The Debian Security Team has published a new security update for Debian GNU/Linux. Here the announcement:
The Debian Security Team has published a new security update for Debian GNU/Linux. Here the announcement:
The Debian Security Team has published a new security update for Debian GNU/Linux. Here the announcement:
The Debian Security Team has published a new security update for Debian GNU/Linux. Here the announcement:
The Debian Security Team has published a new security update for Debian GNU/Linux. Here the announcement:
The Debian Security Team has published a new security update for Debian GNU/Linux. Here the announcement:
The Debian Security Team has published a new security update for Debian GNU/Linux. Here the announcement:
The Debian Security Team has published a new security update for Debian GNU/Linux. Here the announcement:
New amd64 packages are available for Debian GNU/Linux 3.1
---------------------------------------------------------------------------
Debian Security Advisory DSA 773-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 11th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : several
Vulnerability : several
Problem-Type : local and remote
Debian-specific: no
This advisory adds security support for the stable amd64 distribution. It covers all security updates since the release of sarge, which were missing updated packages for the not yet official amd64 port. Future security advisories will include updates for this port as well.
---------------------------------------------------------------------------
Debian Security Advisory DSA 773-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 11th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : several
Vulnerability : several
Problem-Type : local and remote
Debian-specific: no
This advisory adds security support for the stable amd64 distribution. It covers all security updates since the release of sarge, which were missing updated packages for the not yet official amd64 port. Future security advisories will include updates for this port as well.
A new apt-cacher package is available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 772-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 3rd, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : apt-cacher
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: yes
CVE ID : CAN-2005-1854
Eduard Bloch discovered a bug in apt-cacher, a caching system for Debian package and source files, that could allow remote attackers to execute arbitrary commands on the caching host as user www-data.
The old stable distribution (woody) does not contain this package.
For the stable distribution (sarge) this problem has been fixed in version 0.9.4sarge1.
For the unstable distribution (sid) this problem has been fixed in version 0.9.10.
We recommend that you upgrade your apt-cacher package.
---------------------------------------------------------------------------
Debian Security Advisory DSA 772-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 3rd, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : apt-cacher
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: yes
CVE ID : CAN-2005-1854
Eduard Bloch discovered a bug in apt-cacher, a caching system for Debian package and source files, that could allow remote attackers to execute arbitrary commands on the caching host as user www-data.
The old stable distribution (woody) does not contain this package.
For the stable distribution (sarge) this problem has been fixed in version 0.9.4sarge1.
For the unstable distribution (sid) this problem has been fixed in version 0.9.10.
We recommend that you upgrade your apt-cacher package.
New pdns packages are available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 771-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 1st, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : pdns
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2301 CAN-2005-2302
Debian Bug : 318798
Several problems have been discovered in pdns, a versatile nameserver that can lead to a denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:
CAN-2005-2301
Norbert Sendetzky and Jan de Groot discoverd that the LDAP backend did not properly escape all queries, allowing it to fail and not answer queries anymore.
CAN-2005-2302
Wilco Baan discovered that queries from clients without recursion permission can temporarily blank out domains to clients with recursion permitted. This enables outside users to blank out a domain temporarily to normal users.
The old stable distribution (woody) does not contain pdns packages.
For the stable distribution (sarge) these problems have been fixed in version 2.9.17-13sarge1.
For the unstable distribution (sid) these problems have been fixed in version 2.9.18-1.
We recommend that you upgrade your pdns package.
---------------------------------------------------------------------------
Debian Security Advisory DSA 771-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 1st, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : pdns
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2301 CAN-2005-2302
Debian Bug : 318798
Several problems have been discovered in pdns, a versatile nameserver that can lead to a denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:
CAN-2005-2301
Norbert Sendetzky and Jan de Groot discoverd that the LDAP backend did not properly escape all queries, allowing it to fail and not answer queries anymore.
CAN-2005-2302
Wilco Baan discovered that queries from clients without recursion permission can temporarily blank out domains to clients with recursion permitted. This enables outside users to blank out a domain temporarily to normal users.
The old stable distribution (woody) does not contain pdns packages.
For the stable distribution (sarge) these problems have been fixed in version 2.9.17-13sarge1.
For the unstable distribution (sid) these problems have been fixed in version 2.9.18-1.
We recommend that you upgrade your pdns package.
