DSA 761-1: New heartbeat packages fix insecure temporary files

Debian 10954 Published by Philipp Esselbach 0

New heartbeat packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 761-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 19th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : heartbeat
Vulnerability : insecure temporary files
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-2231

Eric Romang discovered several insecure temporary file creations in heartbeat, the subsystem for High-Availability Linux.

For the old stable distribution (woody) these problems have been fixed in version 0.4.9.0l-7.3.

For the stable distribution (sarge) these problems have been fixed in version 1.2.3-9sarge2.

For the unstable distribution (sid) these problems have been fixed in version 1.2.3-12.

We recommend that you upgrade your heartbeat package.

DSA 760-1: New ekg packages fix several vulnerabilities

Debian 10954 Published by Philipp Esselbach 0

New ekg packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 760-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 18th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : ekg
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1850 CAN-2005-1851 CAN-2005-1916
Debian Bug : 317027 318059

Several vulnerabilities have been discovered in ekg, a console Gadu Gadu client, an instant messaging program. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CAN-2005-1850

Marcin Owsiany and Wojtek Kaniewski discovered insecure temporary file creation in contributed scripts.

CAN-2005-1851

Marcin Owsiany and Wojtek Kaniewski discovered potential shell command injection in a contributed script.

CAN-2005-1916

Eric Romang discovered insecure temporary file creation and arbitrary command execution in a contributed script that can be exploited by a local attacker.

The old stable distribution (woody) does not contain an ekg package.

For the stable distribution (sarge) these problems have been fixed in version 1.5+20050411-4.

For the unstable distribution (sid) these problems have been fixed in version 1.5+20050712+1.6rc2-1.

We recommend that you upgrade your ekg package.

DSA 759-1: New phppgadmin packages

Debian 10954 Published by Philipp Esselbach 0

New phppgadmin packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 759-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 18th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : phppgadmin
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2256
BugTraq ID : 14142

A vulnerability has been discovered in phppgadmin, a set of PHP scripts to administrate PostgreSQL over the WWW, that can lead to disclose sensitive information. Successful exploitation requires that "magic_quotes_gpc" is disabled.

the old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 3.5.2-5.

For the unstable distribution (sid) this problem has been fixed in version 3.5.4.

We recommend that you upgrade your phppgadmin package.

DSA 758-1: New heimdal packages fix arbitrary code execution

Debian 10954 Published by Philipp Esselbach 0

New heimdal packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 758-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 18th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : heimdal
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2040

A buffer overflow has been discovered in the telnet server from Heimdal, a free implementation of Kerberos 5, that could lead to the execution of arbitrary code.

For the old stable distribution (woody) this problem has been fixed in version 0.4e-7.woody.10.

For the stable distribution (sarge) this problem has been fixed in version 0.6.3-10sarge1.

For the unstable distribution (sid) this problem has been fixed in version 0.6.3-11.

We recommend that you upgrade your heimdal packages.

DSA 757-1: New krb5 packages fix multiple vulnerabilities

Debian 10954 Published by Philipp Esselbach 0

New krb5 packages are available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA 757-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 17, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : krb5
Vulnerability : remote code execution, denial of service
Problem type : buffer overflow, double-free memory
Debian-specific: no
CVE Id : CAN-2005-1689 CAN-2005-1174 CAN-2005-1175

Daniel Wachdorf reported two problems in the MIT krb5 distribution used for network authentication. First, the KDC program from the krb5-kdc package can corrupt the heap by trying to free memory which has already been freed on receipt of a certain TCP connection. This vulnerability can cause the KDC to crash, leading to a denial of service. [CAN-2005-1174] Second, under certain rare circumstances this type of request can lead to a buffer overflow and remote code execution. [CAN-2005-1175]

Additionally, Magnus Hagander reported another problem in which the krb5_recvauth function can in certain circumstances free previously freed memory, potentially leading to the execution of remote code. [CAN-2005-1689]

All of these vulnerabilities are believed difficult to exploit, and no exploits have yet been discovered.

For the old stable distribution (woody), these problems have been fixed in version 1.2.4-5woody10. Note that woody's KDC does not have TCP support and is not vulnerable to CAN-2005-1174.

For the stable distribution (sarge), these problems have been fixed in version 1.3.6-2sarge2.

For the unstable distribution (sid), these problems have been fixed in version 1.3.6-4.

We recommend that you upgrade your krb5 package.

DSA 746-1: New packages fix remote command execution in phpgroupware

Debian 10954 Published by Philipp Esselbach 0

A phpgroupware update is avaialble for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA 746-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 13, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : phpgroupware
Vulnerability : remote command execution
Problem type : input validation error
Debian-specific: no
CVE Id(s) : CAN-2005-1921

A vulnerability had been identified in the xmlrpc library included with phpgroupware, a web-based application including email, calendar and other groupware functionality. This vulnerability could lead to the execution of arbitrary commands on the server running phpgroupware.

