DSA 744-1: New fuse packages fix information disclosure

Debian 10954 Published by Philipp Esselbach 0

New fuse packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 744-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 8th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : fuse
Vulnerability : programming error
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-1858
BugTraq ID : 13857
Debian Bug : 311634

Sven Tantau discovered a security problem in fuse, a filesystem in userspace, that can be exploited by malicious, local users to disclose potentially sensitive information.

The old stable distribution (woody) does not contain the fuse package.

For the stable distribution (sarge) this problem has been fixed in version 2.2.1-4sarge2.

For the unstable distribution (sid) this problem has been fixed in version 2.3.0-1.

We recommend that you upgrade your fuse package.

DSA 743-1: New ht packages fix arbitrary code execution

Debian 10954 Published by Philipp Esselbach 0

New ht packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 743-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 8th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : ht
Vulnerability : buffer overflows, integer overflows
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-1545 CAN-2005-1546

Several problems have been discovered in ht, a viewer, editor and analyser for various executables, that may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2005-1545

Tavis Ormandy of the Gentoo Linux Security Team discovered an
integer overflow in the ELF parser.

CAN-2005-1546

The authors have discovered a buffer overflow in the PE parser.

For the old stable distribution (woody) these problems have been fixed in version 0.5.0-1woody4. For the HP Precision architecture, you are advised not to use this package anymore since we cannot provide updated packages as it doesn't compile anymore.

For the stable distribution (sarge) these problems have been fixed in version 0.8.0-2sarge4.

For the unstable distribution (sid) these problems have been fixed in version ht_0.8.0-3.

We recommend that you upgrade your ht package.

DSA 735-2: New sudo packages fix pathname validation race

Debian 10954 Published by Philipp Esselbach 0

New sudo packages are available for Debian GNU/Linux ARM and Intel ia64

-------------------------------------------------------------------------
Debian Security Advisory DSA 735-2 security@debian.org
http://www.debian.org/security/ Michael Stone
July 07, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : sudo
Vulnerability : pathname validation race
Problem type : local
Debian-specific: no
CVE Id(s) : CAN-2005-1993
Debian Bug : 315115

A local user who has been granted permission to run commands via sudo could run arbitrary commands as a privileged user due to a flaw in sudo's pathname validation. This bug only affects configurations which have restricted user configurations prior to an ALL directive in the configuration file. A workaround is to move any ALL directives to the beginning of the sudoers file; see the advisory at http://www.sudo.ws/sudo/alerts/path_race.html for more information.

For the old stable Debian distribution (woody), this problem has been fixed in version 1.6.6-1.3woody1.

For the current stable distribution (sarge), this problem has been fixed in version 1.6.8p7-1.1sarge1.

For the unstable distribution, this problem has been fixed in version 1.6.8p9-1.

The only change since DSA 735-1 is the addition of certain architectures which were not available in the original advisory.

We recommend that you upgrade your sudo package.

DSA 736-2: New spamassassin packages fix potential DOS

Debian 10954 Published by Philipp Esselbach 0

New samassassin packages are available for Debian GNU/Linux ARM and HP PA RISC

-------------------------------------------------------------------------
Debian Security Advisory DSA 736-2 security@debian.org
http://www.debian.org/security/ Michael Stone
July 07, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : spamassassin
Vulnerability : mail header parsing error
Problem type : remote DOS
Debian-specific: no
CVE Id(s) : CAN-2005-1266
Debian Bug : 314447

A vulnerability was recently found in the way that SpamAssassin parses certain email headers. This vulnerability could cause SpamAssassin to consume a large number of CPU cycles when processing messages containing these headers, leading to a potential denial of service (DOS) attack.

The version of SpamAssassin in the old stable distribution (woody) is not vulnerable.

For the stable distribution (sarge), this problem has been fixed in version 3.0.3-2. Note that packages are not yet ready for certain architectures; these will be released as they become available.

