Debian 10955 Published by Philipp Esselbach 0

Updated OpenSSL packages are now available for Debian GNU/Linux

---------------------------------------------------------------------------
Debian Security Advisory DSA 465-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
March 17th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : openssl,openssl094,openssl095
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2004-0079 CAN-2004-0081

Two vulnerabilities were discovered in openssl, an implementation of the SSL protocol, using the Codenomicon TLS Test Tool. More information can be found in the following NISCC Vulnerability Advisory:

http://www.uniras.gov.uk/vuls/2004/224012/index.htm

and this OpenSSL advisory:

http://www.openssl.org/news/secadv_20040317.txt

The next stable release (Sarge) of Debian GNU/Linux will come on 13 CDs with approximately 13500 packages.

From the Debian developer mailing list:
These days, the next stable release of Debian is being packaged. It will as usual also be released on CDs, and the current CD count is 13 binary CDs filled with approximately 13500 packages. And to distribute these packages on the 13 CDs, we need to come up with some sorting order. At the moment, some of the packages on the first and second CD are selected based on various criteria, while the rest are sorted based on their usage as reported by popularity-contest.

The Debian popularity-contest is a concept created by Avery Pennarun a few years ago. It sets up a program on the hosts installing the popularity-contest package, to email the list of packages installed and in use to a central collection point. It also collects the host architecture and we plan to collect kernel version and modules used as well. The summaries are presented on http://popcon.debian.org/ and used to sort the packages on the Debian CDs.

The information can be used in other areas as well. It can detect which packages in the Debian archive aren't installed on any hosts. Such packages should probably be checked out and possibly be removed from the archive. It has already been used to check which non-free packages are actually in use, while discussing the future for non-free.

So this is a request to all of you out there, to install the popularity-contest package, say yes to participate (and verify 'PARTICIPATE=yes' in /etc/popularity-contest.conf), and give us more info on which packages are in use in Debian.

Debian Security Advisory DSA 464-1

Package : gdk-pixbuf
Vulnerability : broken image handling
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0111

Thomas Kristensen discovered a vulnerability in gdk-pixbuf (binary package libgdk-pixbuf2), the GdkPixBuf image library for Gtk, that can cause the surrounding application to crash. To exploit this problem, a remote attacker could send a carefully-crafted BMP file via mail, which would cause e.g. Evolution to crash but is probably not limited to Evolution.

For the stable distribution (woody) this problem has been fixed in version 0.17.0-2woody1.

For the unstable distribution (sid) this problem has been fixed in version 0.22.0-3.

We recommend that you upgrade your libgdk-pixbuf2 package.

Debian Security Advisory DSA 463-1

Package : samba
Vulnerability : privilege escalation
Problem-Type : local
Debian-specific: no
CVE Ids : CAN-2004-0186
Debian bug : 232327

Samba, a LanManager-like file and printer server for Unix, was found to contain a vulnerability whereby a local user could use the "smbmnt" utility, which is setuid root, to mount a file share from a remote server which contained setuid programs under the control of the user. These programs could then be executed to gain privileges on the local system.

For the current stable distribution (woody) this problem has been fixed in version 2.2.3a-13.

For the unstable distribution (sid) this problem has been fixed in version 3.0.2-2.

We recommend that you update your samba package.

Debian Security Advisory DSA 462-1

Package : xitalk
Vulnerability : missing privilege release
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0151

Steve Kemp from the GNU/Linux audit project discovered a problem in xitalk, a talk intercept utility for the X Window System. A local user can exploit this problem and execute arbitrary commands under the GID utmp. This could be used by an attacker to remove traces from the utmp file.

For the stable distribution (woody) this problem has been fixed in version 1.1.11-9.1woody1.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your xitalk package.

Debian Security Advisory DSA 461-1

Package : calife
Vulnerability : buffer overflow
Problem-Type : local
Debian-specific: no
CVE Ids : CAN-2004-0188
Debian bug : 235157

Calife, a program which provides super user privileges to specific users, was found to contain a buffer overflow related to the getpass(3) library function. A local attacker could potentially exploit this vulnerability, given knowledge of a local user's password and the presence of at least one entry in /etc/calife.auth, to execute arbitrary code with root privileges.

For the current stable distribution (woody) this problem has been fixed in version 2.8.4c-1woody1.

For the unstable distribution (sid) this problem has been fixed in version 2.8.6-1.

Debian Security Advisory DSA 459-1

Package : kdelibs, kdelibs-crypto
Vulnerability : cookie path traversal
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2003-0592

A vulnerability was discovered in KDE where the path restrictions on cookies could be bypassed using encoded relative path components (e.g., "/../"). This means that a cookie which should only be sent by the browser to an application running at /app1 could inadvertently be included with a request sent to /app2 on the same server.

For the current stable distribution (woody) this problem has been fixed in kdelibs version 4:2.2.2-6woody3 and kdelibs-crypto version 4:2.2.2-13.woody.9.

For the unstable distribution (sid) this problem was fixed in kdelibs version 4:3.1.3-1.
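
The cookie path check described in DSA 459-1, as an added illustration that is not KDE's code or part of the advisory: a prefix test on the raw request path accepts an encoded "/../" component, while decoding and resolving the path before comparing does not. The host example.test, the sample URLs and all function names are constructed for this example.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample URLs (example.test is a placeholder host).
NORMAL_URL = "http://example.test/app1/view"
ENCODED_URL = "http://example.test/app1/%2e%2e/app2/page"


def naive_path_match(request_url, cookie_path):
    """Prefix test on the raw, still-encoded request path."""
    return urlsplit(request_url).path.startswith(cookie_path)


def canonical_path(raw_path):
    """Percent-decode once, then resolve '.' and '..' segments."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        if seg == "..":
            if segments:
                segments.pop()  # never climb above the root
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def safe_path_match(request_url, cookie_path):
    """Compare canonical paths and match only on a segment boundary."""
    req = canonical_path(urlsplit(request_url).path)
    scope = canonical_path(cookie_path)
    if req == scope or scope == "/":
        return True
    return req.startswith(scope + "/")


def cookie_decisions(cookie_path="/app1"):
    """Return {url: (naive_result, safe_result)} for the sample URLs."""
    return {
        url: (naive_path_match(url, cookie_path),
              safe_path_match(url, cookie_path))
        for url in (NORMAL_URL, ENCODED_URL)
    }


if __name__ == "__main__":
    for url, (naive, safe) in cookie_decisions().items():
        print(f"{url}: naive={naive} canonical={safe}")
```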

Debian Security Advisory DSA 460-1

Package : sysstat
Vulnerability : insecure temporary file
Problem-Type : local
Debian-specific: no
CVE Ids : CAN-2004-0108

Alan Cox discovered that the isag utility (which graphically displays data collected by the sysstat tools) creates a temporary file without taking proper precautions. This vulnerability could allow a local attacker to overwrite files with the privileges of the user invoking isag.

For the current stable distribution (woody) this problem has been fixed in version 5.0.1-1.

For the unstable distribution (sid) this problem will be fixed soon.

Debian Security Advisory DSA 458-1

Package : python2.2
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2004-0150

Sebastian Schmidt discovered a buffer overflow bug in Python's getaddrinfo function, which could allow an IPv6 address, supplied by a remote attacker via DNS, to overwrite memory on the stack.

This bug only exists in python 2.2 and 2.2.1, and only when IPv6 support is disabled. The python2.2 package in Debian woody meets these conditions (the 'python' package does not).

Debian Security Advisory DSA 457-1

Package : wu-ftpd
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2004-0148 CAN-2004-0185

Two vulnerabilities were discovered in wu-ftpd:

CAN-2004-0148 - Glenn Stewart discovered that users could bypass the directory access restrictions imposed by the restricted-gid option by changing the permissions on their home directory. On a subsequent login, when access to the user's home directory was denied, wu-ftpd would fall back to the root directory.

CAN-2004-0185 - A buffer overflow existed in wu-ftpd's code which deals with S/key authentication.

---------------------------------------------------------------------------
Debian Security Advisory DSA 456-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
March 6th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : kernel-source-2.2.19, kernel-patch-2.2.19-arm, kernel-image-2.2.19-netwinder, kernel-image-2.2.19-riscpc
Vulnerability : failing function and TLB flush
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0077

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit.

---------------------------------------------------------------------------
Debian Security Advisory DSA 455-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
March 3rd, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : libxml, libxml2
Vulnerability : buffer overflows
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0110

libxml2 is a library for manipulating XML files.

Yuuichi Teranishi discovered a flaw in libxml, the GNOME XML library. When fetching a remote resource via FTP or HTTP, the library uses special parsing routines which can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml1 or libxml2 that parses remote resources and allows the attacker to craft the URL, then this flaw could be used to execute arbitrary code.

For the stable distribution (woody) this problem has been fixed in version 1.8.17-2woody1 of libxml and version 2.4.19-4woody1 of libxml2.

For the unstable distribution (sid) this problem has been fixed in version 1.8.17-5 of libxml and version 2.6.6-1 of libxml2.

We recommend that you upgrade your libxml1 and libxml2 packages.

Backports.org has released a backport of Kernel 2.6.2 for Debian GNU/Linux 3.0

Here are the apt sources:

# Kernel 2.6.2
deb http://www.backports.org/debian stable kernel-image-2.6.2-i386
deb-src http://www.backports.org/debian stable kernel-image-2.6.2-i386
deb http://www.backports.org/debian stable kernel-source-2.6.2
deb-src http://www.backports.org/debian stable kernel-source-2.6.2
deb http://www.backports.org/debian stable kernel-build-2.6-1
deb-src http://www.backports.org/debian stable kernel-build-2.6-1