The security team is continuing to investigate the version of phpgroupware included with the old stable distribution (sarge). At this time we recommend disabling phpgroupware or upgrading to the current stable distribution (sarge).

For the current stable distribution (sarge) this problem has been fixed in version 0.9.16.005-3.sarge0.

For the unstable distribution (sid) this problem has been fixed in version 0.9.16.006-1.

We recommend that you upgrade your phpgroupware package.

DSA 756-1: New squirrelmail packages fix several vulnerabilities

Debian 10954 Published by Philipp Esselbach 0

New squirrelmail packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 756-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 13th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : squirrelmail
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE IDs : CAN-2005-1769 CAN-2005-2095
Debian Bug : 314374 317094

Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2005-1769

Martijn Brinkers discovered cross-site scripting vulnerabilities that allow remote attackers to inject arbitrary web script or HTML in the URL and e-mail messages.

CAN-2005-2095

James Bercegay of GulfTech Security discovered a vulnerability in the variable handling which could lead to attackers altering other people's preferences and possibly reading them, writing files at any location writable for www-data and cross site scripting.

For the old stable distribution (woody) these problems have been fixed in version 1.2.6-4.

For the stable distribution (sarge) these problems have been fixed in version 1.4.4-6sarge1.

For the unstable distribution (sid) these problems have been fixed in version 1.4.4-6sarge1.

We recommend that you upgrade your squirrelmail package.

DSA 755-1: New tiff packages fix arbitrary code execution

Debian 10954 Published by Philipp Esselbach 0

New tiff packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 755-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 13th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : tiff
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1544
Debian Bug : 309739

Frank Warmerdam discovered a stack-based buffer overflow in libtiff, the Tag Image File Format library for processing TIFF graphics files that can lead to the executionof arbitrary code via malformed TIFF files.

For the old stable distribution (woody) this problem has been fixed in version 3.5.5-7

For the stable distribution (sarge) this problem has been fixed in version 3.7.2-3.

For the unstable distribution (sid) this problem has been fixed in version 3.7.2-3.

We recommend that you upgrade your libtiff packages.

DSA 754-1: New centericq packages fix insecure temporary file creation

Debian 10954 Published by Philipp Esselbach 0

New centericq packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 754-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 13th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : centericq
Vulnerability : insecure temporary file
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-1914
BugTraq ID : 14144

Eric Romang discovered that centericq, a text-mode multi-protocol instant messenger client, creates some temporary files with predictable filenames and is hence vulnerable to symlink attacks by local attackers.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 4.20.0-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 4.20.0-7.

We recommend that you upgrade your centericq package.

DSA 753-1: New gedit packages fix denial of service

Debian 10954 Published by Philipp Esselbach 0

A gedit security update has been released for Debian GNU/Linux

- --------------------------------------------------------------------------
Debian Security Advisory DSA 753-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 12th, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : gedit
Vulnerability : format string
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1686

A format string vulnerability has been discovered in gedit, a light-weight text editor for GNOME, that may allow attackers to cause a denial of service (application crash) via a binary file with format string specifiers in the filename. Since gedit supports opening files via "http://" URLs (through GNOME vfs) and other schemes, this might be a remotely exploitable vulnerability.

The old stable distribution (woody) is not vulnerable to this problem.

For the stable distribution (sarge) this problem has been fixed in version 2.8.3-4sarge1.

For the unstable distribution (sid) this problem has been fixed in version 2.10.3-1.

We recommend that you upgrade your gedit package.

DSA 752-1: New gzip packages fix several vulnerabilities

Debian 10954 Published by Philipp Esselbach 0

New gzip packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 752-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 11th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : gzip
Vulnerability : several
Problem-Type : local (remote)
Debian-specific: no
CVE ID : CAN-2005-0988 CAN-2005-1228
Debian Bug : 305255

Two problems have been discovered in gzip, the GNU compression utility. The Common Vulnerabilities and Exposures project identifies the following problems.

CAN-2005-0988

Imran Ghory discovered a race condition in the permissions setting code in gzip. When decompressing a file in a directory an attacker has access to, gunzip could be tricked to set the file permissions to a different file the user has permissions to.

CAN-2005-1228

Ulf Härnhammar discovered a path traversal vulnerability in gunzip. When gunzip is used with the -N option an attacker could this vulnerability to create files in an arbitrary directory with the permissions of the user.

For the oldstable distribution (woody) these problems have been fixed in version 1.3.2-3woody5.

For the stable distribution (sarge) these problems have been fixed in version 1.3.5-10.

