The OVAL Repository 5.9 2012-01-27T05:04:43.827-05:00 Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 squirrelmail Several remote vulnerabilities have been discovered in SquirrelMail, a webmail application. The Common Vulnerabilities and Exposures project identifies the following problems: Cross site scripting was possible through a number of pages which allowed an attacker to steal sensitive session data. Code injection was possible when SquirrelMail was configured to use the map_yp_alias function to authenticate users. This is not the default. It was possible to hijack an active user session by planting a specially crafted cookie into the user's browser. Specially crafted HTML emails could use the CSS positioning feature to place email content over the SquirrelMail user interface, allowing for phishing. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 icu It was discovered that icu, the internal components for Unicode, did not properly sanitise invalid encoded data, which could lead to crosssite scripting attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 dovecot It was discovered that the SIEVE component of dovecot, a mail server that supports mbox and maildir mailboxes, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the dovecot system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 opensc b.badrignans discovered that OpenSC, a set of smart card utilities, could store private data on a smart card without proper access restrictions. Only blank cards initialised with OpenSC are affected by this problem. This update only improves creating new private data objects, but cards already initialised with such private data objects need to be modified to repair the access control conditions on such cards. Instructions for a variety of situations can be found at the OpenSC web site: http://www.opensc-project.org/security.html The oldstable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Christian Borntraeger discovered an issue effecting the alpha, mips, powerpc, s390 and sparc64 architectures that allows local users to cause a denial of service or potentially gain elevated privileges. Vegard Nossum discovered a memory leak in the keyctl subsystem that allows local users to cause a denial of service by consuming all of kernel memory. Wei Yongjun discovered a memory overflow in the SCTP implementation that can be triggered by remote users. Duane Griffin provided a fix for an issue in the eCryptfs subsystem which allows local users to cause a denial of service (fault or memory corruption). Pavel Roskin provided a fix for an issue in the dell_rbu driver that allows a local user to cause a denial of service (oops) by reading 0 bytes from a sysfs entry. Clement LECIGNE discovered a bug in the sock_getsockopt function that may result in leaking sensitive kernel memory. Roel Kluin discovered inverted logic in the skfddi driver that permits local, unprivileged users to reset the driver statistics. Peter Kerwien discovered an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) during a resize operation. Sami Liedes reported an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when accessing a specially crafted corrupt filesystem. David Maciejak reported an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when mounting a specially crafted corrupt filesystem. David Maciejak reported an additional issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when mounting a specially crafted corrupt filesystem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mahara It was discovered that mahara, an electronic portfolio, weblog, and resume builder, is prone to cross-site scripting attacks, which allows the injection of arbitrary Java or HTML code. The oldstable distribution (etch) does not contain mahara. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 wesnoth Several security issues have been discovered in wesnoth, a fantasy turn-based strategy game. The Common Vulnerabilities and Exposures project identifies the following problems: Daniel Franke discovered that the wesnoth server is prone to a denial of service attack when receiving special crafted compressed data. Daniel Franke discovered that the sandbox implementation for the python AIs can be used to execute arbitrary python code on wesnoth clients. In order to prevent this issue, the python support has been disabled. A compatibility patch was included, so that the affected campagne is still working properly. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openswan It was discovered that the pluto daemon in openswan, an implementation of IPSEC and IKE, could crash when processing a crafted X.509 certificate. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xmltooling Several vulnerabilities have been discovered in the xmltooling packages, as used by Shibboleth: Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. Incorrect processing of SAML metadata ignores key usage constraints. This minor issue also needs a correction in the opensaml2 packages, which will be provided in an upcoming stable point release (and, before that, via stable-proposed-updates). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libtk-img Two buffer overflows have been found in the GIF image parsing code of Tk, a cross-platform graphical toolkit, which could lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libtk-img is prone to a buffer overflow via specially crafted multi-frame interlaced GIF files. It was discovered that libtk-img is prone to a buffer overflow via specially crafted GIF files with certain subimage sizes. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 cyrus-sasl2 cyrus-sasl2-heimdal James Ralston discovered that the sasl_encode64() function of cyrus-sasl2, a free library implementing the Simple Authentication and Security Layer, suffers from a missing null termination in certain situations. This causes several buffer overflows in situations where cyrus-sasl2 itself requires the string to be null terminated which can lead to denial of service or arbitrary code execution. Important notice (Quoting from US-CERT): While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation: Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable. Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pidgin Several vulnerabilities have been discovered in Pidgin, a graphical multi-protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems: A buffer overflow in the Jabber file transfer code may lead to denial of service or the execution of arbitrary code. Memory corruption in an internal library may lead to denial of service. The patch provided for the security issue tracked as CVE-2008-2927 - integer overflows in the MSN protocol handler - was found to be incomplete. The old stable distribution (etch) is affected under the source package name gaim. However, due to build problems the updated packages couldn't be released along with the stable version. It will be released once the build problem is resolved. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libmodplug Several vulnerabilities have been discovered in libmodplug, the shared libraries for mod music based on ModPlug. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libmodplug is prone to an integer overflow when processing a MED file with a crafted song comment or song name. It was discovered that libmodplug is prone to a buffer overflow in the PATinst function, when processing a long instrument name. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, privilege escalation or a sensitive memory leak. The Common Vulnerabilities and Exposures project identifies the following problems: Chris Evans discovered a situation in which a child process can send an arbitrary signal to its parent. Roland McGrath discovered an issue on amd64 kernels that allows local users to circumvent system call audit configurations which filter based on the syscall numbers or argument details. Roland McGrath discovered an issue on amd64 kernels with CONFIG_SECCOMP enabled. By making a specially crafted syscall, local users can bypass access restrictions. Jiri Olsa discovered that a local user can cause a denial of service (system hang) using a SHM_INFO shmctl call on kernels compiled with CONFIG_SHMEM disabled. This issue does not affect prebuilt Debian kernels. Mikulas Patocka reported an issue in the console subsystem that allows a local user to cause memory corruption by selecting a small number of 3-byte UTF-8 characters. Igor Zhbanov reported that nfsd was not properly dropping CAP_MKNOD, allowing users to create device nodes on file systems exported with root_squash. Dan Carpenter reported a coding issue in the selinux subsystem that allows local users to bypass certain networking checks when running with compat_net=1. Shaohua Li reported an issue in the AGP subsystem they may allow local users to read sensitive kernel memory due to a leak of uninitialized memory. Benjamin Gilbert reported a local denial of service vulnerability in the KVM VMX implementation that allows local users to trigger an oops. Thomas Pollet reported an overflow in the af_rose implementation that allows remote attackers to retrieve uninitialized kernel memory that may contain sensitive data. Oleg Nesterov discovered an issue in the exit_notify function that allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. Daniel Hokka Zakrisson discovered that a kill(-1) is permitted to reach processes outside of the current process namespace. Pavan Naregundi reported an issue in the CIFS filesystem code that allows remote users to overwrite memory via a long nativeFileSystem field in a Tree Connect response during mount. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 fetchmail It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields. Note, as a fetchmail user you should always use strict certificate validation through either these option combinations: sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports) or sslcertck sslproto tls1 (for STARTTLS-based services) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 nsd nsd3 Ilja van Sprundel discovered that a buffer overflow in NSD, an authoritative name service daemon, allowed to crash the server by sending a crafted packet, creating a denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gnutls13 gnutls26 Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of the TLS/SSL protocol, does not properly handle a "\0" character in a domain name in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. (CVE-2009-2730) In addition, with this update, certificates with MD2 hash signatures are no longer accepted since they're no longer considered cryptograhically secure. It only affects the oldstable distribution (etch).(CVE-2009-2409) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 newt Miroslav Lichvar discovered that newt, a windowing toolkit, is prone to a buffer overflow in the content processing code, which can lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 wxwindows2.4 wxwidgets2.6 wxwidgets2.8 Tielei Wang has discovered an integer overflow in wxWidgets, the wxWidgets Cross-platform C++ GUI toolkit, which allows the execution of arbitrary code via a crafted JPEG file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gst-plugins-bad0.10 It was discovered that gst-plugins-bad0.10, the GStreamer plugins from the "bad" set, is prone to an integer overflow when processing a MED file with a crafted song comment or song name. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 apt Two vulnerabilities have been discovered in APT, the well-known dpkg frontend. The Common Vulnerabilities and Exposures project identifies the following problems: In time zones where daylight savings time occurs at midnight, the apt cron.daily script fails, stopping new security updates from being applied automatically. A repository that has been signed with an expired or revoked OpenPGP key would still be considered valid by APT. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 psi Jesus Olmos Gonzalez discovered that an integer overflow in the PSI Jabber client may lead to remote denial of service. The old stable distribution (etch) is not affected. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ctorrent Michael Brooks discovered that ctorrent, a text-mode bittorrent client, does not verify the length of file paths in torrent files. An attacker can exploit this via a crafted torrent that contains a long file path to execute arbitrary code with the rights of the user opening the file. The oldstable distribution (etch) does not contain ctorrent. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 changetrack Marek Grzybowski discovered that changetrack, a program to monitor changes to (configuration) files, is prone to shell command injection via metacharacters in filenames. The behaviour of the program has been adjusted to reject all filenames with metacharacters. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 clamav Several vulnerabilities have been discovered in the ClamAV anti-virus toolkit: Attackers can cayse a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error. Attackers can cause a denial of service (infinite loop) via a crafted tar file that causes (1) clamd and (2) clamscan to hang. (no CVE Id yet) Attackers can cause a denial of service (crash) via a crafted EXE file that crashes the UPack unpacker. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 cscope Matt Murphy discovered that cscope, a source code browsing tool, does not verify the length of file names sourced in include statements, which may potentially lead to the execution of arbitrary code through specially crafted source code files. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 websvn Bas van Schaik discovered that WebSVN, a tool to view Subversion repositories over the web, did not properly restrict access to private repositories, allowing a remote attacker to read significant parts of their content. The old stable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 cups Aaron Siegel discovered that the web interface of cups, the Common UNIX Printing System, is prone to cross-site scripting attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libgd2 Several vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems: Kees Cook discovered a buffer overflow in libgd2"s font renderer. An attacker could cause denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. This issue only affects the oldstable distribution (etch). Tomas Hoger discovered a boundary error in the "_gdGetColors()" function. An attacker could conduct a buffer overflow or buffer over-read attacks via a crafted GD file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 freetype Tavis Ormandy discovered several integer overflows in FreeType, a library to process and access font files, resulting in heap- or stack-based buffer overflows leading to application crashes or the execution of arbitrary code via a crafted font file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pidgin It was discovered that incorrect pointer handling in the purple library, an internal component of the multi-protocol instant messaging client Pidgin, could lead to denial of service or the execution of arbitrary code through malformed contact requests. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 udev Sebastian Kramer discovered two vulnerabilities in udev, the /dev and hotplug management daemon. udev does not check the origin of NETLINK messages, allowing local users to gain root privileges. udev suffers from a buffer overflow condition in path encoding, potentially allowing arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 php-mail It was discovered that php-mail, a PHP PEAR module for sending email, has insufficient input sanitising, which might be used to obtain sensitive data from the system that uses php-mail. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 yaws It was discovered that yaws, a high performance HTTP 1.1 webserver, is prone to a denial of service attack via a request with a large HTTP header. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 imagemagick Several vulnerabilities have been discovered in the imagemagick image manipulation programs which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple integer overflows in XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution (etch). Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution (etch). A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution (etch). Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution (etch). Off-by-one error allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a "\0" character to an out-of-bounds address. It affects only the oldstable distribution (etch). A sign extension error allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. It affects only the oldstable distribution (etch). The load_tile function in the XCF coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write. It affects only to oldstable (etch). Heap-based buffer overflow in the PCX coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .pcx file that triggers incorrect memory allocation for the scanline array, leading to memory corruption. It affects only to oldstable (etch). Integer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mldonkey It has been discovered that mldonkey, a client for several P2P networks, allows attackers to download arbitrary files using crafted requests to the HTTP console. The old stable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 apache2 A design flaw has been found in the TLS and SSL protocol that allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection. The attack is related to the way how TLS and SSL handle session renegotiations. CVE-2009-3555 has been assigned to this vulnerability. As a partial mitigation against this attack, this apache2 update disables client-initiated renegotiations. This should fix the vulnerability for the majority of Apache configurations in use. NOTE: This is not a complete fix for the problem. The attack is still possible in configurations where the server initiates the renegotiation. This is the case for the following configurations (the information in the changelog of the updated packages is slightly inaccurate): As a workaround, you may rearrange your configuration in a way that SSLVerifyClient and SSLCipherSuite are only used on the server or virtual host level. A complete fix for the problem will require a protocol change. Further information will be included in a separate announcement about this issue. In addition, this update fixes the following issues in Apache's mod_proxy_ftp: Insufficient input validation in the mod_proxy_ftp module allowed remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. Insufficient input validation in the mod_proxy_ftp module allowed remote authenticated attackers to bypass intended access restrictions and send arbitrary FTP commands to an FTP server. The oldstable distribution (etch), these problems have been fixed in version 2.2.3-4+etch11. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 nagios2 nagios3 It was discovered that the statuswml.cgi script of nagios, a monitoring and management system for hosts, services and networks, is prone to a command injection vulnerability. Input to the ping and traceroute parameters of the script is not properly validated which allows an attacker to execute arbitrary shell commands by passing a crafted value to these parameters. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 apr-util Apr-util, the Apache Portable Runtime Utility library, is used by Apache 2.x, Subversion, and other applications. Two denial of service vulnerabilities have been found in apr-util: "kcope" discovered a flaw in the handling of internal XML entities in the apr_xml_* interface that can be exploited to use all available memory. This denial of service can be triggered remotely in the Apache mod_dav and mod_dav_svn modules. (No CVE id yet) Matthew Palmer discovered an underflow flaw in the apr_strmatch_precompile function that can be exploited to cause a daemon crash. The vulnerability can be triggered (1) remotely in mod_dav_svn for Apache if the "SVNMasterURI" directive is in use, (2) remotely in mod_apreq2 for Apache or other applications using libapreq2, or (3) locally in Apache by a crafted ".htaccess" file. Other exploit paths in other applications using apr-util may exist. If you use Apache, or if you use svnserve in standalone mode, you need to restart the services after you upgraded the libaprutil1 package. The oldstable distribution (etch), these problems have been fixed in version 1.2.7+dfsg-2+etch2. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 multipath-tools It was discovered that multipathd of multipath-tools, a tool-chain to manage disk multipath device maps, uses insecure permissions on its unix domain control socket which enables local attackers to issue commands to multipathd prevent access to storage devices or corrupt file system data. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 tunapie Several vulnerabilities have been discovered in Tunapie, a GUI frontend to video and radio streams. The Common Vulnerabilities and Exposures project identifies the following problems: Kees Cook discovered that insecure handling of temporary files may lead to local denial of service through symlink attacks. Mike Coleman discovered that insufficient escaping of stream URLs may lead to the execution of arbitrary commands if a user is tricked into opening a malformed stream URL. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ejabberd It was discovered that ejabberd, a distributed, fault-tolerant Jabber/XMPP server, does not sufficiently sanitise MUC logs, allowing remote attackers to perform cross-site scripting (XSS) attacks. The oldstable distribution (etch) is not affected by this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mahara Two vulnerabilities have been discovered in mahara, an electronic portfolio, weblog, and resume builder. The Common Vulnerabilities and Exposures project identifies the following problems: Ruslan Kabalin discovered a issue with resetting passwords, which could lead to a privilege escalation of an institutional administrator account. Sven Vetsch discovered a cross-site scripting vulnerability via the resume fields. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 krb5 Several vulnerabilities have been found in the MIT reference implementation of Kerberos V5, a system for authenticating users and services on a network. The Common Vulnerabilities and Exposures project identified the following problems: The Apple Product Security team discovered that the SPNEGO GSS-API mechanism suffers of a missing bounds check when reading a network input buffer which results in an invalid read crashing the application or possibly leaking information. Under certain conditions the SPNEGO GSS-API mechanism references a null pointer which crashes the application using the library. An incorrect length check inside the ASN.1 decoder of the MIT krb5 implementation allows an unauthenticated remote attacker to crash of the kinit or KDC program. Under certain conditions the the ASN.1 decoder of the MIT krb5 implementation frees an uninitialized pointer which could lead to denial of service and possibly arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ocsinventory-agent It was discovered that the ocsinventory-agent which is part of the ocsinventory suite, a hardware and software configuration indexing service, is prone to an insecure perl module search path. As the agent is started via cron and the current directory (/ in this case) is included in the default perl module path the agent scans every directory on the system for its perl modules. This enables an attacker to execute arbitrary code via a crafted ocsinventory-agent perl module placed on the system. The oldstable distribution (etch) does not contain ocsinventory-agent. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 nspr Several vulnerabilities have been discovered in the NetScape Portable Runtime Library, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: A programming error in the string handling code may lead to the execution of arbitrary code. An integer overflow in the Base64 decoding functions may lead to the execution of arbitrary code. The old stable distribution (etch) doesn't contain nspr. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ipplan It was discovered that ipplan, a web-based IP address manager and tracker, does not sufficiently escape certain input parameters, which allows remote attackers to conduct cross-site scripting attacks. The oldstable distribution (etch) does not contain ipplan. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 memcached Ronald Volgers discovered that memcached, a high-performance memory object caching system, is vulnerable to several heap-based buffer overflows due to integer conversions when parsing certain length attributes. An attacker can use this to execute arbitrary code on the system running memcached (on etch with root privileges). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 php5 Several remote vulnerabilities have been discovered in the PHP5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems. The following four vulnerabilities have already been fixed in the stable (lenny) version of php5 prior to the release of lenny. This update now addresses them for etch (oldstable) as well: The GENERATE_SEED macro has several problems that make predicting generated random numbers easier, facilitating attacks against measures that use rand() or mt_rand() as part of a protection. A buffer overflow in the mbstring extension allows attackers to execute arbitrary code via a crafted string containing an HTML entity. The page_uid and page_gid variables are not correctly set, allowing use of some functionality intended to be restricted to root. Directory traversal vulnerability in the ZipArchive::extractTo function allows attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. This update also addresses the following three vulnerabilities for both oldstable (etch) and stable (lenny): Cross-site scripting (XSS) vulnerability, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML. When running on Apache, PHP allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. The JSON_parser function allows a denial of service (segmentation fault) via a malformed string to the json_decode API function. Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package: Let PHP use the system timezone database instead of the embedded timezone database which is out of date. From the source tarball, the unused "dbase" module has been removed which contained licensing problems. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 pygresql It was discovered that pygresql, a PostgreSQL module for Python, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The new function is called pg_escape_string(), which takes the database connection as a first argument. The old function escape_string() has been preserved as well for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 apr apr-util Matt Lewis discovered that the memory management code in the Apache Portable Runtime (APR) library does not guard against a wrap-around during size computations. This could cause the library to return a memory area which smaller than requested, resulting a heap overflow and possibly arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Juan Pablo Lopez Yacubian discovered that incorrect handling of invalid URLs could be used for spoofing the location bar and the SSL certificate status of a web page. Xulrunner is no longer supported for the old stable distribution (etch). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 subversion Matt Lewis discovered that Subversion performs insufficient input validation of svndiff streams. Malicious servers could cause heap overflows in clients, and malicious clients with commit access could cause heap overflows in servers, possibly leading to arbitrary code execution in both cases. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 drupal6 Markus Petrux discovered a cross-site scripting vulnerability in the taxonomy module of drupal6, a fully-featured content management framework. It is also possible that certain browsers using the UTF-7 encoding are vulnerable to a different cross-site scripting vulnerability. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 kdegraphics Two security issues have been discovered in kdegraphics, the graphics apps from the official KDE release. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the KSVG animation element implementation suffers from a null pointer dereference flaw, which could lead to the execution of arbitrary code. It was discovered that the KSVG animation element implementation is prone to a use-after-free flaw, which could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libxml2 Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several vulnerabilities in libxml2, a library for parsing and handling XML data files, which can lead to denial of service conditions or possibly arbitrary code execution in the application using the library. The Common Vulnerabilities and Exposures project identifies the following problems: An XML document with specially-crafted Notation or Enumeration attribute types in a DTD definition leads to the use of a pointers to memory areas which have already been freed. Missing checks for the depth of ELEMENT DTD definitions when parsing child content can lead to extensive stack-growth due to a function recursion which can be triggered via a crafted XML document. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pidgin Federico Muttis discovered that libpurple, the shared library that adds support for various instant messaging networks to the pidgin IM client, is vulnerable to a heap-based buffer overflow. This issue exists because of an incomplete fix for CVE-2008-2927 and CVE-2009-1376. An attacker can exploit this by sending two consecutive SLP packets to a victim via MSN. The first packet is used to create an SLP message object with an offset of zero, the second packet then contains a crafted offset which hits the vulnerable code originally fixed in CVE-2008-2927 and CVE-2009-1376 and allows an attacker to execute arbitrary code. Note: Users with the "Allow only the users below" setting are not vulnerable to this attack. If you can't install the below updates you may want to set this via Tools->Privacy. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 horde3 Stefan Esser discovered that Horde, a web application framework providing classes for dealing with preferences, compression, browser detection, connection tracking, MIME, and more, is insufficiently validating and escaping user provided input. The Horde_Form_Type_image form element allows to reuse a temporary filename on reuploads which are stored in a hidden HTML field and then trusted without prior validation. An attacker can use this to overwrite arbitrary files on the system or to upload PHP code and thus execute arbitrary code with the rights of the webserver. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 samba Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server. The Common Vulnerabilities and Exposures project identifies the following problems: The smbclient utility contains a formatstring vulnerability where commands dealing with file names treat user input as format strings to asprintf. In the smbd daemon, if a user is trying to modify an access control list (ACL) and is denied permission, this deny may be overridden if the parameter "dos filemode" is set to "yes" in the smb.conf and the user already has write access to the file. The old stable distribution (etch) is not affected by these problems. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 nginx A denial of service vulnerability has been found in nginx, a small and efficient web server. Jasson Bell discovered that a remote attacker could cause a denial of service (segmentation fault) by sending a crafted request. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 nss Several vulnerabilities have been discovered in the Network Security Service libraries. The Common Vulnerabilities and Exposures project identifies the following problems: Moxie Marlinspike discovered that a buffer overflow in the regular expression parser could lead to the execution of arbitrary code. Dan Kaminsky discovered that NULL characters in certificate names could lead to man-in-the-middle attacks by tricking the user into accepting a rogue certificate. Certificates with MD2 hash signatures are no longer accepted since they're no longer considered cryptograhically secure. The old stable distribution (etch) doesn't contain nss. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 slurm-llnl It was discovered that the Simple Linux Utility for Resource Management (SLURM), a cluster job management and scheduling system, did not drop the supplemental groups. These groups may be system groups with elevated privileges, which may allow a valid SLURM user to gain elevated privileges. The old stable distribution (etch) does not contain a slurm-llnl package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 glib2.0 Diego Pettenograve discovered that glib2.0, the GLib library of C routines, handles large strings insecurely via its Base64 encoding functions. This could possible lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gforge Laurent Almeras and Guillaume Smet have discovered a possible SQL injection vulnerability and cross-site scripting vulnerabilities in gforge, a collaborative development tool. Due to insufficient input sanitising, it was possible to inject arbitrary SQL statements and use several parameters to conduct cross-site scripting attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 git-core Peter Palfrader discovered that in the Git revision control system, on some architectures files under /usr/share/git-core/templates/ were owned by a non-root user. This allows a user with that uid on the local system to write to these files and possibly escalate their privileges. This issue only affects the DEC Alpha and MIPS (big and little endian) architectures. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mantis It was discovered that the Debian Mantis package, a web based bug tracking system, installed the database credentials in a file with world-readable permissions onto the local filesystem. This allows local users to acquire the credentials used to control the Mantis database. This updated package corrects this problem for new installations and will carefully try to update existing ones. Administrators can check the permissions of the file /etc/mantis/config_db.php to see if they are safe for their environment. The old stable distribution (etch) does not contain a mantis package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 acpid It was discovered that acpid, a daemon for delivering ACPI events, is prone to a denial of service attack by opening a large number of UNIX sockets, which are not closed properly. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 kdelibs Several security issues have been discovered in kdelibs, core libraries from the official KDE release. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that there is a use-after-free flaw in handling certain DOM event handlers. This could lead to the execution of arbitrary code, when visiting a malicious website. It was discovered that there could be an uninitialised pointer when handling a Cascading Style Sheets (CSS) attr function call. This could lead to the execution of arbitrary code, when visiting a malicious website. It was discovered that the JavaScript garbage collector does not handle allocation failures properly, which could lead to the execution of arbitrary code when visiting a malicious website. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. Jan Beulich discovered an issue in Xen where local guest users may cause a denial of service (oops). This update also fixes a regression introduced by the fix for CVE-2009-1184 in 2.6.26-15lenny3. This prevents a boot time panic on systems with SELinux enabled. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 cups cupsys Anibal Sacco discovered that cups, a general printing system for UNIX systems, suffers from null pointer dereference because of its handling of two consecutive IPP packets with certain tag attributes that are treated as IPP_TAG_UNSUPPORTED tags. This allows unauthenticated attackers to perform denial of service attacks by crashing the cups daemon. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 wordpress Several vulnerabilities have been discovered in wordpress, weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that wordpress is prone to an open redirect vulnerability which allows remote attackers to conduct phishing atacks. It was discovered that remote attackers had the ability to trigger an application upgrade, which could lead to a denial of service attack. It was discovered that wordpress lacks authentication checks in the plugin configuration, which might leak sensitive information. It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions. It was discovered that the administrator interface is prone to a cross-site scripting attack. It was discovered that remote attackers can gain privileges via certain direct requests. It was discovered that the _bad_protocol_once function in KSES, as used by wordpress, allows remote attackers to perform cross-site scripting attacks. It was discovered that wordpress lacks certain checks around user information, which could be used by attackers to change the password of a user. It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. It was discovered that the _httpsrequest function in the embedded snoopy version is prone to the execution of arbitrary commands via shell metacharacters in https URLs. It was discovered that wordpress relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier to perform attacks via crafted cookies. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 amule Sam Hocevar discovered that amule, a client for the eD2k and Kad networks, does not properly sanitise the filename, when using the preview function. This could lead to the injection of arbitrary commands passed to the video player. The oldstable distribution (etch) is not affected by this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gforge It was discovered that gforge, collaborative development tool, is prone to a cross-site scripting attack via the helpname parameter. Beside fixing this issue, the update also introduces some additional input sanitising. However, there are no known attack vectors. The oldstable distribution (etch), these problems have been fixed in version 4.5.14-22etch12. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 dhcp3 Several remote vulnerabilities have been discovered in ISC's DHCP implementation: It was discovered that dhclient does not properly handle overlong subnet mask options, leading to a stack-based buffer overflow and possible arbitrary code execution. Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ipsec-tools Several remote vulnerabilities have been discovered in racoon, the Internet Key Exchange daemon of ipsec-tools. The The Common Vulnerabilities and Exposures project identified the following problems: Neil Kettle discovered a NULL pointer dereference on crafted fragmented packets that contain no payload. This results in the daemon crashing which can be used for denial of service attacks. Various memory leaks in the X.509 certificate authentication handling and the NAT-Traversal keepalive implementation can result in memory exhaustion and thus denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 strongswan Several remote vulnerabilities have been discovered in strongswan, an implementation of the IPSEC and IKE protocols. The Common Vulnerabilities and Exposures project identifies the following problems: The charon daemon can crash when processing certain crafted IKEv2 packets. (The old stable distribution (etch) was not affected by these two problems because it lacks IKEv2 support.) The pluto daemon could crash when processing a crafted X.509 certificate. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 libtorrent-rasterbar It was discovered that the Rasterbar Bittorrent library performed insufficient validation of path names specified in torrent files, which could lead to denial of service by overwriting files. The old stable distribution (etch) doesn't include libtorrent-rasterbar. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 expat Peter Valchev discovered an error in expat, an XML parsing C library, when parsing certain UTF-8 sequences, which can be exploited to crash an application using the library. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 fckeditor Vinny Guido discovered that multiple input sanitising vulnerabilities in Fckeditor, a rich text web editor component, may lead to the execution of arbitrary code. The old stable distribution (etch) doesn't contain fckeditor. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ntp Several remote vulnerabilities have been discovered in NTP, the Network Time Protocol reference implementation. The Common Vulnerabilities and Exposures project identifies the following problems: A buffer overflow in ntpq allow a remote NTP server to create a denial of service attack or to execute arbitrary code via a crafted response. A buffer overflow in ntpd allows a remote attacker to create a denial of service attack or to execute arbitrary code when the autokey functionality is enabled. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openssl It was discovered that insufficient length validations in the ASN.1 handling of the OpenSSL crypto library may lead to denial of service when processing a manipulated certificate. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 openjdk-6 Several vulnerabilities have been identified in OpenJDK, an implementation of the Java SE platform. Creation of large, temporary fonts could use up available disk space, leading to a denial of service condition. Several vulnerabilities existed in the embedded LittleCMS library, exploitable through crafted images: a memory leak, resulting in a denial of service condition (CVE-2009-0581), heap-based buffer overflows, potentially allowing arbitrary code execution (CVE-2009-0723, CVE-2009-0733), and a null-pointer dereference, leading to denial of service (CVE-2009-0793). The LDAP server implementation (in com.sun.jdni.ldap) did not properly close sockets if an error was encountered, leading to a denial-of-service condition. The LDAP client implementation (in com.sun.jdni.ldap) allowed malicious LDAP servers to execute arbitrary code on the client. The HTTP server implementation (sun.net.httpserver) contained an unspecified denial of service vulnerability. Several issues in Java Web Start have been addressed. The Debian packages currently do not support Java Web Start, so these issues are not directly exploitable, but the relevant code has been updated nevertheless. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 icedove Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client. The Common Vulnerabilities and Exposures project identifies the following problems: The execution of arbitrary code might be possible via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables. (MFSA 2009-10) It is possible to execute arbitrary code via vectors related to the layout engine. (MFSA 2009-01) It is possible to execute arbitrary code via vectors related to the JavaScript engine. (MFSA 2009-01) Bjoern Hoehrmann and Moxie Marlinspike discovered a possible spoofing attack via Unicode box drawing characters in internationalized domain names. (MFSA 2009-15) Memory corruption and assertion failures have been discovered in the layout engine, leading to the possible execution of arbitrary code. (MFSA 2009-07) The layout engine allows the execution of arbitrary code in vectors related to nsCSSStyleSheet::GetOwnerNode, events, and garbage collection. (MFSA 2009-07) The JavaScript engine is prone to the execution of arbitrary code via several vectors. (MFSA 2009-07) The layout engine allows the execution of arbitrary code via vectors related to gczeal. (MFSA 2009-07) Georgi Guninski discovered that it is possible to obtain xml data via an issue related to the nsIRDFService. (MFSA 2009-09) The browser engine is prone to a possible memory corruption via several vectors. (MFSA 2009-14) The browser engine is prone to a possible memory corruption via the nsSVGElement::BindToTree function. (MFSA 2009-14) Gregory Fleischer discovered that it is possible to bypass the Same Origin Policy when opening a Flash file via the view-source: scheme. (MFSA 2009-17) The possible arbitrary execution of code was discovered via vectors involving "double frame construction." (MFSA 2009-24) Several issues were discovered in the browser engine as used by icedove, which could lead to the possible execution of arbitrary code. (MFSA 2009-24) Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential man-in-the-middle attack, when using a proxy due to insufficient checks on a certain proxy response. (MFSA 2009-27) moz_bug_r_a4 discovered that it is possible to execute arbitrary JavaScript with chrome privileges due to an error in the garbage collection implementation. (MFSA 2009-29) moz_bug_r_a4 reported that it is possible for scripts from page content to run with elevated privileges and thus potentially executing arbitrary code with the object's chrome privileges. (MFSA 2009-32) Bernd Jendrissek discovered a potentially exploitable crash when viewing a multipart/alternative mail message with a text/enhanced part. (MFSA 2009-33) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 eggdrop Several vulnerabilities have been discovered in eggdrop, an advanced IRC robot. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that eggdrop is vulnerable to a buffer overflow, which could result in a remote user executing arbitrary code. The previous DSA (DSA-1448-1) did not fix the issue correctly. It was discovered that eggdrop is vulnerable to a denial of service attack, that allows remote attackers to cause a crash via a crafted PRIVMSG. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libhtml-parser-perl A denial of service vulnerability has been found in libhtml-parser-perl, a collection of modules to parse HTML in text documents which is used by several other projects like e.g. SpamAssassin. Mark Martinec discovered that the decode_entities() function will get stuck in an infinite loop when parsing certain HTML entities with invalid UTF-8 characters. An attacker can use this to perform denial of service attacks by submitting crafted HTML to an application using this functionality. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 sork-passwd-h3 It was discovered that sork-passwd-h3, a Horde3 module for users to change their password, is prone to a cross-site scripting attack via the backend parameter. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 nss-ldapd Leigh James discovered that nss-ldapd, an NSS module for using LDAP as a naming service, by default creates the configuration file /etc/nss-ldapd.conf world-readable which could leak the configured LDAP password if one is used for connecting to the LDAP server. The old stable distribution (etch) doesn't contain nss-ldapd. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 evolution-data-server Several vulnerabilities have been found in evolution-data-server, the database backend server for the evolution groupware suite. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that evolution-data-server is prone to integer overflows triggered by large base64 strings. Joachim Breitner discovered that S/MIME signatures are not verified properly, which can lead to spoofing attacks. It was discovered that NTLM authentication challenge packets are not validated properly when using the NTLM authentication method, which could lead to an information disclosure or a denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 iceweasel Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: "moz_bug_r_a4" discovered that a programming error in the FeedWriter module could lead to the execution of Javascript code with elevated privileges. Prateek Saxena discovered a cross-site scripting vulnerability in the MozSearch plugin interface. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openoffice.org Several vulnerabilities have been discovered in the OpenOffice.org office suite. The Common Vulnerabilities and Exposures project identifies the following problems: Dyon Balding of Secunia Research has discovered a vulnerability, which can be exploited by opening a specially crafted Microsoft Word document. When reading a Microsoft Word document, a bug in the parser of sprmTDelete records can result in an integer underflow that may lead to heap-based buffer overflows. Successful exploitation may allow arbitrary code execution in the context of the OpenOffice.org process. Dyon Balding of Secunia Research has discovered a vulnerability, which can be exploited by opening a specially crafted Microsoft Word document. When reading a Microsoft Word document, a bug in the parser of sprmTDelete records can result in heap-based buffer overflows. Successful exploitation may allow arbitrary code execution in the context of the OpenOffice.org process. A vulnerability has been discovered in the parser of EMF files of OpenOffice/Go-oo 2.x and 3.x that can be triggered by a specially crafted document and lead to the execution of arbitrary commands the privileges of the user running OpenOffice.org/Go-oo. This vulnerability does not exist in the packages for oldstable, testing and unstable. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openswan Two vulnerabilities have been discovered in openswan, an IPSec implementation for linux. The Common Vulnerabilities and Exposures project identifies the following problems: Dmitry E. Oboukhov discovered that the livetest tool is using temporary files insecurely, which could lead to a denial of service attack. Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone to a denial of service attack via a malicious packet. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libsndfile Two vulnerabilities have been found in libsndfile, a library to read and write sampled audio data. The Common Vulnerabilities and Exposures project identified the following problems: Tobias Klein discovered that the VOC parsing routines suffer of a heap-based buffer overflow which can be triggered by an attacker via a crafted VOC header. The vendor discovered that the AIFF parsing routines suffer of a heap-based buffer overflow similar to CVE-2009-1788 which can be triggered by an attacker via a crafted AIFF header. In both cases the overflowing data is not completely attacker controlled but still leads to application crashes or under some circumstances might still lead to arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 opensaml shibboleth-sp Several vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x: Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. Incorrect processing of SAML metadata ignored key usage constraints. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Martijn Wargers, Jesse Ruderman and Josh Soref discovered crashes in the layout engine, which might allow the execution of arbitrary code. Jesse Ruderman discovered crashes in the layout engine, which might allow the execution of arbitrary code. Gary Kwong, and Timothee Groleau discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Gary Kwong discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. It was discovered that incorrect memory management in the DOM element handling may lead to the execution of arbitrary code. Georgi Guninski discovered a violation of the same-origin policy through RDFXMLDataSource and cross-domain redirects. As indicated in the Etch release notes, security support for the Mozilla products in the oldstable distribution needed to be stopped before the end of the regular Etch security maintenance life cycle. You are strongly encouraged to upgrade to stable or switch to a still supported browser. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 silc-client/silc-toolkit Several vulnerabilities have been discovered in the software suite for the SILC protocol, a network protocol designed to provide end-to-end security for conferencing services. The Common Vulnerabilities and Exposures project identifies the following problems: An incorrect format string in sscanf() used in the ASN1 encoder to scan an OID value could overwrite a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. On 64-bit architectures this could result in unexpected application behaviour or even code execution in some cases. Various format string vulnerabilities when handling parsed SILC messages allow an attacker to execute arbitrary code with the rights of the victim running the SILC client via crafted nick names or channel names containing format strings. CVE-2008-7160 An incorrect format string in a sscanf() call used in the HTTP server component of silcd could result in overwriting a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. An attacker could exploit this by using crafted Content-Length header values resulting in unexpected application behaviour or even code execution in some cases. silc-server doesn't need an update as it uses the shared library provided by silc-toolkit. silc-client/silc-toolkit in the oldstable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem: Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 proftpd-dfsg Two SQL injection vulnerabilities have been found in proftpd, a virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems: Shino discovered that proftpd is prone to an SQL injection vulnerability via the use of certain characters in the username. TJ Saunders discovered that proftpd is prone to an SQL injection vulnerability due to insufficient escaping mechanisms, when multybite character encodings are used. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 cups It was discovered that the imagetops filter in cups, the Common UNIX Printing System, is prone to an integer overflow when reading malicious TIFF images. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 mysql-ocaml It was discovered that mysql-ocaml, OCaml bindings for MySql, was missing a function to call mysql_real_escape_string(). This is needed, because mysql_real_escape_string() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called real_escape() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 camlimages It was discovered that CamlImages, an open source image processing library, suffers from several integer overflows, which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of TIFF files. It also expands the patch for CVE-2009-2660 to cover another potential overflow in the processing of JPEG images. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 auth2db It was discovered that auth2db, an IDS logger, log viewer and alert generator, is prone to an SQL injection vulnerability, when used with multibyte character encodings. The oldstable distribution (etch) doesn't contain auth2db. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 djbdns Matthew Dempsky discovered that Daniel J. Bernstein's djbdns, a Domain Name System server, does not constrain offsets in the required manner, which allows remote attackers with control over a third-party subdomain served by tinydns and axfrdns, to trigger DNS responses containing arbitrary records via crafted zone data for this subdomain. The old stable distribution (etch) does not contain djbdns. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Vladimir Vukicevic, Jesse Ruderman, Martijn Wargers, Daniel Banchero, David Keeler and Boris Zbarsky reported crashes in layout engine, which might allow the execution of arbitrary code. Carsten Book reported a crash in the layout engine, which might allow the execution of arbitrary code. Jesse Ruderman and Sid Stamm discovered spoofing vulnerability in the file download dialog. Gregory Fleischer discovered a bypass of the same-origin policy using the document.getSelection() function. "moz_bug_r_a4" discovered a privilege escalation to Chrome status in the XPCOM utility XPCVariant::VariantDataToJS. "regenrecht" discovered a buffer overflow in the GIF parser, which might lead to the execution of arbitrary code. Marco C. discovered that a programming error in the proxy auto configuration code might lead to denial of service or the execution of arbitrary code. Jeremy Brown discovered that the filename of a downloaded file which is opened by the user is predictable, which might lead to tricking the user into a malicious file if the attacker has local access to the system. Paul Stone discovered that history information from web forms could be stolen. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 bugzilla Max Kanat-Alexander, Bradley Baetz, and Fr?Å d?Å ric Buclin discovered an SQL injection vulnerability in the Bug.create WebService function in Bugzilla, a web-based bug tracking system, which allows remote attackers to execute arbitrary SQL commands. The oldstable distribution (etch) isn't affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 xml-security-c It was discovered that the W3C XML Signature recommendation contains a protocol-level vulnerability related to HMAC output truncation. This update implements the proposed workaround in the C++ version of the Apache implementation of this standard, xml-security-c, by preventing truncation to output strings shorter than 80 bits or half of the original HMAC output, whichever is greater. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 phpmyadmin Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name. SQL injection vulnerability in the PDF schema generator functionality allows remote attackers to execute arbitrary SQL commands. This issue does not apply to the version in Debian 4.0 Etch. Additionally, extra fortification has been added for the web based setup.php script. Although the shipped web server configuration should ensure that this script is protected, in practice this turned out not always to be the case. The config.inc.php file is not writable anymore by the webserver user. See README.Debian for details on how to enable the setup.php script if and when you need it. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 dnsmasq Several remote vulnerabilities have been discovered in the TFTP component of dnsmasq. The Common Vulnerabilities and Exposures project identifies the following problems: A buffer overflow in TFTP processing may enable arbitrary code execution to attackers which are permitted to use the TFTP service. Malicious TFTP clients may crash dnsmasq, leading to denial of service. The old stable distribution is not affected by these problems. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libwmf Tavis Ormandy discovered that the embedded GD library copy in libwmf, a library to parse windows metafiles (WMF), makes use of a pointer after it was already freed. An attacker using a crafted WMF file can cause a denial of service or possibly the execute arbitrary code via applications using this library. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 moodle Christian J. Eibl discovered that the TeX filter of Moodle, a web-based course management system, doesn't check user input for certain TeX commands which allows an attacker to include and display the content of arbitrary system files. Note that this doesn't affect installations that only use the mimetex environment. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 smarty Several remote vulnerabilities have been discovered in Smarty, a PHP templating engine. The Common Vulnerabilities and Exposures project identifies the following problems: The _expand_quoted_text function allows for certain restrictions in templates, like function calling and PHP execution, to be bypassed. The smarty_function_math function allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 wget Daniel Stenberg discovered that wget, a network utility to retrieve files from the Web using HTTP(S) and FTP, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" published at the Blackhat conference some time ago. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 dbus It was discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack. This issue was caused by an incorrect fix for DSA-1658-1. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 strongswan Gerd v. Egidy discovered that the Pluto IKE daemon in strongswan, an IPSec implementation for linux, is prone to a denial of service attack via a malicious packet. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 mysql-dfsg-5.0 In MySQL 4.0.0 through 5.0.83, multiple format string vulnerabilities in the dispatch_command() function in libmysqld/sql_parse.cc in mysqld allow remote authenticated users to cause a denial of service (daemon crash) and potentially the execution of arbitrary code via format string specifiers in a database name in a COM_CREATE_DB or COM_DROP_DB request. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libsndfile Alan Rad Pop discovered that libsndfile, a library to read and write sampled audio data, is prone to an integer overflow. This causes a heap-based buffer overflow when processing crafted CAF description chunks possibly leading to arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openldap openldap2.3 It was discovered that OpenLDAP, a free implementation of the Lightweight Directory Access Protocol, when OpenSSL is used, does not properly handle a "\0" character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Security researcher Guido Landi discovered that a XSL stylesheet could be used to crash the browser during a XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer. Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object and this crash could be used by an attacker to run arbitrary code on a victim's computer. Note that after installing these updates, you will need to restart any packages using xulrunner, typically iceweasel or epiphany. As indicated in the Etch release notes, security support for the Mozilla products in the oldstable distribution needed to be stopped before the end of the regular Etch security maintenance life cycle. You are strongly encouraged to upgrade to stable or switch to a still supported browser. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 samba Several vulnerabilities have been discovered in samba, an implementation of the SMB/CIFS protocol for Unix systems, providing support for cross-platform file and printer sharing with other operating systems and more. The Common Vulnerabilities and Exposures project identifies the following problems: The mount.cifs utility is missing proper checks for file permissions when used in verbose mode. This allows local users to partly disclose the content of arbitrary files by specifying the file as credentials file and attempting to mount a samba share. A reply to an oplock break notification which samba doesn't expect could lead to the service getting stuck in an infinite loop. An attacker can use this to perform denial of service attacks via a specially crafted SMB request. A lack of error handling in case no home directory was configured/specified for the user could lead to file disclosure. In case the automated [homes] share is enabled or an explicit share is created with that username, samba fails to enforce sharing restrictions which results in an attacker being able to access the file system from the root directory. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 php5 Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems: The following issues have been fixed in both the stable (lenny) and the oldstable (etch) distributions: CVE-2009-2687, CVE-2009-3292. The exif module did not properly handle malformed jpeg files, allowing an attacker to cause a segfault, resulting in a denial of service. The php_openssl_apply_verification_policy() function did not properly perform certificate validation. Bogdan Calin discovered that a remote attacker could cause a denial of service by uploading a large number of files in using multipart/ form-data requests, causing the creation of a large number of temporary files. To address this issue, the max_file_uploads option introduced in PHP 5.3.1 has been backported. This option limits the maximum number of files uploaded per request. The default value for this new option is 50. See NEWS.Debian for more information. The following issue has been fixed in the stable (lenny) distribution: A flaw in the ini_restore() function could lead to a memory disclosure, possibly leading to the disclosure of sensitive data. In the oldstable (etch) distribution, this update also fixes a regression introduced by the fix for CVE-2008-5658 in DSA-1789-1 (bug #527560). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 moin It was discovered that the AttachFile action in moin, a python clone of WikiWiki, is prone to cross-site scripting attacks when renaming attachements or performing other sub-actions. The oldstable distribution (etch) is not vulnerable. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 cyrus-imapd-2.2 kolab-cyrus-imapd It was discovered that the SIEVE component of cyrus-imapd and kolab-cyrus-imapd, the Cyrus mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. The update introduced by DSA 1881-1 was incomplete and the issue has been given an additional CVE id due to its complexity. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 mysql-dfsg-5.0 Multiple vulnerabilities have been identified affecting MySQL, a relational database server, and its associated interactive client application. The Common Vulnerabilities and Exposures project identifies the following two problems: Kay Roepke reported that the MySQL server would not properly handle an empty bit-string literal in an SQL statement, allowing an authenticated remote attacker to cause a denial of service (a crash) in mysqld. This issue affects the oldstable distribution (etch), but not the stable distribution (lenny). Thomas Henlich reported that the MySQL commandline client application did not encode HTML special characters when run in HTML output mode (that is, "mysql --html ..."). This could potentially lead to cross-site scripting or unintended script privilege escalation if the resulting output is viewed in a browser or incorporated into a web site. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 qemu Several vulnerabilities have been discovered in the QEMU processor emulator. The Common Vulnerabilities and Exposures project identifies the following problems: Ian Jackson discovered that range checks of file operations on emulated disk devices were insufficiently enforced. It was discovered that an error in the format auto detection of removable media could lead to the disclosure of files in the host system. A buffer overflow has been found in the emulation of the Cirrus graphics adaptor. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Several issues in the browser engine have been discovered, which can result in the execution of arbitrary code. (MFSA 2009-24) It is possible to execute arbitrary code via vectors involving "double frame construction." (MFSA 2009-24) Jesse Ruderman and Adam Hauner discovered a problem in the JavaScript engine, which could lead to the execution of arbitrary code. (MFSA 2009-24) Pavel Cvrcek discovered a potential issue leading to a spoofing attack on the location bar related to certain invalid unicode characters. (MFSA 2009-25) Gregory Fleischer discovered that it is possible to read arbitrary cookies via a crafted HTML document. (MFSA 2009-26) Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential man-in-the-middle attack, when using a proxy due to insufficient checks on a certain proxy response. (MFSA 2009-27) Jakob Balle and Carsten Eiram reported a race condition in the NPObjWrapper_NewResolve function that can be used to execute arbitrary code. (MFSA 2009-28) moz_bug_r_a4 discovered that it is possible to execute arbitrary JavaScript with chrome privileges due to an error in the garbage-collection implementation. (MFSA 2009-29) Adam Barth and Collin Jackson reported a potential privilege escalation when loading a file::resource via the location bar. (MFSA 2009-30) Wladimir Palant discovered that it is possible to bypass access restrictions due to a lack of content policy check, when loading a script file into a XUL document. (MFSA 2009-31) moz_bug_r_a4 reported that it is possible for scripts from page content to run with elevated privileges and thus potentially executing arbitrary code with the object's chrome privileges. (MFSA 2009-32) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 mapserver Several vulnerabilities have been discovered in mapserver, a CGI-based web framework to publish spatial data and interactive mapping applications. The Common Vulnerabilities and Exposures project identifies the following problems: Missing input validation on a user supplied map queryfile name can be used by an attacker to check for the existence of a specific file by using the queryfile GET parameter and checking for differences in error messages. A lack of file type verification when parsing a map file can lead to partial disclosure of content from arbitrary files through parser error messages. Due to missing input validation when saving map files under certain conditions it is possible to perform directory traversal attacks and to create arbitrary files. NOTE: Unless the attacker is able to create directories in the image path or there is already a readable directory this doesn't affect installations on Linux as the fopen() syscall will fail in case a sub path is not readable. It was discovered that mapserver is vulnerable to a stack-based buffer overflow when processing certain GET parameters. An attacker can use this to execute arbitrary code on the server via crafted id parameters. An integer overflow leading to a heap-based buffer overflow when processing the Content-Length header of an HTTP request can be used by an attacker to execute arbitrary code via crafted POST requests containing negative Content-Length values. An integer overflow when processing HTTP requests can lead to a heap-based buffer overflow. An attacker can use this to execute arbitrary code either via crafted Content-Length values or large HTTP request. This is partly because of an incomplete fix for CVE-2009-0840. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 git-core It was discovered that git-daemon which is part of git-core, a popular distributed revision control system, is vulnerable to denial of service attacks caused by a programming mistake in handling requests containing extra unrecognized arguments which results in an infinite loop. While this is no problem for the daemon itself as every request will spawn a new git-daemon instance, this still results in a very high CPU consumption and might lead to denial of service conditions. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 kdegraphics kpdf, a Portable Document Format (PDF) viewer for KDE, is based on the xpdf program and thus suffers from similar flaws to those described in DSA-1790. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple buffer overflows in the JBIG2 decoder in kpdf allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg. Multiple integer overflows in the JBIG2 decoder in kpdf allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. Integer overflow in the JBIG2 decoder in kpdf has unspecified impact related to "g*allocn." The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory. The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read. Multiple "input validation flaws" in the JBIG2 decoder in kpdf allow remote attackers to execute arbitrary code via a crafted PDF file. Integer overflow in the JBIG2 decoder in kpdf allows remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 decoder in kpdf allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference. Multiple buffer overflows in the JBIG2 MMR decoder in kpdf allow remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 MMR decoder in kpdf allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file. The old stable distribution (etch), these problems have been fixed in version 3.5.5-3etch3. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openexr Several vulnerabilities have been discovered in the OpenEXR image library, which can lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered integer overflows in the preview and compression code. Drew Yao discovered that an uninitialised pointer could be freed in the decompression code. A buffer overflow was discovered in the compression code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ikiwiki Josh Triplett discovered that the blacklist for potentially harmful TeX code of the teximg module of the Ikiwiki wiki compiler was incomplete, resulting in information disclosure. The old stable distribution (etch) is not affected. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 drupal6 Multiple vulnerabilities have been discovered in drupal, a web content management system. The Common Vulnerabilities and Exposures project identifies the following problems: pod.Edge discovered a cross-site scripting vulnerability due that can be triggered when some browsers interpret UTF-8 strings as UTF-7 if they appear before the generated HTML document defines its Content-Type. This allows a malicious user to execute arbitrary javascript in the context of the web site if they're allowed to post content. Moritz Naumann discovered an information disclosure vulnerability. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a cross-site request forgery attack against the submitted form. The old stable distribution (etch) does not contain drupal and is not affected. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 request-tracker3.4 request-tracker3.6 Mikal Gule discovered that request-tracker, an extensible trouble-ticket tracking system, is prone to an attack, where an attacker with access to the same domain can hijack a user's RT session. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ruby1.8 ruby1.9 Several vulnerabilities have been discovered in Ruby. The Common Vulnerabilities and Exposures project identifies the following problems: The return value from the OCSP_basic_verify function was not checked properly, allowing continued use of a revoked certificate. An issue in parsing BigDecimal numbers can result in a denial-of-service condition (crash). The following matrix identifies fixed versions: We recommend that you upgrade your Ruby packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ffmpeg-debian Several vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. It was discovered that using a crafted STR file can lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 camlimages Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of JPEG and GIF Images, while DSA 1832-1 addressed the issue with PNG images. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Martijn Wargers, Arno Renevier, Jesse Ruderman, Olli Pettay and Blake Kaplan disocvered several issues in the browser engine that could potentially lead to the execution of arbitrary code. (MFSA 2009-34) monarch2020 reported an integer overflow in a base64 decoding function. (MFSA 2009-34) Christophe Charron reported a possibly exploitable crash occuring when multiple RDF files were loaded in a XUL tree element. (MFSA 2009-34) Yongqian Li reported that an unsafe memory condition could be created by specially crafted document. (MFSA 2009-34) Peter Van der Beken, Mike Shaver, Jesse Ruderman, and Carsten Book discovered several issues in the JavaScript engine that could possibly lead to the execution of arbitrary JavaScript. (MFSA 2009-34) Attila Suszter discovered an issue related to a specially crafted Flash object, which could be used to run arbitrary code. (MFSA 2009-35) PenPal discovered that it is possible to execute arbitrary code via a specially crafted SVG element. (MFSA 2009-37) Blake Kaplan discovered a flaw in the JavaScript engine that might allow an attacker to execute arbitrary JavaScript with chrome privileges. (MFSA 2009-39) moz_bug_r_a4 discovered an issue in the JavaScript engine that could be used to perform cross-site scripting attacks. (MFSA 2009-40) SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 camlimages Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 postgresql-7.4 postgresql-8.1 postgresql-8.3 postgresql-8.4 Several vulnerabilities have been discovered in PostgreSQL, an SQL database system. The Common Vulnerabilities and Exposures project identifies the following problems: Authenticated users can shut down the backend server by re-LOAD-ing libraries in $libdir/plugins, if any libraries are present there. (The old stable distribution (etch) is not affected by this issue.) Authenticated non-superusers can gain database superuser privileges if they can create functions and tables due to incorrect execution of functions in functional indexes. If PostgreSQL is configured with LDAP authentication, and the LDAP configuration allows anonymous binds, it is possible for a user to authenticate themselves with an empty password. (The old stable distribution (etch) is not affected by this issue.) In addition, this update contains reliability improvements which do not target security issues. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 squid3 It was discovered that squid3, a high-performance proxy caching server for web clients, is prone to several denial of service attacks. Due to incorrect bounds checking and insufficient validation while processing response and request data an attacker is able to crash the squid daemon via crafted requests or responses. The squid package in the oldstable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libapache-mod-jk An information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the "Content-Length" header without providing request body data, or if a client sent repeated requests very quickly, one client could obtain a response intended for another client. The oldstable distribution (etch), this problem has been fixed in version 1:1.2.18-3etch2. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 bind9 It was discovered that the BIND DNS server terminates when processing a specially crafted dynamic DNS update. This vulnerability affects all BIND servers which serve at least one DNS zone authoritatively, as a master, even if dynamic updates are not enabled. The default Debian configuration for resolvers includes several authoritative zones, too, so resolvers are also affected by this issue unless these zones have been removed. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mahara It was discovered that mahara, an electronic portfolio, weblog, and resume builder is prone to several cross-site scripting attacks, which allow an attacker to inject arbitrary HTML or script code and steal potential sensitive data from other users. The oldstable distribution (etch) does not contain mahara. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ghostscript Two security issues have been discovered in ghostscript, the GPL Ghostscript PostScript/PDF interpreter. The Common Vulnerabilities and Exposures project identifies the following problems: Jan Lieskovsky discovered multiple integer overflows in the ICC library, which allow the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images. Jan Lieskovsky discovered insufficient upper-bounds checks on certain variable sizes in the ICC library, which allow the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 weechat Sebastien Helleu discovered that an error in the handling of color codes in the weechat IRC client could cause an out-of-bounds read of an internal color array. This can be used by an attacker to crash user clients via a crafted PRIVMSG command. The weechat version in the oldstable distribution (etch) is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 systemtap Erik Sjoelund discovered that a race condition in the stap tool shipped by Systemtap, an instrumentation system for Linux 2.6, allows local privilege escalation for members of the stapusr group. The old stable distribution (etch) isn't affected. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman discovered crashes in the layout engine, which might allow the execution of arbitrary code. Daniel Holbert, Jesse Ruderman, Olli Pettay and "toshi" discovered crashes in the layout engine, which might allow the execution of arbitrary code. Josh Soref, Jesse Ruderman and Martin Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. Jesse Ruderman discovered a crash in the Javascript engine, which might allow the execution of arbitrary code. Carsten Book and "Taral" discovered crashes in the layout engine, which might allow the execution of arbitrary code. Jesse Ruderman discovered that the user interface for installing/ removing PCKS #11 securiy modules wasn't informative enough, which might allow social engineering attacks. It was discovered that incorrect pointer handling in the XUL parser could lead to the execution of arbitrary code. Juan Pablo Lopez Yacubian discovered that incorrent rendering of some Unicode font characters could lead to spoofing attacks on the location bar. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 rails Brian Mastenbrook discovered that rails, the MVC ruby based framework geared for web application development, is prone to cross-site scripting attacks via malformed strings in the form helper. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 kvm Several vulnerabilities have been discovered in kvm, a full virtualization system. The Common Vulnerabilities and Exposures project identifies the following problems: Chris Webb discovered an off-by-one bug limiting KVM's VNC passwords to 7 characters. This flaw might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended. It was discovered that the kvm_emulate_hypercall function in KVM does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory. The oldstable distribution (etch) does not contain kvm. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 xapian-omega It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain or embedding the search engine into a website. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 xpdf Several vulnerabilities have been identified in xpdf, a suite of tools for viewing and converting Portable Document Format (PDF) files. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg. Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, as used in Poppler and other products, when running on Mac OS X, has unspecified impact, related to "g*allocn." The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory. The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read. Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference. Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 typo3-src Several remote vulnerabilities have been discovered in the TYPO3 web content management framework. The Common Vulnerabilities and Exposures project identifies the following problems: The Backend subcomponent allows remote authenticated users to determine an encryption key via crafted input to a form field. Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent allow remote authenticated users to inject arbitrary web script or HTML. The Backend subcomponent allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters. The Backend subcomponent, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename. SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent allows remote authenticated users to execute arbitrary SQL commands. Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script. Cross-site scripting (XSS) vulnerability in the Frontend Login Box (aka felogin) subcomponent allows remote attackers to inject arbitrary web script or HTML. The Install Tool subcomponent allows remote attackers to gain access by using only the password's md5 hash as a credential. Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent allows remote attackers to inject arbitrary web script or HTML. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openafs Two vulnerabilities were discovered in the client part of OpenAFS, a distributed file system. An attacker with control of a file server or the ability to forge RX packets may be able to execute arbitrary code in kernel mode on an OpenAFS client, due to a vulnerability in XDR array decoding. An attacker with control of a file server or the ability to forge RX packets may crash OpenAFS clients because of wrongly handled error return codes in the kernel module. Note that in order to apply this security update, you must rebuild the OpenAFS kernel module. Be sure to also upgrade openafs-modules-source, build a new kernel module for your system following the instructions in /usr/share/doc/openafs-client/README.modules.gz, and then either stop and restart openafs-client or reboot the system to reload the kernel module. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 proftpd-dfsg It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon, does not properly handle a "\0" character in a domain name in the Subject Alternative Name field of an X.509 client certificate, when the dNSNameRequired TLS option is enabled. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 curl David Kierznowski discovered that libcurl, a multi-protocol file transfer library, when configured to follow URL redirects automatically, does not question the new target location. As libcurl also supports file:// and scp:// URLs - depending on the setup - an untrusted server could use that to expose local files, overwrite local files or even execute arbitrary code via a malicious URL redirect. This update introduces a new option called CURLOPT_REDIR_PROTOCOLS which by default does not include the scp and file protocol handlers. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 nginx Chris Ries discovered that nginx, a high-performance HTTP server, reverse proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when processing certain HTTP requests. An attacker can use this to execute arbitrary code with the rights of the worker process (www-data on Debian) or possibly perform denial of service attacks by repeatedly crashing worker processes via a specially crafted URL in an HTTP request. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pulseaudio Tavis Ormandy and Julien Tinnes discovered that the pulseaudio daemon does not drop privileges before re-executing itself, enabling local attackers to increase their privileges. The old stable distribution (etch) is not affected by this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Notice: Debian 5.0.4, the next point release of Debian "lenny", will include a new default value for the mmap_min_addr tunable. This change will add an additional safeguard against a class of security vulnerabilities known as "NULL pointer dereference" vulnerabilities, but it will need to be overridden when using certain applications. Additional information about this change, including instructions for making this change locally in advance of 5.0.4 (recommended), can be found at: http://wiki.debian.org/mmap_min_addr. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Eric Dumazet reported an instance of uninitialized kernel memory in the network packet scheduler. Local users may be able to exploit this issue to read the contents of sensitive kernel memory. Linus Torvalds provided a change to the get_random_int() function to increase its randomness. Earl Chew discovered a NULL pointer dereference issue in the pipe_rdwr_open function which can be used by local users to gain elevated privileges. Jiri Pirko discovered a typo in the initialization of a structure in the netlink subsystem that may allow local users to gain access to sensitive kernel memory. Ben Hutchings discovered an issue in the DRM manager for ATI Rage 128 graphics adapters. Local users may be able to exploit this vulnerability to cause a denial of service (NULL pointer dereference). Tomoki Sekiyama discovered a deadlock condition in the UNIX domain socket implementation. Local users can exploit this vulnerability to cause a denial of service (system hang). David Wagner reported an overflow in the KVM subsystem on i386 systems. This issue is exploitable by local users with access to the /dev/kvm device file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Notice: Debian 5.0.4, the next point release of Debian "lenny", will include a new default value for the mmap_min_addr tunable. This change will add an additional safeguard against a class of security vulnerabilities known as "NULL pointer dereference" vulnerabilities, but it will need to be overridden when using certain applications. Additional information about this change, including instructions for making this change locally in advance of 5.0.4 (recommended), can be found at: http://wiki.debian.org/mmap_min_addr. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Eric Paris provided several fixes to increase the protection provided by the mmap_min_addr tunable against NULL pointer dereference vulnerabilities. Mark Smith discovered a memory leak in the appletalk implementation. When the appletalk and ipddp modules are loaded, but no ipddp "N" device is found, remote attackers can cause a denial of service by consuming large amounts of system memory. Loic Minier discovered an issue in the eCryptfs filesystem. A local user can cause a denial of service (kernel oops) by causing a dentry value to go negative. Arjan van de Ven discovered an issue in the AX.25 protocol implementation. A specially crafted call to setsockopt() can result in a denial of service (kernel oops). Jan Beulich discovered the existence of a sensitive kernel memory leak. Systems running the "amd64" kernel do not properly sanitize registers for 32-bit processes. Jiri Slaby fixed a sensitive memory leak issue in the ANSI/IEEE 802.2 LLC implementation. This is not exploitable in the Debian lenny kernel as root privileges are required to exploit this issue. Eric Dumazet fixed several sensitive memory leaks in the IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and Controller Area Network (CAN) implementations. Local users can exploit these issues to gain access to kernel memory. Eric Paris discovered an issue with the NFSv4 server implementation. When an O_EXCL create fails, files may be left with corrupted permissions, possibly granting unintentional privileges to other local users. Jan Kiszka noticed that the kvm_emulate_hypercall function in KVM does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory. Alistair Strachan reported an issue in the r8169 driver. Remote users can cause a denial of service (IOMMU space exhaustion and system crash) by transmitting a large amount of jumbo frames. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 postgresql-ocaml It was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's libpq, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called escape_string_conn() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 znc It was discovered that znc, an IRC proxy, did not properly process certain DCC requests, allowing attackers to upload arbitrary files. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pango1.0 Marc Schoenefeld discovered an improper input sanitization in Pango, a library for layout and rendering of text, leading to array indexing error. If a local user was tricked into loading a specially-crafted font file in an application, using the Pango font rendering library, it could lead to denial of service . SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 dkim-milter It was discovered that dkim-milter, an implementation of the DomainKeys Identified Mail protocol, may crash during DKIM verification if it encounters a specially-crafted or revoked public key record in DNS. The old stable distribution (etch) does not contain dkim-milter packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 apache2 A denial of service flaw was found in the Apache mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time. This issue did not affect Debian 4.0 "etch". A denial of service flaw was found in the Apache mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. A similar flaw related to HEAD requests for compressed content was also fixed. The oldstable distribution (etch), these problems have been fixed in version 2.2.3-4+etch9. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ejabberd It was discovered that in ejabberd, a distributed XMPP/Jabber server written in Erlang, a problem in ejabberd_c2s.erl allows remote authenticated users to cause a denial of service by sending a large number of c2s messages; that triggers an overload of the queue, which in turn causes a crash of the ejabberd daemon. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 wireshark Several remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: A NULL pointer dereference was found in the RADIUS dissector. A NULL pointer dereference was found in the DCERP/NT dissector. An integer overflow was discovered in the ERF parser. This update also includes fixes for three minor issues (CVE-2008-1829, CVE-2009-2562, CVE-2009-3241), which were scheduled for the next stable point update. Also CVE-2009-1268 was fixed for Etch. Since this security update was issued prior to the release of the point update, the fixes were included. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 webcit Wilfried Goesgens discovered that WebCit, the web-based user interface for the Citadel groupware system, contains a format string vulnerability in the mini_calendar component, possibly allowing arbitrary code execution (CVE-2009-0364). SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 phpmyadmin Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Cross site scripting vulnerability in the export page allow for an attacker that can place crafted cookies with the user to inject arbitrary web script or HTML. Static code injection allows for a remote attacker to inject arbitrary code into phpMyAdmin via the setup.php script. This script is in Debian under normal circumstances protected via Apache authentication. However, because of a recent worm based on this exploit, we are patching it regardless, to also protect installations that somehow still expose the setup.php script. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 unbound It was discovered that Unbound, a DNS resolver, does not properly check cryptographic signatures on NSEC3 records. As a result, zones signed with the NSEC3 variant of DNSSEC lose their cryptographic protection. The old stable distribution does not contain an unbound package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 moin Several vulnerabilities have been discovered in moin, a python clone of WikiWiki. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple security issues in MoinMoin related to configurations that have a non-empty superuser list, the xmlrpc action enabled, the SyncPages action enabled, or OpenID configured. MoinMoin does not properly sanitize user profiles. The default configuration of cfg.packagepages_actions_excluded in MoinMoin does not prevent unsafe package actions. In addition, this update fixes an error when processing hierarchical ACLs, which can be exploited to access restricted sub-pages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 network-manager/network-manager-applet It was discovered that network-manager-applet, a network management framework, lacks some dbus restriction rules, which allows local users to obtain sensitive information. If you have locally modified the /etc/dbus-1/system.d/nm-applet.conf file, then please make sure that you merge the changes from this fix when asked during upgrade. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ldns Stefan Kaltenbrunner discovered that ldns, a library and set of utilities to facilitate DNS programming, did not correctly implement a buffer boundary check in its RR DNS record parser. This weakness could enable overflow of a heap buffer if a maliciously-crafted record is parsed, potentially allowing the execution of arbitrary code. The scope of compromise will vary with the context in which ldns is used, and could present either a local or remote attack vector. The old stable distribution (etch) is not affected by this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 otrs2 It was discovered that otrs2, the Open Ticket Request System, does not properly sanitise input data that is used on SQL queries, which might be used to inject arbitrary SQL to, for example, escalate privileges on a system that uses otrs2. The oldstable distribution is not affected. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 wireshark Several remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: A format string vulnerability was discovered in the PROFINET dissector. The dissector for the Check Point High-Availability Protocol could be forced to crash. Malformed Tektronix files could lead to a crash. The old stable distribution (etch), is only affected by the CPHAP crash, which doesn't warrant an update on its own. The fix will be queued up for an upcoming security update or a point release. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 kde4libs Several security issues have been discovered in kde4libs, core libraries for all KDE 4 applications. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that there is a use-after-free flaw in handling certain DOM event handlers. This could lead to the execution of arbitrary code, when visiting a malicious website. It was discovered that there could be an uninitialised pointer when handling a Cascading Style Sheets (CSS) attr function call. This could lead to the execution of arbitrary code, when visiting a malicious website. It was discovered that the JavaScript garbage collector does not handle allocation failures properly, which could lead to the execution of arbitrary code when visiting a malicious website. The oldstable distribution (etch) does not contain kde4libs. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 tiff Several vulnerabilities have been discovered in the library for the Tag Image File Format (TIFF). The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that malformed TIFF images can lead to a crash in the decompression code, resulting in denial of service. Andrea Barisani discovered several integer overflows, which can lead to the execution of arbitrary code if malformed images are passed to the rgb2ycbcr or tiff2rgba tools. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gforge Sylvain Beucler discovered that gforge, a collaborative development tool, is prone to a symlink attack, which allows local users to perform a denial of service attack by overwriting arbitrary files. The oldstable distribution (etch), this problem has been fixed in version 4.5.14-22etch13. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 kdebase Sebastian Krahmer discovered that a race condition in the KDE Desktop Environment"s KDM display manager, allow a local user to elevate privileges to root. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 samba Two local vulnerabilities have been discovered in samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following problems: Ronald Volgers discovered that a race condition in mount.cifs allows local users to mount remote filesystems over arbitrary mount points. Jeff Layton discovered that missing input sanitising in mount.cifs allows denial of service by corrupting /etc/mtab. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openssl openssl097 Certificates with MD2 hash signatures are no longer accepted by OpenSSL, since they're no longer considered cryptographically secure. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gzip Several vulnerabilities have been found in gzip, the GNU compression utilities. The Common Vulnerabilities and Exposures project identifies the following problems: Thiemo Nagel discovered a missing input sanitation flaw in the way gzip used to decompress data blocks for dynamic Huffman codes, which could lead to the execution of arbitrary code when trying to decompress a crafted archive. This issue is a reappearance of CVE-2006-4334 and only affects the lenny version. Aki Helin discovered an integer underflow when decompressing files that are compressed using the LZW algorithm. This could lead to the execution of arbitrary code when trying to decompress a crafted LZW compressed gzip archive. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 icu It was discovered that the ICU unicode library performed incorrect processing of invalid multibyte sequences, resulting in potential bypass of security mechanisms. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 graphicsmagick Several vulnerabilities have been discovered in graphicsmagick, a collection of image processing tool, which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple integer overflows in XInitImage function in xwd.c for GraphicsMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution (etch). Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution (etch). A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution (etch). Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution (etch). A sign extension error allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. It affects only the oldstable distribution (etch). The load_tile function in the XCF coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write. It affects only oldstable (etch). Multiple vulnerabilities in GraphicsMagick before 1.2.4 allow remote attackers to cause a denial of service (crash, infinite loop, or memory consumption) via vectors in the AVI, AVS, DCM, EPT, FITS, MTV, PALM, RLA, and TGA decoder readers; and the GetImageCharacteristics function in magick/image.c, as reachable from a crafted PNG, JPEG, BMP, or TIFF file. Multiple heap-based buffer underflows in the ReadPALMImage function in coders/palm.c in GraphicsMagick before 1.2.3 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted PALM image. Heap-based buffer overflow in the DecodeImage function in coders/pict.c in GraphicsMagick before 1.1.14, and 1.2.x before 1.2.3, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted PICT image. Multiple vulnerabilities in GraphicsMagick allow remote attackers to cause a denial of service (crash) via vectors in XCF and CINEON images. Vulnerability in GraphicsMagick allows remote attackers to cause a denial of service (crash) via vectors in DPX images. Integer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libtool It was discovered that ltdl, a system-independent dlopen wrapper for GNU libtool, can be tricked to load and run modules from an arbitrary directory, which might be used to execute arbitrary code with the privileges of the user running an application that uses libltdl. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Joseph Malicki reported that the dbg_lvl sysfs attribute for the megaraid_sas device driver had world-writable permissions, permitting local users to modify logging settings. Lennert Buytenhek reported a race in the mac80211 subsystem that may allow remote users to cause a denial of service on a system connected to the same wireless network. Fabian Yamaguchi reported issues in the e1000 and e1000e drivers for Intel gigabit network adapters which allow remote users to bypass packet filters using specially crafted ethernet frames. Andi Kleen reported a defect which allows local users to gain read access to memory reachable by the kernel when the print-fatal-signals option is enabled. This option is disabled by default. Florian Westphal reported a lack of capability checking in the ebtables netfilter subsystem. If the ebtables module is loaded, local users can add and modify ebtables rules. Al Viro reported several issues with the mmap/mremap system calls that allow local users to cause a denial of service or obtain elevated privileges. Gleb Natapov discovered issues in the KVM subsystem where missing permission checks permit a user in a guest system to denial of service a guest or gain escalated privileges with the guest. Mathias Krause reported an issue with the load_elf_binary code on the amd64 flavor kernels that allows local users to cause a denial of service . Marcelo Tosatti fixed an issue in the PIT emulation code in the KVM subsystem that allows privileged users in a guest domain to cause a denial of service of the host system. Sebastian Krahmer discovered an issue in the netlink connector subsystem that permits local users to allocate large amounts of system memory resulting in a denial of service . Ramon de Carvalho Valle discovered an issue in the sys_move_pages interface, limited to amd64, ia64 and powerpc64 flavors in Debian. Local users can exploit this issue to cause a denial of service or gain access to sensitive kernel memory. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 python-crypto Mike Wiacek discovered that a buffer overflow in the ARC2 implementation of Python Crypto, a collection of cryptographic algorithms and protocols for Python allows denial of service and potentially the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Alin Rad Pop discovered that incorrect memory handling in the HTML parser could lead to the execution of arbitrary code. Hidetake Jo discovered that the same-origin policy can be bypassed through window.dialogArguments. Henri Sivonen, Boris Zbarsky, Zack Weinberg, Bob Clary, Martijn Wargers and Paul Nickerson reported crashes in layout engine, which might allow the execution of arbitrary code. Orlando Barrera II discovered that incorrect memory handling in the implementation of the web worker API could lead to the execution of arbitrary code. Georgi Guninski discovered that the same origin policy can be bypassed through specially crafted SVG documents. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ikiwiki Ivan Shmakov discovered that the htmlscrubber component of ikwiki, a wiki compiler, performs insufficient input sanitization on data:image/svg+xml URIs. As these can contain script code this can be used by an attacker to conduct cross-site scripting attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 gst-plugins-good0.10 It has been discovered that gst-plugins-good0.10, the GStreamer plugins from the "good" set, are prone to an integer overflow, when processing a large PNG file. This could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 krb5 It was discovered that krb5, a system for authenticating users and services on a network, is prone to integer underflow in the AES and RC4 decryption operations of the crypto library. A remote attacker can cause crashes, heap corruption, or, under extraordinarily unlikely conditions, arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mediawiki Several vulnerabilities have been discovered in mediawiki, a web-based wiki engine. The following issues have been identified: Insufficient input sanitization in the CSS validation code allows editors to display external images in wiki pages. This can be a privacy concern on public wikis as it allows attackers to gather IP addresses and other information by linking these images to a web server under their control. Insufficient permission checks have been found in thump.php which can lead to disclosure of image files that are restricted to certain users . SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 polipo Several denial of service vulnerabilities have been discovered in polipo, a small, caching web proxy. The Common Vulnerabilities and Exposures project identifies the following problems: A malicous remote sever could cause polipo to crash by sending an invalid Cache-Control header. A malicous client could cause polipo to crash by sending a large Content-Length value. This upgrade also fixes some other bugs that could lead to a daemon crash or an infinite loop and may be triggerable remotely. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 zope2.10/zope2.9 Several remote vulnerabilities have been discovered in the zope, a feature-rich web application server written in python, that could lead to arbitrary code execution in the worst case. The Common Vulnerabilities and Exposures project identified the following problems: Due to a programming error an authorization method in the StorageServer component of ZEO was not used as an internal method. This allows a malicious client to bypass authentication when connecting to a ZEO server by simply calling this authorization method. The ZEO server doesn't restrict the callables when unpickling data received from a malicious client which can be used by an attacker to execute arbitrary python code on the server by sending certain exception pickles. This also allows an attacker to import any importable module as ZEO is importing the module containing a callable specified in a pickle to test for a certain flag. The update also limits the number of new object ids a client can request to 100 as it would be possible to consume huge amounts of resources by requesting a big batch of new object ids. No CVE id has been assigned to this. The oldstable distribution (etch), this problem has been fixed in version 2.9.6-4etch2 of zope2.9. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman and Ehsan Akhgari discovered crashes in the layout engine, which might allow the execution of arbitrary code. It was discovered that incorrect memory handling in the XUL event handler might allow the execution of arbitrary code. It was discovered that incorrect memory handling in the XUL event handler might allow the execution of arbitrary code. It was discovered that incorrect memory handling in the plugin code might allow the execution of arbitrary code. Paul Stone discovered that forced drag-and-drop events could lead to Chrome privilege escalation. It was discovered that a programming error in the XMLHttpRequestSpy module could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 quagga It was discovered that Quagga, an IP routing daemon, could no longer process the Internet routing table due to broken handling of multiple 4-byte AS numbers in an AS path. If such a prefix is received, the BGP daemon crashes with an assert failure, leading to a denial of service. The old stable distribution (etch) is not affected by this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 lcms Several security issues have been discovered in lcms, a color management library. The Common Vulnerabilities and Exposures project identifies the following problems: Chris Evans discovered that lcms is affected by a memory leak, which could result in a denial of service via specially crafted image files. Chris Evans discovered that lcms is prone to several integer overflows via specially crafted image files, which could lead to the execution of arbitrary code. Chris Evans discovered the lack of upper-bounds check on sizes leading to a buffer overflow, which could be used to execute arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 vlc tixxDZ discovered a vulnerability in vlc, the multimedia player and streamer. Missing data validation in vlc"s real data transport implementation enable an integer underflow and consequently an unbounded buffer operation. A maliciously crafted stream could thus enable an attacker to execute arbitrary code. No Common Vulnerabilities and Exposures project identifier is available for this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 jasper It was discovered that the JasPer JPEG-2000 runtime library allowed an attacker to create a crafted input file that could lead to denial of service and heap corruption. Besides addressing this vulnerability, this updates also addresses a regression introduced in the security fix for CVE-2008-3521, applied before Debian Lenny"s release, that could cause errors when reading some JPEG input files. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 proftpd-dfsg The security update for proftpd-dfsg in DSA-1727-1 caused a regression with the postgresql backend. This update corrects the flaw. Also it was discovered that the oldstable distribution (etch) is not affected by the security issues. For reference the original advisory follows. Two SQL injection vulnerabilities have been found in proftpd, a virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems: Shino discovered that proftpd is prone to an SQL injection vulnerability via the use of certain characters in the username. TJ Saunders discovered that proftpd is prone to an SQL injection vulnerability due to insufficient escaping mechanisms, when multybite character encodings are used. The oldstable distribution (etch) is not affected by these problems. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ntp Robin Park and Dmitri Vinokurov discovered that the daemon component of the ntp package, a reference implementation of the NTP protocol, is not properly reacting to certain incoming packets. An unexpected NTP mode 7 packet with spoofed IP data can lead ntpd to reply with a mode 7 response to the spoofed address. This may result in the service playing packet ping-pong with other ntp servers or even itself which causes CPU usage and excessive disk use due to logging. An attacker can use this to conduct denial of service attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 php5 Several remote vulnerabilities have been discovered in PHP 5, an hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems: The htmlspecialchars function does not properly handle invalid multi-byte sequences. Memory corruption via session interruption. In the stable distribution , this update also includes bug fixes that were to be included in a stable point release as version 5.2.6.dfsg.1-1+lenny5. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 roundup It was discovered that roundup, an issue tracker with a command-line, web and email interface, allows users to edit resources in unauthorized ways, including granting themselves admin rights. This update introduces stricter access checks, actually enforcing the configured permissions and roles. This means that the configuration may need updating. In addition, user registration via the web interface has been disabled; use the program "roundup-admin" from the command line instead. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 poppler Several integer overflows, buffer overflows and memory allocation errors were discovered in the Poppler PDF rendering library, which may lead to denial of service or the execution of arbitrary code if a user is tricked into opening a malformed PDF document. An update for the old stable distribution (etch) will be issued soon as version 0.4.5-5.1etch4. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libvorbis Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky discovered that libvorbis, a library for the Vorbis general-purpose compressed audio codec, did not correctly handle certain malformed ogg files. An attacher could cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 drupal6 Several vulnerabilities have been found in drupal6, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following problems: Gerhard Killesreiter discovered a flaw in the way user signatures are handled. It is possible for a user to inject arbitrary code via a crafted user signature. (SA-CORE-2009-007) Mark Piper, Sven Herrmann and Brandon Knight discovered a cross-site scripting issue in the forum module, which could be exploited via the tid parameter. (SA-CORE-2009-007) Sumit Datta discovered that certain drupal6 pages leak sensitive information such as user credentials. (SA-CORE-2009-007) Several design flaws in the OpenID module have been fixed, which could lead to cross-site request forgeries or privilege escalations. Also, the file upload function does not process all extensions properly leading to the possible execution of arbitrary code. (SA-CORE-2009-008) The oldstable distribution (etch) does not contain drupal6. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 bind9 Michael Sinatra discovered that the DNS resolver component in BIND does not properly check DNS records contained in additional sections of DNS responses, leading to a cache poisoning vulnerability. This vulnerability is only present in resolvers which have been configured with DNSSEC trust anchors, which is still rare. Note that this update contains an internal ABI change, which means that all BIND-related packages must be updated at the same time . In the unlikely event that you have compiled your own software against libdns, you must recompile this programs, too. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 acpid It was discovered that acpid, the Advanced Configuration and Power Interface event daemon, on the oldstable distribution creates its log file with weak permissions, which might expose sensitive information or might be abused by a local user to consume all free disk space on the same partition of the file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 squid/squid3 Two denial of service vulnerabilities have been discovered in squid and squid3, a web proxy. The Common Vulnerabilities and Exposures project identifies the following problems: Bastian Blank discovered that it is possible to cause a denial of service via a crafted auth header with certain comma delimiters. Tomas Hoger discovered that it is possible to cause a denial of service via invalid DNS header-only packets. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 chrony Several vulnerabilities have been discovered in chrony, a pair of programs which are used to maintain the accuracy of the system clock on a computer. This issues are similar to the NTP security flaw CVE-2009-3563. The Common Vulnerabilities and Exposures project identifies the following problems: chronyd replies to all cmdmon packets with NOHOSTACCESS messages even for unauthorized hosts. An attacker can abuse this behaviour to force two chronyd instances to play packet ping-pong by sending such a packet with spoofed source address and port. This results in high CPU and network usage and thus denial of service conditions. The client logging facility of chronyd doesn"t limit memory that is used to store client information. An attacker can cause chronyd to allocate large amounts of memory by sending NTP or cmdmon packets with spoofed source addresses resulting in memory exhaustion. chronyd lacks of a rate limit control to the syslog facility when logging received packets from unauthorized hosts. This allows an attacker to cause denial of service conditions via filling up the logs and thus disk space by repeatedly sending invalid cmdmon packets. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Two vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Philipp Reisner reported an issue in the connector subsystem which allows unprivileged users to send netlink packets. This allows local users to manipulate settings for uvesafb devices which are normally reserved for privileged users. Jermome Marchand reported an issue in the futex subsystem that allows a local user to force an invalid futex state which results in a denial of service . This update also includes fixes for regressions introduced by previous updates. See the referenced Debian bug pages for details. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libxerces2-java It was discovered that libxerces2-java, a validating XML parser for Java, does not properly process malformed XML files. This vulnerability could allow an attacker to cause a denial of service while parsing a malformed XML file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mahara It was discovered that mahara, an electronic portfolio, weblog, and resume builder, is prone to cross-site scripting (XSS) attacks because of missing input sanitization of the introduction text field in user profiles and any text field in a user view. The oldstable distribution (etch) does not contain mahara. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 drbd8 A local vulnerability has been discovered in drbd8. Philipp Reisner fixed an issue in the drbd kernel module that allows local users to send netlink packets to perform actions that should be restricted to users with CAP_SYS_ADMIN privileges. This is a similar issue to those described by CVE-2009-3725. This update also fixes an ABI compatibility issue which was introduced by linux-2.6 . The prebuilt drbd module packages listed in this advisory require a linux-image package version 2.6.26-21lenny3 or greater. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 phpmyadmin Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: phpMyAdmin may create a temporary directory, if the configured directory does not exist yet, with insecure filesystem permissions. phpMyAdmin uses predictable filenames for temporary files, which may lead to a local denial of service attack or privilege escalation. The setup.php script shipped with phpMyAdmin may unserialize untrusted data, allowing for cross site request forgery. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 curl It was discovered that curl, a client and library to get files from servers using HTTP, HTTPS or FTP, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 apache2 It was discovered that the Apache web server did not properly handle the "Options=" parameter to the AllowOverride directive: In the stable distribution (lenny), local users could (via .htaccess) enable script execution in Server Side Includes even in configurations where the AllowOverride directive contained only Options=IncludesNoEXEC. In the oldstable distribution (etch), local users could (via .htaccess) enable script execution in Server Side Includes and CGI script execution in configurations where the AllowOverride directive contained any "Options=" value. The oldstable distribution (etch), this problem has been fixed in version 2.2.3-4+etch8. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mediawiki It was discovered that mediawiki, a website engine for collaborative work, is vulnerable to a Cross-Site Request Forgery login attack, which could be used to conduct phishing or similar attacks to users via affected mediawiki installations. Note that the fix used breaks the login API and may require clients using it to be updated. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 kvm Matt T. Yourst discovered an issue in the kvm subsystem. Local users with permission to manipulate /dev/kvm can cause a denial of service (hang) by providing an invalid cr3 value to the KVM_SET_SREGS call. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 hybserv Julien Cristau discovered that hybserv, a daemon running IRC services for IRCD-Hybrid, is prone to a denial of service attack via the commands option. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 devscripts Raphael Geissert discovered that uscan, a program to check for availability of new source code versions which is part of the devscripts package, runs Perl code downloaded from potentially untrusted sources to implement its URL and version mangling functionality. This update addresses this issue by reimplementing the relevant Perl operators without relying on the Perl interpreter, trying to preserve backwards compatibility as much as possible. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 pango1.0 Will Drewry discovered that pango, a system for layout and rendering of internationalized text, is prone to an integer overflow via long glyphstrings. This could cause the execution of arbitrary code when displaying crafted data through an application using the pango library. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 webkit Several vulnerabilities have been discovered in WebKit, a Web content engine library for Gtk+. The Common Vulnerabilities and Exposures project identifies the following problems: Array index error in the insertItemBefore method in WebKit, allows remote attackers to execute arbitrary code via a document with a SVGPathList data structure containing a negative index in the SVGTransformList, SVGStringList, SVGNumberList, SVGPathSegList, SVGPointList, or SVGLengthList SVGList object, which triggers memory corruption. The JavaScript garbage collector in WebKit does not properly handle allocation failures, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted HTML document that triggers write access to an "offset of a NULL pointer." Use-after-free vulnerability in WebKit, allows remote attackers to execute arbitrary code or cause a denial of service by setting an unspecified property of an HTML tag that causes child elements to be freed and later accessed when an HTML error occurs, related to "recursion in certain DOM event handlers." WebKit does not initialize a pointer during handling of a Cascading Style Sheets attr function call with a large numerical argument, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted HTML document. WebKit does not properly initialize memory for Attr DOM objects, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted HTML document. WebKit does not prevent remote loading of local Java applets, which allows remote attackers to execute arbitrary code, gain privileges, or obtain sensitive information via an APPLET or OBJECT element. WebKit do not properly handle numeric character references, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted HTML document. Cross-site scripting vulnerability in Web Inspector in WebKit allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to the improper escaping of HTML attributes. WebKit allows remote attackers to spoof the browser"s display of the host name, security indicators, and unspecified other UI elements via a custom cursor in conjunction with a modified CSS3 hotspot property. CRLF injection vulnerability in WebKit allows remote attackers to inject HTTP headers and bypass the Same Origin Policy via a crafted HTML document, related to cross-site scripting attacks that depend on communication with arbitrary web sites on the same server through use of XMLHttpRequest without a Host header. Cross-site scripting vulnerability in WebKit allows remote attackers to inject arbitrary web script or HTML via vectors involving access to frame contents after completion of a page transition. WebKit allows remote attackers to read images from arbitrary web sites via a CANVAS element with an SVG image, related to a "cross-site image capture issue." WebKit does not properly handle redirects, which allows remote attackers to read images from arbitrary web sites via vectors involving a CANVAS element and redirection, related to a "cross-site image capture issue." WebKit does not prevent web sites from loading third-party content into a subframe, which allows remote attackers to bypass the Same Origin Policy and conduct "clickjacking" attacks via a crafted HTML document. Cross-site scripting vulnerability in WebKit allows remote attackers to inject arbitrary web script or HTML via an event handler that triggers script execution in the context of the next loaded document. WebKit allows remote attackers to cause a denial of service via a web page containing an HTMLSelectElement object with a large length attribute, related to the length property of a Select object. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 tdiary It was discovered that tdiary, a communication-friendly weblog system, is prone to a cross-site scripting vulnerability due to insufficient input sanitising in the TrackBack transmission plugin. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 cups Ronald Volgers discovered that the lppasswd component of the cups suite, the Common UNIX Printing System, is vulnerable to format string attacks due to insecure use of the LOCALEDIR environment variable. An attacker can abuse this behaviour to execute arbitrary code via crafted localization files and triggering calls to _cupsLangprintf. This works as the lppasswd binary happens to be installed with setuid 0 permissions. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 cyrus-imapd-2.2 It was discovered that the SIEVE component of cyrus-imapd, a highly scalable enterprise mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. Due to incorrect use of the sizeof() operator an attacker is able to pass a negative length to snprintf() calls resulting in large positive values due to integer conversion. This causes a buffer overflow which can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 shibboleth-sp shibboleth-sp2 opensaml2 Matt Elder discovered that Shibboleth, a federated web single sign-on system is vulnerable to script injection through redirection URLs SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 trac-git Stefan Goebel discovered that the Debian version of trac-git, the Git add-on for the Trac issue tracking system, contains a flaw which enables attackers to execute code on the web server running trac-git by sending crafted HTTP queries. The old stable distribution does not contain a trac-git package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 php-net-ping It was discovered that php-net-ping, a PHP PEAR module to execute ping independently of the Operating System, performs insufficient input sanitising, which might be used to inject arguments or execute arbitrary commands on a system that uses php-net-ping. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 apache2 Two issues have been found in the Apache HTTPD web server: mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of service. A flaw in the core subrequest process code was found, which could lead to a daemon crash or disclosure of sensitive information if the headers of a subrequest were modified by modules such as mod_headers. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pdns-recursor It was discovered that pdns-recursor, the PowerDNS recursive name server, contains several vulnerabilities: A buffer overflow can be exploited to crash the daemon, or potentially execute arbitrary code. A cache poisoning vulnerability may allow attackers to trick the server into serving incorrect DNS data. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 python2.4 python2.5 Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that the embedded Expat copy in the interpreter for the Python language, does not properly process malformed or crafted XML files. This vulnerability could allow an attacker to cause a denial of service while parsing a malformed XML file. In addition, this update fixes an integer overflow in the hashlib module in python2.5. This vulnerability could allow an attacker to defeat cryptographic digests. It only affects the oldstable distribution . SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 kvm Several local vulnerabilities have been discovered in kvm, a full virtualization system. The Common Vulnerabilities and Exposures project identifies the following problems: Gleb Natapov discovered issues in the KVM subsystem where missing permission checks permit a user in a guest system to denial of service a guest or gain escalated privileges with the guest. Marcelo Tosatti fixed an issue in the PIT emulation code in the KVM subsystem that allows privileged users in a guest domain to cause a denial of service of the host system. Paolo Bonzini found a bug in KVM that can be used to bypass proper permission checking while loading segment selectors. This potentially allows privileged guest users to execute privileged instructions on the host system. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 lighttpd Li Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 typo3-src Several remote vulnerabilities have been discovered in the TYPO3 web content management framework: Cross-site scripting vulnerabilities have been discovered in both the frontend and the backend. Also, user data could be leaked. More details can be found in the Typo3 security advisory. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 phpldapadmin It was discovered that phpLDAPadmin, a web based interface for administering LDAP servers, doesn"t sanitize an internal variable, which allows remote attackers to include and execute arbitrary local files. The oldstable distribution is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ircd-hybrid/ircd-ratbox David Leadbeater discovered an integer underflow that could be triggered via the LINKS command and can lead to a denial of service or the execution of arbitrary code . This issue affects both, ircd-hybrid and ircd-ratbox. It was discovered that the ratbox IRC server is prone to a denial of service attack via the HELP command. The ircd-hybrid package is not vulnerable to this issue . SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 libpng Several vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems: libpng does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file. libpng does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service via a crafted PNG file SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mahara It was discovered that mahara, an electronic portfolio, weblog, and resume builder is not properly escaping input when generating a unique username based on a remote user name from a single sign-on application. An attacker can use this to compromise the mahara database via crafted user names. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 moin Jamie Strandboge discovered that moin, a python clone of WikiWiki, does not sufficiently sanitize the page name in "Despam" action, allowing remote attackers to perform cross-site scripting attacks. In addition, this update fixes a minor issue in the "textcha" protection, it could be trivially bypassed by blanking the "textcha-question" and "textcha-answer" form fields. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 drupal6 Several vulnerabilities have been discovered in drupal6, a fully-featured content management framework. A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed. The API function drupal_goto is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL. Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the "administer languages" permission. Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 wireshark Several remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: A NULL pointer dereference was found in the SMB/SMB2 dissectors. Several buffer overflows were found in the LWRES dissector. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 horde3 Several vulnerabilities have been found in horde3, the horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems: It has been discovered that horde3 is prone to cross-site scripting attacks via crafted number preferences or inline MIME text parts when using text/plain as MIME type. For lenny this issue was already fixed, but as an additional security precaution, the display of inline text was disabled in the configuration file. It has been discovered that the horde3 administration interface is prone to cross-site scripting attacks due to the use of the PHP_SELF variable. This issue can only be exploited by authenticated administrators. It has been discovered that horde3 is prone to several cross-site scripting attacks via crafted data:text/html values in HTML messages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 transmission Dan Rosenberg discovered that Transmission, a lightwight client for the Bittorrent filesharing protocol, performs insufficient sanitising of file names specified in .torrent files. This could lead to the overwrite of local files with the privileges of the user running Transmission if the user is tricked into opening a malicious torrent file. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 python-django The forms library of python-django, a high-level Python web development framework, is using a badly chosen regular expression when validating email addresses and URLs. An attacker can use this to perform denial of service attacks (100% CPU consumption) due to bad backtracking via a specially crafted email address or URL which is validated by the django forms library. python-django in the oldstable distribution (etch), is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: David James discovered that the window.opener property allows Chrome privilege escalation. Jordi Chanel discovered a spoofing vulnerability of the URL location bar using the document.location property. Jonathan Morgan discovered that the icon indicating a secure connection could be spoofed through the document.location property. Takehiro Takahashi discovered that the NTLM implementaion is vulnerable to reflection attacks. Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code. Jesse Ruderman, Josh Soref, Martijn Wargers, Jose Angel and Olli Pettay discovered crashes in the layout engine, which might allow the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 linux-2.6 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Julien Tinnes and Tavis Ormandy reported an issue in the Linux personality code. Local users can take advantage of a setuid binary that can either be made to dereference a NULL pointer or drop privileges and return control to the user. This allows a user to bypass mmap_min_addr restrictions which can be exploited to execute arbitrary code. Matt T. Yourst discovered an issue in the kvm subsystem. Local users with permission to manipulate /dev/kvm can cause a denial of service (hang) by providing an invalid cr3 value to the KVM_SET_SREGS call. Ramon de Carvalho Valle discovered two issues with the eCryptfs layered filesystem using the fsfuzzer utility. A local user with permissions to perform an eCryptfs mount may modify the contents of a eCryptfs file, overflowing the stack and potentially gaining elevated privileges. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 aria2 It was discovered that aria2, a high speed download utility, is prone to a buffer overflow in the DHT routing code, which might lead to the execution of arbitrary code. The oldstable distribution is not affected by this problem. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ffmpeg-debian Several vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder, which also provides a range of multimedia libraries used in applications like MPlayer: Various programming errors in container and codec implementations may lead to denial of service or the execution of arbitrary code if the user is tricked into opening a malformed media file or stream. The implementations of the following affected codecs and container formats have been updated: SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 lintian Multiple vulnerabilities have been discovered in lintian, a Debian package checker. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them: Control field names and values were not sanitised before using them in certain operations that could lead to directory traversals. Patch systems" control files were not sanitised before using them in certain operations that could lead to directory traversals. An attacker could exploit these vulnerabilities to overwrite arbitrary files or disclose system information. Multiple check scripts and the Lintian::Schedule module were using user-provided input as part of the sprintf/printf format string. File names were not properly escaped when passing them as arguments to certain commands, allowing the execution of other commands as pipes or as a set of shell commands. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 audiofile Max Kellermann discovered a heap-based buffer overflow in the handling of ADPCM WAV files in libaudiofile. This flaw could result in a denial of service or possibly execution of arbitrary code via a crafted WAV file. The old stable distribution , this problem will be fixed in version 0.2.6-6+etch1. The packages for the oldstable distribution are not included in this advisory. An update will be released soon. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 php5 Auke van Slooten discovered that PHP 5, an hypertext preprocessor, crashes when processing invalid XML-RPC requests. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xpdf Several vulnerabilities have been identified in xpdf, a suite of tools for viewing and converting Portable Document Format files. The Common Vulnerabilities and Exposures project identifies the following problems: Integer overflow in SplashBitmap::SplashBitmap which might allow remote attackers to execute arbitrary code or an application crash via a crafted PDF document. NULL pointer dereference or heap-based buffer overflow in Splash::drawImage which might allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted PDF document. Integer overflow in the PSOutputDev::doImageL1Sep which might allow remote attackers to execute arbitrary code via a crafted PDF document. Integer overflow in the ObjectStream::ObjectStream which might allow remote attackers to execute arbitrary code via a crafted PDF document. Integer overflow in the ImageStream::ImageStream which might allow remote attackers to cause a denial of service via a crafted PDF document. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 cacti Several vulnerabilities have been found in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that cacti is prone to a denial of service via the graph_height, graph_width, graph_start and graph_end parameters. This issue only affects the oldstable version of cacti. It was discovered that cacti is prone to several cross-site scripting attacks via different vectors. It has been discovered that cacti allows authenticated administrator users to gain access to the host system by executing arbitrary commands via the "Data Input Method" for the "Linux - Get Memory Usage" setting. There is no fix for this issue at this stage. Upstream will implement a whitelist policy to only allow certain "safe" commands. For the moment, we recommend that such access is only given to trusted users and that the options "Data Input" and "User Administration" are otherwise deactivated. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 kvm Several vulnerabilities have been discovered in kvm, a full virtualization system. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered an Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function. This allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function. It was discovered that the handle_dr function in the KVM subsystem does not properly verify the Current Privilege Level before accessing a debug register, which allows guest OS users to cause a denial of service on the host OS via a crafted application. It was discovered that the do_insn_fetch function in the x86 emulator in the KVM subsystem tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service on the host OS via unspecified manipulations related to SMP support. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 firefox-sage It was discovered that firefox-sage, a lightweight RSS and Atom feed reader for Firefox, does not sanitise the RSS feed information correctly, which makes it prone to a cross-site scripting and a cross-domain scripting attack. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 squidguard It was discovered that in squidguard, a URL redirector/filter/ACL plugin for squid, several problems in src/sgLog.c and src/sgDiv.c allow remote users to either: SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 openssl It was discovered that a significant memory leak could occur in OpenSSL, related to the reinitialization of zlib. This could result in a remotely exploitable denial of service vulnerability when using the Apache httpd server in a configuration where mod_ssl, mod_php5, and the php5-curl extension are loaded. The old stable distribution is not affected by this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 asterisk Several vulnerabilities have been discovered in asterisk, an Open Source PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems: It is possible to determine valid login names via probing, due to the IAX2 response from asterisk . It is possible to determine a valid SIP username, when Digest authentication and authalwaysreject are enabled . It is possible to determine a valid SIP username via multiple crafted REGISTER messages . It was discovered that asterisk contains an obsolete copy of the Prototype JavaScript framework, which is vulnerable to several security issues. This copy is unused and now removed from asterisk . It was discovered that it is possible to perform a denial of service attack via RTP comfort noise payload with a long data length . The current version in oldstable is not supported by upstream anymore and is affected by several security issues. Backporting fixes for these and any future issues has become unfeasible and therefore we need to drop our security support for the version in oldstable. We recommend that all asterisk users upgrade to the stable distribution . SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 qt4-x11 Several vulnerabilities have been discovered in qt4-x11, a cross-platform C++ application framework. The Common Vulnerabilities and Exposures project identifies the following problems: Array index error in the insertItemBefore method in WebKit, as used in qt4-x11, allows remote attackers to execute arbitrary code. The JavaScript garbage collector in WebKit, as used in qt4-x11 does not properly handle allocation failures, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted HTML document that triggers write access to an "offset of a NULL pointer. Use-after-free vulnerability in WebKit, as used in qt4-x11, allows remote attackers to execute arbitrary code or cause a denial of service by setting an unspecified property of an HTML tag that causes child elements to be freed and later accessed when an HTML error occurs. WebKit in qt4-x11 does not initialize a pointer during handling of a Cascading Style Sheets attr function call with a large numerical argument, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted HTML document. The XSL stylesheet implementation in WebKit, as used in qt4-x11 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD. WebKit in qt4-x11 does not properly initialize memory for Attr DOM objects, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted HTML document. WebKit in qt4-x11 does not prevent remote loading of local Java applets, which allows remote attackers to execute arbitrary code, gain privileges, or obtain sensitive information via an APPLET or OBJECT element. The XSLT functionality in WebKit, as used in qt4-x11 does not properly implement the document function, which allows remote attackers to read arbitrary local files and files from different security zones. WebKit in qt4-x11 does not properly handle numeric character references, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted HTML document. qt4-x11 does not properly handle a "\0" character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. The oldstable distribution is not affected by these problems. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems: Moxie Marlinspike discovered that Unicode box drawing characters inside of internationalised domain names could be used for phishing attacks. Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman and Gary Kwong reported crashes in the layout engine, which might allow the execution of arbitrary code. Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman and Gary Kwong reported crashes in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov and Bob Clary discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Igor Bukanov and Bob Clary discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Daniel Veditz discovered that the Content-Disposition: header is ignored within the jar: URI scheme. Gregory Fleischer discovered that the same-origin policy for Flash files is inproperly enforced for files loaded through the view-source scheme, which may result in bypass of cross-domain policy restrictions. Cefn Hoile discovered that sites, which allow the embedding of third-party stylesheets are vulnerable to cross-site scripting attacks through XBL bindings. "moz_bug_r_a4" discovered bypasses of the same-origin policy in the XMLHttpRequest Javascript API and the XPCNativeWrapper. Paolo Amadini discovered that incorrect handling of POST data when saving a web site with an embedded frame may lead to information disclosure. It was discovered that Iceweasel allows Refresh: headers to redirect to Javascript URIs, resulting in cross-site scripting. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 dpkg William Grant discovered that the dpkg-source component of dpkg, the low-level infrastructure for handling the installation and removal of Debian software packages, is vulnerable to path traversal attacks. A specially crafted Debian source package can lead to file modification outside of the destination directory when extracting the package content. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 openoffice.org Several vulnerabilities have been discovered in the OpenOffice.org office suite. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that macro security settings were insufficiently enforced for VBA macros. It was discovered that the W3C XML Signature recommendation contains a protocol-level vulnerability related to HMAC output truncation. This also affects the integrated libxmlsec library. Sebastian Apelt discovered that an integer overflow in the XPM import code may lead to the execution of arbitrary code. Sebastian Apelt and Frank Reissner discovered that a buffer overflow in the GIF import code may lead to the execution of arbitrary code. Nicolas Joly discovered multiple vulnerabilities in the parser for Word document files, which may lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pulseaudio Dan Rosenberg discovered that the PulseAudio sound server creates a temporary directory with a predictable name. This allows a local attacker to create a Denial of Service condition or possibly disclose sensitive information to unprivileged users. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 cacti It was discovered that Cacti, a frontend to rrdtool for monitoring systems and services missed input sanitising, making an SQL injection attack possible. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 maildrop Christoph Anton Mitterer discovered that maildrop, a mail delivery agent with filtering abilities, is prone to a privilege escalation issue that grants a user root group privileges. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 egroupware Nahuel Grisolia discovered two vulnerabilities in Egroupware, a web-based groupware suite: Missing input sanitising in the spellchecker integration may lead to the execution of arbitrary commands and a cross-site scripting vulnerability was discovered in the login page. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 fuse Dan Rosenberg discovered a race condition in FUSE, a Filesystem in USErspace. A local attacker, with access to use FUSE, could unmount arbitrary locations, leading to a denial of service. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 postgresql-7.4 postgresql-8.1 postgresql-8.3 Several vulnerabilities have been discovered in PostgreSQL, a database server. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that PostgreSQL did not properly verify the Common Name attribute in X.509 certificates, enabling attackers to bypass the TLS protection on client-server connections, by relying on a certificate from a trusted CA which contains an embedded NUL byte in the Common Name . Authenticated database users could elevate their privileges by creating specially-crafted index functions . The following matrix shows fixed source package versions for the respective distributions. In addition to these security fixes, the updates contain reliability improvements and fix other defects. We recommend that you upgrade your PostgreSQL packages. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ganeti It was discovered that ganeti, a virtual server cluster manager, does not validate the path of scripts passed as arguments to certain commands, which allows local or remote users to execute arbitrary commands on a host acting as a cluster master. The oldstable distribution does not include ganeti. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 netpbm-free Marc Schoenefeld discovered a stack-based buffer overflow in the XPM reader implementation in netpbm-free, a suite of image manipulation utilities. An attacker could cause a denial of service or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 ajaxterm It was discovered that ajaxterm, a web-based terminal, generates weak and predictable session IDs, which might be used to hijack a session or cause a denial of service attack on a system that uses ajaxterm. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 kdelibs Maksymilian Arciemowicz discovered a buffer overflow in the internal string routines of the KDE core libraries, which could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 phpgroupware Several remote vulnerabilities have been discovered in phpgroupware, a Web based groupware system written in PHP. The Common Vulnerabilities and Exposures project identifies the following problems: A local file inclusion vulnerability allows remote attackers to execute arbitrary PHP code and include arbitrary local files. Multiple SQL injection vulnerabilities allows remote attackers to execute arbitrary SQL commands. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 mysql-dfsg-5.0 Several vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems: Domas Mituzas discovered that mysqld does not properly handle errors during execution of certain SELECT statements with subqueries, and does not preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service via a crafted statement. Sergei Golubchik discovered that MySQL allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified DATA DIRECTORY or INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory. Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld, allow remote attackers to execute arbitrary code or cause a denial of service by establishing an SSL connection and sending an X.509 client certificate with a crafted name field. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libthai Tim Starling discovered that libthai, a set of Thai language support routines, is vulnerable of integer/heap overflow. This vulnerability could allow an attacker to run arbitrary code by sending a very long string. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mplayer tixxDZ discovered a vulnerability in the mplayer movie player. Missing data validation in mplayer"s real data transport implementation enable an integer underflow and consequently an unbounded buffer operation. A maliciously crafted stream could thus enable an attacker to execute arbitrary code. No Common Vulnerabilities and Exposures project identifier is available for this issue. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 expat Jan Lieskovsky discovered an error in expat, an XML parsing C library, when parsing certain UTF-8 sequences, which can be exploited to crash an application using the library. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 glibc eglibc Christoph Pleger has discovered that the GNU C Library and its derivatives add information from the passwd.adjunct.byname map to entries in the passwd map, which allows local users to obtain the encrypted passwords of NIS accounts by calling the getpwnam function. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 dokuwiki Several vulnerabilities have been discovered in dokuwiki, a standards compliant simple to use wiki. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that an internal variable is not properly sanitized before being used to list directories. This can be exploited to list contents of arbitrary directories. It was discovered that the ACL Manager plugin doesn"t properly check the administrator permissions. This allow an attacker to introduce arbitrary ACL rules and thus gaining access to a closed Wiki. It was discovered that the ACL Manager plugin doesn"t have protections against cross-site request forgeries . This can be exploited to change the access control rules by tricking a logged in administrator into visiting a malicious web site. The oldstable distribution is not affected by these problems. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 imlib2 It was discovered that imlib2, a library to load and process several image formats, did not properly process various image file types. Several heap and stack based buffer overflows - partly due to integer overflows - in the ARGB, BMP, JPEG, LBM, PNM, TGA and XPM loaders can lead to the execution of arbitrary code via crafted image files. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 krb5 Sol Jerome discovered that kadmind service in krb5, a system for authenticating users and services on a network, allows remote authenticated users to cause a denial of service via a request from a kadmin client that sends an invalid API version number. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 spamass-milter A missing input sanitization in spamass-milter, a milter used to filter mail through spamassassin, was discovered. This allows a remote attacker to inject and execute arbitrary shell commands. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 sendmail It was discovered that sendmail, a Mail Transport Agent, does not properly handle a "\0" character in a Common Name field of an X.509 certificate. This allows an attacker to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 iscsitarget Florent Daigniere discovered multiple format string vulnerabilities in Linux SCSI target framework allow remote attackers to cause a denial of service in the ietd daemon. The flaw could be trigger by sending a carefully-crafted Internet Storage Name Service request. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 curl Wesley Miaw discovered that libcurl, a multi-protocol file transfer library, is prone to a buffer overflow via the callback function when an application relies on libcurl to automatically uncompress data. Note that this only affects applications that trust libcurl"s maximum limit for a fixed buffer size and do not perform any sanity checks themselves. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 icedove Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client. The Common Vulnerabilities and Exposures project identifies the following problems: Dan Kaminsky and Moxie Marlinspike discovered that icedove does not properly handle a "\0" character in a domain name in the subject"s Common Name field of an X.509 certificate . Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names . monarch2020 discovered an integer overflow in a base64 decoding function . Josh Soref discovered a crash in the BinHex decoder . Carsten Book reported a crash in the JavaScript engine . Ludovic Hirlimann reported a crash indexing some messages with attachments, which could lead to the execution of arbitrary code . SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 phpgroupware Several remote vulnerabilities have been discovered in phpgroupware, a Web based groupware system written in PHP. The Common Vulnerabilities and Exposures project identifies the following problems: An SQL injection vulnerability was found in the authentication module. Multiple directory traversal vulnerabilities were found in the addressbook module. The authentication module is affected by cross-site scripting. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 moodle Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple cross-site request forgery vulnerabilities have been discovered. It has been discovered that the LAMS module is prone to the disclosure of user account information. The Glossary module has an insufficient access control mechanism. Moodle does not properly check permissions when the MNET service is enabled, which allows remote authenticated servers to execute arbitrary MNET functions. The login/index_form.html page links to an HTTP page instead of using an SSL secured connection. Moodle stores sensitive data in backup files, which might make it possible for attackers to obtain them. It has been discovered that the SCORM module is prone to an SQL injection. Additionally, an SQL injection in the update_record function, a problem with symbolic links and a verification problem with Glossary, database and forum ratings have been fixed. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 libtheora Bob Clary, Dan Kaminsky and David Keeler discovered that in libtheora, a video library part of the Ogg project, several flaws allow context-dependent attackers via a large and specially crafted media file, to cause a denial of service , and possibly arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pidgin Several remote vulnerabilities have been discovered in Pidgin, a multi protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems: Crafted nicknames in the XMPP protocol can crash Pidgin remotely. Remote contacts may send too many custom smilies, crashing Pidgin. Since a few months, Microsoft"s servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 libpng Several vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems: The png_handle_tRNS function allows attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value. Certain chunk handlers allow attackers to cause a denial of service (crash) via crafted pCAL, sCAL, tEXt, iTXt, and ztXT chunking in PNG images, which trigger out-of-bounds read operations. libpng allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory. The png_check_keyword might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords. A memory leak in the png_handle_tEXt function allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file. libpng allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 4.0 Debian 4.0 is installed SecPod Team DRAFT INTERIM ACCEPTED Preeti Subramanian INTERIM ACCEPTED Chandan S INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 freetype Robert Swiecki discovered several vulnerabilities in the FreeType font library, which could lead to the execution of arbitrary code if a malformed font file is processed. Also, several buffer overflows were found in the included demo programs. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: "wushi" discovered that incorrect pointer handling in the frame processing code could lead to the execution of arbitrary code. "Nils" discovered that an integer overflow in DOM node parsing could lead to the execution of arbitrary code. Ilja von Sprundel discovered that incorrect parsing of Content-Disposition headers could lead to cross-site scripting. Microsoft engineers discovered that incorrect memory handling in the interaction of browser plugins could lead to the execution of arbitrary code. Martin Barbella discovered that an integer overflow in XSLT node parsing could lead to the execution of arbitrary code. Olli Pettay, Martijn Wargers, Justin Lebar, Jesse Ruderman, Ben Turner, Jonathan Kew and David Humphrey discovered crashes in the layout engine, which might allow the execution of arbitrary code. "boardraider" and "stedenon" discovered crashes in the layout engine, which might allow the execution of arbitrary code. Bob Clary, Igor Bukanov, Gary Kwong and Andreas Gal discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 krb5 Shawn Emery discovered that in MIT Kerberos 5 , a system for authenticating users and services on a network, a null pointer dereference flaw in the Generic Security Service Application Program Interface library could allow an authenticated remote attacker to crash any server application using the GSS-API authentication mechanism, by sending a specially-crafted GSS-API token with a missing checksum field. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 zonecheck It was discovered that in zonecheck, a tool to check DNS configurations, the CGI does not perform sufficient sanitation of user input; an attacker can take advantage of this and pass script code in order to perform cross-site scripting attacks. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 ncompress Aki Helin discovered an integer underflow in ncompress, the original Lempel-Ziv compress/uncompress programs. This could lead to the execution of arbitrary code when trying to decompress a crafted LZW compressed gzip archive. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mahara Several vulnerabilities were discovered in mahara, an electronic portfolio, weblog, and resume builder. The following Common Vulnerabilities and Exposures project ids identify them: Multiple pages performed insufficient input sanitising, making them vulnerable to cross-site scripting attacks. Multiple forms lacked protection against cross-site request forgery attacks, therefore making them vulnerable. Gregor Anzelj discovered that it was possible to accidentally configure an installation of mahara that allows access to another user"s account without a password. Certain Internet Explorer-specific cross-site scripting vulnerabilities were discovered in HTML Purifier, of which a copy is included in the mahara package. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 barnowl It has been discovered that barnowl, a curses-based tty Jabber, IRC, AIM and Zephyr client, is prone to a buffer overflow via its "CC:" handling, which could lead to the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 znc It was discovered that znc, an IRC bouncer, is vulnerable to denial of service attacks via a NULL pointer dereference when traffic statistics are requested while there is an unauthenticated connection. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 kdegraphics Several local vulnerabilities have been discovered in KPDF, a PDF viewer for KDE, which allow the execution of arbitrary code or denial of service if a user is tricked into opening a crafted PDF document. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 openoffice.org It was discovered that OpenOffice.org, a full-featured office productivity suite that provides a near drop-in replacement for Microsoft® Office, is not properly handling python macros embedded in an office document. This allows an attacker to perform user-assisted execution of arbitrary code in certain use cases of the python macro viewer component. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 kvirc Two security issues have been discovered in the DCC protocol support code of kvirc, a KDE-based next generation IRC client, which allow the overwriting of local files through directory traversal and the execution of arbitrary code through a format string attack. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 libmikmod Dyon Balding discovered buffer overflows in the MikMod sound library, which could lead to the execution of arbitrary code if a user is tricked into opening malformed Impulse Tracker or Ultratracker sound files. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 sudo Anders Kaseorg and Evan Broder discovered a vulnerability in sudo, a program designed to allow a sysadmin to give limited root privileges to users, that allows a user with sudo permissions on certain programs to use those programs with an untrusted value of PATH. This could possibly lead to certain intended restrictions being bypassed, such as the secure_path setting. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 bind9 Several cache-poisoning vulnerabilities have been discovered in BIND. These vulnerabilities apply only if DNSSEC validation is enabled and trust anchors have been installed, which is not the default. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0097 BIND does not properly validate DNSSEC NSEC records, which allows remote attackers to add the Authenticated Data flag to a forged NXDOMAIN response for an existing domain. When processing crafted responses containing CNAME or DNAME records, BIND is subject to a DNS cache poisoning vulnerability, provided that DNSSEC validation is enabled and trust anchors have been installed. When processing certain responses containing out-of-bailiwick data, BIND is subject to a DNS cache poisoning vulnerability, provided that DNSSEC validation is enabled and trust anchors have been installed. In addition, this update introduce a more conservative query behavior in the presence of repeated DNSSEC validation failures, addressing the "roll over and die" phenomenon. The new version also supports the cryptographic algorithm used by the upcoming signed ICANN DNS root , and the NSEC3 secure denial of existence algorithm used by some signed top-level domains. This update is based on a new upstream version of BIND 9, 9.6-ESV-R1. Because of the scope of changes, extra care is recommended when installing the update. Due to ABI changes, new Debian packages are included, and the update has to be installed using "apt-get dist-upgrade" . SecPod Team DRAFT INTERIM ACCEPTED Pavel Kankovsky INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mysql-dfsg-5.0 Several vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems: MySQL allows local users to delete the data and index files of another user"s MyISAM table via a symlink attack in conjunction with the DROP TABLE command. MySQL failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This allows an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server"s file system. MySQL could be tricked to read packets indefinitely if it received a packet larger than the maximum size of one packet. This results in high CPU usage and thus denial of service conditions. MySQL was susceptible to a buffer-overflow attack due to a failure to perform bounds checking on the table name argument of a COM_FIELD_LIST command packet. By sending long data for the table name, a buffer is overflown, which could be exploited by an authenticated user to inject malicious code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 mlmmj Florian Streibelt reported a directory traversal flaw in the way the Mailing List Managing Made Joyful mailing list manager processed users" requests originating from the administrator web interface without enough input validation. A remote, authenticated attacker could use these flaws to write and/or delete arbitrary files. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pmount Dan Rosenberg discovered that pmount, a wrapper around the standard mount program which permits normal users to mount removable devices without a matching /etc/fstab entry, creates files in /var/lock insecurely. A local attacker could overwrite arbitrary files utilising a symlink attack. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 cacti Stefan Esser discovered that cacti, a front-end to rrdtool for monitoring systems and services, is not properly validating input passed to the rra_id parameter of the graph.php script. Due to checking the input of $_REQUEST but using $_GET input in a query an unauthenticated attacker is able to perform SQL injections via a crafted rra_id $_GET value and an additional valid rra_id $_POST or $_COOKIE value. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 postgresql-8.3 Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems: Tim Bunce discovered that the implementation of the procedural language PL/Perl insufficiently restricts the subset of allowed code, which allows authenticated users the execution of arbitrary Perl code. Tom Lane discovered that the implementation of the procedural language PL/Tcl insufficiently restricts the subset of allowed code, which allows authenticated users the execution of arbitrary Tcl code. It was discovered that an unprivileged user could reset superuser-only parameter settings. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 python-cjson Matt Giuca discovered a buffer overflow in python-cjson, a fast JSON encoder/decoder for Python. This allows a remote attacker to cause a denial of service through a specially-crafted Python script. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 gnupg2 It was discovered that GnuPG 2 uses a freed pointer when verifying a signature or importing a certificate with many Subject Alternate Names, potentially leading to arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 aria2 A vulnerability was discovered in aria2, a download client. The "name" attribute of the "file" element of metalink files is not properly sanitised before using it to download files. If a user is tricked into downloading from a specially crafted metalink file, this can be exploited to download files to directories outside of the intended download directory. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 dvipng Dan Rosenberg discovered that in dvipng, a utility that converts DVI files to PNG graphics, several array index errors allow context-dependent attackers, via a specially crafted DVI file, to cause a denial of service , and possibly arbitrary code execution. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 samba Jun Mao discovered that Samba, an implementation of the SMB/CIFS protocol for Unix systems, is not properly handling certain offset values when processing chained SMB1 packets. This enables an unauthenticated attacker to write to an arbitrary memory location resulting in the possibility to execute arbitrary code with root privileges or to perform denial of service attacks by crashing the samba daemon. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 xulrunner Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: Wladimir Palant discovered that security checks in XML processing were insufficiently enforced. Chris Evans discovered that insecure CSS handling could lead to reading data across domain boundaries. Aki Helin discovered a buffer overflow in the internal copy of libpng, which could lead to the execution of arbitrary code. "regenrecht" discovered that incorrect memory handling in DOM parsing could lead to the execution of arbitrary code. Jesse Ruderman, Ehsan Akhgari, Mats Palmgren, Igor Bukanov, Gary Kwong, Tobias Markus and Daniel Holbert discovered crashes in the layout engine, which might allow the execution of arbitrary code. "JS3" discovered an integer overflow in the plugin code, which could lead to the execution of arbitrary code. Jordi Chancel discovered that the location could be spoofed to appear like a secured page. "regenrecht" discovered that incorrect memory handling in XUL parsing could lead to the execution of arbitrary code. Soroush Dalili discovered an information leak in script processing. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 libpng Several vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered a buffer overflow in libpng which allows remote attackers to execute arbitrary code via a PNG image that triggers an additional data row. It was discovered a memory leak in libpng which allows remote attackers to cause a denial of service via a PNG image containing malformed Physical Scale chunks SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 pcsc-lite It was discovered that PCSCD, a daemon to access smart cards, was vulnerable to a buffer overflow allowing a local attacker to elevate his privileges to root. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 wireshark Several remote vulnerabilities have been discovered in the Wireshark network traffic analyzer. It was discovered that null pointer dereferences, buffer overflows and infinite loops in the SMB, SMB PIPE, ASN1.1 and SigComp dissectors could lead to denial of service or the execution of arbitrary code. SecPod Team DRAFT INTERIM ACCEPTED ACCEPTED Debian GNU/Linux 5.0 Debian 5.0 is installed SecPod Team DRAFT INTERIM ACCEPTED Preeti Subramanian INTERIM ACCEPTED Chandan S INTERIM ACCEPTED ACCEPTED