The OVAL Repository5.102015-09-03T10:41:12.813-04:00DSA-1802 squirrelmail -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0squirrelmailSeveral remote vulnerabilities have been discovered in SquirrelMail, a webmail application. The Common Vulnerabilities and Exposures project identifies the following problems: Cross site scripting was possible through a number of pages which allowed an attacker to steal sensitive session data. Code injection was possible when SquirrelMail was configured to use the map_yp_alias function to authenticate users. This is not the default. It was possible to hijack an active user session by planting a specially crafted cookie into the user's browser. Specially crafted HTML emails could use the CSS positioning feature to place email content over the SquirrelMail user interface, allowing for phishing.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1762 icu -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0icuIt was discovered that icu, the internal components for Unicode, did not properly sanitise invalid encoded data, which could lead to crossite scripting attacks.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1748 libsoup -- integer overflowDebian GNU/Linux 4.0libsoupIt was discovered that libsoup, an HTTP library implementation in C, handles large strings insecurely via its Base64 encoding functions. This could possibly lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1892 dovecot -- buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0dovecotIt was discovered that the SIEVE component of dovecot, a mail server that supports mbox and maildir mailboxes, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the dovecot system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1737 wesnoth -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0wesnothSeveral security issues have been discovered in wesnoth, a fantasy turn-based strategy game. The Common Vulnerabilities and Exposures project identifies the following problems: Daniel Franke discovered that the wesnoth server is prone to a denial of service attack when receiving special crafted compressed data. Daniel Franke discovered that the sandbox implementation for the python AIs can be used to execute arbitrary python code on wesnoth clients. In order to prevent this issue, the python support has been disabled. A compatibility patch was included, so that the affected campagne is still working properly.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1898 openswan -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0openswanIt was discovered that the pluto daemon in openswan, an implementation of IPSEC and IKE, could crash when processing a crafted X.509 certificate.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1598 libtk-img -- buffer overflowDebian GNU/Linux 4.0libtk-imgIt was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to denial of service and potentially the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1743 libtk-img -- buffer overflowsDebian GNU/Linux 5.0Debian GNU/Linux 4.0libtk-imgTwo buffer overflows have been found in the GIF image parsing code of Tk, a cross-platform graphical toolkit, which could lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libtk-img is prone to a buffer overflow via specially crafted multi-frame interlaced GIF files. It was discovered that libtk-img is prone to a buffer overflow via specially crafted GIF files with certain subimage sizes.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1593 tomcat5.5 -- missing input sanitisingDebian GNU/Linux 4.0tomcat5.5It was discovered that the Host Manager web application performed insufficient input sanitising, which could lead to cross-site scripting.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1688 courier-authlib -- SQL injectionDebian GNU/Linux 4.0courier-authlibTwo SQL injection vulnerabilities have been found in courier-authlib, the courier authentification library. The MySQL database interface used insufficient escaping mechanisms when constructing SQL statements, leading to SQL injection vulnerabilities if certain charsets are used (CVE-2008-2380). A similar issue affects the PostgreSQL database interface (CVE-2008-2667).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1445 maradns -- programming errorDebian GNU/Linux 4.0Debian GNU/Linux 3.1maradnsMichael Krieger and Sam Trenholme discovered a programming error in MaraDNS, a simple security-aware Domain Name Service server, which might lead to denial of service through malformed DNS packets. For the old stable distribution (sarge), this problem has been fixed in version 1.0.27-2. For the stable distribution (etch), this problem has been fixed in version 1.2.12.04-1etch2. For the unstable distribution (sid), this problem has been fixed in version 1.2.12.08-1. We recommend that you upgrade your maradns package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1590 samba -- buffer overflowDebian GNU/Linux 4.0sambaAlin Rad Pop discovered that Samba contained a buffer overflow condition when processing certain responses received while acting as a client, leading to arbitrary code execution (CVE-2008-1105).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1731 ndiswrapper -- buffer overflowDebian GNU/Linux 4.0ndiswrapperAnders Kaseorg discovered that ndiswrapper suffers from buffer overflows via specially crafted wireless network traffic, due to incorrectly handling long ESSIDs. This could lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1676 flamethrower (0.1.8-1+etch1) -- insecure temp file generationDebian GNU/Linux 4.0flamethrower (0.1.8-1+etch1)Dmitry E. Oboukhov discovered that flamethrower creates predictable temporary filenames, which may lead to a local denial of service through a symlink attack.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1735 znc -- missing input sanitisationDebian GNU/Linux 4.0zncIt was discovered that znc, an IRC proxy/bouncer, does not properly sanitise input contained in configuration change requests to the webadmin interface. This allows authenticated users to elevate their privileges and indirectly execute arbitrary commands (CVE-2009-0759).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1595 xorg-server -- several vulnerabilitiesDebian GNU/Linux 4.0xorg-serverSeveral local vulnerabilities have been discovered in the X Window system. The Common Vulnerabilities and Exposures project identifies the following problems: Lack of validation of the parameters of the SProcSecurityGenerateAuthorization and SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameter of these requests, causing memory corruption. An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space. An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow. An integer overflow may occur in the computation of the size of the glyph to be allocated by the ProcRenderCreateCursor() function which will cause less memory to be allocated than expected, leading later to dereferencing un-mapped memory, causing a crash of the X server. Integer overflows can also occur in the code validating the parameters for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and SProcRenderCreateConicalGradient functions, leading to memory corruption by swapping bytes outside of the intended request parameters.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1568 b2evolution -- insufficient input sanitisingDebian GNU/Linux 4.0b2evolution"unsticky" discovered that b2evolution, a blog engine, performs insufficient input sanitising, allowing for cross site scripting.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1672 imlib2 -- buffer overflowDebian GNU/Linux 4.0imlib2Julien Danjou and Peter De Wachter discovered that a buffer overflow in the XPM loader of Imlib2, a powerful image loading and rendering library, might lead to arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1446 wireshark -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1wiresharkSeveral remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: The RPL dissector could be tricked into an infinite loop. The CIP dissector could be tricked into excessive memory allocation. For the old stable distribution (sarge), these problems have been fixed in version 0.10.10-2sarge11. (In Sarge Wireshark used to be called Ethereal). For the stable distribution (etch), these problems have been fixed in version 0.99.4-5.etch.2. For the unstable distribution (sid), these problems have been fixed in version 0.99.7-1. We recommend that you upgrade your wireshark packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1850 libmodplug -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0libmodplugSeveral vulnerabilities have been discovered in libmodplug, the shared libraries for mod music based on ModPlug. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libmodplug is prone to an integer overflow when processing a MED file with a crafted song comment or song name. It was discovered that libmodplug is prone to a buffer overflow in the PATinst function, when processing a long instrument name.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1852 fetchmail -- insufficient input validationDebian GNU/Linux 5.0Debian GNU/Linux 4.0fetchmailIt was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields. Note, as a fetchmail user you should always use strict certificate validation through either these option combinations: sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports) or sslcertck sslproto tls1 (for STARTTLS-based services)SecPod TeamDRAFTINTERIMACCEPTEDACCEPTEDDSA-1803 nsd, nsd3 -- buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0nsdnsd3Ilja van Sprundel discovered that a buffer overflow in NSD, an authoritative name service daemon, allowed to crash the server by sending a crafted packet, creating a denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1597 mt-daapd -- multiple vulnerabilitiesDebian GNU/Linux 4.0mt-daapdThree vulnerabilities have been discovered in the mt-daapd DAAP audio server (also known as the Firefly Media Server). The Common Vulnerabilities and Exposures project identifies the following three problems: Insufficient validation and bounds checking of the Authorization: HTTP header enables a heap buffer overflow, potentially enabling the execution of arbitrary code. Format string vulnerabilities in debug logging within the authentication of XML-RPC requests could enable the execution of arbitrary code. An integer overflow weakness in the handling of HTTP POST variables could allow a heap buffer overflow and potentially arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1935 gnutls13 gnutls26 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0gnutls13gnutls26Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of the TLS/SSL protocol, does not properly handle a "\0" character in a domain name in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. (CVE-2009-2730) In addition, with this update, certificates with MD2 hash signatures are no longer accepted since they're no longer considered cryptographically secure. It only affects the oldstable distribution (etch).(CVE-2009-2409)SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1682 squirrelmail -- insufficient input sanitisingDebian GNU/Linux 4.0squirrelmailIvan Markovic discovered that SquirrelMail, a webmail application, did not sufficiently sanitise incoming HTML email, allowing an attacker to perform cross site scripting through sending a malicious HTML email.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1894 newt -- buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0newtMiroslav Lichvar discovered that newt, a windowing toolkit, is prone to a buffer overflow in the content processing code, which can lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1890 wxwindows2.4 wxwidgets2.6 wxwidgets2.8 -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0wxwindows2.4wxwidgets2.6wxwidgets2.8Tielei Wang has discovered an integer overflow in wxWidgets, the wxWidgets Cross-platform C++ GUI toolkit, which allows the execution of arbitrary code via a crafted JPEG file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1851 gst-plugins-bad0.10 -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0gst-plugins-bad0.10It was discovered that gst-plugins-bad0.10, the GStreamer plugins from the "bad" set, is prone to an integer overflow when processing a MED file with a crafted song comment or song name.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1558 xulrunner -- programming errorDebian GNU/Linux 4.0xulrunnerIt was discovered that crashes in the Javascript engine of xulrunner, the Gecko engine library, could potentially lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1779 apt -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0aptTwo vulnerabilities have been discovered in APT, the well-known dpkg frontend. The Common Vulnerabilities and Exposures project identifies the following problems: In time zones where daylight savings time occurs at midnight, the apt cron.daily script fails, stopping new security updates from being applied automatically. A repository that has been signed with an expired or revoked OpenPGP key would still be considered valid by APT.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1891 changetrack -- shell command executionDebian GNU/Linux 5.0Debian GNU/Linux 4.0changetrackMarek Grzybowski discovered that changetrack, a program to monitor changes to (configuration) files, is prone to shell command injection via metacharacters in filenames. The behaviour of the program has been adjusted to reject all filenames with metacharacters.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1771 clamav -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0clamavSeveral vulnerabilities have been discovered in the ClamAV anti-virus toolkit: Attackers can cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error. Attackers can cause a denial of service (infinite loop) via a crafted tar file that causes (1) clamd and (2) clamscan to hang. (no CVE Id yet) Attackers can cause a denial of service (crash) via a crafted EXE file that crashes the UPack unpacker.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1819 vlc -- several vulnerabilitiesDebian GNU/Linux 4.0vlcSeveral vulnerabilities have been discovered in vlc, a multimedia player and streamer. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered that multiple integer overflows in the MP4 demuxer, Real demuxer and Cinepak codec can lead to the execution of arbitrary code. Drew Yao discovered that the Cinepak codec is prone to a memory corruption, which can be triggered by a crafted Cinepak file. Luigi Auriemma discovered that it is possible to execute arbitrary code via a long subtitle in an SSA file. It was discovered that vlc is prone to a search path vulnerability, which allows local users to perform privilege escalations. Alin Rad Pop discovered that it is possible to execute arbitrary code when opening a WAV file containing a large fmt chunk. Pinar Yanarda discovered that it is possible to execute arbitrary code when opening a crafted mmst link. Tobias Klein discovered that it is possible to execute arbitrary code when opening a crafted .ty file. Tobias Klein discovered that it is possible to execute arbitrary code when opening an invalid CUE image file with a crafted header.SecPod TeamDRAFTINTERIMACCEPTEDEndrigo AntoniniINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1559 phpgedview -- insufficient input sanitisingDebian GNU/Linux 4.0phpgedviewIt was discovered that phpGedView, an application to provide online access to genealogical data, performed insufficient input sanitising on some parameters, making it vulnerable to cross site scripting.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1560 kronolith2 -- insufficient input sanitisingDebian GNU/Linux 4.0kronolith2"The-0utl4w" discovered that the Kronolith, calendar component for the Horde Framework, didn't properly sanitise URL input, leading to a cross-site scripting vulnerability in the add event screen.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1527 debian-goodies -- insufficient input sanitisingDebian GNU/Linux 4.0Debian GNU/Linux 3.1debian-goodiesThomas de Grenier de Latour discovered that the checkrestart tool in the debian-goodies suite of utilities, allowed local users to gain privileges via shell metacharacters in the name of the executable file for a running process.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1511 libicu -- variousDebian GNU/Linux 4.0libicuSeveral local vulnerabilities have been discovered in libicu, International Components for Unicode, The Common Vulnerabilities and Exposures project identifies the following problems: libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames. Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1642 horde3 -- crossite scriptingDebian GNU/Linux 4.0horde3Will Drewry discovered that Horde allows remote attackers to send an email with a crafted MIME attachment filename attribute to perform crossite scripting.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1775 php-json-ext -- denial of serviceDebian GNU/Linux 4.0php-json-extIt was discovered that php-json-ext, a JSON serialiser for PHP, is prone to a denial of service attack, when receiving a malformed string via the json_decode function.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1673 wireshark -- several vulnerabilitiesDebian GNU/Linux 4.0wiresharkSeveral remote vulnerabilities have been discovered in network traffic analyzer Wireshark. The Common Vulnerabilities and Exposures project identifies the following problems: The GSM SMS dissector is vulnerable to denial of service. The PANA and KISMET dissectors are vulnerable to denial of service. The RMI dissector could disclose system memory. The packet reassembling module is vulnerable to denial of service. The zlib uncompression module is vulnerable to denial of service. The Bluetooth ACL dissector is vulnerable to denial of service. The PRP and MATE dissectors are vulnerable to denial of service. The Q931 dissector is vulnerable to denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1550 suphp -- programming errorDebian GNU/Linux 4.0suphpIt was discovered that suphp, an Apache module to run PHP scripts with owner permissions handles symlinks insecurely, which may lead to privilege escalation by local users.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1636 linux-2.6.24 -- denial of service/information leakDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or leak sensitive data. The Common Vulnerabilities and Exposures project identifies the following problems: Tobias Klein reported a locally exploitable data leak in the snd_seq_oss_synth_make_info() function. This may allow local users to gain access to sensitive information. Zoltan Sogor discovered a coding error in the VFS that allows local users to exploit a kernel memory leak resulting in a denial of service. Eugene Teo reported an integer overflow in the DCCP subsystem that may allow remote attackers to cause a denial of service in the form of a kernel panic. Eugene Teo reported a missing bounds check in the SCTP subsystem. By exploiting an integer overflow in the SCTP_AUTH_KEY handling code, remote attackers may be able to cause a denial of service in the form of a kernel panic. Kel Modderman reported an issue in the tmpfs filesystem that allows local users to crash a system by triggering a kernel BUG() assertion. Alexey Dobriyan discovered an off-by-one-error in the iov_iter_advance function which can be exploited by local users to crash a system, resulting in a denial of service. Vlad Yasevich reported several NULL pointer reference conditions in the SCTP subsystem that can be triggered by entering sctp-auth codepaths when the AUTH feature is inactive. This may allow attackers to cause a denial of service condition via a system panic. Johann Dahm and David Richter reported an issue in the nfsd subsystem that may allow remote attackers to cause a denial of service via a buffer overflow.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1515 libnet-dns-perl -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1libnet-dns-perlSeveral remote vulnerabilities have been discovered in libnet-dns-perl. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libnet-dns-perl generates very weak transaction IDs when sending queries (CVE-2007-3377). This update switches transaction ID generation to the Perl random generator, making prediction attacks more difficult. Compression loops in domain names resulted in an infinite loop in the domain name expander written in Perl (CVE-2007-3409). The Debian package uses an expander written in C by default, but this vulnerability has been addressed nevertheless. Decoding malformed A records could lead to a crash (via an uncaught Perl exception) of certain applications using libnet-dns-perl (CVE-2007-6341).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1677 cupsys -- integer overflowDebian GNU/Linux 4.0cupsysAn integer overflow has been discovered in the image validation code of cupsys, the Common UNIX Printing System. An attacker could trigger this bug by supplying a malicious graphic that could lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1933 cups -- missing input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0cupsAaron Siegel discovered that the web interface of cups, the Common UNIX Printing System, is prone to cross-site scripting attacks.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1522 unzip -- programming errorDebian GNU/Linux 4.0Debian GNU/Linux 3.1unzipTavis Ormandy discovered that unzip, when processing specially crafted ZIP archives, could pass invalid pointers to the C library's free routine, potentially leading to arbitrary code execution (CVE-2008-0888).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1448 eggdrop -- buffer overflowDebian GNU/Linux 4.0Debian GNU/Linux 3.1eggdropIt was discovered that eggdrop, an advanced IRC robot, was vulnerable to a buffer overflow which could result in a remote user executing arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1936 libgd2 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0libgd2Several vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems: Kees Cook discovered a buffer overflow in libgd2's font renderer. An attacker could cause denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. This issue only affects the oldstable distribution (etch). Tomas Hoger discovered a boundary error in the "_gdGetColors()" function. An attacker could conduct a buffer overflow or buffer over-read attacks via a crafted GD file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1784 freetype -- integer overflowsDebian GNU/Linux 5.0Debian GNU/Linux 4.0freetypeTavis Ormandy discovered several integer overflows in FreeType, a library to process and access font files, resulting in heap- or stack-based buffer overflows leading to application crashes or the execution of arbitrary code via a crafted font file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1675 phpmyadmin -- insufficient input sanitisingDebian GNU/Linux 4.0phpmyadminMasako Oono discovered that phpMyAdmin, a web-based administration interface for MySQL, insufficiently sanitises input allowing a remote attacker to gather sensitive data through cross site scripting, provided that the user uses the Internet Explorer web browser. This update also fixes a regression introduced in DSA 1641, that broke changing of the language and encoding in the login screen.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1606 poppler -- programming errorDebian GNU/Linux 4.0popplerIt was discovered that poppler, a PDF rendering library, did not properly handle embedded fonts in PDF files, allowing attackers to execute arbitrary code via a crafted font object.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1772 udev -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0udevSebastian Kramer discovered two vulnerabilities in udev, the /dev and hotplug management daemon. udev does not check the origin of NETLINK messages, allowing local users to gain root privileges. udev suffers from a buffer overflow condition in path encoding, potentially allowing arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1683 streamripper -- buffer overflowDebian GNU/Linux 4.0streamripperMultiple buffer overflows involving HTTP header and playlist parsing have been discovered in streamripper (CVE-2007-4337, CVE-2008-4829). For the stable distribution (etch), these problems have been fixed in version 1.61.27-1+etch1. For the unstable distribution (sid) and the testing distribution (lenny), these problems have been fixed in version 1.63.5-2. We recommend that you upgrade your streamripper package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1938 php-mail -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0php-mailIt was discovered that php-mail, a PHP PEAR module for sending email, has insufficient input sanitising, which might be used to obtain sensitive data from the system that uses php-mail.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1740 yaws -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0yawsIt was discovered that yaws, a high performance HTTP 1.1 webserver, is prone to a denial of service attack via a request with a large HTTP header.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1644 mplayer -- integer overflowDebian GNU/Linux 4.0mplayerFelipe Andres Manzano discovered that mplayer, a multimedia player, is vulnerable to several integer overflows in the Real video stream demuxing code. These flaws could allow an attacker to cause a denial of service (a crash) or potentially execution of arbitrary code by supplying a maliciously crafted video file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1858 imagemagick -- multiple vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0imagemagickSeveral vulnerabilities have been discovered in the imagemagick image manipulation programs which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple integer overflows in XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution (etch). Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution (etch). A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution (etch). Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution (etch). Off-by-one error allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a "\0" character to an out-of-bounds address. It affects only the oldstable distribution (etch). A sign extension error allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. It affects only the oldstable distribution (etch). The load_tile function in the XCF coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write. It affects only to oldstable (etch). Heap-based buffer overflow in the PCX coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .pcx file that triggers incorrect memory allocation for the scanline array, leading to memory corruption. It affects only to oldstable (etch). Integer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1454 freetype -- integer overflowDebian GNU/Linux 4.0freetypeGreg MacManus discovered an integer overflow in the font handling of libfreetype, a FreeType 2 font engine, which might lead to denial of service or possibly the execution of arbitrary code if a user is tricked into opening a malformed font. For the old stable distribution (sarge) this problem will be fixed soon. For the stable distribution (etch), this problem has been fixed in version 2.2.1-5+etch2. For the unstable distribution (sid), this problem has been fixed in version 2.3.5-1. We recommend that you upgrade your freetype packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1580 phpgedview -- programming errorDebian GNU/Linux 4.0phpgedviewIt was discovered that phpGedView, an application to provide online access to genealogical data, allowed remote attackers to gain administrator privileges due to a programming error. Note: this problem was a fundamental design flaw in the interface (API) to connect phpGedView with external programs like content management systems. Resolving this problem was only possible by completely reworking the API, which is not considered appropriate for a security update. Since these are peripheral functions probably not used by the large majority of package users, it was decided to remove these interfaces. If you require that interface nonetheless, you are advised to use a version of phpGedView backported from Debian Lenny, which has a completely redesigned API.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1934 apache2 -- multiple issuesDebian GNU/Linux 5.0Debian GNU/Linux 4.0apache2A design flaw has been found in the TLS and SSL protocol that allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection. The attack is related to the way how TLS and SSL handle session renegotiations. CVE-2009-3555 has been assigned to this vulnerability. As a partial mitigation against this attack, this apache2 update disables client-initiated renegotiations. This should fix the vulnerability for the majority of Apache configurations in use. NOTE: This is not a complete fix for the problem. The attack is still possible in configurations where the server initiates the renegotiation. This is the case for the following configurations (the information in the changelog of the updated packages is slightly inaccurate): As a workaround, you may rearrange your configuration in a way that SSLVerifyClient and SSLCipherSuite are only used on the server or virtual host level. A complete fix for the problem will require a protocol change. Further information will be included in a separate announcement about this issue. In addition, this update fixes the following issues in Apache's mod_proxy_ftp: Insufficient input validation in the mod_proxy_ftp module allowed remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. Insufficient input validation in the mod_proxy_ftp module allowed remote authenticated attackers to bypass intended access restrictions and send arbitrary FTP commands to an FTP server. The oldstable distribution (etch), these problems have been fixed in version 2.2.3-4+etch11.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1825 nagios2, nagios3 -- insufficient input validationDebian GNU/Linux 5.0Debian GNU/Linux 4.0nagios2nagios3It was discovered that the statuswml.cgi script of nagios, a monitoring and management system for hosts, services and networks, is prone to a command injection vulnerability. Input to the ping and traceroute parameters of the script is not properly validated which allows an attacker to execute arbitrary shell commands by passing a crafted value to these parameters.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1463 postgresql-7.4 -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1postgresql-7.4Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the DBLink module performed insufficient credential validation. This issue is also tracked as CVE-2007-6601, since the initial upstream fix was incomplete. Tavis Ormandy and Will Drewry discovered that a bug in the handling of back-references inside the regular expressions engine could lead to an out of bounds read, resulting in a crash. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked into an infinite loop, resulting in denial of service. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked massive resource consumption. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Functions in index expressions could lead to privilege escalation. For a more in depth explanation please see the upstream announce available at http://www.postgresql.org/about/news.905. For the old stable distribution (sarge), some of these problems have been fixed in version 7.4.7-6sarge6 of the postgresql package. Please note that the fix for CVE-2007-6600 and for the handling of regular expressions haven’t been backported due to the intrusiveness of the fix. We recommend to upgrade to the stable distribution if these vulnerabilities affect your setup. For the stable distribution (etch), these problems have been fixed in version 7.4.19-0etch1. The unstable distribution (sid) no longer contains postgres-7.4. We recommend that you upgrade your postgresql-7.4 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1732 squid3 -- denial of serviceDebian GNU/Linux 4.0squid3Joshua Morin, Mikko Varpiola and Jukka Taimisto discovered an assertion error in squid3, a full featured Web Proxy cache, which could lead to a denial of service attack.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1584 libfishsound -- buffer overflowDebian GNU/Linux 4.0libfishsoundIt was discovered that libfishsound, a simple programming interface that wraps Xiph.Org audio codecs, didn't correctly handle negative values in a particular header field. This could allow malicious files to execute arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1607 iceweasel -- several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. "moz_bug_r_a4" discovered several cross-site scripting vulnerabilities. Collin Jackson and Adam Barth discovered that Javascript code could be executed in the context of signed JAR archives. "moz_bug_r_a4" discovered that XUL documents can escalate privileges by accessing the pre-compiled "fastload" file. "moz_bug_r_a4" discovered that missing input sanitising in the mozIJSSubScriptLoader.loadSubScript() function could lead to the execution of arbitrary code. Iceweasel itself is not affected, but some addons are. Claudio Santambrogio discovered that missing access validation in DOM parsing allows malicious web sites to force the browser to upload local files to the server, which could lead to information disclosure. Daniel Glazman discovered that a programming error in the code for parsing .properties files could lead to memory content being exposed to addons, which could lead to information disclosure. Masahiro Yamada discovered that file URLS in directory listings were insufficiently escaped. John G. Myers, Frank Benkstein and Nils Toedtmann discovered that alternate names on self-signed certificates were handled insufficiently, which could lead to spoofings secure connections. Greg McManus discovered a crash in the block reflow code, which might allow the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1582 peercast -- buffer overflowDebian GNU/Linux 4.0peercastNico Golde discovered that PeerCast, a P2P audio and video streaming server, is vulnerable to a buffer overflow in the HTTP Basic Authentication code, allowing a remote attacker to crash PeerCast or execute arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1812 apr-util -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0apr-utilApr-util, the Apache Portable Runtime Utility library, is used by Apache 2.x, Subversion, and other applications. Two denial of service vulnerabilities have been found in apr-util: "kcope" discovered a flaw in the handling of internal XML entities in the apr_xml_* interface that can be exploited to use all available memory. This denial of service can be triggered remotely in the Apache mod_dav and mod_dav_svn modules. (No CVE id yet) Matthew Palmer discovered an underflow flaw in the apr_strmatch_precompile function that can be exploited to cause a daemon crash. The vulnerability can be triggered (1) remotely in mod_dav_svn for Apache if the "SVNMasterURI" directive is in use, (2) remotely in mod_apreq2 for Apache or other applications using libapreq2, or (3) locally in Apache by a crafted ".htaccess" file. Other exploit paths in other applications using apr-util may exist. If you use Apache, or if you use svnserver in standalone mode, you need to restart the services after you upgraded the libaprutil1 package. The oldstable distribution (etch), these problems have been fixed in version 1.2.7+dfsg-2+etch2.