Debian 10954 Published by Philipp Esselbach 0

New tiff packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 626-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 6th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : tiff
Vulnerability : unsanitised input
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-1183

Dmitry V. Levin discovered a buffer overflow in libtiff, the Tag Image File Format library for processing TIFF graphics files. Upon reading a TIFF file it is possible to crash the application, and maybe also to execute arbitrary code.

For the stable distribution (woody) this problem has been fixed in version 3.5.5-6.woody5.

For the unstable distribution (sid) this problem has been fixed in version 3.6.1-5.

We recommend that you upgrade your libtiff package.

New pcal packages are available for Debian GNU/Linux 3.0

---------------------------------------------------------------------------
Debian Security Advisory DSA 625-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 5th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : pcal
Vulnerability : buffer overflows
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-1289
Debian Bug : 287039

Danny Lungstrom discovered two buffer overflows in pcal, a program to generate Postscript calendars, that could lead to the execution of arbitrary code when compiling a calendar.

For the stable distribution (woody) these problems have been fixed in version 4.7-8woody1.

For the unstable distribution (sid) these problems have been fixed in version 4.8.0-1.

We recommend that you upgrade your pcal package.

New zip packages are available for Debian GNU/Linux 3.0

---------------------------------------------------------------------------
Debian Security Advisory DSA 624-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 5th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : zip
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-1010

A buffer overflow has been discovered in zip, the archiver for .zip files. When doing recursive folder compression the program did not check the resulting path length, which would lead to memory being overwritten. A malicious person could convince a user to create an archive containing a specially crafted path name, which could lead to the execution of arbitrary code.

For the stable distribution (woody) this problem has been fixed in version 2.30-5woody2.

For the unstable distribution (sid) this problem has been fixed in version 2.30-8.

We recommend that you upgrade your zip package.

New nasm packages are available for Debian GNU/Linux 3.0

---------------------------------------------------------------------------
Debian Security Advisory DSA 623-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 4th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : nasm
Vulnerability : buffer overflow
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-1287
Debian Bug : 285889

Jonathan Rockway discovered a buffer overflow in nasm, the general-purpose x86 assembler, which could lead to the execution of arbitrary code when compiling a maliciously crafted assembler source file.

For the stable distribution (woody) this problem has been fixed in version 0.98.28cvs-1woody2.

For the unstable distribution (sid) this problem has been fixed in version 0.98.38-1.1.

We recommend that you upgrade your nasm package.

DotDeb.org has released eAccelerator packages for Debian GNU/Linux 3.0. eAccelerator is a fork of Turck MMCache with full PHP5 support.

A new htmlheadline package has been released for Debian GNU/Linux 3.0

---------------------------------------------------------------------------
Debian Security Advisory DSA 622-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 3rd, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : htmlheadline
Vulnerability : insecure temporary files
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-1181

Javier Fernández-Sanguino Peña has discovered multiple insecure uses of temporary files that could lead to overwriting arbitrary files via a symlink attack.

For the stable distribution (woody) these problems have been fixed in version 21.8-3.

The unstable distribution (sid) does not contain this package.

We recommend that you upgrade your htmlheadline package.

Debian GNU/Linux 3.0r4 has been released. CD/DVD images are not available yet. Here is the full announcement:

This is the fourth update of Debian GNU/Linux 3.0 (codename ‘woody’) which mainly adds security updates to the stable release, along with a few corrections to serious problems. Those who frequently update from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

Please note that this update does not produce a new version of Debian GNU/Linux 3.0 but only adds a few updated packages to it. There is no need to throw away 3.0 CDs but only to update against ftp.debian.org after an installation, in order to incorporate those late changes.

Andreas Barth has posted a status update on the next Debian release:

After almost three weeks since the last update, the status of the release is as follows. We would have liked to present sarge as a Christmas present, but regrettably that didn't work out. We still hope that those of you who celebrate Christmas have a Merry Christmas, and we wish you all a Happy New Year.

Blocker number 1 is still that testing-security is not available. Please see the last release update for details of what needs to be done to make it available. Since then, a raw patch for the most urgent changes in katie (the archive maintenance software) has been produced. This patch is currently being refined, and some more testing needs to take place. Once this change is done, the most urgent blocker for bringing up testing-security will be solved. Testing-proposed-updates will be fully usable at about the same time as testing-security.

New imlib packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 618-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
December 24th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : imlib
Vulnerability : buffer overflows, integer overflows
Problem-Type : local/remote
Debian-specific: no
CVE ID : CAN-2004-1025 CAN-2004-1026
BugTraq ID : 11830
Debian Bug : 284925

Pavel Kankovsky discovered that several overflows found in the libXpm library were also present in imlib, an imaging library for X and X11. An attacker could create a carefully crafted image file in such a way that it could cause an application linked with imlib to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2004-1025

Multiple heap-based buffer overflows.

CAN-2004-1026

Multiple integer overflows.

For the stable distribution (woody) these problems have been fixed in version 1.9.14-2woody2.

For the unstable distribution (sid) these problems have been fixed in version 1.9.14-17.1.

We recommend that you upgrade your imlib packages immediately.

New libtiff packages have been released for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 617-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
December 24th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : tiff
Vulnerability : insufficient input validation
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-1308

"infamous41md" discovered a problem in libtiff, the Tag Image File Format library for processing TIFF graphics files. Upon reading a TIFF file it is possible to allocate a zero sized buffer and write to it which would lead to the execution of arbitrary code.

For the stable distribution (woody) this problem has been fixed in version 3.5.5-6woody2.

For the unstable distribution (sid) this problem has been fixed in version 3.6.1-4.

We recommend that you upgrade your libtiff packages immediately.

New telnetd-ssl packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 616-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
December 23rd, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : netkit-telnet-ssl
Vulnerability : format string
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0998

Joel Eriksson discovered a format string vulnerability in telnetd-ssl which may be able to lead to the execution of arbitrary code on the victim's machine.

For the stable distribution (woody) this problem has been fixed in version 0.17.17+0.1-2woody3.

For the unstable distribution (sid) this problem has been fixed in version 0.17.24+0.1-6.

We recommend that you upgrade your telnetd-ssl package immediately.

New debmake packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 615-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
December 22nd, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : debmake
Vulnerability : insecure temporary files
Problem-Type : local
Debian-specific: yes
CVE ID : CAN-2004-1179
Debian Bug : 286382

Javier Fernández-Sanguino Peña noticed that the debstd script from debmake, a deprecated helper package for Debian packaging, created temporary directories in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the victim.

For the stable distribution (woody) this problem has been fixed in version 3.6.10.woody.1.

For the unstable distribution (sid) this problem has been fixed in version 3.7.7.

We recommend that you upgrade your debmake package.

New xzgv packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 614-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
December 21st, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : xzgv
Vulnerability : integer overflows
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0994

Luke "infamous41md" discovered multiple vulnerabilities in xzgv, a picture viewer for X11 with a thumbnail-based selector. Remote exploitation of an integer overflow vulnerability could allow the execution of arbitrary code.

For the stable distribution (woody) these problems have been fixed in version 0.7-6woody2.

For the unstable distribution (sid) these problems have been fixed in version 0.8-3.

We recommend that you upgrade your xzgv package immediately.

New ethereal packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 613-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
December 21st, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : ethereal
Vulnerability : infinite loop
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-1142

Brian Caswell discovered that an improperly formatted SMB packet could make ethereal hang and eat CPU endlessly.

For the stable distribution (woody) this problem has been fixed in version 0.9.4-1woody9.

For the unstable distribution (sid) this problem has been fixed in version 0.10.8-1.

We recommend that you upgrade your ethereal packages.