For the unstable distribution (sid), this problem has been fixed in version 3.0.4-1.

The only change since DSA 736-1 is the addition of packages for certain architectures that were not available at the time of the original advisory.

We recommend that you upgrade your sarge or sid spamassassin package.

DSA 742-1: New cvs packages fix arbitrary code execution

Debian 10954 Published by Philipp Esselbach 0

A cvs update has been released for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 742-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 7th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : cvs
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0753
Debian Bug : 305254

Derek Price, the current maintainer of CVS, discovered a buffer overflow in the CVS server, that serves the popular Concurrent Versions System, which could lead to the execution of arbitrary code.

For the old stable distribution (woody) this problem has been fixed in
version 1.11.1p1debian-12.

For the stable distribution (sarge) this problem has been fixed in
version 1.12.9-13.

For the unstable distribution (sid) this problem has been fixed in
version 1.12.9-13.

We recommend that you upgrade your cvs package.

DSA 741-1: New bzip2 packages prevent decompression bomb

Debian 10954 Published by Philipp Esselbach 0

New bzip2 packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 741-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 7th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : bzip2
Vulnerability : infinite loop
Problem-Type : local (remote)
Debian-specific: no
CVE ID : CAN-2005-1260
Debian Bug : 310803

Chris Evans discovered that a specially crafted archive can trigger an infinete loop in bzip2, a high-quality block-sorting file compressor. During uncompression this results in an indefinitively growing output file which will finally fill up the disk and. On systems that automatically decompress bzip2 archives this can cause a denial of service.

For the oldstable distribution (woody) this problem has been fixed in
version 1.0.2-1.woody5.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.2-7.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.2-7.

We recommend that you upgrade your bzip2 package.

DSA 740-1: New zlib packages fix denial of service

Debian 10954 Published by Philipp Esselbach 0

New zlib packages are available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA 740-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 06, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : zlib
Vulnerability : buffer overflow
Problem type : remote DOS
Debian-specific: no
CVE Id(s) : CAN-2005-2096

An error in the way zlib handles the inflation of certain compressed files can cause a program which uses zlib to crash when opening an invalid file.

This problem does not affect the old stable distribution (woody).

For the stable distribution (sarge), this problem has been fixed in
version 1.2.2-4.sarge.1.

For the unstable distribution, this problem has been fixed in version
1.2.2-7.

We recommend that you upgrade your clamav package.

DSA 739-1: New trac package fixes upload/download vulnerability

Debian 10954 Published by Philipp Esselbach 0

A trac security update has been released for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 739-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 6th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : trac
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no

Stefan Esser discovered an input validation flaw within Trac, a wiki and issue tracking system, that allows download/upload of files and therefore can lead to remote code execution in some configurations.

The old stable distribution (woody) does not contain the trac package.

For the stable distribution (sarge) this problem has been fixed in
version 0.8.1-3sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 0.8.4-1.

We recommend that you upgrade your trac package.

DSA 738-1: New razor packages fix potential DOS

Debian 10954 Published by Philipp Esselbach 0

New razor packages are available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA 738-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 05, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : razor
Vulnerability : email header parsing error
Problem type : remote DOS
Debian-specific: no
CVE Id(s) : CAN-2005-2024

A vulnerability was discovered in the way that Razor parses certain email headers that could potentially be used to crash the Razor program, causing a denial of service (DOS).

For the stable distribution (sarge), this problem has been fixed in version 2.670-1sarge2.

The old stable distribution (woody) is not affected by this issue.

We recommend that you upgrade your razor package.

DSA 737-1: New clamav packages fix potential DOS

Debian 10954 Published by Philipp Esselbach 0

New clamav packages are available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA 737-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 05, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : clamav
Vulnerability : various DOS vulnerabilities
Problem type : remote DOS
Debian-specific: no
CVE Id(s) : CAN-2005-1922, CAN-2005-1923, CAN-2005-2056, CAN-2005-2070

A number of potential remote DOS vulnerabilities have been identified in ClamAV. In addition to the four issues identified by CVE ID above, there are fixes for issues in libclamav/cvd.c and libclamav/message.c. Together, these issues could allow a carefully crafted message to crash a ClamAV scanner or exhaust various resources on the machine running the scanner.