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1645 lighttpd -- variousDebian GNU/Linux 4.0lighttpdSeveral local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint. The Common Vulnerabilities and Exposures project identifies the following problems: A memory leak in the http_request_parse function could be used by remote attackers to cause lighttpd to consume memory, and cause a denial of service attack. Inconsistant handling of URL patterns could lead to the disclosure of resources a server administrator did not anticipate when using rewritten URLs. Upon filesystems which don't handle case-insensitive paths differently it might be possible that unanticipated resources could be made available by mod_userdir.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1767 multipath-tools -- insecure file permissionsDebian GNU/Linux 5.0Debian GNU/Linux 4.0multipath-toolsIt was discovered that multipathd of multipath-tools, a tool-chain to manage disk multipath device maps, uses insecure permissions on its unix domain control socket which enables local attackers to issue commands to multipathd prevent access to storage devices or corrupt file system data.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1609 lighttpd -- variousDebian GNU/Linux 4.0lighttpdSeveral local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint. The Common Vulnerabilities and Exposures project identifies the following problems: lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1630 linux-2.6 -- denial of service/information leakDebian GNU/Linux 4.0linux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or arbitrary code execution. The Common Vulnerabilities and Exposures project identifies the following problems: Dirk Nehring discovered a vulnerability in the IPsec code that allows remote users to cause a denial of service by sending a specially crafted ESP packet. Tavis Ormandy discovered a vulnerability that allows local users to access uninitialised kernel memory, possibly leaking sensitive data. This issue is specific to the amd64-flavour kernel images. Andi Kleen discovered an issue where uninitialised kernel memory was being leaked to userspace during an exception. This issue may allow local users to gain access to sensitive data. Only the amd64-flavour Debian kernel images are affected. Alan Cox discovered an issue in multiple tty drivers that allows local users to trigger a denial of service (NULL pointer dereference) and possibly obtain elevated privileges. Gabriel Campana discovered an integer overflow in the sctp code that can be exploited by local users to cause a denial of service. Miklos Szeredi reported a missing privilege check in the do_change_type() function. This allows local, unprivileged users to change the properties of mount points. Tobias Klein reported a locally exploitable data leak in the snd_seq_oss_synth_make_info() function. This may allow local users to gain access to sensitive information. Zoltan Sogor discovered a coding error in the VFS that allows local users to exploit a kernel memory leak resulting in a denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1766 krb5 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0krb5Several vulnerabilities have been found in the MIT reference implementation of Kerberos V5, a system for authenticating users and services on a network. The Common Vulnerabilities and Exposures project identified the following problems: The Apple Product Security team discovered that the SPNEGO GSS-API mechanism suffers of a missing bounds check when reading a network input buffer which results in an invalid read crashing the application or possibly leaking information. Under certain conditions the SPNEGO GSS-API mechanism references a null pointer which crashes the application using the library. An incorrect length check inside the ASN.1 decoder of the MIT krb5 implementation allows an unauthenticated remote attacker to crash of the kinit or KDC program. Under certain conditions the ASN.1 decoder of the MIT krb5 implementation frees an uninitialised pointer which could lead to denial of service and possibly arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1461 libxml2 -- missing input validationDebian GNU/Linux 4.0Debian GNU/Linux 3.1libxml2Brad Fitzpatrick discovered that the UTF-8 decoding functions of libxml2, the GNOME XML library, validate UTF-8 correctness insufficiently, which may lead to denial of service by forcing libxml2 into an infinite loop. For the old stable distribution (sarge), this problem has been fixed in version 2.6.16-7sarge1. For the stable distribution (etch), this problem has been fixed in version 2.6.27.dfsg-2. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your libxml2 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1917 mimetex -- several vulnerabilitiesDebian GNU/Linux 4.0mimetexSeveral vulnerabilities have been discovered in mimetex, a lightweight alternative to MathML. The Common Vulnerabilities and Exposures project identifies the following problems: Chris Evans and Damien Miller, discovered multiple stack-based buffer overflow. An attacker could execute arbitrary code via a TeX file with long picture, circle, input tags. Chris Evans discovered that mimeTeX contained certain directives that may be unsuitable for handling untrusted user input. A remote attacker can obtain sensitive information.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1544 pdns-recursor -- design flawDebian GNU/Linux 4.0pdns-recursorAmit Klein discovered that pdns-recursor, a caching DNS resolver, uses a weak random number generator to create DNS transaction IDs and UDP source port numbers. As a result, cache poisoning attacks were simplified. (CVE-2008-1637 and CVE-2008-3217)SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1729 gst-plugins-bad0.10 -- several vulnerabilitiesDebian GNU/Linux 4.0gst-plugins-bad0.10Several vulnerabilities have been found in gst-plugins-bad0.10, a collection of various GStreamer plugins. The Common Vulnerabilities and Exposures project identifies the following problems: Tobias Klein discovered a buffer overflow in the quicktime stream demuxer (qtdemux), which could potentially lead to the execution of arbitrary code via crafted .mov files. Tobias Klein discovered an array index error in the quicktime stream demuxer (qtdemux), which could potentially lead to the execution of arbitrary code via crafted .mov files. Tobias Klein discovered a buffer overflow in the quicktime stream demuxer (qtdemux) similar to the issue reported in CVE-2009-0386, which could also lead to the execution of arbitrary code via crafted .mov files.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1478 mysql-dfsg-5.0 -- buffer overflowsDebian GNU/Linux 4.0mysql-dfsg-5.0Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL implementation included in the MySQL database package, which could lead to denial of service and possibly the execution of arbitrary code. The old stable distribution (sarge) doesn't contain mysql-dfsg-5.0.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1464 syslog-ng -- null pointer dereferenceDebian GNU/Linux 4.0syslog-ngOriol Carreras discovered that syslog-ng, a next generation logging daemon can be tricked into dereferencing a NULL pointer through malformed timestamps, which can lead to denial of service and the disguise of a subsequent attack, which would otherwise be logged. The old stable distribution (sarge) is not affected. For the stable distribution (etch), this problem has been fixed in version 2.0.0-1etch1. For the unstable distribution (sid), this problem has been fixed in version 2.0.6-1. We recommend that you upgrade your syslog-ng package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1656 cupsys -- several vulnerabilitiesDebian GNU/Linux 4.0cupsysSeveral local vulnerabilities have been discovered in the Common UNIX Printing System. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that insufficient bounds checking in the SGI image filter may lead to the execution of arbitrary code. It was discovered that an integer overflow in the Postscript conversion tool texttops may lead to the execution of arbitrary code. It was discovered that insufficient bounds checking in the HPGL filter may lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1872 linux-2.6 -- denial of service/privilege escalation/information leakDebian GNU/Linux 4.0linux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service, privilege escalation or a leak of sensitive memory. The Common Vulnerabilities and Exposures project identifies the following problems: Herbert Xu discovered an issue in the way UDP tracks corking status that could allow local users to cause a denial of service (system crash). Tavis Ormandy and Julien Tinnes discovered that this issue could also be used by local users to gain elevated privileges. Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. Ulrich Drepper noticed an issue in the do_sigalstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service (memory corruption). Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service (oops).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1853 memcached -- heap-based buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0memcachedRonald Volgers discovered that memcached, a high-performance memory object caching system, is vulnerable to several heap-based buffer overflows due to integer conversions when parsing certain length attributes. An attacker can use this to execute arbitrary code on the system running memcached (on etch with root privileges).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1765 horde3 -- Multiple vulnerabilitiesDebian GNU/Linux 4.0horde3Several vulnerabilities have been found in horde3, the horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems: Gunnar Wrobel discovered a directory traversal vulnerability, which allows attackers to include and execute arbitrary local files via the driver parameter in Horde_Image. It was discovered that an attacker could perform a cross-site scripting attack via the contact name, which allows attackers to inject arbitrary html code. This requires that the attacker has access to create contacts. It was discovered that the horde XSS filter is prone to a cross-site scripting attack, which allows attackers to inject arbitrary html code. This is only exploitable when Internet Explorer is used.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1789 php5 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0php5Several remote vulnerabilities have been discovered in the PHP5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems. The following four vulnerabilities have already been fixed in the stable (lenny) version of php5 prior to the release of lenny. This update now addresses them for etch (oldstable) as well: The GENERATE_SEED macro has several problems that make predicting generated random numbers easier, facilitating attacks against measures that use rand() or mt_rand() as part of a protection. A buffer overflow in the mbstring extension allows attackers to execute arbitrary code via a crafted string containing an HTML entity. The page_uid and page_gid variables are not correctly set, allowing use of some functionality intended to be restricted to root. Directory traversal vulnerability in the ZipArchive::extractTo function allows attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. This update also addresses the following three vulnerabilities for both oldstable (etch) and stable (lenny): Cross-site scripting (XSS) vulnerability, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML. When running on Apache, PHP allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. The JSON_parser function allows a denial of service (segmentation fault) via a malformed string to the json_decode API function. Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package: Let PHP use the system timezone database instead of the embedded timezone database which is out of date. From the source tarball, the unused "dbase" module has been removed which contained licensing problems.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1722 libpam-heimdal -- programming errorDebian GNU/Linux 4.0libpam-heimdalDerek Chan discovered that the PAM module for the Heimdal Kerberos implementation allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to local privilege escalation.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1506 iceape -- several vulnerabilitiesDebian GNU/Linux 4.0iceapeSeveral remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes in the layout engine, which might allow the execution of arbitrary code. Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor and tgirmann discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. hong and Gregory Fleischer discovered that file input focus vulnerabilities in the file upload control could allow information disclosure of local files. moz_bug_r_a4 and Boris Zbarsky discovered several vulnerabilities in Javascript handling, which could allow privilege escalation. Justin Dolske discovered that the password storage mechanism could be abused by malicious web sites to corrupt existing saved passwords. Gerry Eisenhaur and moz_bug_r_a4 discovered that a directory traversal vulnerability in chrome: URI handling could lead to information disclosure. David Bloom discovered a race condition in the image handling of designMode elements, which can lead to information disclosure and potentially the execution of arbitrary code. Michal Zalewski discovered that timers protecting security-sensitive dialogs (by disabling dialog elements until a timeout is reached) could be bypassed by window focus changes through Javascript. It was discovered that malformed content declarations of saved attachments could prevent a user in the opening local files with a .txt file name, resulting in minor denial of service. Martin Straka discovered that insecure stylesheet handling during redirects could lead to information disclosure. Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing protections could be bypassed with div elements. The Mozilla products from the old stable distribution (sarge) are no longer supported with security updates.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1911 pygresql -- missing escape functionDebian GNU/Linux 5.0Debian GNU/Linux 4.0pygresqlIt was discovered that pygresql, a PostgreSQL module for Python, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The new function is called pg_escape_string(), which takes the database connection as a first argument. The old function escape_string() has been preserved as well for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1854 apr, apr-util -- heap buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0aprapr-utilMatt Lewis discovered that the memory management code in the Apache Portable Runtime (APR) library does not guard against a wrap-around during size computations. This could cause the library to return a memory area, which smaller than requested, resulting a heap overflow and possibly arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1541 openldap2.3 -- several vulnerabilitiesDebian GNU/Linux 4.0openldap2.3Several remote vulnerabilities have been discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. The Common Vulnerabilities and Exposures project identifies the following problems: Thomas Sesselmann discovered that slapd could be crashed by a malformed modify requests. Toby Blade discovered that incorrect memory handling in slapo-pcache could lead to denial of service through crafted search requests. It was discovered that a programming error in the interface to the BDB storage backend could lead to denial of service through crafted modify requests. It was discovered that a programming error in the interface to the BDB storage backend could lead to denial of service through crafted modrdn requests.SecPod TeamDRAFTINTERIMACCEPTEDACCEPTEDDSA-1508 diatheke -- insufficient input sanitisingDebian GNU/Linux 4.0Debian GNU/Linux 3.1diathekeDan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitising of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1641 phpmyadmin -- several vulnerabilitiesDebian GNU/Linux 4.0phpmyadminSeveral remote vulnerabilities have been discovered in phpMyAdmin, a tool to administrate MySQL databases over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Remote authenticated users could execute arbitrary code on the host running phpMyAdmin through manipulation of a script parameter. Crossite scripting through the setup script was possible in rare circumstances. Protection has been added against remote websites loading phpMyAdmin into a frameset. Cross site request forgery allowed remote attackers to create a new database, but not perform any other action on it.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1551 python2.4 -- several vulnerabilitiesDebian GNU/Linux 4.0python2.4Several vulnerabilities have been discovered in the interpreter for the Python language. The Common Vulnerabilities and Exposures project identifies the following problems: Piotr Engelking discovered that the strxfrm() function of the locale module miscalculates the length of an internal buffer, which may result in a minor information disclosure. It was discovered that several integer overflows in the imageop module may lead to the execution of arbitrary code, if a user is tricked into processing malformed images. This issue is also tracked as CVE-2008-1679 due to an initially incomplete patch. Justin Ferguson discovered that a buffer overflow in the zlib module may lead to the execution of arbitrary code. Justin Ferguson discovered that insufficient input validation in PyString_FromStringAndSize() may lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1679 awstats -- cross-site scriptingDebian GNU/Linux 4.0awstatsMorgan Todd discovered a cross-site scripting vulnerability in awstats, a log file analyzer, involving the "config" request parameter (and possibly others; CVE-2008-3714).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1650 openldap2.3 -- denial of serviceDebian GNU/Linux 4.0openldap2.3Cameron Hotchkies discovered that the OpenLDAP server slapd, a free implementation of the Lightweight Directory Access Protocol, could be crashed by sending malformed ASN1 requests.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1721 libpam-krb5 -- several vulnerabilitiesDebian GNU/Linux 4.0libpam-krb5Several local vulnerabilities have been discovered in the PAM module for MIT Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems: Russ Allbery discovered that the Kerberos PAM module parsed configuration settings from enviromnent variables when run from a setuid context. This could lead to local privilege escalation if an attacker points a setuid program using PAM authentication to a Kerberos setup under her control. Derek Chan discovered that the Kerberos PAM module allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to privilege escalation.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1855 subversion -- heap overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0subversionMatt Lewis discovered that Subversion performs insufficient input validation of svndiff streams. Malicious servers could cause heap overflows in clients, and malicious clients with commit access could cause heap overflows in servers, possibly leading to arbitrary code execution in both cases.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1723 phpmyadmin -- insufficient input sanitisingDebian GNU/Linux 4.0phpmyadminMichael Brooks discovered that phpMyAdmin, a tool to administrate MySQL over the web, performs insufficient input sanitising allowing a user assisted remote attacker to execute code on the webserver.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1687 linux-2.6 -- denial of service/privilege escalationDebian GNU/Linux 4.0linux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Tavis Ormandy reported a local DoS and potential privilege escalation in the Virtual Dynamic Shared Objects (vDSO) implementation. Eugene Teo reported a local DoS issue in the ext2 and ext3 filesystems. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to output error messages in an infinite loop. Milos Szeredi reported that the usage of splice() on files opened with O_APPEND allows users to write to the file at arbitrary offsets, enabling a bypass of possible assumed semantics of the O_APPEND flag. Vlad Yasevich reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel oops. Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to overrun a buffer, resulting in a system oops or memory corruption. Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that results in a kernel oops due to an unchecked return value. Eric Sesterhenn reported a local DoS issue in the hfs filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a filesystem with a corrupted catalog name length, resulting in a system oops or memory corruption. Andrea Bittau reported a DoS issue in the unix socket subsystem that allows a local user to cause memory corruption, resulting in a kernel panic. Hugo Dias reported a DoS condition in the ATM subsystem that can be triggered by a local user by calling the svc_listen function twice on the same socket and reading /proc/net/atm/*vc. Al Viro reported race conditions in the inotify subsystem that may allow local users to acquire elevated privileges. Dann Frazier reported a DoS condition that allows local users to cause the out of memory handler to kill off privileged processes or trigger soft lockups due to a starvation issue in the unix socket subsystem.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1633 slash -- SQL Injection, Cross-Site ScriptingDebian GNU/Linux 4.0slashIt has been discovered that Slash, the Slashdot Like Automated Storytelling Homepage suffers from two vulnerabilities related to insufficient input sanitation, leading to execution of SQL commands (CVE-2008-2231) and cross-site scripting (CVE-2008-2553).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1685 uw-imap -- buffer overflows, null pointer dereferenceDebian GNU/Linux 4.0uw-imapTwo vulnerabilities have been found in uw-imap, an IMAP implementation. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that several buffer overflows can be triggered via a long folder extension argument to the tmail or dmail program. This could lead to arbitrary code execution (CVE-2008-5005). It was discovered that a NULL pointer dereference could be triggered by a malicious response to the QUIT command leading to a denial of service (CVE-2008-5006).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1671 iceweasel -- several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel webbrowser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Justin Schuh discovered that a buffer overflow in the http-index-format parser could lead to arbitrary code execution. Liu Die Yu discovered an information leak through local shortcut files. Georgi Guninski, Michal Zalewski and Chris Evan discovered that the canvas element could be used to bypass same-origin restrictions. It was discovered that insufficient checks in the Flash plugin glue code could lead to arbitrary code execution. Jesse Ruderman discovered that a programming error in the window.__proto__.__proto__ object could lead to arbitrary code execution. It was discovered that crashes in the layout engine could lead to arbitrary code execution. It was discovered that crashes in the Javascript engine could lead to arbitrary code execution. It was discovered that a crash in the nsFrameManager might lead to the execution of arbitrary code. moz_bug_r_a4 discovered that the same-origin check in nsXMLHttpRequest::NotifyEventListeners() could be bypassed. Collin Jackson discovered that the -moz-binding property bypasses security checks on codebase principals. Chris Evans discovered that quote characters were improperly escaped in the default namespace of E4X documents.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1780 libdbd-pg-perl -- several vulnerabilitiesDebian GNU/Linux 4.0libdbd-pg-perlTwo vulnerabilities have been discovered in libdbd-pg-perl, the DBI driver module for PostgreSQL database access (DBD::Pg). A heap-based buffer overflow may allow attackers to execute arbitrary code through applications which read rows from the database using the pg_getline and getline functions. (More common retrieval methods, such as selectall_arrayref and fetchrow_array, are not affected.) A memory leak in the routine which unquotes BYTEA values returned from the database allows attackers to cause a denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1542 libcairo -- integer overflowDebian GNU/Linux 4.0libcairoPeter Valchev (Google Security) discovered a series of integer overflow weaknesses in Cairo, a vector graphics rendering library used by many other applications. If an application uses cairo to render a maliciously crafted PNG image, the vulnerability allows the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1866 kdegraphics -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0kdegraphicsTwo security issues have been discovered in kdegraphics, the graphics apps from the official KDE release. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the KSVG animation element implementation suffers from a null pointer dereference flaw, which could lead to the execution of arbitrary code. It was discovered that the KSVG animation element implementation is prone to a use-after-free flaw, which could lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1500 splitvt -- privilege escalationDebian GNU/Linux 4.0splitvtMike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing xprop. This could allow any local user to gain the privileges of group utmp.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1859 libxml2 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0libxml2Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several vulnerabilities in libxml2, a library for parsing and handling XML data files, which can lead to denial of service conditions or possibly arbitrary code execution in the application using the library. The Common Vulnerabilities and Exposures project identifies the following problems: An XML document with specially-crafted Notation or Enumeration attribute types in a DTD definition leads to the use of a pointers to memory areas which have already been freed. Missing checks for the depth of ELEMENT DTD definitions when parsing child content can lead to extensive stack-growth due to a function recursion which can be triggered via a crafted XML document.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1864 linux-2.6.24 -- privilege escalationDebian GNU/Linux 4.0linux-2.6.24A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem: Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialised in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1711 typo3-src -- several vulnerabilitiesDebian GNU/Linux 4.0typo3-srcSeveral remotely exploitable vulnerabilities have been discovered in the TYPO3 web content management framework. The Common Vulnerabilities and Exposures project identifies the following problems: Chris John Riley discovered that the TYPO3-wide used encryption key is generated with an insufficiently random seed resulting in low entropy, which makes it easier for attackers to crack this key. Marcus Krause discovered that TYPO3 is not invalidating a supplied session on authentication which allows an attacker to take over a victims session via a session fixation attack. Multiple cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various arguments and user supplied strings used in the indexed search system extension, adodb extension test scripts or the workspace module. Mads Olesen discovered a remote command injection vulnerability in the indexed search system extension which allows attackers to execute arbitrary code via a crafted file name which is passed unescaped to various system tools that extract file content for the indexing. Because of CVE-2009-0255, please make sure that besides installing this update, you also create a new encryption key after the installation.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1897 horde3 -- insufficient input sanitisationDebian GNU/Linux 5.0Debian GNU/Linux 4.0horde3Stefan Esser discovered that Horde, a web application framework providing classes for dealing with preferences, compression, browser detection, connection tracking, MIME, and more, is insufficiently validating and escaping user provided input. The Horde_Form_Type_image form element allows to reuse a temporary filename on reuploads which are stored in a hidden HTML field and then trusted without prior validation. An attacker can use this to overwrite arbitrary files on the system or to upload PHP code and thus execute arbitrary code with the rights of the webserver.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1470 horde3 -- missing input sanitisingDebian GNU/Linux 4.0horde3Ulf Hauml rnhammar discovered that the HTML filter of the Horde web application framework performed insufficient input sanitising, which may lead to the deletion of emails if a user is tricked into viewing a malformed email inside the Imp client. This update also provides backported bugfixes to the cross-site scripting filter and the user management API from the latest Horde release 3.1.6. The old stable distribution (sarge) is not affected. An update to Etch is recommended, though.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1547 openoffice.org -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1openoffice.orgSeveral security related problems have been discovered in OpenOffice.org, the free office suite. The Common Vulnerabilities and Exposures project identifies the following problems: Several bugs have been discovered in the way OpenOffice.org parses Quattro Pro files that may lead to a overflow in the heap potentially leading to the execution of arbitrary code. Specially crafted EMF files can trigger a buffer overflow in the heap that may lead to the execution of arbitrary code. A bug has been discovered in the processing of OLE files that can cause a buffer overflow in the heap potentially leading to the execution of arbitrary code. Recently reported problems in the ICU library are fixed in separate libicu packages with DSA 1511 against which OpenOffice.org is linked.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1583 gnome-peercast -- buffer overflowDebian GNU/Linux 4.0gnome-peercastSeveral remote vulnerabilities have been discovered in GNOME PeerCast, the GNOME interface to PeerCast, a P2P audio and video streaming server. The Common Vulnerabilities and Exposures project identifies the following problems: Luigi Auriemma discovered that PeerCast is vulnerable to a heap overflow in the HTTP server code, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SOURCE request. Nico Golde discovered that PeerCast, a P2P audio and video streaming server, is vulnerable to a buffer overflow in the HTTP Basic Authentication code, allowing a remote attacker to crash PeerCast or execute arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1718 boinc -- incorrect API usageDebian GNU/Linux 4.0boincIt was discovered that the core client for the BOINC distributed computing infrastructure performs incorrect validation of the return values of OpenSSL's RSA functions.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1455 libarchive1 -- denial of serviceDebian GNU/Linux 4.0libarchive1Several local/remote vulnerabilities have been discovered in libarchive1, a single library to read/write tar, cpio, pax, zip, iso9660 archives. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that libarchive1 would miscompute the length of a buffer resulting in a buffer overflow if yet another type of corruption occurred in a pax extension header. It was discovered that if an archive prematurely ended within a pax extension header the libarchive1 library could enter an infinite loop. If an archive prematurely ended within a tar header, immediately following a pax extension header, libarchive1 could dereference a NULL pointer. The old stable distribution (sarge), does not contain this package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1599 dbus -- programming errorDebian GNU/Linux 4.0dbusHavoc Pennington discovered that DBus, a simple interprocess messaging system, performs insufficient validation of security policies, which might allow local privilege escalation.