Debian 9858 Published by

The following two security updates are available for Debian GNU/Linux:

- [DSA-2117-1] New apr-util packages fix denial of service
- [DSA-2116-1] New freetype packages integer overflow



[SECURITY] [DSA-2117-1] New apr-util packages fix denial of service
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2117-1 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
October 4, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : apr-util
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2010-1623

APR-util is part of the Apache Portable Runtime library which is used
by projects such as Apache httpd and Subversion.

Jeff Trawick discovered a flaw in the apr_brigade_split_line() function
in apr-util. A remote attacker could send crafted http requests to
cause a greatly increased memory consumption in Apache httpd, resulting
in a denial of service.

This upgrade fixes this issue. After the upgrade, any running apache2
server processes need to be restarted.

For the stable distribution (lenny), this problem has been fixed in
version 1.2.12+dfsg-8+lenny5.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.3.9+dfsg-4.

We recommend that you upgrade your apr-util packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg.orig.tar.gz
Size/MD5 checksum: 658687 4ef3e41037fe0cdd3a0d107335a008eb
http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg-8+lenny5.dsc
Size/MD5 checksum: 1531 3c280d9325eccb5b202f797dfe4b0fec
http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg-8+lenny5.diff.gz
Size/MD5 checksum: 23557 ccbe052945c3c7a7abb083a5780e63fa

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_alpha.deb
Size/MD5 checksum: 90912 f01833decf4c09cb19900ad830537656
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_alpha.deb
Size/MD5 checksum: 157332 c768e904368992a886bab995d06be691
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_alpha.deb
Size/MD5 checksum: 147422 1f0111e3b3d573c860d72fb7d8f0e8b5

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_amd64.deb
Size/MD5 checksum: 133214 02ecc9426d426a0b07fad57d8548a552
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_amd64.deb
Size/MD5 checksum: 80190 bc013109f72a0550ab75a3cbcea4c8e3
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_amd64.deb
Size/MD5 checksum: 148128 a9074ac6c50448c01a8b79a1b43fd71a

arm architecture (ARM)

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_arm.deb
Size/MD5 checksum: 71238 0f14138790b33ed5312d1bd9c64b1f00
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_arm.deb
Size/MD5 checksum: 124300 360c36286adba8e4590d3d788edc861b
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_arm.deb
Size/MD5 checksum: 139246 1221f6cb3918a1b4fea98aac628f1eaa

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_armel.deb
Size/MD5 checksum: 125562 e438c52ef68ba41152adf433bc21d616
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_armel.deb
Size/MD5 checksum: 70018 364da2335ced6c3219f8e6ce206b66e3
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_armel.deb
Size/MD5 checksum: 139230 76e5e253b409ce658a5be6362344fff5

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_hppa.deb
Size/MD5 checksum: 83802 c410f61265b32634094ad350d0d4aeb5
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_hppa.deb
Size/MD5 checksum: 138764 b467ed9dc49f4379e6db88d45e4ef233
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_hppa.deb
Size/MD5 checksum: 143056 952388a55397fad1995bc02367571482

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_i386.deb
Size/MD5 checksum: 141614 edd53fa18ff076d2dff72b40a9651d14
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_i386.deb
Size/MD5 checksum: 73984 2aa25fcf6479e34bdce90f1b989dfa4f
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_i386.deb
Size/MD5 checksum: 121060 788336d970df93d381088228298e4f4d

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_ia64.deb
Size/MD5 checksum: 110820 789ad31d3dc20ebc5e7a3d1d791087c5
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_ia64.deb
Size/MD5 checksum: 136570 67db51e6841ba527c27cd8608f203760
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_ia64.deb
Size/MD5 checksum: 169058 def2319fc7c98c667ff63fab83ba848a

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_mips.deb
Size/MD5 checksum: 137656 65b830e995d0e1df9e5dd3ded8d70384
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_mips.deb
Size/MD5 checksum: 74498 dbae966eba410854729e65f1b923616f
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_mips.deb
Size/MD5 checksum: 147726 0a00e22703d26b6cb7d9c3b378f628ac

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_mipsel.deb
Size/MD5 checksum: 144892 99888c01ccac0d9faa3a5550b15fba7a
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_mipsel.deb
Size/MD5 checksum: 74218 8231602412144f158ab4d1250df32cfe
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_mipsel.deb
Size/MD5 checksum: 136538 e0bb514608d43f8c8b2316f631e7e297