New gopher packages are available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 770-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 29th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : gopher
Vulnerability : insecure tmpfile creating
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-1853
John Goerzen discovered that gopher, a client for the Gopher Distributed Hypertext protocol, creates temporary files in an insecure fashion.
For the old stable distribution (woody) this problem has been fixed in version 3.0.3woody3.
For the stable distribution (sarge) this problem has been fixed in version 3.0.7sarge1.
For the unstable distribution (sid) this problem has been fixed in version 3.0.9.
We recommend that you upgrade your gopher package.
---------------------------------------------------------------------------
Debian Security Advisory DSA 770-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 29th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : gopher
Vulnerability : insecure tmpfile creating
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-1853
John Goerzen discovered that gopher, a client for the Gopher Distributed Hypertext protocol, creates temporary files in an insecure fashion.
For the old stable distribution (woody) this problem has been fixed in version 3.0.3woody3.
For the stable distribution (sarge) this problem has been fixed in version 3.0.7sarge1.
For the unstable distribution (sid) this problem has been fixed in version 3.0.9.
We recommend that you upgrade your gopher package.
New gaim packages are available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 769-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 29th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : gaim
Vulnerability : memory alignment bug
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2370
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
The old stable distribution (woody) does not seem to be affected by this problem.
For the stable distribution (sarge) this problem has been fixed in version 1.2.1-1.4.
For the unstable distribution (sid) this problem will be fixed soon.
We recommend that you upgrade your gaim package.
---------------------------------------------------------------------------
Debian Security Advisory DSA 769-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 29th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : gaim
Vulnerability : memory alignment bug
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2370
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
The old stable distribution (woody) does not seem to be affected by this problem.
For the stable distribution (sarge) this problem has been fixed in version 1.2.1-1.4.
For the unstable distribution (sid) this problem will be fixed soon.
We recommend that you upgrade your gaim package.
New phpbb2 packages are available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 768-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 27th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : phpbb2
Vulnerability : missing input validation
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2161
Debian Bug : 317739
A cross-site scripting vulnerability has been detected in phpBB2, a fully featured and skinneable flat webforum software, that allows remote attackers to inject arbitrary web script or HTML via nested tags.
The old stable distribution (woody) does not contain phpbb2.
For the stable distribution (sarge) this problem has been fixed in version 2.0.13-6sarge1.
For the unstable distribution (sid) this problem has been fixed in version 2.0.13-6sarge1.
We recommend that you upgrade your phpbb2 packages.
---------------------------------------------------------------------------
Debian Security Advisory DSA 768-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 27th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : phpbb2
Vulnerability : missing input validation
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2161
Debian Bug : 317739
A cross-site scripting vulnerability has been detected in phpBB2, a fully featured and skinneable flat webforum software, that allows remote attackers to inject arbitrary web script or HTML via nested tags.
The old stable distribution (woody) does not contain phpbb2.
For the stable distribution (sarge) this problem has been fixed in version 2.0.13-6sarge1.
For the unstable distribution (sid) this problem has been fixed in version 2.0.13-6sarge1.
We recommend that you upgrade your phpbb2 packages.
New ekg update has been released for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 767-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 27th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : ekg
Vulnerability : integer overflows
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1852
Marcin Slusarz discovered two integer overflow vulnerabilities in libgadu, a library provided and used by ekg, a console Gadu Gadu client, an instant messaging program, that could lead to the execution of arbitrary code.
The library is also used by other packages such as kopete, which should be restarted to take effect of this update.
The old stable distribution (woody) does not contain an ekg package.
For the stable distribution (sarge) these problems have been fixed in version 1.5+20050411-5.
For the unstable distribution (sid) these problems have been fixed in version 1.5+20050718+1.6rc3-1.
We recommend that you upgrade your ekg package.
---------------------------------------------------------------------------
Debian Security Advisory DSA 767-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 27th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : ekg
Vulnerability : integer overflows
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-1852
Marcin Slusarz discovered two integer overflow vulnerabilities in libgadu, a library provided and used by ekg, a console Gadu Gadu client, an instant messaging program, that could lead to the execution of arbitrary code.
The library is also used by other packages such as kopete, which should be restarted to take effect of this update.
The old stable distribution (woody) does not contain an ekg package.