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1592 linux-2.6 -- heap overflowDebian GNU/Linux 4.0linux-2.6Two vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or arbitrary code execution. The Common Vulnerabilities and Exposures project identifies the following problems: Wei Wang from McAfee reported a potential heap overflow in the ASN.1 decode code that is used by the SNMP NAT and CIFS subsystem. Exploitation of this issue may lead to arbitrary code execution. This issue is not believed to be exploitable with the pre-built kernel images provided by Debian, but it might be an issue for custom images built from the Debian-provided source package. Brandon Edwards of McAfee Avert labs discovered an issue in the DCCP subsystem. Due to missing feature length checks it is possible to cause an overflow that may result in remote arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1787 linux-2.6.24 -- denial of service/privilege escalation/information leakDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Bryn M. Reeves reported a denial of service in the NFS filesystem. Local users can trigger a kernel BUG() due to a race condition in the do_setlk function. Hugo Dias reported a DoS condition in the ATM subsystem that can be triggered by a local user by calling the svc_listen function twice on the same socket and reading /proc/net/atm/*vc. Helge Deller discovered a denial of service condition that allows local users on PA-RISC systems to crash a system by attempting to unwind a stack contiaining userspace addresses. Alan Cox discovered a lack of minimum timeouts on SG_IO requests, which allows local users of systems using ATA to cause a denial of service by forcing drives into PIO mode. Vlad Malov reported an issue on 64-bit MIPS systems where a local user could cause a system crash by crafing a malicious binary which makes o32 syscalls with a number less than 4000. Zvonimir Rakamaric reported an off-by-one error in the ib700wdt watchdog driver which allows local users to cause a buffer underflow by making a specially crafted WDIOC_SETTIMEOUT ioctl call. Chris Evans discovered a situation in which a child process can send an arbitrary signal to its parent. Christian Borntraeger discovered an issue effecting the alpha, mips, powerpc, s390 and sparc64 architectures that allows local users to cause a denial of service or potentially gain elevated privileges. Vegard Nossum discovered a memory leak in the keyctl subsystem that allows local users to cause a denial of service by consuming all of kernel memory. Wei Yongjun discovered a memory overflow in the SCTP implementation that can be triggered by remote users, permitting remote code execution. Duane Griffin provided a fix for an issue in the eCryptfs subsystem which allows local users to cause a denial of service (fault or memory corruption). Pavel Roskin provided a fix for an issue in the dell_rbu driver that allows a local user to cause a denial of service (oops) by reading 0 bytes from a sysfs entry. Roel Kluin discovered inverted logic in the skfddi driver that permits local, unprivileged users to reset the driver statistics. Clement LECIGNE discovered a bug in the sock_getsockopt function that may result in leaking sensitive kernel memory. Peter Kerwien discovered an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) during a resize operation. Roland McGrath discovered an issue on amd64 kernels that allows local users to circumvent system call audit configurations which filter based on the syscall numbers or argument details. Jiri Olsa discovered that a local user can cause a denial of service (system hang) using a SHM_INFO shmctl call on kernels compiled with CONFIG_SHMEM disabled. This issue does not affect prebuilt Debian kernels. Mikulas Patocka reported an issue in the console subsystem that allows a local user to cause memory corruption by selecting a small number of 3-byte UTF-8 characters. Shaohua Li reported an issue in the AGP subsystem that may allow local users to read sensitive kernel memory due to a leak of uninitialized memory. Benjamin Gilbert reported a local denial of service vulnerability in the KVM VMX implementation that allows local users to trigger an oops. Thomas Pollet reported an overflow in the af_rose implementation that allows remote attackers to retrieve uninitialized kernel memory that may contain sensitive data. Oleg Nesterov discovered an issue in the exit_notify function that allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. Daniel Hokka Zakrisson discovered that a kill(-1) is permitted to reach processes outside of the current process namespace. Pavan Naregundi reported an issue in the CIFS filesystem code that allows remote users to overwrite memory via a long nativeFileSystem field in a Tree Connect response during mount.SecPod TeamDRAFTINTERIMACCEPTEDACCEPTEDDSA-1861 libxml -- several vulnerabilitiesDebian GNU/Linux 4.0libxmlRauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several vulnerabilities in libxml, a library for parsing and handling XML data files, which can lead to denial of service conditions or possibly arbitrary code execution in the application using the library. The Common Vulnerabilities and Exposures project identifies the following problems: An XML document with specially-crafted Notation or Enumeration attribute types in a DTD definition leads to the use of a pointers to memory areas which have already been freed. Missing checks for the depth of ELEMENT DTD definitions when parsing child content can lead to extensive stack-growth due to a function recursion which can be triggered via a crafted XML document.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1680 clamav -- buffer overflow, stack consumptionDebian GNU/Linux 4.0clamavMoritz Jodeit discovered that ClamAV, an anti-virus solution, suffers from an off-by-one-error in its VBA project file processing, leading to a heap-based buffer overflow and potentially arbitrary code execution (>CVE-2008-5050). Ilja van Sprundel discovered that ClamAV contains a denial of service condition in its JPEG file processing because it does not limit the recursion depth when processing JPEG thumbnails (CVE-2008-5314).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1920 nginx -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0nginxA denial of service vulnerability has been found in nginx, a small and efficient web server. Jasson Bell discovered that a remote attacker could cause a denial of service (segmentation fault) by sending a crafted request.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1502 wordpress -- several vulnerabilitiesDebian GNU/Linux 4.0wordpressSeveral remote vulnerabilities have been discovered in wordpress, a weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php. SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a ".." (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. Wordpress is not present in the oldstable distribution (sarge).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1594 imlib2 -- buffer overflowsDebian GNU/Linux 4.0imlib2Stefan Cornelius discovered two buffer overflows in Imlib’s - a powerful image loading and rendering library - image loaders for PNM and XPM images, which may result in the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1466 xfree86 -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1xfree86The X.org fix for CVE-2007-6429 introduced a regression in the MIT-SHM extension, which prevented the start of a few applications. This update provides updated packages for the xfree86 version included in Debian old stable (sarge) in addition to the fixed packages for Debian stable (etch), which were provided in DSA 1466-2. For reference the original advisory text below: Several local vulnerabilities have been discovered in the X.Org X server. The Common Vulnerabilities and Exposures project identifies the following problems: regenrecht discovered that missing input sanitising within the XFree86-Misc extension may lead to local privilege escalation. It was discovered that error messages of security policy file handling may lead to a minor information leak disclosing the existence of files otherwise inaccessible to the user. regenrecht discovered that missing input sanitising within the XInput-Misc extension may lead to local privilege escalation. regenrecht discovered that missing input sanitising within the TOG-CUP extension may lead to disclosure of memory contents. regenrecht discovered that integer overflows in the EVI and MIT-SHM extensions may lead to local privilege escalation. It was discovered that insufficient validation of PCF fonts could lead to local privilege escalation.SecPod TeamDRAFTINTERIMACCEPTEDMaria KedovskayaINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1747 glib2.0 -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0glib2.0Diego Pettenograve discovered that glib2.0, the GLib library of C routines, handles large strings insecurely via its Base64 encoding functions. This could possible lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1501 dspam -- programming errorDebian GNU/Linux 4.0dspamTobias Gruuml Tzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line. This allowed a local attacker to read the contents of the dspam database, such as emails. The old stable distribution (sarge) does not contain the dspam package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1724 moodle -- several vulnerabilitiesDebian GNU/Linux 4.0moodleSeveral vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the information stored in the log tables was not properly sanitised, which could allow attackers to inject arbitrary web code. It was discovered that certain input via the "Login as" function was not properly sanitised leading to the injection of arbitrary web script. Dmitry E. Oboukhov discovered that the SpellCheker plugin creates temporary files insecurely, allowing a denial of service attack. Since the plugin was unused, it is removed in this update.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1658 dbus -- programming errorDebian GNU/Linux 4.0dbusColin Walters discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1818 gforge -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0gforgeLaurent Almeras and Guillaume Smet have discovered a possible SQL injection vulnerability and cross-site scripting vulnerabilities in gforge, a collaborative development tool. Due to insufficient input sanitising, it was possible to inject arbitrary SQL statements and use several parameters to conduct cross-site scripting attacks.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1777 git-core -- file permission errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0git-corePeter Palfrader discovered that in the Git revision control system, on some architectures files under /usr/share/git-core/templates/ were owned by a non-root user. This allows a user with that uid on the local system to write to these files and possibly escalate their privileges. This issue only affects the DEC Alpha and MIPS (big and little endian) architectures.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1566 cpio -- programming errorDebian GNU/Linux 4.0cpioDmitry Levin discovered a vulnerability in path handling code used by the cpio archive utility. The weakness could enable a denial of service (crash) or potentially the execution of arbitrary code if a vulnerable version of cpio is used to extract or to list the contents of a maliciously crafted archive.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1452 wzdftpd -- denial of serviceDebian GNU/Linux 4.0Debian GNU/Linux 3.1wzdftpdk1tk4t discovered that wzdftpd, a portable, modular, small and efficient ftp server, did not correctly handle the receipt of long usernames. This could allow remote users to cause the daemon to exit.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1710 ganglia-monitor-core -- buffer overflowDebian GNU/Linux 4.0ganglia-monitor-coreSpike Spiegel discovered a stack-based buffer overflow in gmetad, the meta-daemon for the ganglia cluster monitoring toolkit, which could be triggered via a request with long path names and might enable arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1601 wordpress -- several vulnerabilitiesDebian GNU/Linux 4.0wordpressSeveral remote vulnerabilities have been discovered in Wordpress, the weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information. The XML-RPC implementation, when registration is enabled, allows remote attackers to edit posts of other blog users.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1524 krb5 -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1krb5Several remote vulnerabilities have been discovered in the kdc component of the krb5, a system for authenticating users and services on a network. The Common Vulnerabilities and Exposures project identifies the following problems: An unauthenticated remote attacker may cause a krb4-enabled KDC to crash, expose information, or execute arbitrary code. Successful exploitation of this vulnerability could compromise the Kerberos key database and host security on the KDC host. An unauthenticated remote attacker may cause a krb4-enabled KDC to expose information. It is theoretically possible for the exposed information to include secret key data on some platforms. An unauthenticated remote attacker can cause memory corruption in the kadmind process, which is likely to cause kadmind to crash, resulting in a denial of service. It is at least theoretically possible for such corruption to result in database corruption or arbitrary code execution, though we have no such exploit and are not aware of any such exploits in use in the wild. In versions of MIT Kerberos shipped by Debian, this bug can only be triggered in configurations that allow large numbers of open file descriptors in a process.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1603 bind9 -- DNS cache poisoningDebian GNU/Linux 4.0bind9Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult. Note that this security update changes BIND network behavior in a fundamental way, and the following steps are recommended to ensure a smooth upgrade. 1. Make sure that your network configuration is compatible with source port randomization. If you guard your resolver with a stateless packet filter, you may need to make sure that no non-DNS services listen on the 1024--65535 UDP port range and open it at the packet filter. For instance, packet filters based on etch's Linux 2.6.18 kernel only support stateless filtering of IPv6 packets, and therefore pose this additional difficulty. (If you use IPv4 with iptables and ESTABLISHED rules, networking changes are likely not required.) 2. Install the BIND 9 upgrade, using "apt-get update" followed by "apt-get install bind9". Verify that the named process has been restarted and answers recursive queries. (If all queries result in timeouts, this indicates that networking changes are necessary; see the first step.) 3. Verify that source port randomization is active. Check that the /var/log/daemon.log file does not contain messages of the following form right after the "listening on IPv6 interface" and "listening on IPv4 interface" messages logged by BIND upon startup. If these messages are present, you should remove the indicated lines from the configuration, or replace the port numbers contained within them with "*" sign (e.g., replace "port 53" with "port *"). For additional certainty, use tcpdump or some other network monitoring tool to check for varying UDP source ports. If there is a NAT device in front of your resolver, make sure that it does not defeat the effect of source port randomization. 4. If you cannot activate source port randomization, consider configuring BIND 9 to forward queries to a resolver which can, possibly over a VPN such as OpenVPN to create the necessary trusted network link. (Use BIND's forward-only mode in this case.) Other caching resolvers distributed by Debian (PowerDNS, MaraDNS, Unbound) already employ source port randomization, and no updated packages are needed. BIND 9.5 up to and including version 1:9.5.0.dfsg-4 only implements a weak form of source port randomization and needs to be updated as well. For information on BIND 8, see DSA-1604-1, and for the status of the libc stub resolver, see DSA-1605-1. The updated bind9 packages contain changes originally scheduled for the next stable point release, including the changed IP address of L.ROOT-SERVERS.NET (Debian bug #449148).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1640 python-django -- several vulnerabilitiesDebian GNU/Linux 4.0python-djangoSimon Willison discovered that in Django, a Python web framework, the feature to retain HTTP POST data during user reauthentication allowed a remote attacker to perform unauthorised modification of data through cross site request forgery. This is possible regardless of the Django plugin to prevent cross site request forgery being enabled. The Common Vulnerabilities and Exposures project identifies this issue as CVE-2008-3909. In this update the affected feature is disabled; this is in accordance with upstream’s preferred solution for this situation. This update takes the opportunity to also include a relatively minor denial of service attack in the internationalisation framework, known as CVE-2007-5712.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1450 util-linux -- programming errorDebian GNU/Linux 4.0Debian GNU/Linux 3.1util-linuxIt was discovered that util-linux, miscellaneous system utilities, didn't drop privileged user and group permissions in the correct order in the mount and umount commands. This could potentially allow a local user to gain additional privileges.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1786 acpid -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0acpidIt was discovered that acpid, a daemon for delivering ACPI events, is prone to a denial of service attack by opening a large number of UNIX sockets, which are not closed properly.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1487 libexif -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1libexifSeveral vulnerabilities have been discovered in the EXIF parsing code of the libexif library, which can lead to denial of service or the execution of arbitrary code if a user is tricked into opening a malformed image. The Common Vulnerabilities and Exposures project identifies the following problems: Victor Stinner discovered an integer overflow, which may result in denial of service or potentially the execution of arbitrary code. Meder Kydyraliev discovered an infinite loop, which may result in denial of service. Victor Stinner discovered an integer overflow, which may result in denial of service or potentially the execution of arbitrary code. This update also fixes two potential NULL pointer deferences.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1867 kdelibs -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0kdelibsSeveral security issues have been discovered in kdelibs, core libraries from the official KDE release. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that there is a use-after-free flaw in handling certain DOM event handlers. This could lead to the execution of arbitrary code, when visiting a malicious website. It was discovered that there could be an uninitialised pointer when handling a Cascading Style Sheets (CSS) attr function call. This could lead to the execution of arbitrary code, when visiting a malicious website. It was discovered that the JavaScript garbage collector does not handle allocation failures properly, which could lead to the execution of arbitrary code when visiting a malicious website.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1638 openssh -- denial of serviceDebian GNU/Linux 4.0opensshIt has been discovered that the signal handler implementing the login timeout in Debian's version of the OpenSSH server uses functions which are not async-signal-safe, leading to a denial of service vulnerability (CVE-2008-4109). The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051), but the patch backported to the version released with etch was incorrect. Systems affected by this issue suffer from lots of zombie sshd processes. Processes stuck with a "[net]" process title have also been observed. Over time, a sufficient number of processes may accumulate such that further login attempts are impossible. Presence of these processes does not indicate active exploitation of this vulnerability. It is possible to trigger this denial of service condition by accident.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1647 php5 -- several vulnerabilitiesDebian GNU/Linux 4.0php5Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems: Buffer overflow in the imageloadfont function allows a denial of service or code execution through a crafted font file. Buffer overflow in the memnstr function allows a denial of service or code execution via a crafted delimiter parameter to the explode function. Denial of service is possible in the FastCGI module by a remote attacker by making a request with multiple dots before the extension.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1770 imp4 -- Insufficient input sanitisingDebian GNU/Linux 4.0imp4Several vulnerabilities have been found in imp4, a webmail component for the horde framework. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that imp4 suffers from a cross-site scripting (XSS) attack via the user field in an IMAP session, which allows attackers to inject arbitrary HTML code. It was discovered that imp4 is prone to several cross-site scripting (XSS) attacks via several vectors in the mail code allowing attackers to inject arbitrary HTML code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1600 sympa -- dosDebian GNU/Linux 4.0sympaIt was discovered that sympa, a modern mailing list manager, would crash when processing certain types of malformed messages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1654 libxml2 -- buffer overflowDebian GNU/Linux 4.0libxml2It was discovered that libxml2, the GNOME XML library, didn't correctly handle long entity names. This could allow the execution of arbitrary code via a malicious XML file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1655 linux-2.6.24 -- denial of service/information leak/privilege escalationDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, privilege escalation or a leak of sensitive data. The Common Vulnerabilities and Exposures project identifies the following problems: Jan Kratochvil reported a local denial of service vulnerability in the ptrace interface for the s390 architecture. Local users can trigger an invalid pointer dereference, leading to a system panic. Eugene Teo reported a lack of capability checks in the kernel driver for Granch SBNI12 leased line adapters (sbni), allowing local users to perform privileged operations. Olaf Kirch discovered an issue with the i915 driver that may allow local users to cause memory corruption by use of an ioctl with insufficient privilege restrictions. Eugene Teo discovered two issues in the SCTP subsystem which allow local users to obtain access to sensitive memory when the SCTP-AUTH extension is enabled.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1811 cups, cupsys -- null ptr dereferenceDebian GNU/Linux 5.0Debian GNU/Linux 4.0cupscupsysAnibal Sacco discovered that cups, a general printing system for UNIX systems, suffers from null pointer dereference because of its handling of two consecutive IPP packets with certain tag attributes that are treated as IPP_TAG_UNSUPPORTED tags. This allows unauthenticated attackers to perform denial of service attacks by crashing the cups daemon.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1871 wordpress -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0wordpressSeveral vulnerabilities have been discovered in wordpress, weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that wordpress is prone to an open redirect vulnerability which allows remote attackers to conduct phishing atacks. It was discovered that remote attackers had the ability to trigger an application upgrade, which could lead to a denial of service attack. It was discovered that wordpress lacks authentication checks in the plugin configuration, which might leak sensitive information. It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions. It was discovered that the administrator interface is prone to a cross-site scripting attack. It was discovered that remote attackers can gain privileges via certain direct requests. It was discovered that the _bad_protocol_once function in KSES, as used by wordpress, allows remote attackers to perform cross-site scripting attacks. It was discovered that wordpress lacks certain checks around user information, which could be used by attackers to change the password of a user. It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. It was discovered that the _httpsrequest function in the embedded snoopy version is prone to the execution of arbitrary commands via shell metacharacters in https URLs. It was discovered that wordpress relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier to perform attacks via crafted cookies.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1556 perl -- heap buffer overflowDebian GNU/Linux 4.0perlIt has been discovered that the Perl interpreter may encounter a buffer overflow condition when compiling certain regular expressions containing Unicode characters. This also happens if the offending characters are contained in a variable reference protected by the \Q...\E quoting construct. When encountering this condition, the Perl interpreter typically crashes, but arbitrary code execution cannot be ruled out.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1462 hplip -- missing input sanitisingDebian GNU/Linux 4.0hplipKees Cook discovered that the hpssd tool of the HP Linux Printing and Imaging System (HPLIP) performs insufficient input sanitising of shell meta characters, which may result in local privilege escalation to the hplip user. The old stable distribution (sarge) is not affected by this problem. For the stable distribution (etch), this problem has been fixed in version 1.6.10-3etch1. For the unstable distribution (sid), this problem has been fixed in version 1.6.10-4.3. We recommend that you upgrade your hplip packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1567 blender -- buffer overrunDebian GNU/Linux 4.0blenderStefan Cornelius discovered a vulnerability in the Radiance High Dynamic Range (HDR) image parser in Blender, a 3D modelling application. The weakness could enable a stack-based buffer overflow and the execution of arbitrary code if a maliciously-crafted HDR file is opened, or if a directory containing such a file is browsed via Blender's image-open dialog.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1643 feta -- insecure temp file handlingDebian GNU/Linux 4.0fetaDmitry E. Oboukhov discovered that the "to-upgrade" plugin of Feta, a simpler interface to APT, dpkg, and other Debian package tools creates temporary files insecurely, which may lead to local denial of service through symlink attacks.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1937 gforge -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0gforgeIt was discovered that gforge, collaborative development tool, is prone to a cross-site scripting attack via the helpname parameter. Beside fixing this issue, the update also introduces some additional input sanitising. However, there are no known attack vectors. The oldstable distribution (etch), these problems have been fixed in version 4.5.14-22etch12.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1578 php4 -- several vulnerabilitiesDebian GNU/Linux 4.0php4Several vulnerabilities have been discovered in PHP version 4, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems: The session_start function allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from various parameters. A denial of service was possible through a malicious script abusing the glob() function. Certain maliciously constructed input to the wordwrap() function could lead to a denial of service attack. Large len values of the stspn() or strcspn() functions could allow an attacker to trigger integer overflows to expose memory or cause denial of service. The escapeshellcmd API function could be attacked via incomplete multibyte chars.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1562 iceape -- programming errorDebian GNU/Linux 4.0iceapeIt was discovered that crashes in the JavaScript engine of Iceape, an unbranded version of the Seamonkey internet suite could potentially lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1610 gaim -- integer overflowDebian GNU/Linux 4.0gaimIt was discovered that gaim, an multi-protocol instant messaging client, was vulnerable to several integer overflows in its MSN protocol handlers. These could allow a remote attacker to execute arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1782 mplayer -- several vulnerabilitiesDebian GNU/Linux 4.0mplayerSeveral vulnerabilities have been discovered in mplayer, a movie player for Unix-like systems. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. It was discovered that multiple buffer overflows could lead to the execution of arbitrary code. It was discovered that watching a malformed TwinVQ file could lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDACCEPTEDDSA-1546 gnumeric -- integer overflowDebian GNU/Linux 4.0gnumericThilo Pfennig and Morten Welinder discovered several integer overflow weaknesses in Gnumeric, a GNOME spreadsheet application. These vulnerabilities could result in the execution of arbitrary code through the opening of a maliciously crafted Excel spreadsheet.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1833 dhcp3 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0dhcp3Several remote vulnerabilities have been discovered in ISC's DHCP implementation: It was discovered that dhclient does not properly handle overlong subnet mask options, leading to a stack-based buffer overflow and possible arbitrary code execution. Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1652 ruby1.9 -- several vulnerabilitiesDebian GNU/Linux 4.0ruby1.9Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. The Common Vulnerabilities and Exposures project identifies the following problems: Keita Yamaguchi discovered that several safe level restrictions are insufficiently enforced. Christian Neukirchen discovered that the WebRick module uses inefficient algorithms for HTTP header splitting, resulting in denial of service through resource exhaustion. It was discovered that the dl module doesn't perform taintness checks. Luka Treiber and Mitja Kolsek discovered that recursively nested XML entities can lead to denial of service through resource exhaustion in rexml. Tanaka Akira discovered that the resolv module uses sequential transaction IDs and a fixed source port for DNS queries, which makes it more vulnerable to DNS spoofing attacks.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1516 dovecot -- privilege escalationDebian GNU/Linux 4.0dovecotPrior to this update, the default configuration for Dovecot used by Debian runs the server daemons with group mail privileges. This means that users with write access to their mail directory on the server (for example, through an SSH login) could read and also delete via a symbolic link mailboxes owned by other users for which they do not have direct access (CVE-2008-1199). In addition, an internal interpretation conflict in password handling has been addressed proactively, even though it is not known to be exploitable (CVE-2008-1218). Note that applying this update requires manual action: The configuration setting mail_extra_groups = mail has been replaced with mail_privileged_group = mail. The update will show a configuration file conflict in /etc/dovecot/dovecot.conf. It is recommended that you keep the currently installed configuration file, and change the affected line. For your reference, the sample configuration (without your local changes) will have been written to /etc/dovecot/dovecot.conf.dpkg-new. If your current configuration uses mail_extra_groups with a value different from mail, you may have to resort to the mail_access_groups configuration directive.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1622 newsx -- buffer overflowDebian GNU/Linux 4.0newsxIt was discovered that newsx, an NNTP news exchange utility, was affected by a buffer overflow allowing remote attackers to execute arbitrary code via a news article containing a large number of lines starting with a period.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1517 ldapscripts -- programming errorDebian GNU/Linux 4.0ldapscriptsDon Armstrong discovered that ldapscripts, a suite of tools to manipulate user accounts in LDAP, sends the password as a command line argument when calling LDAP programs, which may allow a local attacker to read this password from the process listing. The old stable distribution (sarge) does not contain an ldapscripts package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1804 ipsec-tools -- null pointer dereference, memory leaksDebian GNU/Linux 5.0Debian GNU/Linux 4.0ipsec-toolsSeveral remote vulnerabilities have been discovered in racoon, the Internet Key Exchange daemon of ipsec-tools. The The Common Vulnerabilities and Exposures project identified the following problems: Neil Kettle discovered a NULL pointer dereference on crafted fragmented packets that contain no payload. This results in the daemon crashing which can be used for denial of service attacks. Various memory leaks in the X.509 certificate authentication handling and the NAT-Traversal keepalive implementation can result in memory exhaustion and thus denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1507 turba2 -- programming errorDebian GNU/Linux 4.0Debian GNU/Linux 3.1turba2Peter Paul Elfferich discovered that turba2, a contact management component for horde framework, did not correctly check access rights before allowing users to edit addresses. This could result in valid users being able to alter private address records.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1899 strongswan -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0strongswanSeveral remote vulnerabilities have been discovered in strongswan, an implementation of the IPSEC and IKE protocols. The Common Vulnerabilities and Exposures project identifies the following problems: The charon daemon can crash when processing certain crafted IKEv2 packets. (The old stable distribution (etch) was not affected by these two problems because it lacks IKEv2 support.) The pluto daemon could crash when processing a crafted X.509 certificate.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1921 expat -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0expatPeter Valchev discovered an error in expat, an XML parsing C library, when parsing certain UTF-8 sequences, which can be exploited to crash an application using the library.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1615 xulrunner -- several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that missing boundary checks on a reference counter for CSS objects can lead to the execution of arbitrary code. Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. moz_bug_r_a4 discovered several cross-site scripting vulnerabilities. Collin Jackson and Adam Barth discovered that Javascript code could be executed in the context of signed JAR archives. moz_bug_r_a4 discovered that XUL documents can escalate privileges by accessing the pre-compiled fastload file. moz_bug_r_a4 discovered that missing input sanitising in the mozIJSSubScriptLoader.loadSubScript() function could lead to the execution of arbitrary code. Iceweasel itself is not affected, but some addons are. Claudio Santambrogio discovered that missing access validation in DOM parsing allows malicious web sites to force the browser to upload local files to the server, which could lead to information disclosure. Daniel Glazman discovered that a programming error in the code for parsing .properties files could lead to memory content being exposed to addons, which could lead to information disclosure. Masahiro Yamada discovered that file URLs in directory listings were insufficiently escaped. John G. Myers, Frank Benkstein and Nils Toedtmann discovered that alternate names on self-signed certificates were handled insufficiently, which could lead to spoofing of secure connections. Greg McManus discovered a crash in the block reflow code, which might allow the execution of arbitrary code. Billy Rios discovered that passing an URL containing a pipe symbol to Iceweasel can lead to Chrome privilege escalation.