Linux Compatible - Debian (Page 21)

DSA 693-1: New luxman packages fix local root exploit

Debian 10954 Published 2005-03-14 11:49 by Philipp Esselbach 0

New luxman packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 693-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
March 14, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : luxman
Vulnerability : buffer overflow
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0385

Kevin Finisterre discovered a buffer overflow in luxman, an SVGA based PacMan clone, that could lead to the execution of arbitrary commands as root.

For the stable distribution (woody) this problem has been fixed in version 0.41-17.2.

For the unstable distribution (sid) this problem has been fixed in version 0.41-20.

We recommend that you upgrade your luxman package.

DSA 662-2: New squirrelmail package fixes regression

Debian 10954 Published 2005-03-14 09:23 by Philipp Esselbach 0

A new squirrelmail package has been released for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 662-2 security@debian.org
http://www.debian.org/security/ Martin Schulze
March 14th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : squirrelmail
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0104 CAN-2005-0152
Debian Bug : 292714 295836

Andrew Archibald discovered that the last update to squirrelmail which was intended to fix several problems caused a regression which got exposed when the user hits a session timeout. For completeness below is the original advisory text:

Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2005-0104

Upstream developers noticed that an unsanitised variable could lead to cross site scripting.

CAN-2005-0152

Grant Hollingworth discovered that under certain circumstances URL manipulation could lead to the execution of arbitrary code with the privileges of www-data. This problem only exists in version 1.2.6 of Squirrelmail.

For the stable distribution (woody) these problems have been fixed in version 1.2.6-3.

The correction in the unstable distribution (sid) is not affected by this regression.

We recommend that you upgrade your squirrelmail package.

MySQL 4.1.10a for Debian Woody

Debian 10954 Published 2005-03-14 09:20 by Philipp Esselbach 0

DotDeb.org has released new MySQL packages for Debian GNU/Linux 3.0.

Here the apt source for /etc/apt/sources.list:

deb http://packages.dotdeb.org ./

To install MySQL Server 4.1.10a run: apt-get update && apt-get install mysql-server-4.1

DSA 692-1: New kppp packages fix privileged file descriptor leak

Debian 10954 Published 2005-03-08 12:00 by Philipp Esselbach 0

New kppp packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 692-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
March 8th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : kdenetwork
Vulnerability : design flaw
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0205

The KDE team fixed a bug in kppp in 2002 which was now discovered to be exploitable by iDEFENSE. By opening a sufficiently large number of file descriptors before executing kppp which is installed setuid root a local attacker is able to take over privileged file descriptors.

For the stable distribution (woody) this problem has been fixed in version 2.2.2-14.7.

The testing (sarge) and unstable (sid) distributions are not affected since KDE 3.2 already contained the correction.

We recommend that you upgrade your kppp package.

DSA 691-1: New abuse packages fix local root exploit

Debian 10954 Published 2005-03-07 10:44 by Philipp Esselbach 0

New abuse packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 691-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
March 7th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : abuse
Vulnerability : several
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0098 CAN-2005-0099

Several vulnerabilities have been discovered in abuse, the SDL port of the Abuse action game. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2005-0098

Erik Sjölund discovered several buffer overflows in the command line handling, which could lead to the execution of arbitrary code with elevated privileges since it is installed setuid root.

CAN-2005-0099

Steve Kemp discoverd that that abuse creates some files without dropping privileges first, which may lead to the creation and overwriting of arbitrary files.

For the stable distribution (woody) these problems have been fixed in version 2.00+-3woody4.

The unstable distribution (sid) does not contain an abuse package anymore.

We recommend that you upgrade your abuse package.

phpMyAdmin 2.6.1pl2 for Debian Woody

Debian 10954 Published 2005-03-02 06:18 by Philipp Esselbach 0

DotDeb.org has released a new phpMyAdmin 2.6.1pl2 package for Debian GNU/Linux 3.0

Here the apt source for /etc/apt/sources.list:

deb http://packages.dotdeb.org ./

To install phpMyAdmin run: apt-get update && apt-get install phpmyadmin

DSA 690-1: New bsmtpd packages fix arbitrary command execution

Debian 10954 Published 2005-02-25 09:31 by Philipp Esselbach 0

New bsmtpd packages are available for Debian GNU/Linux

--------------------------------------------------------------------------
Debian Security Advisory DSA 690-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 25th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : bsmtpd
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0107

Bastian Blank a vulnerability in bsmtpd, a batched SMTP mailer for sendmail and postfix. Unsanitised addresses can cause the execution of arbitrary commands during alleged mail delivery.