For the stable distribution (sarge) these problems have been fixed in version 1.5+20050411-5.
For the unstable distribution (sid) these problems have been fixed in version 1.5+20050718+1.6rc3-1.
We recommend that you upgrade your ekg package.
New heimdal packages are available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 765-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 22nd, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : heimdal
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0469
CERT advisory : VU#291924
Debian Bug : 305574
Gaƫl Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. Heimdal, a free implementation of Kerberos 5, also contains such a client. This can lead to the execution of arbitrary code when connected to a malicious server.
For the old stable distribution (woody) this problem has been fixed in
version 0.4e-7.woody.11.
For the stable distribution (sarge) this problem has been fixed in
version 0.6.3-10.
For the unstable distribution (sid) this problem has been fixed in
version 0.6.3-10.
We recommend that you upgrade your heimdal package.
---------------------------------------------------------------------------
Debian Security Advisory DSA 765-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 22nd, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : heimdal
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0469
CERT advisory : VU#291924
Debian Bug : 305574
Gaƫl Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. Heimdal, a free implementation of Kerberos 5, also contains such a client. This can lead to the execution of arbitrary code when connected to a malicious server.
For the old stable distribution (woody) this problem has been fixed in
version 0.4e-7.woody.11.
For the stable distribution (sarge) this problem has been fixed in
version 0.6.3-10.
For the unstable distribution (sid) this problem has been fixed in
version 0.6.3-10.
We recommend that you upgrade your heimdal package.
New webcalendar package are avaialble for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 766-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 26th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : webcalendar
Vulnerability : authorisation failure
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2320
BugTraq ID : 14072
Debian Bug : 315671
A vulnerability has been discovered in webcalendar, a PHP based multi-user calendar, that can lead to the disclosure of sensitive information to unauthorised parties.
the old stable distribution (woody) does not contain the webcalendar package.
For the stable distribution (sarge) this problem has been fixed in
version 0.9.45-4sarge1.
For the unstable distribution (sid) this problem has been fixed in
version 0.9.45-6.
We recommend that you upgrade your webcalendar package.
---------------------------------------------------------------------------
Debian Security Advisory DSA 766-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 26th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : webcalendar
Vulnerability : authorisation failure
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2320
BugTraq ID : 14072
Debian Bug : 315671
A vulnerability has been discovered in webcalendar, a PHP based multi-user calendar, that can lead to the disclosure of sensitive information to unauthorised parties.
the old stable distribution (woody) does not contain the webcalendar package.
For the stable distribution (sarge) this problem has been fixed in
version 0.9.45-4sarge1.
For the unstable distribution (sid) this problem has been fixed in
version 0.9.45-6.
We recommend that you upgrade your webcalendar package.
New cacti packages are available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 764-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 21st, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : cacti
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE IDs : CAN-2005-1524 CAN-2005-1525 CAN-2005-1526 CAN-2005-2148 CAN-2005-2149
Debian Bug : 316590 315703
Several vulnerabilities have been discovered in cacti, a round-robin database (RRD) tool that helps create graphs from database information. The Common Vulnerabilities and Exposures Project identifies the following problems:
CAN-2005-1524
Maciej Piotr Falkiewicz and an anonymous researcher discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti.
CAN-2005-1525
Due to mising input validation cacti allows a remote attacker to insert arbitrary SQL statements.
CAN-2005-1526
Maciej Piotr Falkiewicz discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti.
CAN-2005-2148
Stefan Esser discovered that the update for the abovely mentioned vulnerabilities does not perform proper input validation to protect against common attacks.
CAN-2005-2149
Stefan Esser discovered that the update for CAN-2005-1525 allows remote attackers to modify session information to gain privileges and disable the use of addslashes to protect against SQL injection.
For the old stable distribution (woody) these problems have been fixed in version 0.6.7-2.5.
For the stable distribution (sarge) these problems have been fixed in version 0.8.6c-7sarge2.
For the unstable distribution (sid) these problems have been fixed in version 0.8.6e-1.
We recommend that you upgrade your cacti package.
---------------------------------------------------------------------------
Debian Security Advisory DSA 764-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 21st, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : cacti
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE IDs : CAN-2005-1524 CAN-2005-1525 CAN-2005-1526 CAN-2005-2148 CAN-2005-2149
Debian Bug : 316590 315703
Several vulnerabilities have been discovered in cacti, a round-robin database (RRD) tool that helps create graphs from database information. The Common Vulnerabilities and Exposures Project identifies the following problems:
CAN-2005-1524
Maciej Piotr Falkiewicz and an anonymous researcher discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti.