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1801 ntp -- buffer overflowsDebian GNU/Linux 5.0Debian GNU/Linux 4.0ntpSeveral remote vulnerabilities have been discovered in NTP, the Network Time Protocol reference implementation. The Common Vulnerabilities and Exposures project identifies the following problems: A buffer overflow in ntpq allow a remote NTP server to create a denial of service attack or to execute arbitrary code via a crafted response. A buffer overflow in ntpd allows a remote attacker to create a denial of service attack or to execute arbitrary code when the autokey functionality is enabled.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1557 phpmyadmin -- insufficient input sanitisingDebian GNU/Linux 4.0phpmyadminSeveral remote vulnerabilities have been discovered in phpMyAdmin, an application to administrate MySQL over the WWW. The Common Vulnerabilities and Exposures project identifies the following problems: Attackers with CREATE table permissions were allowed to read arbitrary files readable by the webserver via a crafted HTTP POST request. The PHP session data file stored the username and password of a logged in user, which in some setups can be read by a local user. Cross site scripting and SQL injection were possible by attackers that had permission to create cookies in the same cookie domain as phpMyAdmin runs in.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1611 afuse -- privilege escalationDebian GNU/Linux 4.0afuseAnders Kaseorg discovered that afuse, an automounting file system in user-space, did not properly escape meta characters in paths. This allowed a local attacker with read access to the filesystem to execute commands as the owner of the filesystem.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1763 openssl -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0opensslIt was discovered that insufficient length validations in the ASN.1 handling of the OpenSSL crypto library may lead to denial of service when processing a manipulated certificate.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1826 eggdrop -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0eggdropSeveral vulnerabilities have been discovered in eggdrop, an advanced IRC robot. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that eggdrop is vulnerable to a buffer overflow, which could result in a remote user executing arbitrary code. The previous DSA (DSA-1448-1) did not fix the issue correctly. It was discovered that eggdrop is vulnerable to a denial of service attack, that allows remote attackers to cause a crash via a crafted PRIVMSG.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1923 libhtml-parser-perl -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0libhtml-parser-perlA denial of service vulnerability has been found in libhtml-parser-perl, a collection of modules to parse HTML in text documents which is used by several other projects like e.g. SpamAssassin. Mark Martinec discovered that the decode_entities() function will get stuck in an infinite loop when parsing certain HTML entities with invalid UTF-8 characters. An attacker can use this to perform denial of service attacks by submitting crafted HTML to an application using this functionality.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1457 dovecot -- programming errorDebian GNU/Linux 4.0dovecotIt was discovered that Dovecot, a POP3 and IMAP server, only when used # Remark: "base" refers to a variable(?!) and should not contain something as # base = %r! with LDAP authentication and base contains variables, could allow a user to log in to the account of another user with the same password. The old stable distribution (sarge) is not affected. For the stable distribution (etch), this problem has been fixed in version 1.0.rc15-2etch3. For the unstable distribution (sid), this problem has been fixed in version 1.0.10-1. We recommend that you upgrade your dovecot packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1531 policyd-weight -- insecure temporary filesDebian GNU/Linux 4.0policyd-weightChris Howells discovered that policyd-weight, a policy daemon for the Postfix mail transport agent, created its socket in an insecure way, which may be exploited to overwrite or remove arbitrary files from the local system.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1577 gforge -- insecure temporary filesDebian GNU/Linux 4.0gforgeStephen Gran and Mark Hymers discovered that some scripts run by GForge, a collaborative development tool, open files in write mode in a potentially insecure manner. This may be exploited to overwrite arbitrary files on the local system.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1488 phpbb2 -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1phpbb2Several remote vulnerabilities have been discovered in phpBB, a web based bulletin board. The Common Vulnerabilities and Exposures project identifies the following problems: Private messaging allowed cross site request forgery, making it possible to delete all private messages of a user by sending them to a crafted web page. Cross site request forgery enabled an attacker to perform various actions on behalf of a logged in user. (Applies to sarge only.) A negative start parameter could allow an attacker to create invalid output. (Applies to sarge only.) Redirection targets were not fully checked, leaving room for unauthorised external redirections via a phpBB forum. (Applies to sarge only.) An authenticated forum administrator may upload files of any type by using specially crafted filenames. (Applies to sarge only.)SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1588 linux-2.6 -- denial of serviceDebian GNU/Linux 4.0linux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: Johannes Bauer discovered an integer overflow condition in the hrtimer subsystem on 64-bit systems. This can be exploited by local users to trigger a denial of service (DoS) by causing the kernel to execute an infinite loop. Jan Kratochvil reported a local denial of service condition that permits local users on systems running the amd64 flavor kernel to cause a system crash. Paul Harks discovered a memory leak in the Simple Internet Transition (SIT) code used for IPv6 over IPv4 tunnels. This can be exploited by remote users to cause a denial of service condition. David Miller and Jan Lieskovsky discovered issues with the virtual address range checking of mmaped regions on the sparc architecture that may be exploited by local users to cause a denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1616 clamav -- denial of serviceDebian GNU/Linux 4.0clamavDamian Put discovered a vulnerability in the ClamAV anti-virus toolkit's parsing of Petite-packed Win32 executables. The weakness leads to an invalid memory access, and could enable an attacker to crash clamav by supplying a maliciously crafted Petite-compressed binary for scanning. In some configurations, such as when clamav is used in combination with mail servers, this could cause a system to fail open, facilitating a follow-on viral attack. A previous version of this advisory referenced packages that were built incorrectly and omitted the intended correction. This issue was fixed in packages referenced by the -2 revision of the advisory. The Common Vulnerabilities and Exposures project identifies this weakness as CVE-2008-2713 and CVE-2008-3215.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1829 sork-passwd-h3 -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0sork-passwd-h3It was discovered that sork-passwd-h3, a Horde3 module for users to change their password, is prone to a cross-site scripting attack via the backend parameter.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1844 linux-2.6.24 -- denial of service/privilege escalationDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Neil Horman discovered a missing fix from the e1000 network driver. A remote user may cause a denial of service by way of a kernel panic triggered by specially crafted frame sizes. Michael Tokarev discovered an issue in the r8169 network driver. Remote users on the same LAN may cause a denial of service by way of a kernel panic triggered by receiving a large size frame. Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. Julien Tinnes and Tavis Ormandy reported an issue in the Linux personality code. Local users can take advantage of a setuid binary that can either be made to dereference a NULL pointer or drop privileges and return control to the user. This allows a user to bypass mmap_min_addr restrictions which can be exploited to execute arbitrary code. Mikulas Patocka discovered an issue in sparc64 kernels that allows local users to cause a denial of service (crash) by reading the /proc/iomem file. Miklos Szeredi reported an issue in the ocfs2 filesystem. Local users can create a denial of service (filesystem deadlock) using a particular sequence of splice system calls. Ramon de Carvalho Valle discovered two issues with the eCryptfs layered filesystem using the fsfuzzer utility. A local user with permissions to perform an eCryptfs mount may modify the contents of an eCryptfs file, overflowing the stack and potentially gaining elevated privileges.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1715 moin -- insufficient input sanitisingDebian GNU/Linux 4.0moinIt was discovered that the AttachFile action in moin, a python clone of WikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260). Another cross-site scripting vulnerability was discovered in the antispam feature (CVE-2009-0312).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1696 icedove -- several vulnerabilitiesDebian GNU/Linux 4.0icedoveSeveral remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client. The Common Vulnerabilities and Exposures project identifies the following problems: Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code. (MFSA 2008-37) It was discovered that crashes in the Javascript engine could potentially lead to the execution of arbitrary code. (MFSA 2008-20) "moz_bug_r_a4" discovered that the same-origin check in nsXMLDocument::OnChannelRedirect() could be bypassed. (MFSA 2008-38) "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41) "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41) Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege escalation vulnerability in XSLT handling. (MFSA 2008-41) Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code. (MFSA 2008-42) Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. (MFSA 2008-42) Dave Reed discovered that some Unicode byte order marks are stripped from Javascript code before execution, which can result in code being executed, which were otherwise part of a quoted string. (MFSA 2008-43) It was discovered that a directory traversal allows attackers to read arbitrary files via a certain character. (MFSA 2008-44) It was discovered that a directory traversal allows attackers to bypass security restrictions and obtain sensitive information. (MFSA 2008-44) It was discovered that a buffer overflow could be triggered via a long header in a news article, which could lead to arbitrary code execution. (MFSA 2008-46) Liu Die Yu and Boris Zbarsky discovered an information leak through local shortcut files. (MFSA 2008-47, MFSA 2008-59) Georgi Guninski, Michal Zalewski and Chris Evan discovered that the canvas element could be used to bypass same-origin restrictions. (MFSA 2008-48) Jesse Ruderman discovered that a programming error in the window.__proto__.__proto__ object could lead to arbitrary code execution. (MFSA 2008-50) It was discovered that crashes in the layout engine could lead to arbitrary code execution. (MFSA 2008-52) It was discovered that crashes in the Javascript engine could lead to arbitrary code execution. (MFSA 2008-52) It was discovered that a crash in the nsFrameManager might lead to the execution of arbitrary code. (MFSA 2008-55) "moz_bug_r_a4" discovered that the same-origin check in nsXMLHttpRequest::NotifyEventListeners() could be bypassed. (MFSA 2008-56) Chris Evans discovered that quote characters were improperly escaped in the default namespace of E4X documents. (MFSA 2008-58) Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60) Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61) Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64) Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65) Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66) It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68) It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68)SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1471 libvorbis -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1libvorbisSeveral vulnerabilities were found in the Vorbis General Audio Compression Codec, which may lead to denial of service or the execution of arbitrary code, if a user is tricked into opening a malformed Ogg Audio file with an application linked against libvorbis.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1554 roundup -- insufficient input sanitisingDebian GNU/Linux 4.0roundupRoundup, an issue tracking system, fails to properly escape HTML input, allowing an attacker to inject client-side code (typically JavaScript) into a document that may be viewed in the victim's browser.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1476 pulseaudio -- programming errorDebian GNU/Linux 4.0pulseaudioMarcus Meissner discovered that the PulseAudio sound server performed insufficient checks when dropping privileges, which could lead to local privilege escalation. The old stable distribution (sarge) doesn't contain pulseaudio.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1591 libvorbis -- several vulnerabilitiesDebian GNU/Linux 4.0libvorbisSeveral local (remote) vulnerabilities have been discovered in libvorbis, a library for the Vorbis general-purpose compressed audio codec. The Common Vulnerabilities and Exposures project identifies the following problems: libvorbis does not properly handle a zero value which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow. Integer overflow in libvorbis allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow. Integer overflow in libvorbis allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file which triggers a heap overflow.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1813 evolution-data-server -- Several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0evolution-data-serverSeveral vulnerabilities have been found in evolution-data-server, the database backend server for the evolution groupware suite. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that evolution-data-server is prone to integer overflows triggered by large base64 strings. Joachim Breitner discovered that S/MIME signatures are not verified properly, which can lead to spoofing attacks. It was discovered that NTLM authentication challenge packets are not validated properly when using the NTLM authentication method, which could lead to an information disclosure or a denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1570 kazehakase -- variousDebian GNU/Linux 4.0kazehakaseAndrews Salomon reported that kazehakase, a GTK+-based web browser that allows pluggable rendering engines, contained an embedded copy of the PCRE library in its source tree which was compiled in and used in preference to the system-wide version of this library. The PCRE library has been updated to fix the security issues reported against it in previous Debian Security Advisories. This update ensures that kazehakase uses that supported library, and not its own embedded and insecure version.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1880 openoffice.org -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0openoffice.orgSeveral vulnerabilities have been discovered in the OpenOffice.org office suite. The Common Vulnerabilities and Exposures project identifies the following problems: Dyon Balding of Secunia Research has discovered a vulnerability, which can be exploited by opening a specially crafted Microsoft Word document. When reading a Microsoft Word document, a bug in the parser of sprmTDelete records can result in an integer underflow that may lead to heap-based buffer overflows. Successful exploitation may allow arbitrary code execution in the context of the OpenOffice.org process. Dyon Balding of Secunia Research has discovered a vulnerability, which can be exploited by opening a specially crafted Microsoft Word document. When reading a Microsoft Word document, a bug in the parser of sprmTDelete records can result in heap-based buffer overflows. Successful exploitation may allow arbitrary code execution in the context of the OpenOffice.org process. A vulnerability has been discovered in the parser of EMF files of OpenOffice/Go-oo 2.x and 3.x that can be triggered by a specially crafted document and lead to the execution of arbitrary commands the privileges of the user running OpenOffice.org/Go-oo. This vulnerability does not exist in the packages for oldstable, testing and unstable.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1760 openswan -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0openswanTwo vulnerabilities have been discovered in openswan, an IPSec implementation for linux. The Common Vulnerabilities and Exposures project identifies the following problems: Dmitry E. Oboukhov discovered that the livetest tool is using temporary files insecurely, which could lead to a denial of service attack. Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone to a denial of service attack via a malicious packet.SecPod TeamDRAFTINTERIMACCEPTEDACCEPTEDDSA-1525 asterisk -- several vulnerabilitiesDebian GNU/Linux 4.0asteriskSeveral remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems: Tilghman Lesher discovered that database-based registrations are insufficiently validated. This only affects setups, which are configured to run without a password and only host-based authentication. Jason Parker discovered that insufficient validation of From: headers inside the SIP channel driver may lead to authentication bypass and the potential external initiation of calls. This update also fixes a format string vulnerability, which can only be triggered through configuration files under control of the local administrator. In later releases of Asterisk this issue is remotely exploitable and tracked as CVE-2008-1333. The status of the old stable distribution (sarge) is currently being investigated. If affected, an update will be released through security.debian.org.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1555 iceweasel -- programming errorDebian GNU/Linux 4.0iceweaselIt was discovered that crashes in the Javascript engine of Iceweasel, an unbranded version of the Firefox browser, could potentially lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1484 xulrunner -- several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes in the layout engine, which might allow the execution of arbitrary code. Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor and tgirmann discovered crashes in the JavaScript engine, which might allow the execution of arbitrary code. hong and Gregory Fleischer discovered that file input focus vulnerabilities in the file upload control could allow information disclosure of local files. moz_bug_r_a4 and Boris Zbarsky discovered several vulnerabilities in JavaScript handling, which could allow privilege escalation. Justin Dolske discovered that the password storage mechanism could be abused by malicious web sites to corrupt existing saved passwords. Gerry Eisenhaur and moz_bug_r_a4 discovered that a directory traversal vulnerability in chrome: URI handling could lead to information disclosure. David Bloom discovered a race condition in the image handling of designMode elements, which could lead to information disclosure or potentially the execution of arbitrary code. Michal Zalewski discovered that timers protecting security-sensitive dialogs (which disable dialog elements until a timeout is reached) could be bypassed by window focus changes through JavaScript. It was discovered that malformed content declarations of saved attachments could prevent a user from opening local files with a .txt file name, resulting in minor denial of service. Martin Straka discovered that insecure stylesheet handling during redirects could lead to information disclosure. Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing protections could be bypassed with div elements. The old stable distribution (sarge) doesn't contain xulrunner.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1526 xwine -- several vulnerabilitiesDebian GNU/Linux 4.0xwineSteve Kemp from the Debian Security Audit project discovered several local vulnerabilities in xwine, a graphical user interface for the WINE emulator. The Common Vulnerabilities and Exposures project identifies the following problems: The xwine command makes unsafe use of local temporary files when printing. This could allow the removal of arbitrary files belonging to users who invoke the program. The xwine command changes the permissions of the global WINE configuration file such that it is world-writable. This could allow local users to edit it such that arbitrary commands could be executed whenever any local user executed a program under WINE.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1481 python-cherrypy -- missing input sanitisingDebian GNU/Linux 4.0python-cherrypyIt was discovered that a directory traversal vulnerability in CherryPy, a pythonic, object-oriented web development framework, may lead to denial of service by deleting files through malicious session IDs in cookies. The old stable distribution (sarge) doesn't contain python-cherrypy.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1814 libsndfile -- heap-based buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0libsndfileTwo vulnerabilities have been found in libsndfile, a library to read and write sampled audio data. The Common Vulnerabilities and Exposures project identified the following problems: Tobias Klein discovered that the VOC parsing routines suffer of a heap-based buffer overflow which can be triggered by an attacker via a crafted VOC header. The vendor discovered that the AIFF parsing routines suffer of a heap-based buffer overflow similar to CVE-2009-1788 which can be triggered by an attacker via a crafted AIFF header. In both cases the overflowing data is not completely attacker controlled but still leads to application crashes or under some circumstances might still lead to arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1686 no-ip -- buffer overflowDebian GNU/Linux 4.0no-ipA buffer overflow has been discovered in the HTTP parser of the No-IP.com Dynamic DNS update client, which may result in the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1896 opensaml, shibboleth-sp -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0opensamlshibboleth-spSeveral vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x: Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. Incorrect processing of SAML metadata ignored key usage constraints.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1865 linux-2.6 -- denial of service/privilege escalationDebian GNU/Linux 4.0linux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Neil Horman discovered a missing fix from the e1000 network driver. A remote user may cause a denial of service by way of a kernel panic triggered by specially crafted frame sizes. Michael Tokarev discovered an issue in the r8169 network driver. Remote users on the same LAN may cause a denial of service by way of a kernel panic triggered by receiving a large size frame. Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialised in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1482 squid -- programming errorDebian GNU/Linux 4.0squidIt was discovered that malformed cache update replies against the Squid WWW proxy cache could lead to the exhaustion of system memory, resulting in potential denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1447 tomcat5.5 -- several vulnerabilitiesDebian GNU/Linux 4.0tomcat5.5Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that single quotes (') in cookies were treated as a delimiter, which could lead to an information leak. It was discovered that the character sequence \' in cookies was handled incorrectly, which could lead to an information leak. It was discovered that the host manager servlet performed insufficient input validation, which could lead to a cross-site scripting attack. It was discovered that the JULI logging component did not restrict its target path, resulting in potential denial of service through file overwrites. It was discovered that the WebDAV servlet is vulnerable to absolute path traversal. The old stable distribution (sarge) doesn't contain tomcat5.5. For the stable distribution (etch), these problems have been fixed in version 5.5.20-2etch1. For the unstable distribution (sid) these problems will be fixed soon. We recommend that you upgrade your tomcat5.5 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1453 tomcat5 -- several vulnerabilitiesDebian GNU/Linux 4.0tomcat5Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that single quotes (') in cookies were treated as a delimiter, which could lead to an information leak. It was discovered that the character sequence \' in cookies was handled incorrectly, which could lead to an information leak. It was discovered that the WebDAV servlet is vulnerable to absolute path traversal. The old stable distribution (sarge) doesn't contain tomcat5. For the stable distribution (etch), these problems have been fixed in version 5.0.30-12etch1. The unstable distribution (sid) no longer contains tomcat5. We recommend that you upgrade your tomcat5 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1537 xpdf -- several vulnerabilitiesDebian GNU/Linux 4.0xpdfAlin Rad Pop (Secunia) discovered a number of vulnerabilities in xpdf, a set of tools for display and conversion of Portable Document Format (PDF) files. The Common Vulnerabilities and Exposures project identifies the following three problems: Inadequate DCT stream validation allows an attacker to corrupt memory and potentially execute arbitrary code by supplying a maliciously crafted PDF file. An integer overflow vulnerability in DCT stream handling could allow an attacker to overflow a heap buffer, enabling the execution of arbitrary code. A buffer overflow vulnerability in xpdf's CCITT image compression handlers allows overflow on the heap, allowing an attacker to execute arbitrary code by supplying a maliciously crafted CCITTFaxDecode filter.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1589 libxslt -- buffer overflowDebian GNU/Linux 4.0libxsltIt was discovered that libxslt, an XSLT processing runtime library, could be coerced into executing arbitrary code via a buffer overflow when an XSL style sheet file with a long XSLT "transformation match" condition triggered a large number of steps.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1620 python2.5 -- several vulnerabilitiesDebian GNU/Linux 4.0python2.5Several vulnerabilities have been discovered in the interpreter for the Python language. The Common Vulnerabilities and Exposures project identifies the following problems: Piotr Engelking discovered that the strxfrm() function of the locale module miscalculates the length of an internal buffer, which may result in a minor information disclosure. It was discovered that several integer overflows in the imageop module may lead to the execution of arbitrary code, if a user is tricked into processing malformed images. This issue is also tracked as CVE-2008-1679 due to an initially incomplete patch. Justin Ferguson discovered that a buffer overflow in the zlib module may lead to the execution of arbitrary code. Justin Ferguson discovered that insufficient input validation in PyString_FromStringAndSize() may lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1681 linux-2.6.24 -- denial of service/privilege escalationDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Eugene Teo reported a local DoS issue in the ext2 and ext3 filesystems. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to output error messages in an infinite loop. Milos Szeredi reported that the usage of splice() on files opened with O_APPEND allows users to write to the file at arbitrary offsets, enabling a bypass of possible assumed semantics of the O_APPEND flag. Vlad Yasevich reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel oops. Wei Yongjun reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel panic. Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to overrun a buffer, resulting in a system oops or memory corruption. Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that results in a kernel oops due to an unchecked return value. Eric Sesterhenn reported a local DoS issue in the hfs filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a filesystem with a corrupted catalog name length, resulting in a system oops or memory corruption. Andrea Bittau reported a DoS issue in the unix socket subsystem that allows a local user to cause memory corruption, resulting in a kernel panic. Johannes Berg reported a remote DoS issue in the libertas wireless driver, which can be triggered by a specially crafted beacon/probe response. Al Viro reported race conditions in the inotify subsystem that may allow local users to acquire elevated privileges. Dann Frazier reported a DoS condition that allows local users to cause the out of memory handler to kill off privileged processes or trigger soft lockups due to a starvation issue in the unix socket subsystem.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1483 net-snmp -- design errorDebian GNU/Linux 4.0net-snmpThe SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1576 openssh -- predictable random number generatorDebian GNU/Linux 4.0opensshThe recently announced vulnerability in Debian's openssl package (DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result, all user and host keys generated using broken versions of the openssl package must be considered untrustworthy, even after the openssl update has been applied. 1. Install the security updates This update contains a dependency on the openssl update and will automatically install a corrected version of the libssl0.9.8 package, and a new package openssh-blacklist. Once the update is applied, weak user keys will be automatically rejected where possible (though they cannot be detected in all cases). If you are using such keys for user authentication, they will immediately stop working and will need to be replaced (see step 3). OpenSSH host keys can be automatically regenerated when the OpenSSH security update is applied. The update will prompt for confirmation before taking this step. 2. Update OpenSSH known_hosts files The regeneration of host keys will cause a warning to be displayed when connecting to the system using SSH until the host key is updated in the known_hosts file. The warning will look like this: In this case, the host key has simply been changed, and you should update the relevant known_hosts file as indicated in the error message. It is recommended that you use a trustworthy channel to exchange the server key. It is found in the file /etc/ssh/ssh_host_rsa_key.pub on the server; its fingerprint can be printed using the command: ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub In addition to user-specific known_hosts files, there may be a system-wide known hosts file /etc/ssh/ssh_known_hosts. This is file is used both by the ssh client and by sshd for the hosts.equiv functionality. This file needs to be updated as well. 3. Check all OpenSSH user keys The safest course of action is to regenerate all OpenSSH user keys, except where it can be established to a high degree of certainty that the key was generated on an unaffected system. Check whether your key is affected by running the ssh-vulnkey tool, included in the security update. By default, ssh-vulnkey will check the standard location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity), your authorised_keys file (~/.ssh/authorised_keys and ~/.ssh/authorised_keys2), and the system's host keys (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key). To check all your own keys, assuming they are in the standard locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity): ssh-vulnkey To check all keys on your system: sudo ssh-vulnkey -a To check a key in a non-standard location: ssh-vulnkey /path/to/key If ssh-vulnkey says "Unknown (no blacklist information)", then it has no information about whether that key is affected. In this case, you can examine the modification time (mtime) of the file using "ls -l". Keys generated before September 2006 are not affected. Keep in mind that, although unlikely, backup procedures may have changed the file date back in time (or the system clock may have been incorrectly set). If in doubt, generate a new key and remove the old one from any servers. 4. Regenerate any affected user keys OpenSSH keys used for user authentication must be manually regenerated, including those which may have since been transferred to a different system after being generated. New keys can be generated using ssh-keygen, e.g.: 5. Update authorised_keys files (if necessary) Once the user keys have been regenerated, the relevant public keys must be propagated to any authorised_keys files (and authorised_keys2 files, if applicable) on remote systems. Be sure to delete the lines containing old keys from those files. In addition to countermeasures to mitigate the randomness vulnerability, this OpenSSH update fixes several other vulnerabilities: CVE-2008-1483: Timo Juhani Lindfors discovered that, when using X11 forwarding, the SSH client selects an X11 forwarding port without ensuring that it can be bound on all address families. If the system is configured with IPv6 (even if it does not have working IPv6 connectivity), this could allow a local attacker on the remote server to hijack X11 forwarding. CVE-2007-4752: Jan Pechanec discovered that ssh falls back to creating a trusted X11 cookie if creating an untrusted cookie fails, potentially exposing the local display to a malicious remote server when using X11 forwarding.