For the stable distribution (sarge), these problems have been fixed in version 0.84-2.sarge.1.

We recommend that you upgrade your clamav package.

DSA 734-1: New gaim packages fix denial of service

Debian 10954 Published by Philipp Esselbach 0

A gaim security update is available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 734-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 5th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : gaim
Vulnerability : denial of service
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1269 CAN-2005-1934

Two denial of service problems have been discovered in Gaim, a multi-protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2005-1269

A malformed Yahoo filename can result in a crash of the application.

CAN-2005-1934

A malformed MSN message can lead to incorrect memory allocation
resulting in a crash of the application.

The old stable distribution (woody) does not seem to be affected.

For the stable distribution (sarge) these problems have been fixed in
version 1.2.1-1.3.

For the unstable distribution (sid) these problems have been fixed in
version 1.3.1-1.

We recommend that you upgrade your gaim package.

DSA 725-2: New ppxp packages fix local root exploit

Debian 10954 Published by Philipp Esselbach 0

New ppxp packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 725-2 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 4th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : ppxp
Vulnerability : missing privilege release
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0392

Jens Steube discovered that ppxp, yet another PPP program, does not release root privileges when opening potentially user supplied log files. This can be tricked into opening a root shell.

For the old stable distribution (woody) this problem has been
fixed in version 0.2001080415-6woody1 (DSA 725-1).

For the stable distribution (sarge) this problem has been fixed in
version 0.2001080415-10sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 0.2001080415-11.

We recommend that you upgrade your ppxp package.

DSA 736-1: New spamassassin packages fix potential DOS

Debian 10954 Published by Philipp Esselbach 0

New spamassassin packages are available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory 736-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 01, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : spamassassin
Vulnerability : mail header parsing error
Problem type : remote DOS
Debian-specific: no
CVE Id(s) : CAN-2005-1266
Debian Bug : 314447

A vulnerability was recently found in the way that SpamAssassin parses certain email headers. This vulnerability could cause SpamAssassin to consume a large number of CPU cycles when processing messages containing these headers, leading to a potential denial of service (DOS) attack.

The version of SpamAssassin in the old stable distribution (woody) is not vulnerable.

For the stable distribution (sarge), this problem has been fixed in version 3.0.3-2. Note that packages are not yet ready for certain architectures; these will be released as they become available.

For the unstable distribution (sid), this problem has been fixed in version 3.0.4-1.

We recommend that you upgrade your sarge or sid spamassassin package.

DSA 735-1: New sudo packages fix pathname validation race

Debian 10954 Published by Philipp Esselbach 0

New sudo packages are available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory 735-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 01, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : sudo
Vulnerability : pathname validation race
Problem type : local
Debian-specific: no
CVE Id(s) : CAN-2005-1993
Debian Bug : 315115

A local user who has been granted permission to run commands via sudo could run arbitrary commands as a privileged user due to a flaw in sudo's pathname validation. This bug only affects configurations which have restricted user configurations prior to an ALL directive in the configuration file. A workaround is to move any ALL directives to the beginning of the sudoers file; see the advisory at http://www.sudo.ws/sudo/alerts/path_race.html for more information.

For the old stable Debian distribution (woody), this problem has been fixed in version 1.6.6-1.3woody1. For the current stable distribution (sarge), this problem has been fixed in version 1.6.8p7-1.1sarge1. Note that packages are not yet ready for certain architectures; these will be released as they become available.

We recommend that you upgrade your sudo package.