CAN-2005-1525
Due to mising input validation cacti allows a remote attacker to insert arbitrary SQL statements.
CAN-2005-1526
Maciej Piotr Falkiewicz discovered an input validation bug that allows an attacker to include arbitrary PHP code from remote sites which will allow the execution of arbitrary code on the server running cacti.
CAN-2005-2148
Stefan Esser discovered that the update for the abovely mentioned vulnerabilities does not perform proper input validation to protect against common attacks.
CAN-2005-2149
Stefan Esser discovered that the update for CAN-2005-1525 allows remote attackers to modify session information to gain privileges and disable the use of addslashes to protect against SQL injection.
For the old stable distribution (woody) these problems have been fixed in version 0.6.7-2.5.
For the stable distribution (sarge) these problems have been fixed in version 0.8.6c-7sarge2.
For the unstable distribution (sid) these problems have been fixed in version 0.8.6e-1.
We recommend that you upgrade your cacti package.
New zlib packages are available for Debian GNU/Linux
-------------------------------------------------------------------------
Debian Security Advisory DSA 763-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 20, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : zlib
Vulnerability : buffer overflow
Problem type : remote DoS
Debian-specific: no
CVE ID : CAN-2005-1849
Markus Oberhumer discovered a flaw in the way zlib, a library used for file compression and decompression, handles invalid input. This flaw can cause programs which use zlib to crash when opening an invalid file.
This problem does not affect the old stable distribution (woody).
For the current stable distribution (sarge), this problem has been fixed in version 1.2.2-4.sarge.2.
For the unstable distribution (sid), this problem has been fixed in version 1.2.3-1.
We recommend that you upgrade your zlib package.
-------------------------------------------------------------------------
Debian Security Advisory DSA 763-1 security@debian.org
http://www.debian.org/security/ Michael Stone
July 20, 2005 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : zlib
Vulnerability : buffer overflow
Problem type : remote DoS
Debian-specific: no
CVE ID : CAN-2005-1849
Markus Oberhumer discovered a flaw in the way zlib, a library used for file compression and decompression, handles invalid input. This flaw can cause programs which use zlib to crash when opening an invalid file.
This problem does not affect the old stable distribution (woody).
For the current stable distribution (sarge), this problem has been fixed in version 1.2.2-4.sarge.2.
For the unstable distribution (sid), this problem has been fixed in version 1.2.3-1.
We recommend that you upgrade your zlib package.
New affix packages are available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 762-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 19th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : affix
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2250 CAN-2005-2277
BugTraq ID : 14230
Debian Bug : 318327 318328
Kevin Finisterre discovered two problems in the Bluetooth FTP client from affix, user space utilities for the Affix Bluetooth protocol stack. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
CAN-2005-2250
A buffer overflow allows remote attackers to execute arbitrary code via a long filename in an OBEX file share.
CAN-2005-2277
Missing input sanitising before executing shell commands allow an attacker to execute arbitrary commands as root.
The old stable distribution (woody) is not affected by these problems.
For the stable distribution (sarge) these problems have been fixed in version 2.1.1-2.
For the unstable distribution (sid) these problems have been fixed in version 2.1.2-2.
We recommend that you upgrade your affix package.
---------------------------------------------------------------------------
Debian Security Advisory DSA 762-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 19th, 2005 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : affix
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2250 CAN-2005-2277
BugTraq ID : 14230
Debian Bug : 318327 318328
Kevin Finisterre discovered two problems in the Bluetooth FTP client from affix, user space utilities for the Affix Bluetooth protocol stack. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
CAN-2005-2250
A buffer overflow allows remote attackers to execute arbitrary code via a long filename in an OBEX file share.
CAN-2005-2277
Missing input sanitising before executing shell commands allow an attacker to execute arbitrary commands as root.
The old stable distribution (woody) is not affected by these problems.
For the stable distribution (sarge) these problems have been fixed in version 2.1.1-2.
For the unstable distribution (sid) these problems have been fixed in version 2.1.2-2.
We recommend that you upgrade your affix package.