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1513 lighttpd -- information disclosureDebian GNU/Linux 4.0lighttpdIt was discovered that lighttpd, a fast webserver with minimal memory footprint, would display the source to CGI scripts if their execution failed in some circumstances.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1573 rdesktop -- several vulnerabilitiesDebian GNU/Linux 4.0rdesktopSeveral remote vulnerabilities have been discovered in rdesktop, a Remote Desktop Protocol client. The Common Vulnerabilities and Exposures project identifies the following problems: Remote exploitation of an integer underflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. Remote exploitation of a BSS overflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user. Remote exploitation of an integer signedness vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1720 typo3-src -- several vulnerabilitiesDebian GNU/Linux 4.0typo3-srcSeveral remote vulnerabilities have been discovered in the TYPO3 web content management framework. Marcus Krause and Michael Stucki from the TYPO3 security team discovered that the jumpUrl mechanism discloses secret hashes enabling a remote attacker to bypass access control by submitting the correct value as a URL parameter and thus being able to read the content of arbitrary files. Jelmer de Hen and Dmitry Dulepov discovered multiple cross-site scripting vulnerabilities in the backend user interface allowing remote attackers to inject arbitrary web script or HTML. As it is very likely that your encryption key has been exposed we strongly recommend to change your encyption key via the install tool after installing the update.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1634 wordnet -- stack and heap overflowsDebian GNU/Linux 4.0wordnetRob Holland discovered several programming errors in WordNet, an electronic lexical database of the English language. These flaws could allow arbitrary code execution when used with untrusted input, for example when WordNet is in use as a back end for a web application.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1631 libxml2 -- denial of serviceDebian GNU/Linux 4.0libxml2Andreas Solberg discovered that libxml2, the GNOME XML library, could be forced to recursively evaluate entities, until available CPU and memory resources were exhausted.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1530 cupsys -- Several vulnerabilitiesDebian GNU/Linux 4.0cupsysSeveral local/remote vulnerabilities have been discovered in cupsys, the Common Unix Printing System. The Common Vulnerabilities and Exposures project identifies the following problems: Heap-based buffer overflow in CUPS, when printer sharing is enabled, allows remote attackers to execute arbitrary code via crafted search expressions. Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly the execution of arbitrary code via crafted packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1586 xine-lib -- multiple vulnerabilitiesDebian GNU/Linux 4.0xine-libMultiple vulnerabilities have been discovered in xine-lib, a library which supplies most of the application functionality of the xine multimedia player. The Common Vulnerabilities and Exposures project identifies the following three problems: Integer overflow vulnerabilities exist in xine's FLV, QuickTime, RealMedia, MVE and CAK demuxers, as well as the EBML parser used by the Matroska demuxer. These weaknesses allow an attacker to overflow heap buffers and potentially execute arbitrary code by supplying a maliciously crafted file of those types. Insufficient input validation in the Speex implementation used by this version of xine enables an invalid array access and the execution of arbitrary code by supplying a maliciously crafted Speex file. Inadequate bounds checking in the NES Sound Format (NSF) demuxer enables a stack buffer overflow and the execution of arbitrary code through a maliciously crafted NSF file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1648 mon -- insecure temporary filesDebian GNU/Linux 4.0monDmitry E. Oboukhov discovered that the test.alert script used in one of the alert functions in mon, a system to monitor hosts or services and alert about problems, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1579 netpbm-free -- insufficient input sanitisingDebian GNU/Linux 4.0netpbm-freeA vulnerability was discovered in the GIF reader implementation in netpbm-free, a suite of image manipulation utilities. Insufficient input data validation could allow a maliciously-crafted GIF file to overrun a stack buffer, potentially permitting the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1657 qemu -- insecure temporary filesDebian GNU/Linux 4.0qemuDmitry E. Oboukhov discovered that the qemu-make-debian-root script in qemu, fast processor emulator, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1773 cups -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0cupsIt was discovered that the imagetops filter in cups, the Common UNIX Printing System, is prone to an integer overflow when reading malicious TIFF images.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1910 mysql-ocaml -- missing escape functionDebian GNU/Linux 5.0Debian GNU/Linux 4.0mysql-ocamlIt was discovered that mysql-ocaml, OCaml bindings for MySql, was missing a function to call mysql_real_escape_string(). This is needed, because mysql_real_escape_string() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called real_escape() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1505 alsa-driver -- kernel memory leakDebian GNU/Linux 4.0Debian GNU/Linux 3.1alsa-driverTakashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel (CVE-2007-4571).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1912 camlimages -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0camlimagesIt was discovered that CamlImages, an open source image processing library, suffers from several integer overflows, which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of TIFF files. It also expands the patch for CVE-2009-2660 to cover another potential overflow in the processing of JPEG images.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1532 xulrunner -- several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: Peter Brodersen and Alexander Klink discovered that the autoselection of SSL client certificates could lead to users being tracked, resulting in a loss of privacy. moz_bug_r_a4 discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. moz_bug_r_a4 discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered that incorrect principal handling could lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. georgi, tgirmann and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Gregory Fleischer discovered that HTTP Referrer headers were handled incorrectly in combination with URLs containing Basic Authentication credentials with empty usernames, resulting in potential Cross-Site Request Forgery attacks. Gregory Fleischer discovered that web content fetched through the jar: protocol can use Java to connect to arbitrary ports. This is only an issue in combination with the non-free Java plugin. Chris Thomas discovered that background tabs could generate XUL popups overlaying the current tab, resulting in potential spoofing attacks. The Mozilla products from the old stable distribution (sarge) are no longer supported.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1697 iceape -- several vulnerabilitiesDebian GNU/Linux 4.0iceapeSeveral remote vulnerabilities have been discovered in Iceape an unbranded version of the Seamonkey internet suite. The Common Vulnerabilities and Exposures project identifies the following problems: Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code. (MFSA 2008-37) It was discovered that a buffer overflow in MIME decoding can lead to the execution of arbitrary code. (MFSA 2008-26) It was discovered that missing boundary checks on a reference counter for CSS objects can lead to the execution of arbitrary code. (MFSA 2008-34) Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. (MFSA 2008-21) Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. (MFSA 2008-21) "moz_bug_r_a4" discovered several cross-site scripting vulnerabilities. (MFSA 2008-22) Collin Jackson and Adam Barth discovered that Javascript code could be executed in the context or signed JAR archives. (MFSA 2008-23) "moz_bug_r_a4" discovered that XUL documements can escalate privileges by accessing the pre-compiled "fastload" file. (MFSA 2008-24) "moz_bug_r_a4" discovered that missing input sanitising in the mozIJSSubScriptLoader.loadSubScript() function could lead to the execution of arbitrary code. Iceape itself is not affected, but some addons are. (MFSA 2008-25) Claudio Santambrogio discovered that missing access validation in DOM parsing allows malicious web sites to force the browser to upload local files to the server, which could lead to information disclosure. (MFSA 2008-27) Daniel Glazman discovered that a programming error in the code for parsing .properties files could lead to memory content being exposed to addons, which could lead to information disclosure. (MFSA 2008-29) Masahiro Yamada discovered that file URLs in directory listings were insufficiently escaped. (MFSA 2008-30) John G. Myers, Frank Benkstein and Nils Toedtmann discovered that alternate names on self-signed certificates were handled insufficiently, which could lead to spoofings of secure connections. (MFSA 2008-31) It was discovered that URL shortcut files could be used to bypass the same-origin restrictions. This issue does not affect current Iceape, but might occur with additional extensions installed. (MFSA 2008-32) Greg McManus discovered a crash in the block reflow code, which might allow the execution of arbitrary code. (MFSA 2008-33) Billy Rios discovered that passing an URL containing a pipe symbol to Iceape can lead to Chrome privilege escalation. (MFSA 2008-35) "moz_bug_r_a4" discovered that the same-origin check in nsXMLDocument::OnChannelRedirect() could be bypassed. (MFSA 2008-38) "moz_bug_r_a4" discovered that several vulnerabilities in feedWriter could lead to Chrome privilege escalation. (MFSA 2008-39) Paul Nickerson discovered that an attacker could move windows during a mouse click, resulting in unwanted action triggered by drag-and-drop. (MFSA 2008-40) "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41) "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41) Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege escalation vulnerability in XSLT handling. (MFSA 2008-41) Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code. (MFSA 2008-42) Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. (MFSA 2008-42) Dave Reed discovered that some Unicode byte order marks are stripped from Javascript code before execution, which can result in code being executed, which were otherwise part of a quoted string. (MFSA 2008-43) Boris Zbarsky discovered that resource: URLs allow directory traversal when using URL-encoded slashes. (MFSA 2008-44) Georgi Guninski discovered that resource: URLs could bypass local access restrictions. (MFSA 2008-44) Billy Hoffman discovered that the XBM decoder could reveal uninitialised memory. (MFSA 2008-45) It was discovered that a buffer overflow could be triggered via a long header in a news article, which could lead to arbitrary code execution. (MFSA 2008-46) Georgi Guninski, Michal Zalewski and Chris Evan discovered that the canvas element could be used to bypass same-origin restrictions. (MFSA 2008-48) It was discovered that insufficient checks in the Flash plugin glue code could lead to arbitrary code execution. (MFSA 2008-49) Jesse Ruderman discovered that a programming error in the window.__proto__.__proto__ object could lead to arbitrary code execution. (MFSA 2008-50) It was discovered that crashes in the layout engine could lead to arbitrary code execution. (MFSA 2008-52) Justin Schuh discovered that a buffer overflow in http-index-format parser could lead to arbitrary code execution. (MFSA 2008-54) It was discovered that a crash in the nsFrameManager might lead to the execution of arbitrary code. (MFSA 2008-55) "moz_bug_r_a4" discovered that the same-origin check in nsXMLHttpRequest::NotifyEventListeners() could be bypassed. (MFSA 2008-56) Chris Evans discovered that quote characters were improperly escaped in the default namespace of E4X documents. (MFSA 2008-58) Liu Die Yu discovered an information leak through local shortcut files. (MFSA 2008-59) Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60) Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61) Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64) Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65) Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66) It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68) It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68)SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1486 gnatsweb -- cross-site scriptingDebian GNU/Linux 4.0gnatswebr0t discovered that gnatsweb, a web interface to GNU GNATS, did not correctly sanitise the database parameter in the main CGI script. This could allow the injection of arbitrary HTML, or JavaScript code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1689 proftpd-dfsg -- missing input validationDebian GNU/Linux 4.0proftpd-dfsgMaksymilian Arciemowicz of securityreason.com reported that ProFTPD is vulnerable to cross-site request forgery (CSRF) attacks and executes arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1571 openssl -- predictable random number generatorDebian GNU/Linux 4.0opensslLuciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable. This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them. It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation. The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since that date propagated to the testing and current stable (etch) distributions. The old stable distribution (sarge) is not affected. Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though. A detector for known weak key material will be published at: http://security.debian.org/project/extra/dowkd/dowkd.pl.gz (OpenPGP signature) Instructions how to implement key rollover for various packages will be published at: http://www.debian.org/security/key-rollover/ This web site will be continuously updated to reflect new and updated instructions on key rollovers for packages using SSL certificates. Popular packages not affected will also be listed. In addition to this critical change, two other vulnerabilities have been fixed in the openssl package which were originally scheduled for release with the next etch point release: OpenSSL's DTLS (Datagram TLS, basically SSL over UDP) implementation did not actually implement the DTLS specification, but a potentially much weaker protocol, and contained a vulnerability permitting arbitrary code execution (CVE-2007-4995). A side channel attack in the integer multiplication routines is also addressed (CVE-2007-3108).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1540 lighttpd -- denial of serviceDebian GNU/Linux 4.0lighttpdIt was discovered that lighttpd, a fast webserver with minimal memory footprint, didn't correctly handle SSL errors. This could allow a remote attacker to disconnect all active SSL connections.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1575 linux-2.6 -- denial of serviceDebian GNU/Linux 4.0linux-2.6A vulnerability has been discovered in the Linux kernel that may lead to a denial of service. The Common Vulnerabilities and Exposures project identifies the following problem: Alexander Viro discovered a race condition in the fcntl code that may permit local users on multi-processor systems to execute parallel code paths that are otherwise prohibited and gain re-ordered access to the descriptor table.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1545 rsync -- integer overflowDebian GNU/Linux 4.0rsyncSebastian Krahmer discovered that an integer overflow in rsync"s code for handling extended attributes may lead to arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDACCEPTEDDSA-1691 moodle -- several vulnerabilitiesDebian GNU/Linux 4.0moodleSeveral remote vulnerabilities have been discovered in Moodle, an online course management system. The following issues are addressed in this update, ranging from cross site scripting to remote code execution. Various cross site scripting issues in the Moodle codebase (CVE-2008-3326, CVE-2008-3325, CVE-2007-3555, CVE-2008-5432, MSA-08-0021, MDL-8849, MDL-12793, MDL-11414, MDL-14806, MDL-10276). Various cross site request forgery issues in the Moodle codebase (CVE-2008-3325, MSA-08-0023). Privilege escalation bugs in the Moodle codebase (MSA-08-0001, MDL-7755). SQL injection issue in the hotpot module (MSA-08-0010). An embedded copy of Smarty had several vulnerabilities (CVE-2008-4811, CVE-2008-4810). An embedded copy of Snoopy was vulnerable to cross site scripting (CVE-2008-4796). An embedded copy of Kses was vulnerable to cross site scripting (CVE-2008-1502).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1719 gnutls13 -- design flawDebian GNU/Linux 4.0gnutls13Martin von Gagern discovered that GNUTLS, an implementation of the TLS/SSL protocol, handles verification of X.509 certificate chains incorrectly if a self-signed certificate is configured as a trusted certificate. This could cause clients to accept forged server certificates as genuine. (CVE-2008-4989) In addition, this update tightens the checks for X.509v1 certificates which causes GNUTLS to reject certain certificate chains it accepted before. (In certificate chain processing, GNUTLS does not recognize X.509v1 certificates as valid unless explicitly requested by the application.)SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1928 linux-2.6.24 -- privilege escalation/denial of service/sensitive memory leakDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. Ulrich Drepper noticed an issue in the do_sigalstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service (memory corruption). Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service (oops). Mark Smith discovered a memory leak in the appletalk implementation. When the appletalk and ipddp modules are loaded, but no ipddp"N" device is found, remote attackers can cause a denial of service by consuming large amounts of system memory. Loic Minier discovered an issue in the eCryptfs filesystem. A local user can cause a denial of service (kernel oops) by causing a dentry value to go negative. Arjan van de Ven discovered an issue in the AX.25 protocol implementation. A specially crafted call to setsockopt() can result in a denial of service (kernel oops). Jan Beulich discovered the existence of a sensitive kernel memory leak. Systems running the "amd64" kernel do not properly sanitise registers for 32-bit processes. Jiri Slaby fixed a sensitive memory leak issue in the ANSI/IEEE 802.2 LLC implementation. This is not exploitable in the Debian lenny kernel as root privileges are required to exploit this issue. Eric Dumazet fixed several sensitive memory leaks in the IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and Controller Area Network (CAN) implementations. Local users can exploit these issues to gain access to kernel memory. Eric Dumazet reported an instance of uninitialised kernel memory in the network packet scheduler. Local users may be able to exploit this issue to read the contents of sensitive kernel memory. CVE-2009-3238 Linus Torvalds provided a change to the get_random_int() function to increase its randomness. Eric Paris discovered an issue with the NFSv4 server implementation. When an O_EXCL create fails, files may be left with corrupted permissions, possibly granting unintentional privileges to other local users. Earl Chew discovered a NULL pointer dereference issue in the pipe_rdwr_open function which can be used by local users to gain elevated privileges. Jiri Pirko discovered a typo in the initialisation of a structure in the netlink subsystem that may allow local users to gain access to sensitive kernel memory. Alistair Strachan reported an issue in the r8169 driver. Remote users can cause a denial of service (IOMMU space exhaustion and system crash) by transmitting a large amount of jumbo frames. Ben Hutchings discovered an issue in the DRM manager for ATI Rage 128 graphics adapters. Local users may be able to exploit this vulnerability to cause a denial of service (NULL pointer dereference). Tomoki Sekiyama discovered a deadlock condition in the UNIX domain socket implementation. Local users can exploit this vulnerability to cause a denial of service (system hang).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1901 mediawiki1.7 -- several vulnerabilitiesDebian GNU/Linux 4.0mediawiki1.7Several vulnerabilities have been discovered in mediawiki1.7, a website engine for collaborative work. The Common Vulnerabilities and Exposures project identifies the following problems: David Remahl discovered that mediawiki1.7 is prone to a cross-site scripting attack. David Remahl discovered that mediawiki1.7, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page. David Remahl discovered that mediawiki1.7 is prone to a cross-site request forgery vulnerability in the Special:Import feature. It was discovered that mediawiki1.7 is prone to a cross-site scripting attack in the web-based installer.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1651 ruby1.8 -- several vulnerabilitiesDebian GNU/Linux 4.0ruby1.8Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. The Common Vulnerabilities and Exposures project identifies the following problems: Keita Yamaguchi discovered that several safe level restrictions are insufficiently enforced. Christian Neukirchen discovered that the WebRick module uses inefficient algorithms for HTTP header splitting, resulting in denial of service through resource exhaustion. It was discovered that the dl module doesn't perform taintness checks. Luka Treiber and Mitja Kolsek discovered that recursively nested XML entities can lead to denial of service through resource exhaustion in rexml. Tanaka Akira discovered that the resolv module uses sequential transaction IDs and a fixed source port for DNS queries, which makes it more vulnerable to DNS spoofing attacks.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1665 libcdaudio -- heap overflowDebian GNU/Linux 4.0libcdaudioIt was discovered that a heap overflow in the CDDB retrieval code of libcdaudio, a library for controlling a CD-ROM when playing audio CDs, may result in the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1498 libimager-perl -- buffer overflowDebian GNU/Linux 4.0libimager-perlIt was discovered that libimager-perl, a Perl extension for generating 24-bit images, did not correctly handle 8-bit compressed images, which could allow the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1849 xml-security-c -- design flawDebian GNU/Linux 5.0Debian GNU/Linux 4.0xml-security-cIt was discovered that the W3C XML Signature recommendation contains a protocol-level vulnerability related to HMAC output truncation. This update implements the proposed workaround in the C++ version of the Apache implementation of this standard, xml-security-c, by preventing truncation to output strings shorter than 80 bits or half of the original HMAC output, whichever is greater.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1628 pdns -- DNS response spoofingDebian GNU/Linux 4.0pdnsBrian Dowling discovered that the PowerDNS authoritative name server does not respond to DNS queries which contain certain characters, increasing the risk of successful DNS spoofing (CVE-2008-3337). This update changes PowerDNS to respond with SERVFAIL responses instead.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1703 bind9 -- interpretation conflictDebian GNU/Linux 4.0bind9It was discovered that BIND, an implementation of the DNS protocol suite, does not properly check the result of an OpenSSL function, which is used to verify DSA cryptographic signatures. As a result, incorrect DNS resource records in zones protected by DNSSEC could be accepted as genuine.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1902 elinks -- buffer overflowDebian GNU/Linux 4.0elinksJakub Wilk discovered an off-by-one buffer overflow in the charset handling of elinks, a feature-rich text-mode WWW browser, which might lead to the execution of arbitrary code if the user is tricked into opening a malformed HTML page.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1553 ikiwiki -- cross-site request forgeryDebian GNU/Linux 4.0ikiwikiIt has been discovered that ikiwiki, a Wiki implementation, does not guard password and content changes against cross-site request forgery (CSRF) attacks.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1670 enscript -- buffer overflowsDebian GNU/Linux 4.0enscriptSeveral vulnerabilities have been discovered in Enscript, a converter from ASCII text to Postscript, HTML or RTF. The Common Vulnerabilities and Exposures project identifies the following problems: Ulf Harnhammer discovered that a buffer overflow may lead to the execution of arbitrary code. Kees Cook and Tomas Hoger discovered that several buffer overflows may lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1918 phpmyadmin -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0phpmyadminSeveral remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name. SQL injection vulnerability in the PDF schema generator functionality allows remote attackers to execute arbitrary SQL commands. This issue does not apply to the version in Debian 4.0 Etch. Additionally, extra fortification has been added for the web based setup.php script. Although the shipped web server configuration should ensure that this script is protected, in practice this turned out not always to be the case. The config.inc.php file is not writable anymore by the webserver user. See README.Debian for details on how to enable the setup.php script if and when you need it.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1618 ruby1.9 -- several vulnerabilitiesDebian GNU/Linux 4.0ruby1.9Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that a programming error in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. It was discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1653 linux-2.6 -- denial of service/privilege escalationDebian GNU/Linux 4.0linux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Joe Jin reported a local denial of service vulnerability that allows system users to trigger an oops due to an improperly initialised data structure. Jan Kratochvil reported a local denial of service vulnerability in the ptrace interface for the s390 architecture. Local users can trigger an invalid pointer dereference, leading to a system panic. Eugene Teo reported an integer overflow in the DCCP subsystem that may allow remote attackers to cause a denial of service in the form of a kernel panic. Eugene Teo reported a lack of capability checks in the kernel driver for Granch SBNI12 leased line adapters (sbni), allowing local users to perform privileged operations. The S_ISUID/S_ISGID bits were not being cleared during an inode splice, which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. Mark Fasheh reported this issue. David Watson reported an issue in the open()/creat() system calls which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. A coding error in the splice subsystem allows local users to attempt to unlock a page structure that has not been locked, resulting in a system crash.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1512 evolution -- format string attackDebian GNU/Linux 4.0Debian GNU/Linux 3.1evolutionUlf Haumlrnhammar discovered that Evolution, the e-mail and groupware suite, had a format string vulnerability in the parsing of encrypted mail messages. If the user opened a specially crafted email message, code execution was possible.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1796 libwmf -- pointer use-after-freeDebian GNU/Linux 5.0Debian GNU/Linux 4.0libwmfTavis Ormandy discovered that the embedded GD library copy in libwmf, a library to parse windows metafiles (WMF), makes use of a pointer after it was already freed. An attacker using a crafted WMF file can cause a denial of service or possibly the execute arbitrary code via applications using this library.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1608 mysql-dfsg-5.0 -- authorisation bypassDebian GNU/Linux 4.0mysql-dfsg-5.0Sergei Golubchik discovered that MySQL, a widely-deployed database server, did not properly validate optional data or index directory paths given in a CREATE TABLE statement, nor would it (under proper conditions) prevent two databases from using the same paths for data or index files. This permits an authenticated user with authorisation to create tables in one database to read, write or delete data from tables subsequently created in other databases, regardless of other GRANT authorisations. The Common Vulnerabilities and Exposures project identifies this weakness as CVE-2008-2079.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1761 moodle -- missing input sanitisationDebian GNU/Linux 5.0Debian GNU/Linux 4.0moodleChristian J. Eibl discovered that the TeX filter of Moodle, a web-based course management system, doesn't check user input for certain TeX commands which allows an attacker to include and display the content of arbitrary system files. Note that this doesn't affect installations that only use the mimetex environment.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1639 twiki -- command executionDebian GNU/Linux 4.0twikiIt was discovered that twiki, a web based collaboration platform, didn't properly sanitise the image parameter in its configuration script. This could allow remote users to execute arbitrary commands upon the system, or read any files which were readable by the webserver user.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1485 icedove -- several vulnerabilitiesDebian GNU/Linux 4.0icedoveSeveral remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes in the layout engine, which might allow the execution of arbitrary code. Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor and tgirmann discovered crashes in the JavaScript engine, which might allow the execution of arbitrary code. moz_bug_r_a4 and Boris Zbarsky discovered several vulnerabilities in JavaScript handling, which could allow privilege escalation. Gerry Eisenhaur and moz_bug_r_a4 discovered that a directory traversal vulnerability in chrome: URI handling could lead to information disclosure. David Bloom discovered a race condition in the image handling of designMode elements, which can lead to information disclosure and potentially the execution of arbitrary code. Michal Zalewski discovered that timers protecting security-sensitive dialogs (by disabling dialog elements until a timeout is reached) could be bypassed by window focus changes through JavaScript. The Mozilla products from the old stable distribution (sarge) are no longer supported with security updates.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1585 speex -- integer overflowDebian GNU/Linux 4.0speexIt was discovered that speex, the Speex codec command line tools, did not correctly deal with negative offsets in a particular header field. This could allow a malicious file to execute arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1919 smarty -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0smartySeveral remote vulnerabilities have been discovered in Smarty, a PHP templating engine. The Common Vulnerabilities and Exposures project identifies the following problems: The _expand_quoted_text function allows for certain restrictions in templates, like function calling and PHP execution, to be bypassed. The smarty_function_math function allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1904 wget -- insufficient input validationDebian GNU/Linux 5.0Debian GNU/Linux 4.0wgetDaniel Stenberg discovered that wget, a network utility to retrieve files from the Web using HTTP(S) and FTP, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" published at the Blackhat conference some time ago. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1489 iceweasel -- several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes in the layout engine, which might allow the execution of arbitrary code. Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor and tgirmann discovered crashes in the JavaScript engine, which might allow the execution of arbitrary code. hong and Gregory Fleischer discovered that file input focus vulnerabilities in the file upload control could allow information disclosure of local files. moz_bug_r_a4 and Boris Zbarsky discovered several vulnerabilities in JavaScript handling, which could allow privilege escalation. Justin Dolske discovered that the password storage mechanism could be abused by malicious web sites to corrupt existing saved passwords. Gerry Eisenhaur and moz_bug_r_a4 discovered that a directory traversal vulnerability in chrome: URI handling could lead to information disclosure. David Bloom discovered a race condition in the image handling of designMode elements, which can lead to information disclosure and potentially the execution of arbitrary code. Michal Zalewski discovered that timers protecting security-sensitive dialogs (by disabling dialog elements until a timeout is reached) could be bypassed by window focus changes through JavaScript. It was discovered that malformed content declarations of saved attachments could prevent a user from opening local files with a .txt file name, resulting in minor denial of service. Martin Straka discovered that insecure stylesheet handling during redirects could lead to information disclosure. Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing protections could be bypassed with div elements. The Mozilla products from the old stable distribution (sarge) are no longer supported with security updates.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1837 dbus -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0dbusIt was discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack. This issue was caused by an incorrect fix for DSA-1658-1.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1759 strongswan -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0strongswanGerd v. Egidy discovered that the Pluto IKE daemon in strongswan, an IPSec implementation for linux, is prone to a denial of service attack via a malicious packet.