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_powerpc.deb
Size/MD5 checksum: 147160 87609acb8e723f45311251cfa03faa8b
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_powerpc.deb
Size/MD5 checksum: 132642 954d78228520f1a803835405fee1a9f5
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_powerpc.deb
Size/MD5 checksum: 83158 1de0e929812f80a27c5b5ef505a74da3

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_s390.deb
Size/MD5 checksum: 85652 125b09d4165e3cc8faa822ceba8746e7
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_s390.deb
Size/MD5 checksum: 133244 c8ebef5c30d2b61def461d62b8ea7b23
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_s390.deb
Size/MD5 checksum: 148902 0ac9f485e20eaf0eff64845c96c63c02

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_sparc.deb
Size/MD5 checksum: 125152 d7b0e9e282c1f6532f2239a9eba4e207
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_sparc.deb
Size/MD5 checksum: 72892 a0fd31dbfcd9cf8301b274d733315162
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_sparc.deb
Size/MD5 checksum: 131960 95bb41d3245d5d0d6569d6fb045decba


These files will probably be moved into the stable distribution on
its next update.
[SECURITY] [DSA-2116-1] New freetype packages integer overflow
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2116-1 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
October 4, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : freetype
Vulnerability : integer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2010-3311

Marc Schoenefeld has found an input stream position error in the
way the FreeType font rendering engine processed input file streams.
If a user loaded a specially-crafted font file with an application
linked against FreeType and relevant font glyphs were subsequently
rendered with the X FreeType library (libXft), it could cause the
application to crash or, possibly execute arbitrary code.

After the upgrade, all running applications and services that use
libfreetype6 should be restarted. In most cases, logging out and
in again should be enough. The script checkrestart from the
debian-goodies package or lsof may help to find out which
processes are still using the old version of libfreetype6.

For the stable distribution (lenny), these problems have been fixed in
version 2.3.7-2+lenny4.

The testing distribution (squeeze) and the unstable distribution (sid)
are not affected by this problem.

We recommend that you upgrade your freetype packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/f/freetype/freetype_2.3.7-2+lenny4.dsc
Size/MD5 checksum: 1211 e8eb7bb3966d14fc5b66857a7300e6b2
http://security.debian.org/pool/updates/main/f/freetype/freetype_2.3.7.orig.tar.gz
Size/MD5 checksum: 1567540 c1a9f44fde316470176fd6d66af3a0e8
http://security.debian.org/pool/updates/main/f/freetype/freetype_2.3.7-2+lenny4.diff.gz
Size/MD5 checksum: 39401 d1d5bb90167dec40ba9c7d994ccefeef

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_alpha.deb
Size/MD5 checksum: 253790 be62a4d4ef74375620fd1ba0e4748ca2
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_alpha.udeb
Size/MD5 checksum: 296640 3fc9c9db1b1f31fea8c072f1600a0cc3
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_alpha.deb
Size/MD5 checksum: 412358 cec01c79c128cd15812695a0b0874506
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_alpha.deb
Size/MD5 checksum: 775326 410bc831483dccfc0a6c18de7e71cba9

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_amd64.deb
Size/MD5 checksum: 223156 d92fce04f6d6eb160f3a69a6170094fe
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_amd64.deb
Size/MD5 checksum: 713268 1328888db2fe01093eb46b1d136b393e
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_amd64.deb
Size/MD5 checksum: 385884 3b31b35c1268c5fe9e7d9c2f88721c4c
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_amd64.udeb
Size/MD5 checksum: 269788 8c8b189b990973dea4dc649a3ee1f375

arm architecture (ARM)

http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_arm.deb
Size/MD5 checksum: 357226 e30d0721701c76d97d834f972cb6e6f4
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_arm.deb
Size/MD5 checksum: 686184 002d550193037299794065785dbbe415
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_arm.deb
Size/MD5 checksum: 205108 871c6d806eca839ffae94a99bcfb57ae
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_arm.udeb
Size/MD5 checksum: 242208 4d86dc1a4ab0c534a16e99deebc1fc74