For the unstable distribution (sid) these problems have been fixed in version 1.3.5-10.

We recommend that you upgrade your gzip package.

DSA 751-1: New squid packages fix IP spoofing vulnerability

Debian 10954 Published by Philipp Esselbach 0

New squid packages are available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 751-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 11th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : squid
Vulnerability : IP spoofing
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1519
Debian Bug : 309504

The upstream developers have discovered a bug in the DNS lookup code of Squid, the popular WWW proxy cache. When the DNS client UDP port (assigned by the operating system at startup) is unfiltered and the network is not protected from IP spoofing, malicious users can spoof DNS lookups which could result in users being redirected to arbitrary web sites.

For the old stable distribution (woody) this problem has been fixed in version 2.4.6-2woody9.

For the stable distribution (sarge) this problem has already been fixed in version squid-2.5.9-9.

For the unstable distribution (sid) this problem has already been fixed in version squid-2.5.9-9.

We recommend that you upgrade your squid package.

DSA 750-1: New dhcpcd packages fix denial of service

Debian 10954 Published by Philipp Esselbach 0

New dhcpcd packages are avaialble for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 750-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 11th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : dhcpcd
Vulnerability : out-of-bound memory access
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1848

"infamous42md" discovered that dhcpcd, a DHCP client for automatically configuring IPv4 networking, can be tricked into reading past the end of the supplied DHCP buffer which could lead to the daemon crashing.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 1.3.22pl4-21sarge1.

For the unstable distribution (sid) this problem has been fixed in version 1.3.22pl4-22.

We recommend that you upgrade your dhcpcd package.

DSA 748-1: New ruby1.8 packages fix arbitrary command execution

Debian 10954 Published by Philipp Esselbach 0

New ruby1.8 packages are available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA 748-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 10, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ruby1.8
Vulnerability : arbitrary command execution
Problem type : bad default value
Debian-specific: no
CVE ID : CAN-2005-1992

A vulnerability has been discovered in ruby1.8 that could allow arbitrary command execution on a server running the ruby xmlrpc server.

The old stable distribution (woody) did not include ruby1.8.

This problem is fixed for the current stable distribution (sarge) in version 1.8.2-7sarge1.

This problem is fixed for the unstable distribution in version 1.8.2-8.

We recommend that you upgrade your ruby1.8 package.

DSA 749-1: New ettercap packages fix arbitrary code execution

Debian 10954 Published by Philipp Esselbach 0

New ettercap packages aare available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA 749-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 10, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ettercap
Vulnerability : arbitrary code execution
Problem type : format string error
Debian-specific: no
CVE Id(s) : CAN-2005-1796

A vulnerability was discovered in the ettercap package which could allow a remote attacker to execute arbitrary code on the system running ettercap.

The old stable distribution (woody) did not include ettercap.

For the stable distribution (sarge), this problem has been fixed in version 0.7.1-1sarge1.

For the unstable distribution (sid), this problem has been fixed in version 0.7.3-1.

We recommend that you upgrade your ettercap package.

DSA 747-1: New egroupware packages fix remote command execution

Debian 10954 Published by Philipp Esselbach 0

New egroupware packages are available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA 747-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 10, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : egroupware
Vulnerability : remote command execution
Problem type : input validation error
Debian-specific: no
CVE Id(s) : CAN-2005-1921

A vulernability has been identified in the xmlrpc library included in the egroupware package. This vulnerability could lead to the execution of arbitrary commands on the server running egroupware.

The old stable distribution (woody) did not include egroupware.

For the current stable distribution (sarge), this problem is fixed in version 1.0.0.007-2.dfsg-2sarge1.

For the unstable distribution (sid), this problem is fixed in version 1.0.0.007-3.dfsg-1.

We recommend that you upgrade your egroupware package.

DSA 745-1: New drupal package fixes multiple vulnerabilities

Debian 10954 Published by Philipp Esselbach 0

New drupal packages are available for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA 745-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 10, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : drupal
Vulnerability : arbitrary command execution
Problem type : input validation errors
Debian-specific: no
CVE Id(s) : CAN-2005-1921, CAN-2005-2106, CAN-2005-2116

Two input validation errors were discovered in drupal and its bundled xmlrpc module. These errors can lead to the execution of arbitrary commands on the web server running drupal.

drupal was not included in the old stable distribution (woody).

For the current stable distribution (sarge), these problems have been fixed in version 4.5.3-3.

For the unstable distribution (sid), these problems have been fixed in version 4.5.4-1.

We recommend that you upgrade your drupal package.

Previous Page

Next Page

Windows

Linux

macOS

Community

  • Lexonight
    Hey everyone,Wanted to share a project I've been b ...
  • SeveG
    need some help here... situationPC= Packard BellOS= win1 ...
  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...