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1877 mysql-dfsg-5.0 -- denial of service/execution of arbitrary codeDebian GNU/Linux 5.0Debian GNU/Linux 4.0mysql-dfsg-5.0In MySQL 4.0.0 through 5.0.83, multiple format string vulnerabilities in the dispatch_command() function in libmysqld/sql_parse.cc in mysqld allow remote authenticated users to cause a denial of service (daemon crash) and potentially the execution of arbitrary code via format string specifiers in a database name in a COM_CREATE_DB or COM_DROP_DB request.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1742 libsndfile -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0libsndfileAlan Rad Pop discovered that libsndfile, a library to read and write sampled audio data, is prone to an integer overflow. This causes a heap-based buffer overflow when processing crafted CAF description chunks possibly leading to arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1667 python2.4 -- several vulnerabilitiesDebian GNU/Linux 4.0python2.4Several vulnerabilities have been discovered in the interpreter for the Python language. The Common Vulnerabilities and Exposures project identifies the following problems: David Remahl discovered several integer overflows in the stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, and mmapmodule modules. Justin Ferguson discovered that incorrect memory allocation in the unicode_resize() function can lead to buffer overflows. Several integer overflows were discovered in various Python core modules. Several integer overflows were discovered in the PyOS_vsnprintf() function.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1694 xterm -- design flawDebian GNU/Linux 4.0xtermPaul Szabo discovered that xterm, a terminal emulator for the X Window System, places arbitrary characters into the input buffer when displaying certain crafted escape sequences (CVE-2008-2383). As an additional precaution, this security update also disables font changing, user-defined keys, and X property changes through escape sequences.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1943 openldap openldap2.3 -- insufficient input validationDebian GNU/Linux 5.0Debian GNU/Linux 4.0openldapopenldap2.3It was discovered that OpenLDAP, a free implementation of the Lightweight Directory Access Protocol, when OpenSSL is used, does not properly handle a "\0" character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1521 lighttpd -- file disclosureDebian GNU/Linux 4.0lighttpdJulien Cayzac discovered that under certain circumstances lighttpd, a fast webserver with minimal memory footprint, might allow the reading of arbitrary files from the system. This problem could only occur with a non-standard configuration.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1692 php-xajax -- insufficient input sanitisingDebian GNU/Linux 4.0php-xajaxIt was discovered that php-xajax, a library to develop Ajax applications, did not sufficiently sanitise URLs, which allows attackers to perform cross-site scripting attacks by using malicious URLs. For the stable distribution (etch) this problem has been fixed in version 0.2.4-2+etch1. For the testing (lenny) and unstable (sid) distributions this problem has been fixed in version 0.2.5-1. We recommend that you upgrade your php-xajax package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1474 exiv2 -- integer overflowDebian GNU/Linux 4.0exiv2Meder Kydyraliev discovered an integer overflow in the thumbnail handling of libexif, the EXIF/IPTC metadata manipulation library, which could result in the execution of arbitrary code. The old stable distribution (sarge) doesn't contain exiv2 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1492 wml -- insecure temporary filesDebian GNU/Linux 4.0wmlFrank Lichtenheld and Nico Golde discovered that WML, an off-line HTML generation toolkit, creates insecure temporary files in the eperl and ipp backends and in the wmg.cgi script, which could lead to a local denial of service by overwriting files. The old stable distribution (sarge) is not affected.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1514 moin -- several vulnerabilitiesDebian GNU/Linux 4.0moinSeveral remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki. The Common Vulnerabilities and Exposures project identifies the following problems: A cross-site-scripting vulnerability has been discovered in attachment handling. Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure. A cross-site-scripting vulnerability has been discovered in the login code. A cross-site-scripting vulnerability has been discovered in attachment handling. A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files. Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages. The macro code validates access control lists insufficiently, which could lead to information disclosure.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1940 php5 -- multiple issuesDebian GNU/Linux 5.0Debian GNU/Linux 4.0php5Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems: The following issues have been fixed in both the stable (lenny) and the oldstable (etch) distributions: CVE-2009-2687, CVE-2009-3292. The exif module did not properly handle malformed jpeg files, allowing an attacker to cause a segfault, resulting in a denial of service. The php_openssl_apply_verification_policy() function did not properly perform certificate validation. Bogdan Calin discovered that a remote attacker could cause a denial of service by uploading a large number of files in using multipart/ form-data requests, causing the creation of a large number of temporary files. To address this issue, the max_file_uploads option introduced in PHP 5.3.1 has been backported. This option limits the maximum number of files uploaded per request. The default value for this new option is 50. See NEWS.Debian for more information. The following issue has been fixed in the stable (lenny) distribution: A flaw in the ini_restore() function could lead to a memory disclosure, possibly leading to the disclosure of sensitive data. In the oldstable (etch) distribution, this update also fixes a regression introduced by the fix for CVE-2008-5658 in DSA-1789-1 (bug #527560).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1572 php5 -- several vulnerabilitiesDebian GNU/Linux 4.0php5Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems: The glob function allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an invalid value of the flags parameter. Integer overflow allows context-dependent attackers to cause a denial of service and possibly have other impact via a printf format parameter with a large width specifier. Stack-based buffer overflow in the FastCGI SAPI. The escapeshellcmd API function could be attacked via incomplete multibyte chars.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1581 gnutls13 -- several vulnerabilitiesDebian GNU/Linux 4.0gnutls13Several remote vulnerabilities have been discovered in GNUTLS, an implementation of the SSL/TLS protocol suite. NOTE: The libgnutls13 package, which provides the GNUTLS library, does not contain logic to automatically restart potentially affected services. You must restart affected services manually (mainly Exim, using /etc/init.d/exim4 restart) after applying the update, to make the changes fully effective. Alternatively, you can reboot the system. The Common Vulnerabilities and Exposures project identifies the following problems: A pre-authentication heap overflow involving oversized session resumption data may lead to arbitrary code execution. Repeated client hellos may result in a pre-authentication denial of service condition due to a null pointer dereference. Decoding cipher padding with an invalid record length may cause GNUTLS to read memory beyond the end of the received record, leading to a pre-authentication denial of service condition.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1499 pcre3 -- buffer overflowDebian GNU/Linux 4.0Debian GNU/Linux 3.1pcre3It was discovered that specially crafted regular expressions involving codepoints greater than 255 could cause a buffer overflow in the PCRE library (CVE-2008-0674).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1883 nagios2 -- missing input sanitisingDebian GNU/Linux 4.0nagios2Several vulnerabilities have been found in nagios2, a host/service/network monitoring and management system. The Common Vulnerabilities and Exposures project identifies the following problems: Several cross-site scripting issues via several parameters were discovered in the CGI scripts, allowing attackers to inject arbitrary HTML code. In order to cover the different attack vectors, these issues have been assigned CVE-2008-1360.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1706 amarok -- integer overflowsDebian GNU/Linux 4.0amarokTobias Klein discovered that integer overflows in the code the Amarok media player uses to parse Audible files may lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1494 linux-2.6 -- missing access checksDebian GNU/Linux 4.0linux-2.6The vmsplice system call did not properly verify address arguments passed by user space processes, which allowed local attackers to overwrite arbitrary kernel memory, gaining root privileges (CVE-2008-0010, CVE-2008-0600). In the vserver-enabled kernels, a missing access check on certain symlinks in /proc enabled local attackers to access resources in other vservers (CVE-2008-0163). The old stable distribution (sarge) is not affected by this problem.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1458 openafs -- programming errorDebian GNU/Linux 4.0Debian GNU/Linux 3.1openafsA race condition in the OpenAFS fileserver allows remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks, which causes the handler for the GiveUpAllCallBacks RPC to perform linked-list operations without the host_glock lock. For the old stable distribution (sarge), this problem has been fixed in version 1.3.81-3sarge3. For the stable distribution (etch), this problem has been fixed in version 1.4.2-6etch1. We recommend that you upgrade your openafs packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1893 cyrus-imapd-2.2 kolab-cyrus-imapd -- buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0cyrus-imapd-2.2kolab-cyrus-imapdIt was discovered that the SIEVE component of cyrus-imapd and kolab-cyrus-imapd, the Cyrus mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. The update introduced by DSA 1881-1 was incomplete and the issue has been given an additional CVE id due to its complexity.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1660 clamav -- null pointer dereference, resource exhaustionDebian GNU/Linux 4.0clamavSeveral denial-of-service vulnerabilities have been discovered in the ClamAV anti-virus toolkit: Insufficient checking for out-of-memory conditions results in null pointer dereferences (CVE-2008-3912). Incorrect error handling logic leads to memory leaks (CVE-2008-3913) and file descriptor leaks (CVE-2008-3914).SecPod TeamDRAFTINTERIMACCEPTEDJerome AthiasINTERIMSergey ArtykhovACCEPTEDACCEPTEDDSA-1783 mysql-dfsg-5.0 -- multiple vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0mysql-dfsg-5.0Multiple vulnerabilities have been identified affecting MySQL, a relational database server, and its associated interactive client application. The Common Vulnerabilities and Exposures project identifies the following two problems: Kay Roepke reported that the MySQL server would not properly handle an empty bit-string literal in an SQL statement, allowing an authenticated remote attacker to cause a denial of service (a crash) in mysqld. This issue affects the oldstable distribution (etch), but not the stable distribution (lenny). Thomas Henlich reported that the MySQL commandline client application did not encode HTML special characters when run in HTML output mode (that is, "mysql --html ..."). This could potentially lead to cross-site scripting or unintended script privilege escalation if the resulting output is viewed in a browser or incorporated into a web site.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1690 avahi -- assert errorsDebian GNU/Linux 4.0avahiTwo denial of service conditions were discovered in avahi, a Multicast DNS implementation. Huge Dias discovered that the avahi daemon aborts with an assert error if it encounters a UDP packet with source port 0 (CVE-2008-5081). It was discovered that the avahi daemon aborts with an assert error if it receives an empty TXT record over D-Bus (CVE-2007-3372).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1456 fail2ban -- programming errorDebian GNU/Linux 4.0fail2banDaniel B. Cid discovered that fail2ban, a tool to block IP addresses that cause login failures, is too liberal about parsing SSH log files, allowing an attacker to block any IP address. The old stable distribution (sarge) doesn't contain fail2ban. For the stable distribution (etch), this problem has been fixed in version 0.7.5-2etch1. For the unstable distribution (sid), this problem has been fixed in version 0.8.0-4. We recommend that you upgrade your fail2ban package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1799 qemu -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0qemuSeveral vulnerabilities have been discovered in the QEMU processor emulator. The Common Vulnerabilities and Exposures project identifies the following problems: Ian Jackson discovered that range checks of file operations on emulated disk devices were insufficiently enforced. It was discovered that an error in the format auto detection of removable media could lead to the disclosure of files in the host system. A buffer overflow has been found in the emulation of the Cirrus graphics adaptor.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1612 ruby1.8 -- several vulnerabilitiesDebian GNU/Linux 4.0ruby1.8Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that multiple integer overflows in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that a programming error in the string processing code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. Drew Yao discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrary code. It was discovered that an integer overflow in the array handling code may lead to denial of service and potentially the execution of arbitrarySecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1914 mapserver -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0mapserverSeveral vulnerabilities have been discovered in mapserver, a CGI-based web framework to publish spatial data and interactive mapping applications. The Common Vulnerabilities and Exposures project identifies the following problems: Missing input validation on a user supplied map queryfile name can be used by an attacker to check for the existence of a specific file by using the queryfile GET parameter and checking for differences in error messages. A lack of file type verification when parsing a map file can lead to partial disclosure of content from arbitrary files through parser error messages. Due to missing input validation when saving map files under certain conditions it is possible to perform directory traversal attacks and to create arbitrary files. NOTE: Unless the attacker is able to create directories in the image path or there is already a readable directory this doesn't affect installations on Linux as the fopen() syscall will fail in case a sub path is not readable. It was discovered that mapserver is vulnerable to a stack-based buffer overflow when processing certain GET parameters. An attacker can use this to execute arbitrary code on the server via crafted id parameters. An integer overflow leading to a heap-based buffer overflow when processing the Content-Length header of an HTTP request can be used by an attacker to execute arbitrary code via crafted POST requests containing negative Content-Length values. An integer overflow when processing HTTP requests can lead to a heap-based buffer overflow. An attacker can use this to execute arbitrary code either via crafted Content-Length values or large HTTP request. This is partly because of an incomplete fix for CVE-2009-0840.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1534 iceape -- several vulnerabilitiesDebian GNU/Linux 4.0iceapeSeveral remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite. The Common Vulnerabilities and Exposures project identifies the following problems: Peter Brodersen and Alexander Klink discovered that the autoselection of SSL client certificates could lead to users being tracked, resulting in a loss of privacy. moz_bug_r_a4 discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. moz_bug_r_a4 discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered that incorrect principal handling could lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. Georgi, Tgirmann and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Gregory Fleischer discovered that HTTP Referrer headers were handled incorrectly in combination with URLs containing Basic Authentication credentials with empty usernames, resulting in potential Cross-Site Request Forgery attacks. Gregory Fleischer discovered that web content fetched through the jar: protocol can use Java to connect to arbitrary ports. This is only an issue in combination with the non-free Java plugin. Chris Thomas discovered that background tabs could generate XUL popups overlaying the current tab, resulting in potential spoofing attacks. The Mozilla products from the old stable distribution (sarge) are no longer supported.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1841 git-core -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0git-coreIt was discovered that git-daemon which is part of git-core, a popular distributed revision control system, is vulnerable to denial of service attacks caused by a programming mistake in handling requests containing extra unrecognized arguments which results in an infinite loop. While this is no problem for the daemon itself as every request will spawn a new git-daemon instance, this still results in a very high CPU consumption and might lead to denial of service conditions.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1793 kdegraphics -- multiple vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0kdegraphicskpdf, a Portable Document Format (PDF) viewer for KDE, is based on the xpdf program and thus suffers from similar flaws to those described in DSA-1790. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple buffer overflows in the JBIG2 decoder in kpdf allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg. Multiple integer overflows in the JBIG2 decoder in kpdf allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. Integer overflow in the JBIG2 decoder in kpdf has unspecified impact related to "g*allocn." The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialised memory. The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read. Multiple "input validation flaws" in the JBIG2 decoder in kpdf allow remote attackers to execute arbitrary code via a crafted PDF file. Integer overflow in the JBIG2 decoder in kpdf allows remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 decoder in kpdf allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference. Multiple buffer overflows in the JBIG2 MMR decoder in kpdf allow remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 MMR decoder in kpdf allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file. The old stable distribution (etch), these problems have been fixed in version 4:3.5.5-3etch3.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1842 openexr -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0openexrSeveral vulnerabilities have been discovered in the OpenEXR image library, which can lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered integer overflows in the preview and compression code. Drew Yao discovered that an uninitialised pointer could be freed in the decompression code. A buffer overflow was discovered in the compression code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1509 koffice -- multiple vulnerabilitiesDebian GNU/Linux 4.0kofficeSeveral vulnerabilities have been discovered in xpdf code that is embedded in koffice, an integrated office suite for KDE. These flaws could allow an attacker to execute arbitrary code by inducing the user to import a specially crafted PDF document. The Common Vulnerabilities and Exposures project identifies the following problems: Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice, CUPS, and other products, allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file. Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a crafted PDF file, resulting in a heap-based buffer overflow. Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a PDF file that contains a crafted CCITTFaxDecode filter. Updates for the old stable distribution (sarge) will be made available as soon as possible.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1944 request-tracker3.4 request-tracker3.6 -- session hijackDebian GNU/Linux 5.0Debian GNU/Linux 4.0request-tracker3.4request-tracker3.6Mikal Gule discovered that request-tracker, an extensible trouble-ticket tracking system, is prone to an attack, where an attacker with access to the same domain can hijack a user's RT session.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1519 horde3 -- insufficient input sanitisingDebian GNU/Linux 4.0Debian GNU/Linux 3.1horde3It was discovered that the Horde web application framework permits arbitrary file inclusion by a remote attacker through the theme preference parameter.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1860 ruby1.8, ruby1.9 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0ruby1.8ruby1.9Several vulnerabilities have been discovered in Ruby. The Common Vulnerabilities and Exposures project identifies the following problems: The return value from the OCSP_basic_verify function was not checked properly, allowing continued use of a revoked certificate. An issue in parsing BigDecimal numbers can result in a denial-of-service condition (crash). The following matrix identifies fixed versions: We recommend that you upgrade your Ruby packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1552 mplayer -- missing input sanitisingDebian GNU/Linux 4.0mplayerIt was discovered that the MPlayer movie player performs insufficient input sanitising on SDP session data, leading to potential execution of arbitrary code through a malformed multimedia stream.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1449 loop-aes-utils -- programming errorDebian GNU/Linux 4.0Debian GNU/Linux 3.1loop-aes-utilsIt was discovered that loop-aes-utils, tools for mounting and manipulating filesystems, didn't drop privileged user and group permissions in the correct order in the mount and umount commands. This could potentially allow a local user to gain additional privileges.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1495 nagios-plugins -- buffer overflowsDebian GNU/Linux 4.0Debian GNU/Linux 3.1nagios-pluginsSeveral local/remote vulnerabilities have been discovered in two of the plugins for the Nagios network monitoring and management system. The Common Vulnerabilities and Exposures project identifies the following problems: A buffer overflow has been discovered in the parser for HTTP Location headers (present in the check_http module). A buffer overflow has been discovered in the check_snmp module.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1465 apt-listchanges -- programming errorDebian GNU/Linux 4.0apt-listchangesFelipe Sateler discovered that apt-listchanges, a package change history notification tool, used unsafe paths when importing its python libraries. This could allow the execution of arbitrary shell commands if the root user executed the command in a directory which other local users may write to.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1475 gforge -- missing input sanitisingDebian GNU/Linux 4.0gforgeJoseacute Ramoacuten Palanco discovered that a cross site scripting vulnerability in GForge, a collaborative development tool, allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user's session. The old stable distribution (sarge) is not affected by this problem.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1564 wordpress -- multiple vulnerabilitiesDebian GNU/Linux 4.0wordpressSeveral remote vulnerabilities have been discovered in WordPress, a weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: Insufficient input sanitising allowed for remote attackers to redirect visitors to external websites. Multiple cross-site scripting vulnerabilities allowed remote authenticated administrators to inject arbitrary web script or HTML. SQL injection vulnerability allowed allowed remote authenticated administrators to execute arbitrary SQL commands. WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, which is downloaded even though it cannot contain usable pingback data. Insufficient input sanitising caused an attacker with a normal user account to access the administrative interface.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1460 postgresql-8.1 -- several vulnerabilitiesDebian GNU/Linux 4.0postgresql-8.1Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the DBLink module performed insufficient credential validation. This issue is also tracked as CVE-2007-6601, since the initial upstream fix was incomplete. Tavis Ormandy and Will Drewry discovered that a bug in the handling of back-references inside the regular expressions engine could lead to an out of bounds read, resulting in a crash. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked into an infinite loop, resulting in denial of service. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Tavis Ormandy and Will Drewry discovered that the optimizer for regular expression could be tricked massive resource consumption. This constitutes only a security problem if an application using PostgreSQL processes regular expressions from untrusted sources. Functions in index expressions could lead to privilege escalation. For a more in depth explanation please see the upstream announce available at http://www.postgresql.org/about/news.905. The old stable distribution (sarge), doesn't contain postgresql-8.1. For the stable distribution (etch), these problems have been fixed in version postgresql-8.1 8.1.11-0etch1. For the unstable distribution (sid), these problems have been fixed in version 8.2.6-1 of postgresql-8.2. We recommend that you upgrade your postgresql-8.1 (8.1.11-0etch1) package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1781 ffmpeg-debian -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0ffmpeg-debianSeveral vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. It was discovered that using a crafted STR file can lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1613 libgd2 -- multiple vulnerabilitiesDebian GNU/Linux 4.0libgd2Multiple vulnerabilities have been identified in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems: Grayscale PNG files containing invalid tRNS chunk CRC values could cause a denial of service (crash), if a maliciously crafted image is loaded into an application using libgd. An array indexing error in libgd's GIF handling could induce a denial of service (crash with heap corruption) if exceptionally large color index values are supplied in a maliciously crafted GIF image file. The imagearc() and imagefilledarc() routines in libgd allow an attacker in control of the parameters used to specify the degrees of arc for those drawing functions to perform a denial of service attack (excessive CPU consumption). Multiple integer overflows exist in libgd's image resizing and creation routines; these weaknesses allow an attacker in control of the parameters passed to those routines to induce a crash or execute arbitrary code with the privileges of the user running an application or interpreter linked against libgd2.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1596 typo3 -- several vulnerabilitiesDebian GNU/Linux 4.0typo3Several remote vulnerabilities have been discovered in the TYPO3 content management framework. Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, authenticated backend users could upload files that allowed to execute arbitrary code as the webserver user. User input processed by fe_adminlib.inc is not being properly filtered to prevent Cross Site Scripting (XSS) attacks, which is exposed when specific plugins are in use.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1857 camlimages -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0camlimagesTielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of JPEG and GIF Images, while DSA 1832-1 addressed the issue with PNG images.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1832 camlimages -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0camlimagesTielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1543 vlc -- several vulnerabilitiesDebian GNU/Linux 4.0vlcLuigi Auriemma, Alin Rad Pop, Reacute mi Denis-Courmont, Quovodis, Guido Landi, Felipe Manzano, Anibal Sacco and others discovered multiple vulnerabilities in vlc, an application for playback and streaming of audio and video. In the worst case, these weaknesses permit a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user running vlc. The Common Vulnerabilities and Exposures project identifies the following eight problems: A buffer overflow vulnerability in subtitle handling allows an attacker to execute arbitrary code through the opening of a maliciously crafted MicroDVD, SSA or Vplayer file. A format string vulnerability in the HTTP-based remote control facility of the vlc application allows a remote, unauthenticated attacker to execute arbitrary code. Insecure argument validation allows a remote attacker to overwrite arbitrary files writable by the user running vlc, if a maliciously crafted M3U playlist or MP3 audio file is opened. Heap buffer overflows in RTSP stream and session description protocol (SDP) handling allow an attacker to execute arbitrary code if a maliciously crafted RTSP stream is played. Insufficient integer bounds checking in SDP handling allows the execution of arbitrary code through a maliciously crafted SDP stream ID parameter in an RTSP stream. Insufficient integrity checking in the MP4 demuxer allows a remote attacker to overwrite arbitrary memory and execute arbitrary code if a maliciously crafted MP4 file is opened. An integer overflow vulnerability in MP4 handling allows a remote attacker to cause a heap buffer overflow, inducing a crash and possibly the execution of arbitrary code if a maliciously crafted MP4 file is opened.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1900 postgresql-7.4, postgresql-8.1, postgresql-8.3, postgresql-8.4 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0postgresql-7.4postgresql-8.1postgresql-8.3postgresql-8.4Several vulnerabilities have been discovered in PostgreSQL, an SQL database system. The Common Vulnerabilities and Exposures project identifies the following problems: Authenticated users can shut down the backend server by re-LOAD-ing libraries in $libdir/plugins, if any libraries are present there. (The old stable distribution (etch) is not affected by this issue.) Authenticated non-superusers can gain database superuser privileges if they can create functions and tables due to incorrect execution of functions in functional indexes. If PostgreSQL is configured with LDAP authentication, and the LDAP configuration allows anonymous binds, it is possible for a user to authenticate themselves with an empty password. (The old stable distribution (etch) is not affected by this issue.) In addition, this update contains reliability improvements which do not target security issues.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1810 libapache-mod-jk -- information disclosureDebian GNU/Linux 5.0Debian GNU/Linux 4.0libapache-mod-jkAn information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the "Content-Length" header without providing request body data, or if a client sent repeated requests very quickly, one client could obtain a response intended for another client. The oldstable distribution (etch), this problem has been fixed in version 1:1.2.18-3etch2.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1443 tcpreen -- buffer overflowsDebian GNU/Linux 4.0tcpreenIt was discovered that several buffer overflows in tcpreen, a tool for monitoring a TCP connection, may lead to denial of service. The old stable distribution (sarge) doesn't contain tcpreen. For the stable distribution (etch), this problem has been fixed in version 1.4.3-0.1etch1. For the unstable distribution (sid), this problem has been fixed in version 1.4.3-0.3. We recommend that you upgrade your tcpreen package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1847 bind9 -- improper assertDebian GNU/Linux 5.0Debian GNU/Linux 4.0bind9It was discovered that the BIND DNS server terminates when processing a specially crafted dynamic DNS update. This vulnerability affects all BIND servers which serve at least one DNS zone authoritatively, as a master, even if dynamic updates are not enabled. The default Debian configuration for resolvers includes several authoritative zones, too, so resolvers are also affected by this issue unless these zones have been removed.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1629 postfix -- programming errorDebian GNU/Linux 4.0postfixSebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root. Note that only specific configurations are vulnerable; the default Debian installation is not affected. Only a configuration meeting the following requirements is vulnerable: For a detailed treating of the issue, please refer to the upstream author's announcement.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1698 gforge -- insufficient input sanitisingDebian GNU/Linux 4.0gforgeIt was discovered that GForge, a collaborative development tool, insufficiently sanitises some input allowing a remote attacker to perform SQL injection.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1565 linux-2.6 -- several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. David Peer discovered that users could escape administrator imposed cpu time limitations (RLIMIT_CPU) by setting a limit of 0. Alexander Viro discovered a race condition in the directory notification subsystem that allows local users to cause a Denial of Service (oops) and possibly result in an escalation of privileges.