100815.9.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.20120516.

&lt;/pre&gt;</description>
    <dc:creator>Raphael Geissert</dc:creator>
    <dc:date>2012-05-17T05:17:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2597">
    <title>[DSA 2473-1] openoffice.org security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2597</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2473-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 16, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2012-1149

Tielei Wang discovered that OpenOffice.org does not allocate a large
enough memory region when processing a specially crafted JPEG object,
leading to a heap-based buffer overflow and potentially arbitrary code
execution.

For the stable distribution (squeeze), this problem has been fixed in
version 1:3.2.1-11+squeeze5.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 1:3.4.5-1 of the&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-16T22:04:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2596">
    <title>[DSA 2472-1] gridengine security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2596</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2472-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 15, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gridengine
Vulnerability  : privilege escalation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0208

Dave Love discovered that users who are allowed to submit jobs to a
Grid Engine installation can escalate their privileges to root because
the environment is not properly sanitized before creating processes.

For the stable distribution (squeeze), this problem has been fixed in
version 6.2u5-1squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 6.2u5-6.

We recommend that you upgrade your gridengine packages.

Further inf&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-16T05:54:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2595">
    <title>[DSA 2457-2] New icedove/iceweasel packages fix regression</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2595</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2457-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 13, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceweasel / icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0467 CVE-2012-0470 CVE-2012-0471 CVE-2012-0477 
                 CVE-2012-0479

The updates DSA-2457 and DSA-2458 for Iceweasel and Icedove introduced
a regression, which could lead to crashes when interpreting some
JavaScript statements.

For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-15 for Iceweasel and 2.0.11-12 for Icedove.

The unstable distribution (sid) is not affected.

We recommend that you upgrade your iceweasel and &lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-13T21:09:29</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2594">
    <title>[DSA-2471-1] ffmpeg security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2594</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2471-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 13, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2011-3892 CVE-2011-3893 CVE-2011-3895 CVE-2011-3929 
                 CVE-2011-3936 CVE-2011-3940 CVE-2011-3947 CVE-2012-0853 
                 CVE-2012-0947

Several vulnerabilities have been discovered in FFmpeg, a multimedia 
player, server and encoder. Multiple input validations in the decoders/
demuxers for Westwood Studios VQA, Apple MJPEG-B, Theora, Matroska, 
Vorbis, Sony ATRAC3, DV and NSV files could lead to the execution of
arbitrary code.

These issues were discover&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-13T20:37:22</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2593">
    <title>[DSA 2670-1] wordpress security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2593</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2670-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
May 11, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3122 CVE-2011-3125 CVE-2011-3126 CVE-2011-3127
                 CVE-2011-3128 CVE-2011-3129 CVE-2011-3130 CVE-2011-4956
                 CVE-2011-4957 CVE-2012-2399 CVE-2012-2400 CVE-2012-2401
                 CVE-2012-2402 CVE-2012-2403 CVE-2012-2404
Debian Bug     : 670124

Several vulnerabilities were identified in WordPress, a web blogging
tool.  As the CVEs were allocated from release announcements and
specific fixes are usually not identified, it has been decided to
u&lt;/pre&gt;</description>
    <dc:creator>Yves-Alexis Perez</dc:creator>
    <dc:date>2012-05-11T20:41:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2592">
    <title>[DSA 2469-1] linux-2.6 security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2592</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------
Debian Security Advisory DSA-2469-1                security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Dann Frazier
May 10, 2012                        http://www.debian.org/security/faq
- ----------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : privilege escalation/denial of service
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2011-4086 CVE-2012-0879 CVE-2012-1601 CVE-2012-2123
                 CVE-2012-2133

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2011-4086

    Eric Sandeen reported an issue in the journaling layer for EXT4 filesystems
    (jbd2). Local users can cause buffers to be accessed after they have been
&lt;/pre&gt;</description>
    <dc:creator>dann frazier</dc:creator>
    <dc:date>2012-05-10T15:48:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2591">
    <title>[DSA 2468-1] libjakarta-poi-java security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2591</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2468-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libjakarta-poi-java
Vulnerability  : unbounded memory allocation
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2012-0213

It was discovered that Apache POI, a Java implementation of the
Microsoft Office file formats, would allocate arbitrary amounts of
memory when processing crafted documents.  This could impact the
stability of the Java virtual machine.