For the stable distribution (woody) this problem has been fixed in version 2.3pl8b-12woody1.

For the unstable distribution (sid) this problem has been fixed in version 2.3pl8b-16.

We recommend that you upgrade your bsmtpd package.

DSA 689-1: New mod_python packages fix information leak

Debian 10954 Published 2005-02-23 08:14 by Philipp Esselbach 0

New mod_python packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 689-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 23rd, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : libapache-mod-python
Vulnerability : missing input sanisiting
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0088

Graham Dumpleton discovered a flaw which can affect anyone using the publisher handle of the Apache Software Foundation's mod_python. The publisher handle lets you publish objects inside modules to make them callable via URL. The flaw allows a carefully crafted URL to obtain extra information that should not be visible (information leak).

For the stable distribution (woody) this problem has been fixed in version 2.7.8-0.0woody5.

For the unstable distribution (sid) this problem has been fixed in version 2.7.10-4 of libapache-mod-python and in version 3.1.3-3 of libapache2-mod-python.

We recommend that you upgrade your libapache-mod-python package.

DSA 688-1: New squid packages fix denial of service

Debian 10954 Published 2005-02-23 05:59 by Philipp Esselbach 0

New sqid packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 688-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 23rd, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : squid
Vulnerability : mising input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0446

Upstream developers have discovered several problems in squid, the Internet object cache, the popular WWW proxy cache. A remote attacker can cause squid to crash via certain DNS responses.

For the stable distribution (woody) these problems have been fixed in version 2.4.6-2woody7.

For the unstable distribution (sid) these problems have been fixed in version 2.5.8-3.

We recommend that you upgrade your squid package.

Debian 3.1 Status Update

Debian 10954 Published 2005-02-22 17:57 by Philipp Esselbach 0

Andreas Barth has posted another status update on the upcoming release of Debian GNU/Linux 3.1

DSA 674-3: New mailman packages really fix several vulnerabilities

Debian 10954 Published 2005-02-21 07:02 by Philipp Esselbach 0

Another mailman update is available for Debian GNU/Linux 3.0

---------------------------------------------------------------------------
Debian Security Advisory DSA 674-3 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 21st, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : mailman
Vulnerability : cross-site scripting, directory traversal
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-1177 CAN-2005-0202

Due to an incompatibility between Python 1.5 and 2.1 the last mailman update did not run with Python 1.5 anymore. This problem is corrected with this update. This advisory only updates the packages updated with DSA 674-2. The version in unstable is not affected since it is not supposed to work with Python 1.5 anymore. For completeness below is the original advisory text:

MySQL 4.1.10 for Debian Woody

Debian 10954 Published 2005-02-18 17:51 by Philipp Esselbach 0

DotDeb.org has released new MySQL 4.1.10 packages for Debian GNU/Linux 3.0. The DotDeb.org main site is still down because of a server crash.

Here the apt source for /etc/apt/sources.list:

deb http://packages.dotdeb.org ./

To install MySQL Server 4.1.10 run: apt-get update && apt-get install mysql-server-4.1

DSA 687-1: New bidwatcher packages fix format string vulnerability

Debian 10954 Published 2005-02-18 13:12 by Philipp Esselbach 0

New bidwatcher packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 687-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 18th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : bidwatcher
Vulnerability : format string
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0158

Ulf Härnhammar from the Debian Security Audit Project discovered a format string vulnerability in bidwatcher, a tool for watching and bidding on eBay auctions. This problem can be triggered remotely by a web server of eBay, or someone pretending to be eBay, sending certain data back. As of version 1.3.17 the program uses cURL and is not vulnerable anymore.

For the stable distribution (woody) this problem has been fixed in version 1.3.3-1woody1.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your bidwatcher package.