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1746 ghostscript -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0ghostscriptTwo security issues have been discovered in ghostscript, the GPL Ghostscript PostScript/PDF interpreter. The Common Vulnerabilities and Exposures project identifies the following problems: Jan Lieskovsky discovered multiple integer overflows in the ICC library, which allow the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images. Jan Lieskovsky discovered insufficient upper-bounds checks on certain variable sizes in the ICC library, which allow the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images.SecPod TeamDRAFTINTERIMACCEPTEDACCEPTEDDSA-1491 tk8.4 -- buffer overflowDebian GNU/Linux 4.0Debian GNU/Linux 3.1tk8.4It was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to a denial of service and potentially the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1451 mysql-dfsg-5.0 -- several vulnerabilitiesDebian GNU/Linux 4.0mysql-dfsg-5.0Several local/remote vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the privilege validation for the source table of CREATE TABLE LIKE statements was insufficiently enforced, which might lead to information disclosure. This is only exploitable by authenticated users. It was discovered that symbolic links were handled insecurely during the creation of tables with DATA DIRECTORY or INDEX DIRECTORY statements, which might lead to denial of service by overwriting data. This is only exploitable by authenticated users. It was discovered that queries to data in a FEDERATED table can lead to a crash of the local database server, if the remote server returns information with less columns than expected, resulting in denial of service. The old stable distribution (sarge) doesn't contain mysql-dfsg-5.0. For the stable distribution (etch), these problems have been fixed in version 5.0.32-7etch4. For the unstable distribution (sid), these problems have been fixed in version 5.0.51-1. We recommend that you upgrade your mysql-dfsg-5.0SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1477 yarssr -- missing input sanitisingDebian GNU/Linux 4.0yarssrDuncan Gilmore discovered that yarssr, an RSS aggregator and reader, performs insufficient input sanitising, which could result in the execution of arbitrary shell commands if a malformed feed is read. Due to a technical limitation of the archive management scripts, the fix for the old stable distribution (sarge) needs to be postponed by a few days.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1716 vnc4 -- integer overflowDebian GNU/Linux 4.0vnc4It was discovered that xvnc4viewer, a virtual network computing client software for X, is prone to an integer overflow via a malicious encoding value that could lead to arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1707 iceweasel -- several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60) Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61) It was discovered that attackers could run arbitrary JavaScript with chrome privileges via vectors related to the feed preview. (MFSA 2008-62) Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64) Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65) Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66) Kojima Hajime and Jun Muto discovered that escaped null characters were ignored by the CSS parser and could lead to the bypass of protection mechanisms (MFSA 2008-67) It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68) It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68) moz_bug_r_a4 discovered that the session-restore feature does not properly sanitise input leading to arbitrary injections. This issue could be used to perform an XSS attack or run arbitrary JavaScript with chrome privileges. (MFSA 2008-69)SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1666 libxml2 -- several vulnerabilitiesDebian GNU/Linux 4.0libxml2Several vulnerabilities have been discovered in the GNOME XML library. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered that missing input sanitising in the xmlBufferResize() function may lead to an infinite loop, resulting in denial of service. Drew Yao discovered that an integer overflow in the xmlSAX2Characters() function may lead to denial of service or the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1659 libspf2 -- buffer overflowDebian GNU/Linux 4.0libspf2Dan Kaminsky discovered that libspf2, an implementation of the Sender Policy Framework (SPF) used by mail servers for mail filtering, handles malformed TXT records incorrectly, leading to a buffer overflow condition (CVE-2008-2469). Note that the SPF configuration template in Debian's Exim configuration recommends to use libmail-spf-query-perl, which does not suffer from this issue.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1709 shadow -- race conditionDebian GNU/Linux 4.0shadowPaul Szabo discovered that login, the system login tool, did not correctly handle symlinks while setting up tty permissions. If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1678 perl -- design flawsDebian GNU/Linux 4.0perlPaul Szabo rediscovered a vulnerability in the File::Path::rmtree function of Perl. It was possible to exploit a race condition to create setuid binaries in a directory tree or remove arbitrary files when a process is deleting this tree. This issue was originally known as CVE-2005-0448 and CVE-2004-0452, which were addressed by DSA-696-1 and DSA-620-1. Unfortunately, they were reintroduced later.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1714 rt2570 -- integer overflowDebian GNU/Linux 4.0rt2570It was discovered that an integer overflow in the "Probe Request" packet parser of the Ralinktech wireless drivers might lead to remote denial of service or the execution of arbitrary code. Please note that you need to rebuild your driver from the source package in order to set this update into effect. Detailed instructions can be found in /usr/share/doc/rt2570-source/README.DebianSecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1794 linux-2.6 -- denial of service/privilege escalation/information leakDebian GNU/Linux 4.0linux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service, privilege escalation, or information leak. The Common Vulnerabilities and Exposures project identifies the following problems: Bryn M. Reeves reported a denial of service in the NFS filesystem. Local users can trigger a kernel BUG() due to a race condition in the do_setlk function. Helge Deller discovered a denial of service condition that allows local users on PA-RISC to crash the system by attempting to unwind a stack containing userspace addresses. Vlad Malov reported an issue on 64-bit MIPS where a local user could cause a system crash by crafting a malicious binary which makes o32 syscalls with a number less than 4000. Zvonimir Rakamaric reported an off-by-one error in the ib700wdt watchdog driver which allows local users to cause a buffer underflow by making a specially crafted WDIOC_SETTIMEOUT ioctl call. Flavio Leitner discovered that a local user can cause a denial of service by generating large amounts of traffic on a large SMP system, resulting in soft lockups. Chris Evans discovered a situation in which a child process can send an arbitrary signal to its parent. Christian Borntraeger discovered an issue effecting the alpha, mips, powerpc, s390 and sparc64 architectures that allows local users to cause a denial of service or potentially gain elevated privileges. Vegard Nossum discovered a memory leak in the keyctl subsystem that allows local users to cause a denial of service by consuming all available kernel memory. Wei Yongjun discovered a memory overflow in the SCTP implementation that can be triggered by remote users, permitting remote code execution. Pavel Roskin provided a fix for an issue in the dell_rbu driver that allows a local user to cause a denial of service (oops) by reading 0 bytes from a sysfs entry. Roel Kluin discovered inverted logic in the skfddi driver that permits local, unprivileged users to reset the driver statistics. Clement LECIGNE discovered a bug in the sock_getsockopt function that may result in leaking sensitive kernel memory. Roland McGrath discovered an issue on amd64 kernels that allows local users to circumvent system call audit configurations which filter based on the syscall numbers or argument details. Jiri Olsa discovered that a local user can cause a denial of service (system hang) using a SHM_INFO shmctl call on kernels compiled with CONFIG_SHMEM disabled. This issue does not affect prebuilt Debian kernels. Shaohua Li reported an issue in the AGP subsystem that may allow local users to read sensitive kernel memory due to a leak of uninitialised memory. Thomas Pollet reported an overflow in the af_rose implementation that allows remote attackers to retrieve uninitialised kernel memory that may contain sensitive data. Trond Myklebust reported an issue in the encode_lookup() function in the nfs server subsystem that allows local users to cause a denial of service (oops in encode_lookup()) by use of a long filename. Oleg Nesterov discovered an issue in the exit_notify function that allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. Pavan Naregundi reported an issue in the CIFS filesystem code that allows remote users to overwrite memory via a long nativeFileSystem field in a Tree Connect response during mount.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1533 exiftags -- insufficient input sanitisingDebian GNU/Linux 4.0Debian GNU/Linux 3.1exiftagsChristian Schmid and Meder Kydyraliev (Google Security) discovered a number of vulnerabilities in exiftags, a utility for extracting EXIF metadata from JPEG images. The Common Vulnerabilities and Exposures project identified the following three problems: Inadequate EXIF property validation could lead to invalid memory accesses if executed on a maliciously crafted image, potentially including heap corruption and the execution of arbitrary code. Flawed data validation could lead to integer overflows, causing other invalid memory accesses, also with the potential for memory corruption or arbitrary code execution. Cyclical EXIF image file directory (IFD) references could cause a denial of service (infinite loop).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1538 alsaplayer -- buffer overrunDebian GNU/Linux 4.0alsaplayerErik Sjoumllund discovered a buffer overflow vulnerability in the Ogg Vorbis input plugin of the alsaplayer audio playback application. Successful exploitation of this vulnerability through the opening of a maliciously crafted Vorbis file could lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1493 sdl-image1.2 -- buffer overflowsDebian GNU/Linux 4.0Debian GNU/Linux 3.1sdl-image1.2Several local/remote vulnerabilities have been discovered in the image loading library for the Simple DirectMedia Layer 1.2. The Common Vulnerabilities and Exposures project identifies the following problems: Gynvael Coldwind discovered a buffer overflow in GIF image parsing, which could result in denial of service and potentially the execution of arbitrary code. It was discovered that a buffer overflow in IFF ILBM image parsing could result in denial of service and potentially the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1549 clamav -- buffer overflowsDebian GNU/Linux 4.0clamavSeveral remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems: Damian Put discovered that a buffer overflow in the handler for PeSpin binaries may lead to the execution of arbitrary code. Alin Rad Pop discovered that a buffer overflow in the handler for Upack PE binaries may lead to the execution of arbitrary code. Damian Put and Thomas Pollet discovered that a buffer overflow in the handler for WWPack-compressed PE binaries may lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1520 smarty -- insufficient input sanitisingDebian GNU/Linux 4.0Debian GNU/Linux 3.1smartyIt was discovered that the regex module in Smarty, a PHP templating engine, allows attackers to call arbitrary PHP functions via templates using the regex_replace plugin by a specially crafted search string.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1510 gs-esp gs-gpl -- buffer overflowDebian GNU/Linux 4.0Debian GNU/Linux 3.1gs-espgs-gplChris Evans discovered a buffer overflow in the color space handling code of the Ghostscript PostScript/PDF interpreter, which might result in the execution of arbitrary code if a user is tricked into processing a malformed file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1469 flac -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1flacSean de Regge and Greg Linares discovered multiple heap and stack based buffer overflows in FLAC, the Free Lossless Audio Codec, which could lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1624 liebxslt -- buffer overflowsDebian GNU/Linux 4.0libxsltChris Evans discovered that a buffer overflow in the RC4 functions of libexslt may lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1536 xine-lib -- several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 3.1xine-libSeveral local vulnerabilities have been discovered in Xine, a media player library, allowed for a denial of service or arbitrary code execution, which could be exploited through viewing malicious content. The Common Vulnerabilities and Exposures project identifies the following problems: The DMO_VideoDecoder_Open function does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code (applies to sarge only). Array index error in the sdpplin_parse function allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter. Array index vulnerability in libmpdemux/demux_audio.c might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow (applies to etch only). Buffer overflow in the Matroska demuxer allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Matroska file with invalid frame sizes.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1472 xine-lib -- buffer overflowDebian GNU/Linux 4.0Debian GNU/Linux 3.1xine-libLuigi Auriemma discovered that the Xine media player library performed insufficient input sanitising during the handling of RTSP streams, which could lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1619 python-dns -- DNS response spoofingDebian GNU/Linux 4.0python-dnsMultiple weaknesses have been identified in PyDNS, a DNS client implementation for the Python language. Dan Kaminsky identified a practical vector of DNS response spoofing and cache poisoning, exploiting the limited entropy in a DNS transaction ID and lack of UDP source port randomization in many DNS implementations. Scott Kitterman noted that python-dns is vulnerable to this predictability, as it randomizes neither its transaction ID nor its source port. Taken together, this lack of entropy leaves applications using python-dns to perform DNS queries highly susceptible to response forgery. The Common Vulnerabilities and Exposures project identifies this class of weakness as CVE-2008-1447 and this specific instance in PyDNS as CVE-2008-4099.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1882 xapian-omega -- missing input sanitisationDebian GNU/Linux 5.0Debian GNU/Linux 4.0xapian-omegaIt was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain or embedding the search engine into a website.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1602 pcre3 -- buffer overflowDebian GNU/Linux 4.0pcre3Tavis Ormandy discovered that PCRE, the Perl-Compatible Regular Expression library, may encounter a heap overflow condition when compiling certain regular expressions involving in-pattern options and branches, potentially leading to arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1669 xulrunner -- several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code. "moz_bug_r_a4" discovered that the same-origin check in nsXMLDocument::OnChannelRedirect() could by bypassed. "moz_bug_r_a4" discovered that several vulnerabilities in feedWriter could lead to Chrome privilege escalation. Paul Nickerson discovered that an attacker could move windows during a mouse click, resulting in unwanted action triggered by drag-and-drop. "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. "moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege escalation vulnerability in XSLT handling. Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Dave Reed discovered that some Unicode byte order marks are stripped from Javascript code before execution, which can result in code being executed, which were otherwise part of a quoted string. Gareth Heyes discovered that some Unicode surrogate characters are ignored by the HTML parser. Boris Zbarsky discovered that resource: URls allow directory traversal when using URL-encoded slashes. Georgi Guninski discovered that resource: URLs could bypass local access restrictions. Billy Hoffman discovered that the XBM decoder could reveal uninitialised memory. Liu Die Yu discovered an information leak through local shortcut files. Georgi Guninski, Michal Zalewski and Chris Evan discovered that the canvas element could be used to bypass same-origin restrictions. It was discovered that insufficient checks in the Flash plugin glue code could lead to arbitrary code execution. Jesse Ruderman discovered that a programming error in the window.__proto__.__proto__ object could lead to arbitrary code execution. It was discovered that crashes in the layout engine could lead to arbitrary code execution. It was discovered that crashes in the Javascript engine could lead to arbitrary code execution. Justin Schuh discovered that a buffer overflow in http-index-format parser could lead to arbitrary code execution. It was discovered that a crash in the nsFrameManager might lead to the execution of arbitrary code. "moz_bug_r_a4" discovered that the same-origin check in nsXMLHttpRequest::NotifyEventListeners() could be bypassed. Collin Jackson discovered that the -moz-binding property bypasses security checks on codebase principals. Chris Evans discovered that quote characters were improperly escaped in the default namespace of E4X documents.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1701 openssl, openssl097 -- interpretation conflictDebian GNU/Linux 4.0opensslopenssl097It was discovered that OpenSSL does not properly verify DSA signatures on X.509 certificates due to an API misuse, potentially leading to the acceptance of incorrect X.509 certificates as genuine (CVE-2008-5077).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1569 cacti -- insufficient input sanitisingDebian GNU/Linux 4.0cactiIt was discovered that Cacti, a systems and services monitoring frontend, performed insufficient input sanitising, leading to cross site scripting and SQL injection being possible.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1473 scponly -- design flawDebian GNU/Linux 4.0Debian GNU/Linux 3.1scponlyJoachim Breitner discovered that Subversion support in scponly is inherently insecure, allowing execution of arbitrary commands. Further investigation showed that rsync and Unison support suffer from similar issues. This set of issues has been assigned CVE-2007-6350. In addition, it was discovered that it was possible to invoke scp with certain options that may lead to the execution of arbitrary commands (CVE-2007-6415). This update removes Subversion, rsync and Unison support from the scponly package, and prevents scp from being invoked with the dangerous options.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1713 rt2500 -- integer overflowDebian GNU/Linux 4.0rt2500It was discovered that an integer overflow in the "Probe Request" packet parser of the Ralinktech wireless drivers might lead to remote denial of service or the execution of arbitrary code. Please note that you need to rebuild your driver from the source package in order to set this update into effect. Detailed instructions can be found in /usr/share/doc/rt2500-source/README.DebianSecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1693 phppgadmin -- several vulnerabilitiesDebian GNU/Linux 4.0phppgadminSeveral remote vulnerabilities have been discovered in phpPgAdmin, a tool to administrate PostgreSQL database over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via the server parameter. Cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via PHP_SELF. Directory traversal vulnerability allows remote attackers to read arbitrary files via _language parameter. For the stable distribution (etch), these problems have been fixed in version 4.0.1-3.1etch2. For the unstable distribution (sid), these problems have been fixed in version 4.2.1-1.1. We recommend that you upgrade your phppgadmin package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1790 xpdf -- multiple vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0xpdfSeveral vulnerabilities have been identified in xpdf, a suite of tools for viewing and converting Portable Document Format (PDF) files. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg. Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, as used in Poppler and other products, when running on Mac OS X, has unspecified impact, related to "g*allocn." The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialised memory. The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read. Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference. Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1528 serendipity -- insufficient input sanitisingDebian GNU/Linux 4.0serendipityPeter Huumlwe and Hanno Bouml ck discovered that Serendipity, a weblog manager, did not properly sanitise input to several scripts which allowed cross site scripting. The old stable distribution (sarge) does not contain a serendipity package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1926 typo3-src -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0typo3-srcSeveral remote vulnerabilities have been discovered in the TYPO3 web content management framework. The Common Vulnerabilities and Exposures project identifies the following problems: The Backend subcomponent allows remote authenticated users to determine an encryption key via crafted input to a form field. Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent allow remote authenticated users to inject arbitrary web script or HTML. The Backend subcomponent allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters. The Backend subcomponent, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename. SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent allows remote authenticated users to execute arbitrary SQL commands. Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script. Cross-site scripting (XSS) vulnerability in the Frontend Login Box (aka felogin) subcomponent allows remote attackers to inject arbitrary web script or HTML. The Install Tool subcomponent allows remote attackers to gain access by using only the password's md5 hash as a credential. Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent allows remote attackers to inject arbitrary web script or HTML.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1708 git-core -- shell command injectionDebian GNU/Linux 4.0git-coreIt was discovered that gitweb, the web interface for the Git version control system, contained several vulnerabilities: Remote attackers could use crafted requests to execute shell commands on the web server, using the snapshot generation and pickaxe search functionality (CVE-2008-5916). Local users with write access to the configuration of a Git repository served by gitweb could cause gitweb to execute arbitrary shell commands with the permission of the web server (CVE-2008-5516, CVE-2008-5517).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1523 ikiwiki -- cross-site scriptingDebian GNU/Linux 4.0ikiwikiJosh Triplett discovered that ikiwiki did not block Javascript in URLs, leading to cross-site scripting vulnerabilities (CVE-2008-0808, CVE-2008-0809). The old stable distribution (sarge) did not contain an ikiwiki package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1768 openafs -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0openafsTwo vulnerabilities were discovered in the client part of OpenAFS, a distributed file system. An attacker with control of a file server or the ability to forge RX packets may be able to execute arbitrary code in kernel mode on an OpenAFS client, due to a vulnerability in XDR array decoding. An attacker with control of a file server or the ability to forge RX packets may crash OpenAFS clients because of wrongly handled error return codes in the kernel module. Note that in order to apply this security update, you must rebuild the OpenAFS kernel module. Be sure to also upgrade openafs-modules-source, build a new kernel module for your system following the instructions in /usr/share/doc/openafs-client/README.modules.gz, and then either stop and restart openafs-client or reboot the system to reload the kernel module.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1925 proftpd-dfsg -- insufficient input validationDebian GNU/Linux 5.0Debian GNU/Linux 4.0proftpd-dfsgIt has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon, does not properly handle a "\0" character in a domain name in the Subject Alternative Name field of an X.509 client certificate, when the dNSNameRequired TLS option is enabled.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1916 kdelibs -- insufficient input validationDebian GNU/Linux 4.0kdelibsDan Kaminsky and Moxie Marlinspike discovered that kdelibs, core libraries from the official KDE release, does not properly handle a "\0" character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1574 icedove -- several vulnerabilitiesDebian GNU/Linux 4.0icedoveSeveral remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following problems: moz_bug_r_a4 discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. moz_bug_r_a4 discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered that incorrect principal handling could lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. georgi, tgirmann and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1738 curl -- arbitrary file accessDebian GNU/Linux 5.0Debian GNU/Linux 4.0curlDavid Kierznowski discovered that libcurl, a multi-protocol file transfer library, when configured to follow URL redirects automatically, does not question the new target location. As libcurl also supports file:// and scp:// URLs - depending on the setup - an untrusted server could use that to expose local files, overwrite local files or even execute arbitrary code via a malicious URL redirect. This update introduces a new option called CURLOPT_REDIR_PROTOCOLS which by default does not include the scp and file protocol handlers.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1884 nginx -- buffer underflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0nginxChris Ries discovered that nginx, a high-performance HTTP server, reverse proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when processing certain HTTP requests. An attacker can use this to execute arbitrary code with the rights of the worker process (www-data on Debian) or possibly perform denial of service attacks by repeatedly crashing worker processes via a specially crafted URL in an HTTP request.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1518 backup-manager -- programming errorDebian GNU/Linux 4.0Debian GNU/Linux 3.1backup-managerMicha Lenk discovered that backup-manager, a command-line backup tool, sends the password as a command line argument when calling a FTP client, which may allow a local attacker to read this password (which provides access to all backed-up files) from the process listing.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1617 refpolicy -- incompatible policyDebian GNU/Linux 4.0refpolicyIn DSA-1603-1, Debian released an update to the BIND 9 domain name server, which introduced UDP source port randomization to mitigate the threat of DNS cache poisoning attacks (identified by the Common Vulnerabilities and Exposures project as CVE-2008-1447). The fix, while correct, was incompatible with the version of SELinux Reference Policy shipped with Debian Etch, which did not permit a process running in the named_t domain to bind sockets to UDP ports other than the standard "domain" port (53). The incompatibility affects both the "targeted" and "strict" policy packages supplied by this version of refpolicy. This update to the refpolicy packages grants the ability to bind to arbitrary UDP ports to named_t processes. When installed, the updated packages will attempt to update the bind policy module on systems where it had been previously loaded and where the previous version of refpolicy was 0.0.20061018-5 or below. Because the Debian refpolicy packages are not yet designed with policy module upgradeability in mind, and because SELinux-enabled Debian systems often have some degree of site-specific policy customization, it is difficult to assure that the new bind policy can be successfully upgraded. To this end, the package upgrade will not abort if the bind policy update fails. The new policy module can be found at /usr/share/selinux/refpolicy-targeted/bind.pp after installation. Administrators wishing to use the bind service policy can reconcile any policy incompatibilities and install the upgrade manually thereafter. A more detailed discussion of the corrective procedure may be found on http://wiki.debian.org/SELinux/Issues/BindPortRandomization. For the stable distribution (etch), this problem has been fixed in version 0.0.20061018-5.1+etch1. The unstable distribution (sid) is not affected, as subsequent refpolicy releases have incorporated an analogous change. We recommend that you upgrade your refpolicy packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1649 iceweasel -- several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code. moz_bug_r_a4 discovered that the same-origin check in nsXMLDocument::OnChannelRedirect() could by bypassed. moz_bug_r_a4 discovered that several vulnerabilities in feedWriter could lead to Chrome privilege escalation. Paul Nickerson discovered that an attacker could move windows during a mouse click, resulting in unwanted action triggered by drag-and-drop. moz_bug_r_a4 discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. moz_bug_r_a4 discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers. Olli Pettay and moz_bug_r_a4 discovered a Chrome privilege escalation vulnerability in XSLT handling. Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Dave Reed discovered that some Unicode byte order marks are stripped from Javascript code before execution, which can result in code being executed, which were otherwise part of a quoted string. Gareth Heyes discovered that some Unicode surrogate characters are ignored by the HTML parser. Boris Zbarsky discovered that resource: URLs allow directory traversal when using URL-encoded slashes. Georgi Guninski discovered that resource: URLs could bypass local access restrictions. Billy Hoffman discovered that the XBM decoder could reveal uninitialised memory.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1479 linux-2.6 -- several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an "amd64" flavor kernel. Takashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel. ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. Bill Roman of Datalight noticed a coding error in the linux VFS subsystem that, under certain conditions, can allow local users to remove directories for which they should not have removal privileges. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-17etch1. We recommend that you upgrade your kernel packages immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1909 postgresql-ocaml -- missing escape functionDebian GNU/Linux 5.0Debian GNU/Linux 4.0postgresql-ocamlIt was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's libpq, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called escape_string_conn() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1704 xulrunner -- several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60) Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61) Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64) Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65) Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66) It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68) It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68)SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1848 znc -- directory traversalDebian GNU/Linux 5.0Debian GNU/Linux 4.0zncIt was discovered that znc, an IRC proxy, did not properly process certain DCC requests, allowing attackers to upload arbitrary files.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1662 mysql-dfsg-5.0 -- authorisation bypassDebian GNU/Linux 4.0mysql-dfsg-5.0A symlink traversal vulnerability was discovered in MySQL, a relational database server. The weakness could permit an attacker having both CREATE TABLE access to a database and the ability to execute shell commands on the database server to bypass MySQL access controls, enabling them to write to tables in databases to which they would not ordinarily have access. The Common Vulnerabilities and Exposures project identifies this vulnerability as CVE-2008-4098. Note that a closely aligned issue, identified as CVE-2008-4097, was prevented by the update announced in DSA-1608-1. This new update supersedes that fix and mitigates both potential attack vectors.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1661 openoffice.org -- several vulnerabilitiesDebian GNU/Linux 4.0openoffice.orgSeveral vulnerabilities have been discovered in the OpenOffice.org office suite: The SureRun Security team discovered a bug in the WMF file parser that can be triggered by manipulated WMF files and can lead to heap overflows and arbitrary code execution. An anonymous researcher working with the iDefense discovered a bug in the EMF file parser that can be triggered by manipulated EMF files and can lead to heap overflows and arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1664 ekg -- missing input sanitisingDebian GNU/Linux 4.0ekgIt was discovered that ekg, a console Gadu Gadu client performs insufficient input sanitising in the code to parse contact descriptions, which may result in denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1632 tiff -- buffer underflowDebian GNU/Linux 4.0tiffDrew Yao discovered that libTIFF, a library for handling the Tagged Image File Format, is vulnerable to a programming error allowing malformed tiff files to lead to a crash or execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1539 mapserver -- several vulnerabilitiesDebian GNU/Linux 4.0mapserverChris Schmidt and Daniel Morissette discovered two vulnerabilities in mapserver, a development environment for spatial and mapping applications. The Common Vulnerabilities and Exposures project identifies the following two problems: Lack of input sanitising and output escaping in the CGI mapserver's template handling and error reporting routines leads to cross-site scripting vulnerabilities. Missing bounds checking in mapserver's template handling leads to a stack-based buffer overrun vulnerability, allowing a remote attacker to execute arbitrary code with the privileges of the CGI or httpd user.