DSA 733-1: New crip packages fix insecure temporary files

Debian 10954 Published by Philipp Esselbach 0

New crip packages are available for Debian GNU/Linux
- --------------------------------------------------------------------------
Debian Security Advisory DSA 733-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
June 30th, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : crip
Vulnerability : insecure temporary files
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0393
CERT advisory :
BugTraq ID :
Debian Bug :

Justin Rye discovered that crip, a terminal-based ripper, encoder and tagger tool, utilises temporary files in an insecure fashion in its helper scripts.

The old stable distribution (woody) does not provide the crip package.

For the stable distribution (sarge) this problem has been fixed in version 3.5-1sarge2.

For the unstable distribution (sid) this problem has been fixed in version 3.5-1sarge2.

We recommend that you upgrade your crip package.

Debian 3.1r0 CD/DVD image problem

Debian 10954 Published by Philipp Esselbach 0

A bug has been discovered in the 3.1r0 CD/DVD images: new installs fromthese images will have a commented-out entry in /etc/apt/sources.list for "http://security.debian.org/ testing/updates" rather than an active entry for "http://security.debian.org/ stable/updates", and thus will not get security updates by default. This was due to incorrect Release files on the images.

DSA 732-1: New mailutils packages fix several vulnerabilities

Debian 10954 Published by Philipp Esselbach 0

New mailutils packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 732-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
June 3rd, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : mailutils
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1520 CAN-2005-1521 CAN-2005-1522 CAN-2005-1523

"infamous41md" discovered several vulnerabilities in the GNU mailutils package which contains utilities for handling mail. These problems can lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities.

CAN-2005-1520

Buffer overflow mail header handling may allow a remote attacker to execute commands with the privileges of the targeted user.

CAN-2005-1521

Combined integer and heap overflow in the fetch routine can lead to the execution of arbitrary code.

CAN-2005-1522

Denial of service in the fetch routine.

CAN-2005-1523

Format string vulnerability can lead to the execution of arbitrary code.

For the stable distribution (woody) these problems have been fixed in version 20020409-1woody2.

For the testing distribution (sarge) these problems have been fixed in version 0.6.1-4.

For the unstable distribution (sid) these problems have been fixed in version 0.6.1-4.

We recommend that you upgrade your mailutils packages.

DSA 731-1: New krb4 packages fix arbitrary code execution

Debian 10954 Published by Philipp Esselbach 0

New krb4 packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 731-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
June 2nd, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : krb4
Vulnerability : buffer overflows
Problem-Type : remote
Debian-specific: no
CVE IDs : CAN-2005-0468 CAN-2005-0469
CERT advisories: VU#341908 VU#291924

Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2005-0468

Gaël Delalleau discovered a buffer overflow in the env_opt_add() function that allow a remote attacker to execute arbitrary code.

CAN-2005-0469

Gaël Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.

For the stable distribution (woody) these problems have been fixed in version 1.1-8-2.4.

For the testing distribution (sarge) these problems have been fixed in version 1.2.2-11.2.

For the unstable distribution (sid) these problems have been fixed in version 1.2.2-11.2.

We recommend that you upgrade your krb4 packages.

Debian GNU/Linux 3.0 updated (r6)

Debian 10954 Published by Philipp Esselbach 0

Debian GNU/Linux 3.0r6 has been released:

This is the sixth and final update of Debian GNU/Linux 3.0 (codename ‘woody’) which mainly adds security updates to the stable release, along with a few corrections to serious problems. Those who frequently update from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

Please note that this update does not produce a new version of Debian GNU/Linux 3.0 but only adds a few updated packages to it. There is no need to throw away 3.0 CDs but only to update against ftp.debian.org after an installation, in order to incorporate those late changes.

Upgrading to this revision online is usually done by pointing the ‘apt’ package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at:
http://www.debian.org/mirror/list

Previous Page

Next Page

Windows

Linux

macOS

Community

  • Lexonight
    Hey everyone,Wanted to share a project I've been b ...
  • SeveG
    need some help here... situationPC= Packard BellOS= win1 ...
  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...