DSA 686-1: New gftp packages fix directory traversal vulnerability

Debian 10954 Published 2005-02-17 14:48 by Philipp Esselbach 0

New gftp packages are avialable for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 686-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 17th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : gftp
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0372

Albert Puigsech Galicia discovered a directory traversal vulnerability in a proprietary FTP client (CAN-2004-1376) which is also present in gftp, a GTK+ FTP client. A malicious server could provide a specially crafted filename that could cause arbitrary files to be overwritten or created by the client.

For the stable distribution (woody) this problem has been fixed in version 2.0.11-1woody1.

For the unstable distribution (sid) this problem has been fixed in version 2.0.18-1.

We recommend that you upgrade your gftp package.

DSA 685-1: New emacs21 packages fix arbitrary code execution

Debian 10954 Published 2005-02-17 10:45 by Philipp Esselbach 0

New emacs21 packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 685-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 17th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : emacs21
Vulnerability : format string
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0100

Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs, the well-known editor. Via connecting to a malicious POP server an attacker can execute arbitrary code under the privileges of group mail.

For the stable distribution (woody) these problems have been fixed in version 21.2-1woody3.

For the unstable distribution (sid) these problems have been fixed in version 21.3+1-9.

We recommend that you upgrade your emacs packages.

DSA 684-1: New typespeed packages

Debian 10954 Published 2005-02-16 14:26 by Philipp Esselbach 0

New typespeed packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 684-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 16th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : typespeed
Vulnerability : format string
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0105

Ulf Härnhammar from the Debian Security Audit Project discovered a problem in typespeed, a touch-typist trainer disguised as game. This could lead to a local attacker executing arbitrary code as group games.

For the stable distribution (woody) this problem has been fixed in version 0.4.1-2.3.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your typespeed package.

DSA 683-1: New postgresql packages fix arbitrary code execution

Debian 10954 Published 2005-02-15 13:12 by Philipp Esselbach 0

New postgresql packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 683-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 15th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : postgresql
Vulnerability : buffer overflows
Problem-Type : remote
Debian-specific: no
CVE IDs : CAN-2005-0245 CAN-2005-0247

Several buffer overflows have been discovered in PL/PgSQL as part of the PostgreSQL engine which could lead to the execution of arbitrary code.

For the stable distribution (woody) these problems have been fixed in version 7.2.1-2woody8.

For the unstable distribution (sid) these problems have been fixed in version 7.4.7-2.

We recommend that you upgrade your postgresql packages.

DSA 682-1: New awstats packages fix arbitrary command execution

Debian 10954 Published 2005-02-15 05:14 by Philipp Esselbach 0

New awstats packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 682-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 15th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : awstats
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0363
Debian Bug : 294488

In addition to CAN-2005-0116 more vulnerabilities have been found in awstats, a powerful and featureful web server log analyzer with a CGI frontend. Missing input sanitising can cause arbitrary commands to be executed.

For the stable distribution (woody) this problem has been fixed in version 4.0-0.woody.2.

For the unstable distribution (sid) this problem has been fixed in version 6.2-1.2.

We recommend that you upgrade your awstats package.

DSA 681-1: New synaesthesia packages fix unauthorised file access

Debian 10954 Published 2005-02-14 15:42 by Philipp Esselbach 0

New synaesthesia packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 681-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 14th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : synaesthesia
Vulnerability : privilege escalation
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0070

Erik Sjölund and Devin Carraway discovered that synaesthesia, a program for representing sounds visually, accesses user-controlled configuration and mixer files with elevated privileges. Thus, it is possible to read arbitrary files.

For the stable distribution (woody) this problem has been fixed in version 2.1-2.1woody3.

For the testing (sarge) and unstable (sid) distribution this problem does not exist since synaesthesia is not installed setuid root anymore.

We recommend that you upgrade your synaesthesia package.

DSA 680-1: New htdig packages fix cross-site scripting vulnerability

Debian 10954 Published 2005-02-14 09:42 by Philipp Esselbach 0

New htdig packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 680-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 14th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : htdig
Vulnerability : unsanitised input
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0085

Michael Krax discovered a cross site scripting vulnerability in ht://dig, a web search system for an intranet or small internet.

For the stable distribution (woody) this problem has been fixed in version 3.1.6-3woody1.

For the unstable distribution (sid) this problem has been fixed in version 3.1.6-11.

We recommend that you upgrade your htdig package.