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_armel.udeb
Size/MD5 checksum: 236558 e01e2ed47b976afb2f2cf076d774dc22
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_armel.deb
Size/MD5 checksum: 212146 b91df649946fd0fec0ec5e2af160605e
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_armel.deb
Size/MD5 checksum: 683786 7f107b637d992d5985b119509d9e22dd
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_armel.deb
Size/MD5 checksum: 353416 6cf178afdf3a4834811e9e468dbf4c5f

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_hppa.udeb
Size/MD5 checksum: 273970 c7b3ba59505abbbc513b05aa6344d2f8
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_hppa.deb
Size/MD5 checksum: 226860 4f784b27a1bdc448ef773e745ae57c8a
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_hppa.deb
Size/MD5 checksum: 725000 b2be1195d0d730de3b0212882beb5ab8
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_hppa.deb
Size/MD5 checksum: 390482 9bedead1c79c9ab100235a35cb8292fd

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_i386.udeb
Size/MD5 checksum: 254446 0711a5a4840a60609eab1600f30059cc
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_i386.deb
Size/MD5 checksum: 371210 0c0ec7ed3c5431522854a63a2472c086
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_i386.deb
Size/MD5 checksum: 198090 45eebe4364c5e521ac11a81930adb4ac
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_i386.deb
Size/MD5 checksum: 685642 61507372e1025b8541a8c40df5d79223

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_ia64.deb
Size/MD5 checksum: 332158 07f8c38bd1b9f9f0978e979c9dc41f58
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_ia64.deb
Size/MD5 checksum: 531594 1ba8db18cff071df85cdd6395041803b
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_ia64.deb
Size/MD5 checksum: 876664 edfe5969841a9ac149880160e4721bc4
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_ia64.udeb
Size/MD5 checksum: 415940 a97a09ae4359e987a1f307ccd75011a1

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_mips.deb
Size/MD5 checksum: 713372 060d1f519ca44e9f2929c6cc497f5f32
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_mips.deb
Size/MD5 checksum: 215354 9422bf4b37031064897f240e6a16e4bd
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_mips.udeb
Size/MD5 checksum: 253938 240a257d6ab5e675a8d7df4ca73d741c
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_mips.deb
Size/MD5 checksum: 371116 f2f555ec73c128068561881dba4180ac

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_mipsel.deb
Size/MD5 checksum: 712500 50aaf715f150fc91713a48c8b56fc050
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_mipsel.deb
Size/MD5 checksum: 369826 34836bde5ab656b14aab11ac2ba377d8
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_mipsel.deb
Size/MD5 checksum: 214786 47342e0e3cf8557cf03957bc3f38ccf1
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_mipsel.udeb
Size/MD5 checksum: 254202 9a9268e23a621915d184707265333d86

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_powerpc.udeb
Size/MD5 checksum: 262836 1d44f167d8f5ab27294a52ffebe6b24a
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_powerpc.deb
Size/MD5 checksum: 233042 36bc26f025938280a60c057eee8b4d93
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_powerpc.deb
Size/MD5 checksum: 708572 c4f579af34066f88cf439d7b1afb06b5
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_powerpc.deb
Size/MD5 checksum: 380014 4309a48f707cfc5a441ba51057ac9ce2

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_s390.udeb
Size/MD5 checksum: 268250 fbd854913af557572f94b970c1ee2987
http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_s390.deb
Size/MD5 checksum: 225934 7805a7ead0b6d2f9d7d5fd5fab380c62
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_s390.deb
Size/MD5 checksum: 701510 a06b2eb1f6394beb9d914e3f3a4d54e4
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_s390.deb
Size/MD5 checksum: 384504 0daf1dc1ae9b76b788d14f9ef3190071

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/f/freetype/freetype2-demos_2.3.7-2+lenny4_sparc.deb
Size/MD5 checksum: 200090 e60c90c32352f007aa5b7802bbb80fef
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-dev_2.3.7-2+lenny4_sparc.deb
Size/MD5 checksum: 676516 98868c5cef925d1fbd114c15de7496e8
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6-udeb_2.3.7-2+lenny4_sparc.udeb
Size/MD5 checksum: 235422 c5fe1c8052ea0b30e73ace12b69116d0
http://security.debian.org/pool/updates/main/f/freetype/libfreetype6_2.3.7-2+lenny4_sparc.deb
Size/MD5 checksum: 352580 295ebded2e16cfd43dad6a1fb91b31a8


These files will probably be moved into the stable distribution on
its next update.