New xine-ui packages have been released for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 477-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
April 6th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : xine-ui
Vulnerability : insecure temporary file creation
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0372
Bugtraq ID : 9939
Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
This update also removes the bug reporting facility since bug reports can't be processed upstream anymore.
For the stable distribution (woody) this problem has been fixed in version 0.9.8-5.
For the unstable distribution (sid) this problem will be fixed soon.
We recommend that you upgrade your xine-ui package.
New heimdal packages have been released for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 476-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
April 6th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : heimdal
Vulnerability : cross-realm
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2004-0371
According to a security advisory from the heimdal project:
http://www.pdc.kth.se/heimdal/advisory/2004-04-01/
heimdal, a suite of software implementing the Kerberos protocol, has "a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path."
For the current stable distribution (woody) this problem has been fixed in version 0.4e-7.woody.8.1.
For the unstable distribution (sid), this problem has been fixed in version 0.6.1-1.
We recommend that you update your heimdal package.
A Linux kernel 2.4.18 (hppa) update has been released for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 475-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
April 5th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : kernel-image-2.4.17-hppa
Vulnerability : several vulnerabilities
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2003-0961 CAN-2003-0985 CAN-2004-0077
Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PA-RISC kernel 2.4.18 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update:
CAN-2003-0961:
An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
CAN-2003-0985:
Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
CAN-2004-0077:
Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
Please note that the source package has to include a lot of updates in order to compile the package, which wasn't possible with the old source package.
For the stable distribution (woody) these problems have been fixed in version 62.1 of kernel-image-2.4.18-hppa.
For the unstable distribution (sid) these problems have been fixed in version 2.4.25-1 of kernel-image-2.4.25-hppa.
We recommend that you upgrade your Linux kernel packages immediately.
New squid packages are available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 474-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
April 3rd, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : squid
Problem-Type : ACL bypass
Debian-specific: no
CVE Ids : CAN-2004-0189
A vulnerability was discovered in squid, an Internet object cache, whereby access control lists based on URLs could be bypassed (CAN-2004-0189). Two other bugs were also fixed with patches squid-2.4.STABLE7-url_escape.patch (a buffer overrun which does not appear to be exploitable) and squid-2.4.STABLE7-url_port.patch (a potential denial of service).
For the stable distribution (woody) these problems have been fixed in version 2.4.6-2woody2.
For the unstable distribution (sid) these problems have been fixed in version 2.5.5-1.
We recommend that you update your squid package.
New oftpd packages are available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 473-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
April 3rd, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : oftpd
Problem-Type : denial of service
Debian-specific: no
CVE Ids : CAN-2004-0376
Debian bug : 216871
A vulnerability was discovered in oftpd, an anonymous FTP server, whereby a remote attacker could cause the oftpd process to crash by specifying a large value in a PORT command.
For the stable distribution (woody) this problem has been fixed in version 0.3.6-6.
For the unstable distribution (sid) these problems have been fixed in version 20040304-1.
We recommend that you update your oftpd package.
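The class of check that keeps an oversized PORT value from reaching the rest of a server, as an added example (not oftpd's code or its actual fix). The function name is hypothetical; the argument layout h1,h2,h3,h4,p1,p2 is the one defined in RFC 959.

```shell
#!/bin/sh
# Added illustration: strict validation of an FTP PORT argument.
# Prints "ip port" and returns 0 when the argument is well formed;
# returns 1 for anything else.
parse_port_arg() {
    arg=$1
    # Only digits and commas, no empty fields.
    case $arg in
        ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    set -- $arg
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1

    ip=; port=0; n=0
    for f in "$@"; do
        # Length check first: a huge digit string is rejected before
        # it reaches any arithmetic, where it could overflow.
        [ "${#f}" -le 3 ] || return 1
        # Strip leading zeros so "010" is decimal ten, not octal.
        while [ "${#f}" -gt 1 ] && [ "${f#0}" != "$f" ]; do f=${f#0}; done
        # Every field is one octet.
        [ "$f" -le 255 ] || return 1
        n=$((n + 1))
        if [ "$n" -le 4 ]; then
            ip=${ip:+$ip.}$f
        else
            port=$((port * 256 + f))
        fi
    done
    printf '%s %s\n' "$ip" "$port"
}

# Constructed sample arguments.
for sample in "192,168,0,10,4,1" "192,168,0,10,4,99999999999999999999" \
              "256,0,0,1,0,21" "10,0,0,1,21"; do
    if out=$(parse_port_arg "$sample"); then
        echo "accepted: $sample -> $out"
    else
        echo "rejected: $sample"
    fi
done
```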
An fte update has been released for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 472-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
April 3rd, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : fte
Vulnerability : several
Problem-Type : buffer overflows
Debian-specific: no
CVE Ids : CAN-2003-0648
Debian bug : #203871
Steve Kemp and Jaguar discovered a number of buffer overflow vulnerabilities in vfte, a version of the fte editor which runs on the Linux console, found in the package fte-console. This program is setuid root in order to perform certain types of low-level operations on the console.
Due to these bugs, setuid privilege has been removed from vfte, making it only usable by root. We recommend using the terminal version (in the fte-terminal package) instead, which runs on any capable terminal including the Linux console.
For the stable distribution (woody) these problems have been fixed in version 0.49.13-15woody1.
For the unstable distribution (sid) these problems have been fixed in version 0.50.0-1.1.
We recommend that you update your fte package.
Another sysstat update is available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 460-2 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
April 3rd, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : sysstat
Vulnerability : insecure temporary file
Problem-Type : local
Debian-specific: no
CVE Ids : CAN-2004-0108
Alan Cox discovered that the isag utility (which graphically displays data collected by the sysstat tools), creates a temporary file without taking proper precautions. This vulnerability could allow a local attacker to overwrite files with the privileges of the user invoking isag.
The update used in DSA 460-1 did not fix every occurrence of the bug. DSA 460-2 includes a more complete fix.
For the current stable distribution (woody) this problem has been fixed in version 4.0.4-1woody2.
For the unstable distribution (sid) this problem has been fixed in version 5.0.2-1.
We recommend that you update your sysstat package.
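The insecure temporary file problem described in DSA 477-1 (xine-ui) and DSA 460-2 (sysstat), as an added example that is not code from either package. It runs in a private sandbox directory and compares a predictable temp name with one created by mktemp; all file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration; file names and contents are hypothetical.

# Unsafe: fixed, predictable name opened with plain redirection.
# If that name already exists as a symlink, the write follows it.
write_unsafe() {
    echo "bug report body" > "$1/report.tmp"
}

# Safer: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so an existing link is never followed.
write_safe() {
    tmp=$(mktemp "$1/report.XXXXXX") || return 1
    echo "bug report body" > "$tmp"
    printf '%s\n' "$tmp"
}

# Constructed sandbox: a "victim" file plus a symlink already sitting
# at the predictable temp name, standing in for a shared /tmp.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    echo "important data" > "$sb/victim"
    ln -s "$sb/victim" "$sb/report.tmp"
    printf '%s\n' "$sb"
}

# Each helper prints the victim file's content after one kind of write.
victim_after_unsafe() {
    sb=$(make_sandbox) || return 1
    write_unsafe "$sb"
    cat "$sb/victim"
    rm -rf "$sb"
}

victim_after_safe() {
    sb=$(make_sandbox) || return 1
    write_safe "$sb" >/dev/null
    cat "$sb/victim"
    rm -rf "$sb"
}

echo "victim after predictable-name write: $(victim_after_unsafe)"
echo "victim after mktemp write:           $(victim_after_safe)"
```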
New interchange packages are available for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 471-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
April 2nd, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : interchange
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0374
A vulnerability was discovered recently in Interchange, an e-commerce and general HTTP database display system. This vulnerability can be exploited by an attacker to expose the content of arbitrary variables. An attacker may learn SQL access information for your Interchange application and use this information to read and manipulate sensitive data.
For the stable distribution (woody) this problem has been fixed in version 4.8.3.20020306-1.woody.2.
For the unstable distribution (sid) this problem has been fixed in version 5.0.1-1.
We recommend that you upgrade your interchange package.
The GNOME 2.2 backport for Debian Woody is now being hosted on Debian's alioth server.
An updated Kernel 2.4.17 package has been released for Debian GNU/Linux
---------------------------------------------------------------------------
Debian Security Advisory DSA 470-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
April 1st, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : kernel-image-2.4.17-hppa
Vulnerability : several vulnerabilities
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2003-0961 CAN-2003-0985 CAN-2004-0077
Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the mips kernel 2.4.19 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update:
CAN-2003-0961:
An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
CAN-2003-0985:
Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
CAN-2004-0077:
Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
For the stable distribution (woody) these problems have been fixed in version 32.3 of kernel-image-2.4.17-hppa.
For the unstable distribution (sid) these problems have been fixed in version 2.4.25-1 of kernel-image-2.4.25-hppa.
We recommend that you upgrade your Linux kernel packages immediately.
Debian Planet reports that XFree86 4.3 is now in testing
New pam-pgsql packages for Debian GNU/Linux have been released
--------------------------------------------------------------------------
Debian Security Advisory DSA 469-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
March 29th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : pam-pgsql
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0366
Primoz Bratanic discovered a bug in libpam-pgsql, a PAM module to authenticate using a PostgreSQL database. The library does not escape all user-supplied data that are sent to the database. An attacker could exploit this bug to insert SQL statements.
For the stable distribution (woody) this problem has been fixed in version 0.5.2-3woody2.
For the unstable distribution (sid) this problem has been fixed in version 0.5.2-7.1.
We recommend that you upgrade your libpam-pgsql package.
New emil packages for Debian GNU/Linux are available
---------------------------------------------------------------------------
Debian Security Advisory DSA 468-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
March 24th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : emil
Vulnerability : several
Problem-Type : local/remote
Debian-specific: no
CVE Ids : CAN-2004-0152 CAN-2004-0153
Ulf Harnhammar discovered a number of vulnerabilities in emil, a filter for converting Internet mail messages. The vulnerabilities fall into two categories:
- CAN-2004-0152 - Buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) the decode_uuencode function. These bugs could allow a carefully crafted email message to cause the execution of arbitrary code supplied with the message when it is acted upon by emil.
- CAN-2004-0153 - Format string bugs in statements which print various error messages. The exploit potential of these bugs has not been established, and is probably configuration-dependent.
For the stable distribution (woody) these problems have been fixed in version 2.1.0-beta9-11woody1.
For the unstable distribution (sid) these problems will be fixed soon.
KDE 3.2.1 for Debian GNU/Linux 3.0 has been released
New ecartis packages for Debian GNU/Linux have been released
---------------------------------------------------------------------------
Debian Security Advisory DSA 467-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
March 23rd, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : ecartis
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2003-0781 CAN-2003-0782
Debian bug : 210444
Timo Sirainen discovered two vulnerabilities in ecartis, a mailing list manager.
- CAN-2003-0781 - Failure to validate user input could lead to disclosure of mailing list passwords
- CAN-2003-0782 - Multiple buffer overflows
For the stable distribution (woody) these problems have been fixed in version 0.129a+1.0.0-snap20020514-1.2.
For the unstable distribution (sid) these problems have been fixed in version 1.0.0+cvs.20030911.
We recommend that you update your ecartis package.
A backport of Firefox 0.8 for Debian GNU/Linux 3.0 is now available at backports.org
# Firefox 0.8
deb http://www.backports.org/debian/ woody mozilla-firefox
Backports.org has released a backport of Kernel 2.6.4 for Debian GNU/Linux 3.0
Backports.org has released an update for the openssl backport, which fixes several vulnerabilities.
# OpenSSL
deb http://www.backports.org/debian/ woody openssl
The Debian Extra CD Project has released an unofficial extra CD for Debian GNU/Linux 3.0
New Kernel 2.2.10 PowerPC packages have been released for Debian GNU/Linux
--------------------------------------------------------------------------
Debian Security Advisory DSA 466-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
March 18th, 2004 http://www.debian.org/security/faq
---------------------------------------------------------------------------
Package : kernel-source-2.2.10, kernel-image-2.2.10-powerpc-apus
Vulnerability : failing function and TLB flush
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0077
CERT advisory : VU#981222
Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit.
The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.
For the stable distribution (woody) this problem has been fixed in version 2.2.10-13woody1 of 2.2 kernel images for the powerpc/apus architecture and in version 2.2.10-2 of Linux 2.2.10 source.
For the unstable distribution (sid) this problem will be fixed soon with the 2.4.20 kernel-image package for powerpc/apus. The old 2.2.10 kernel image will be removed from Debian unstable.
You are strongly advised to switch to the fixed 2.4.17 kernel-image package for powerpc/apus from woody until the 2.4.20 kernel-image package is fixed in the unstable distribution.
We recommend that you upgrade your Linux kernel package.