For the stable distribution (squeeze), this problem has been fixed in
version 3.6+dfsg-1+squeeze1.

We recommend that you upgrade your libjakarta-poi-java packages.

Further information about Debian Security &lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-09T19:46:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2590">
    <title>[DSA 2422-2] file regression fix</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2590</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2422-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : file
Vulnerability  : regression fix
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1571

A regression was discovered in the security update for file, which
led to false positives on the CDF format. This update fixes that
regression. For reference the original advisory text follows.

The file type identification tool, file, and its associated library,
libmagic, do not properly process malformed files in the Composite
Document File (CDF) format, leading to crashes.

Note that after this update, file may return different detection
results for CDF files (we&lt;/pre&gt;</description>
    <dc:creator>Thijs Kinkhorst</dc:creator>
    <dc:date>2012-05-09T18:23:22</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2589">
    <title>[DSA 2467-1] mahara security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2589</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2467-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mahara
Vulnerability  : insecure defaults
Problem type   : remote
Debian-specific: no

It was discovered that Mahara, the portfolio, weblog, and resume builder,
had an insecure default with regards to SAML-based authentication used
with more than one SAML identity provider. Someone with control over one
IdP could impersonate users from other IdPs.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.6-2+squeeze4.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 1.4.2-1.

We recommend th&lt;/pre&gt;</description>
    <dc:creator>Thijs Kinkhorst</dc:creator>
    <dc:date>2012-05-09T17:47:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2588">
    <title>[DSA 2466-1] rails security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2588</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2466-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : rails
Vulnerability  : cross site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1099
Debian Bug     : 668607

Sergey Nartimov discovered that in Rails, a Ruby based framework for
web development, when developers generate html options tags manually,
user input concatenated with manually built tags may not be escaped
and an attacker can inject arbitrary HTML into the document.

For the stable distribution (squeeze), this problem has been fixed in
version 2.3.5-1.2+squeeze3.

For the testing distribution (wheezy) and unstable distribution (sid),
t&lt;/pre&gt;</description>
    <dc:creator>Thijs Kinkhorst</dc:creator>
    <dc:date>2012-05-09T17:30:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2587">
    <title>[DSA 2465-1] php5 security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2587</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2465-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1172 CVE-2012-1823 CVE-2012-2311

De Eindbazen discovered that PHP, when run with mod_cgi, will
interpret a query string as command line parameters, allowing the
execution of arbitrary code.

Additionally, this update fixes insufficient validation of upload
name which led to corrupted $_FILES indices.

For the stable distribution (squeeze), this problem has been fixed in
version 5.3.3-7+squeeze9.

The testing distribution (wheezy) will be fixed soon.

For the unstable distribution (si&lt;/pre&gt;</description>
    <dc:creator>Thijs Kinkhorst</dc:creator>
    <dc:date>2012-05-09T17:23:53</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2586">
    <title>[DSA 2464-2] icedove regression update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2586</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2464-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 08, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
Debian Bug     : 671408 671410

The latest security update, DSA-2464-1, for Icedove, Debian's version
of the Mozilla Thunderbird mail client, contained a regression: the
removal of UTF-7 support resulted in incorrect display of IMAP folder
names.

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.11-1+squeeze10.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-08T19:28:25</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2585">
    <title>[DSA 2459-2] quagga security update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2585</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2459-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 04, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : quagga
Vulnerability  : regression
Problem type   : remote
Debian-specific: no

The recent quagga update, DSA-2459-1, introduced a memory leak in the
bgpd process in some configurations.

For the stable distribution (squeeze), this problem has been fixed in
version 0.99.20.1-0+squeeze2.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGI&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2012-05-04T21:50:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.debian.user.security.announce/2584">
    <title>[DSA 2462-2] imagemagick regression update</title>
    <link>http://comments.gmane.org/gmane.linux.debian.user.security.announce/2584</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2462-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 3, 2012                            http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0259 CVE-2012-0260 CVE-2012-1185 CVE-2012-1186 
                 CVE-2012-1610 CVE-2012-1798

The initial update introduced a regression, which could lead to errors
when processing some JPEG files.

For the stable distribution (squeeze), this problem has been fixed in
version 6.6.0.4-3+squeeze3.

We recommend that you upgrade your imagemagick packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked ques&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-03T21:53:43</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.debian.user.security.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.debian.user.security.announce</link>
  </textinput>
</rdf:RDF>