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1468 tomcat5.5 -- several vulnerabilitiesDebian GNU/Linux 4.0tomcat5.5Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The Common Vulnerabilities and Exposures project identifies the following problems: Olaf Kock discovered that HTTPS encryption was insufficiently enforced for single-sign-on cookies, which could result in information disclosure. It was discovered that the Manager and Host Manager web applications performed insufficient input sanitising, which could lead to cross site scripting. This update also adapts the tomcat5.5-webapps package to the tightened JULI permissions introduced in the previous tomcat5.5 DSA. However, it should be noted, that the tomcat5.5-webapps is for demonstration and documentation purposes only and should not be used for production systems. The old stable distribution (sarge) doesn't contain tomcat5.5.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1834 apache2 -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0apache2A denial of service flaw was found in the Apache mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time. This issue did not affect Debian 4.0 "etch". A denial of service flaw was found in the Apache mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. A similar flaw related to HEAD requests for compressed content was also fixed. The oldstable distribution (etch), these problems have been fixed in version 2.2.3-4+etch9.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1733 vim -- several vulnerabilitiesDebian GNU/Linux 4.0vimSeveral vulnerabilities have been found in vim, an enhanced vi editor. The Common Vulnerabilities and Exposures project identifies the following problems: Jan Minar discovered that vim did not properly sanitise inputs before invoking the execute or system functions inside vim scripts. This could lead to the execution of arbitrary code. Jan Minar discovered that the tar plugin of vim did not properly sanitise the filenames in the tar archive or the name of the archive file itself, making it prone to arbitrary code execution. Jan Minar discovered that the zip plugin of vim did not properly sanitise the filenames in the zip archive or the name of the archive file itself, making it prone to arbitrary code execution. Jan Minar discovered that the netrw plugin of vim did not properly sanitise the filenames or directory names it is given. This could lead to the execution of arbitrary code. Ben Schmidt discovered that vim did not properly escape characters when performing keyword or tag lookups. This could lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1942 wireshark -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0wiresharkSeveral remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: A NULL pointer dereference was found in the RADIUS dissector. A NULL pointer dereference was found in the DCERP/NT dissector. An integer overflow was discovered in the ERF parser. This update also includes fixes for three minor issues (CVE-2008-1829, CVE-2009-2562, CVE-2009-3241), which were scheduled for the next stable point update. Also CVE-2009-1268 was fixed for Etch. Since this security update was issued prior to the release of the point update, the fixes were included.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1824 phpmyadmin -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0phpmyadminSeveral remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Cross site scripting vulnerability in the export page allow for an attacker that can place crafted cookies with the user to inject arbitrary web script or HTML. Static code injection allows for a remote attacker to inject arbitrary code into phpMyAdmin via the setup.php script. This script is in Debian under normal circumstances protected via Apache authentication. However, because of a recent worm based on this exploit, we are patching it regardless, to also protect installations that somehow still expose the setup.php script.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1621 icedove -- several vulnerabilitiesDebian GNU/Linux 4.0icedoveSeveral remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that a buffer overflow in MIME decoding can lead to the execution of arbitrary code. It was discovered that missing boundary checks on a reference counter for CSS objects can lead to the execution of arbitrary code. Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. "moz_bug_r_a4" discovered that XUL documents can escalate privileges by accessing the pre-compiled "fastload" file. "moz_bug_r_a4" discovered that missing input sanitising in the mozIJSSubScriptLoader.loadSubScript() function could lead to the execution of arbitrary code. Iceweasel itself is not affected, but some addons are. Daniel Glazman discovered that a programming error in the code for parsing .properties files could lead to memory content being exposed to addons, which could lead to information disclosure. John G. Myers, Frank Benkstein and Nils Toedtmann discovered that alternate names on self-signed certificates were handled insufficiently, which could lead to spoofings secure connections. Greg McManus discovered discovered a crash in the block reflow code, which might allow the execution of arbitrary code. For the stable distribution (etch), these problems have been fixed in version 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1. Packages for s390 are not yet available and will be provided later. For the unstable distribution (sid), these problems have been fixed in version 2.0.0.16-1. We recommend that you upgrade your icedove package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1955 network-manager/network-manager-applet -- information disclosureDebian GNU/Linux 5.0Debian GNU/Linux 4.0network-manager/network-manager-appletIt was discovered that network-manager-applet, a network management framework, lacks some dbus restriction rules, which allows local users to obtain sensitive information. If you have locally modified the /etc/dbus-1/system.d/nm-applet.conf file, then please make sure that you merge the changes from this fix when asked during upgrade.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1444 php5 -- several vulnerabilitiesDebian GNU/Linux 4.0php5It was discovered that the patch for CVE-2007-4659 could lead to regressions in some scenarios. The fix has been reverted for now, a revised update will be provided in a future PHP DSA. For reference the original advisory below: Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that the session_start() function allowed the insertion of attributes into the session cookie. Mattias Bengtsson and Philip Olausson discovered that a programming error in the implementation of the wordwrap() function allowed denial of service through an infinite loop. Stanislav Malyshev discovered that a format string vulnerability in the money_format() function could allow the execution of arbitrary code. Stefan Esser discovered that execution control flow inside the zend_alter_ini_entry() function is handled incorrectly in case of a memory limit violation. Gerhard Wagner discovered an integer overflow inside the chunk_split() function. Rasmus Lerdorf discovered that incorrect parsing of multibyte sequences may lead to disclosure of memory contents. It was discovered that the output_add_rewrite_var() function could leak session ID information, resulting in information disclosure. This update also fixes two bugs from the PHP 5.2.4 release which don't have security impact according to the Debian PHP security policy (CVE-2007-4657 and CVE-2007-4662), but which are fixed nonetheless. The old stable distribution (sarge) doesn't contain php5. For the stable distribution (etch), these problems have been fixed in version 5.2.0-8+etch10. For the unstable distribution (sid), these problems have been fixed in version 5.2.4-1, with the exception of CVE-2007-5898 and CVE-2007-5899, which will be fixed soon. Please note that Debian's version of PHP is hardened with the Suhosin patch beginning with version 5.2.4-1, which renders several vulnerabilities ineffective. We recommend that you upgrade your php5 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-2005 linux-2.6.24 -- privilege escalation/denial of service/sensitive memory leakDebian GNU/Linux 4.0linux-2.6.24NOTE: This kernel update marks the final planned kernel security update for the 2.6.24 kernel in the Debian release "etch". Although security support for "etch" officially ended on Feburary 15th, 2010, this update was already in preparation before that date. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Steve Beattie and Kees Cook reported an information leak in the maps and smaps files available under /proc. Local users may be able to read this data for setuid processes while the ELF binary is being loaded. Eric Paris provided several fixes to increase the protection provided by the mmap_min_addr tunable against NULL pointer dereference vulnerabilities. Dave Jones reported an issue in the gdth SCSI driver. A missing check for negative offsets in an ioctl call could be exploited by local users to create a denial of service or potentially gain elevated privileges. Trond Myklebust reported an issue where a malicious NFS server could cause a denial of service condition on its clients by returning incorrect attributes during an open call. Joe Malicki discovered an issue in the megaraid_sas driver. Insufficient permissions on the sysfs dbg_lvl interface allow local users to modify the debug logging behavior. Roel Kluin discovered an issue in the hfc_usb driver, an ISDN driver for Colognechip HFC-S USB chip. A potential read overflow exists which may allow remote users to cause a denial of service condition. Amerigo Wang discovered an issue in the HFS filesystem that would allow a denial of service by a local user who has sufficient privileges to mount a specially crafted filesystem. Anana V. Avati discovered an issue in the fuse subsystem. If the system is sufficiently low on memory, a local user can cause the kernel to dereference an invalid pointer resulting in a denial of service and potentially an escalation of privileges. Jay Fenlason discovered an issue in the firewire stack that allows local users to cause a denial of service by making a specially crafted ioctl call. Ted Ts’o discovered an issue in the ext4 filesystem that allows local users to cause a denial of service. For this to be exploitable, the local user must have sufficient privileges to mount a filesystem. Fabian Yamaguchi reported issues in the e1000 and e1000e drivers for Intel gigabit network adapters which allow remote users to bypass packet filters using specially crafted Ethernet frames. Andi Kleen reported a defect which allows local users to gain read access to memory reachable by the kernel when the print-fatal-signals option is enabled. This option is disabled by default. Florian Westphal reported a lack of capability checking in the ebtables netfilter subsystem. If the ebtables module is loaded, local users can add and modify ebtables rules. Al Viro reported several issues with the mmap/mremap system calls that allow local users to cause a denial of service or obtain elevated privileges. Sebastian Krahmer discovered an issue in the netlink connector subsystem that permits local users to allocate large amounts of system memory resulting in a denial of service. Ramon de Carvalho Valle discovered an issue in the sys_move_pages interface, limited to amd64, ia64 and powerpc64 flavors in Debian. Local users can exploit this issue to cause a denial of service or gain access to sensitive kernel memory. Jermome Marchand reported an issue in the futex subsystem that allows a local user to force an invalid futex state which results in a denial of service .SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1623 dnsmasq -- DNS cache poisoningDebian GNU/Linux 4.0dnsmasqDan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. This update changes Debian's dnsmasq packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult. This update also switches the random number generator to Dan Bernstein's SURF.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1695 ruby1.8, ruby1.9 -- memory leakDebian GNU/Linux 4.0ruby1.8ruby1.9The regular expression engine of Ruby, a scripting language, contains a memory leak which can be triggered remotely under certain circumstances, leading to a denial of service condition (CVE-2008-3443). In addition, this security update addresses a regression in the REXML XML parser of the ruby1.8 package; the regression was introduced in DSA-1651-1.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1835 tiff -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0tiffSeveral vulnerabilities have been discovered in the library for the Tag Image File Format (TIFF). The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that malformed TIFF images can lead to a crash in the decompression code, resulting in denial of service. Andrea Barisani discovered several integer overflows, which can lead to the execution of arbitrary code if malformed images are passed to the rgb2ycbcr or tiff2rgba tools.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1945 gforge -- symlink attackDebian GNU/Linux 5.0Debian GNU/Linux 4.0gforgeSylvain Beucler discovered that gforge, a collaborative development tool, is prone to a symlink attack, which allows local users to perform a denial of service attack by overwriting arbitrary files. The oldstable distribution (etch), this problem has been fixed in version 4.5.14-22etch13.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1888 openssl, openssl097 -- cryptographic weaknessDebian GNU/Linux 5.0Debian GNU/Linux 4.0opensslopenssl097Certificates with MD2 hash signatures are no longer accepted by OpenSSL, since they're no longer considered cryptographically secure.SecPod TeamDRAFTINTERIMACCEPTEDACCEPTEDDSA-1974 gzip -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0gzipSeveral vulnerabilities have been found in gzip, the GNU compression utilities. The Common Vulnerabilities and Exposures project identifies the following problems: Thiemo Nagel discovered a missing input sanitation flaw in the way gzip used to decompress data blocks for dynamic Huffman codes, which could lead to the execution of arbitrary code when trying to decompress a crafted archive. This issue is a reappearance of CVE-2006-4334 and only affects the lenny version. Aki Helin discovered an integer underflow when decompressing files that are compressed using the LZW algorithm. This could lead to the execution of arbitrary code when trying to decompress a crafted LZW compressed gzip archive.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1548 xpdf -- several vulnerabilitiesDebian GNU/Linux 4.0xpdfKees Cook discovered a vulnerability in xpdf, a set of tools for display and conversion of Portable Document Format (PDF) files. The Common Vulnerabilities and Exposures project identifies the following problem: Xpdf's handling of embedded fonts lacks sufficient validation and type checking. If a maliciously crafted PDF file is opened, the vulnerability may allow the execution of arbitrary code with the privileges of the user running xpdf.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1889 icu -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0icuIt was discovered that the ICU unicode library performed incorrect processing of invalid multibyte sequences, resulting in potential bypass of security mechanisms.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1627 opensc -- programming errorDebian GNU/Linux 4.0openscChaskiel M Grundman discovered that opensc, a library and utilities to handle smart cards, would initialise smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone to change the card's PIN. With this bug anyone can change a user PIN without having the PIN or PUK or the superusers PIN or PUK. However it can not be used to figure out the PIN. If the PIN on your card is still the same you always had, there's a reasonable chance that this vulnerability has not been exploited. This vulnerability affects only smart cards and USB crypto tokens based on Siemens CardOS M4, and within that group only those that were initialised with OpenSC. Users of other smart cards and USB crypto tokens, or cards that have been initialised with some software other than OpenSC, are not affected. After upgrading the package, running pkcs15-tool -T will show you whether the card is fine or vulnerable. If the card is vulnerable, you need to update the security setting using: pkcs15-tool -T -U.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1903 graphicsmagick -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0graphicsmagickSeveral vulnerabilities have been discovered in graphicsmagick, a collection of image processing tool, which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems: Multiple integer overflows in XInitImage function in xwd.c for GraphicsMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution (etch). Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution (etch). A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution (etch). Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution (etch). A sign extension error allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. It affects only the oldstable distribution (etch). The load_tile function in the XCF coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write. It affects only oldstable (etch). Multiple vulnerabilities in GraphicsMagick before 1.2.4 allow remote attackers to cause a denial of service (crash, infinite loop, or memory consumption) via vectors in the AVI, AVS, DCM, EPT, FITS, MTV, PALM, RLA, and TGA decoder readers; and the GetImageCharacteristics function in magick/image.c, as reachable from a crafted PNG, JPEG, BMP, or TIFF file. Multiple heap-based buffer underflows in the ReadPALMImage function in coders/palm.c in GraphicsMagick before 1.2.3 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted PALM image. Heap-based buffer overflow in the DecodeImage function in coders/pict.c in GraphicsMagick before 1.1.14, and 1.2.x before 1.2.3, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted PICT image. Multiple vulnerabilities in GraphicsMagick allow remote attackers to cause a denial of service (crash) via vectors in XCF and CINEON images. Vulnerability in GraphicsMagick allows remote attackers to cause a denial of service (crash) via vectors in DPX images. Integer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1958 libtool -- privilege escalationDebian GNU/Linux 5.0Debian GNU/Linux 4.0libtoolIt was discovered that ltdl, a system-independent dlopen wrapper for GNU libtool, can be tricked to load and run modules from an arbitrary directory, which might be used to execute arbitrary code with the privileges of the user running an application that uses libltdl.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1614 iceweasel -- several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that missing boundary checks on a reference counter for CSS objects can lead to the execution of arbitrary code. Billy Rios discovered that passing an URL containing a pipe symbol to Iceweasel can lead to Chrome privilege escalation.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1839 gst-plugins-good0.10 -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0gst-plugins-good0.10It has been discovered that gst-plugins-good0.10, the GStreamer plugins from the "good" set, are prone to an integer overflow, when processing a large PNG file. This could lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1969 krb5 -- integer underflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0krb5It was discovered that krb5, a system for authenticating users and services on a network, is prone to integer underflow in the AES and RC4 decryption operations of the crypto library. A remote attacker can cause crashes, heap corruption, or, under extraordinarily unlikely conditions, arbitrary code execution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1699 zaptel -- array index errorDebian GNU/Linux 4.0zaptelAn array index error in zaptel, a set of drivers for telephony hardware, could allow users to crash the system or escalate their privileges by overwriting kernel memory (CVE-2008-5396).SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1497 clamav -- several vulnerabilitiesDebian GNU/Linux 4.0clamavSeveral vulnerabilities have been discovered in the Clam anti-virus toolkit, which may lead to the execution of arbitrary or local denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that temporary files are created insecurely, which may result in local denial of service by overwriting files. Silvio Cesare discovered an integer overflow in the parser for PE headers. The version of clamav in the old stable distribution (sarge) is no longer supported with security updates.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1863 zope2.10/zope2.9 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0zope2.10/zope2.9Several remote vulnerabilities have been discovered in the zope, a feature-rich web application server written in python, that could lead to arbitrary code execution in the worst case. The Common Vulnerabilities and Exposures project identified the following problems: Due to a programming error an authorisation method in the StorageServer component of ZEO was not used as an internal method. This allows a malicious client to bypass authentication when connecting to a ZEO server by simply calling this authorisation method. The ZEO server doesn't restrict the callables when unpickling data received from a malicious client which can be used by an attacker to execute arbitrary python code on the server by sending certain exception pickles. This also allows an attacker to import any importable module as ZEO is importing the module containing a callable specified in a pickle to test for a certain flag. The update also limits the number of new object ids a client can request to 100 as it would be possible to consume huge amounts of resources by requesting a big batch of new object ids. No CVE id has been assigned to this. The oldstable distribution (etch), this problem has been fixed in version 2.9.6-4etch2 of zope2.9.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1459 gforge -- insufficient input validationDebian GNU/Linux 4.0Debian GNU/Linux 3.1gforgeIt was discovered that Gforge, a collaborative development tool, did not properly sanitise some CGI parameters, allowing SQL injection in scripts related to RSS exports. For the old stable distribution (sarge), this problem has been fixed in version 3.1-31sarge5. For the stable distribution (etch), this problem has been fixed in version 4.5.14-22etch4. For the unstable distribution (sid), this problem has been fixed in version 4.6.99+svn6330-1. We recommend that you upgrade your gforge packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1668 hf -- programming errorDebian GNU/Linux 4.0hfSteve Kemp discovered that hf, an amateur-radio protocol suite using a soundcard as a modem, insecurely tried to execute an external command which could lead to the elevation of privileges for local users.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1563 asterisk -- programming errorDebian GNU/Linux 4.0asteriskJoel R. Voss discovered that the IAX2 module of Asterisk, a free software PBX and telephony toolkit performs insufficient validation of IAX2 protocol messages, which may lead to denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1745 lcms -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0lcmsSeveral security issues have been discovered in lcms, a color management library. The Common Vulnerabilities and Exposures project identifies the following problems: Chris Evans discovered that lcms is affected by a memory leak, which could result in a denial of service via specially crafted image files. Chris Evans discovered that lcms is prone to several integer overflows via specially crafted image files, which could lead to the execution of arbitrary code. Chris Evans discovered the lack of upper-bounds check on sizes leading to a buffer overflow, which could be used to execute arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1700 lasso -- incorrect API usageDebian GNU/Linux 4.0lassoIt was discovered that Lasso, a library for Liberty Alliance and SAML protocols performs incorrect validation of the return value of OpenSSL's DSA_verify() function.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1561 ldm -- programming errorDebian GNU/Linux 4.0ldmChristian Herzog discovered that within the Linux Terminal Server Project, it was possible to connect to X on any LTSP client from any host on the network, making client windows and keystrokes visible to that host. NOTE: most ldm installs are likely to be in a chroot environment exported over NFS, and will not be upgraded merely by upgrading the server itself. For example, on the i386 architecture, to upgrade ldm will likely require:SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1535 iceweasel -- several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: Peter Brodersen and Alexander Klink discovered that the autoselection of SSL client certificates could lead to users being tracked, resulting in a loss of privacy. moz_bug_r_a4 discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. moz_bug_r_a4 discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback and moz_bug_r_a4 discovered that incorrect principal handling could lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. georgi, tgirmann and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. Gregory Fleischer discovered that HTTP Referrer headers were handled incorrectly in combination with URLs containing Basic Authentication credentials with empty usernames, resulting in potential Cross-Site Request Forgery attacks. Gregory Fleischer discovered that web content fetched through the jar: protocol can use Java to connect to arbitrary ports. This is only an issue in combination with the non-free Java plugin. Chris Thomas discovered that background tabs could generate XUL popups overlaying the current tab, resulting in potential spoofing attacks. The Mozilla products from the old stable distribution (sarge) are no longer supported.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1637 git-core -- buffer overflowDebian GNU/Linux 4.0git-coreMultiple vulnerabilities have been identified in git-core, the core of the git distributed revision control system. Improper path length limitations in git's diff and grep functions, in combination with maliciously crafted repositories or changes, could enable a stack buffer overflow and potentially the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies this vulnerability as CVE-2008-3546.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1635 freetype -- multiple vulnerabilitiesDebian GNU/Linux 4.0freetypeSeveral local vulnerabilities have been discovered in freetype, a FreeType 2 font engine, which could allow the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: An integer overflow allows context-dependent attackers to execute arbitrary code via a crafted set of values within the Private dictionary table in a Printer Font Binary (PFB) file. The handling of an invalid number of axes field in the PFB file could trigger the freeing of arbitrary memory locations, leading to memory corruption. Multiple off-by-one errors allowed the execution of arbitrary code via malformed tables in PFB files, or invalid SHC instructions in TTF files.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1948 ntp -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0ntpRobin Park and Dmitri Vinokurov discovered that the daemon component of the ntp package, a reference implementation of the NTP protocol, is not properly reacting to certain incoming packets. An unexpected NTP mode 7 packet with spoofed IP data can lead ntpd to reply with a mode 7 response to the spoofed address. This may result in the service playing packet ping-pong with other ntp servers or even itself which causes CPU usage and excessive disk use due to logging. An attacker can use this to conduct denial of service attacks.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1754 roundup -- insufficient access checksDebian GNU/Linux 5.0Debian GNU/Linux 4.0roundupIt was discovered that roundup, an issue tracker with a command-line, web and email interface, allows users to edit resources in unauthorised ways, including granting themselves admin rights. This update introduces stricter access checks, actually enforcing the configured permissions and roles. This means that the configuration may need updating. In addition, user registration via the web interface has been disabled; use the program "roundup-admin" from the command line instead.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1939 libvorbis -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0libvorbisLucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky discovered that libvorbis, a library for the Vorbis general-purpose compressed audio codec, did not correctly handle certain malformed ogg files. An attacher could cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1946 belpic -- cryptographic weaknessDebian GNU/Linux 4.0belpicIt was discovered that belpic, the belgian eID PKCS11 library, does not properly check the result of an OpenSSL function for verifying cryptographic signatures, which could be used to bypass the certificate validation.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1961 bind9 -- DNS cache poisoningDebian GNU/Linux 5.0Debian GNU/Linux 4.0bind9Michael Sinatra discovered that the DNS resolver component in BIND does not properly check DNS records contained in additional sections of DNS responses, leading to a cache poisoning vulnerability. This vulnerability is only present in resolvers which have been configured with DNSSEC trust anchors, which is still rare. Note that this update contains an internal ABI change, which means that all BIND-related packages must be updated at the same time. In the unlikely event that you have compiled your own software against libdns, you must recompile this programs, too.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1960 acpid -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0acpidIt was discovered that acpid, the Advanced Configuration and Power Interface event daemon, on the oldstable distribution creates its log file with weak permissions, which might expose sensitive information or might be abused by a local user to consume all free disk space on the same partition of the file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1991 squid/squid3 -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0squid/squid3Two denial of service vulnerabilities have been discovered in squid and squid3, a web proxy. The Common Vulnerabilities and Exposures project identifies the following problems: Bastian Blank discovered that it is possible to cause a denial of service via a crafted auth header with certain comma delimiters. Tomas Hoger discovered that it is possible to cause a denial of service via invalid DNS header-only packets.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1626 httrack -- buffer overflowDebian GNU/Linux 4.0httrackJoan Calvet discovered that httrack, a utility to create local copies of websites, is vulnerable to a buffer overflow potentially allowing to execute arbitrary code when passed excessively long URLs.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1674 jailer -- insecure temp file generationDebian GNU/Linux 4.0jailerJavier Fernandez-Sanguino Pena discovered that updatejail, a component of the chroot maintenance tool Jailer, creates a predictable temporary file name, which may lead to local denial of service through a symlink attack.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1992 chrony -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0chronySeveral vulnerabilities have been discovered in chrony, a pair of programs which are used to maintain the accuracy of the system clock on a computer. This issues are similar to the NTP security flaw CVE-2009-3563. The Common Vulnerabilities and Exposures project identifies the following problems: chronyd replies to all cmdmon packets with NOHOSTACCESS messages even for unauthorised hosts. An attacker can abuse this behaviour to force two chronyd instances to play packet ping-pong by sending such a packet with spoofed source address and port. This results in high CPU and network usage and thus denial of service conditions. The client logging facility of chronyd doesn’t limit memory that is used to store client information. An attacker can cause chronyd to allocate large amounts of memory by sending NTP or cmdmon packets with spoofed source addresses resulting in memory exhaustion. chronyd lacks of a rate limit control to the syslog facility when logging received packets from unauthorised hosts. This allows an attacker to cause denial of service conditions via filling up the logs and thus disk space by repeatedly sending invalid cmdmon packets.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1984 libxerces2-java -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0libxerces2-javaIt was discovered that libxerces2-java, a validating XML parser for Java, does not properly process malformed XML files. This vulnerability could allow an attacker to cause a denial of service while parsing a malformed XML file.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1869 curl -- insufficient input validationDebian GNU/Linux 5.0Debian GNU/Linux 4.0curlIt was discovered that curl, a client and library to get files from servers using HTTP, HTTPS or FTP, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1816 apache2 -- insufficient security checkDebian GNU/Linux 5.0Debian GNU/Linux 4.0apache2It was discovered that the Apache web server did not properly handle the "Options=" parameter to the AllowOverride directive: In the stable distribution (lenny), local users could (via .htaccess) enable script execution in Server Side Includes even in configurations where the AllowOverride directive contained only Options=IncludesNoEXEC. In the oldstable distribution (etch), local users could (via .htaccess) enable script execution in Server Side Includes and CGI script execution in configurations where the AllowOverride directive contained any "Options=" value. The oldstable distribution (etch), this problem has been fixed in version 2.2.3-4+etch8.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1878 devscripts -- missing input sanitationDebian GNU/Linux 5.0Debian GNU/Linux 4.0devscriptsRaphael Geissert discovered that uscan, a program to check for availability of new source code versions which is part of the devscripts package, runs Perl code downloaded from potentially untrusted sources to implement its URL and version mangling functionality. This update addresses this issue by reimplementing the relevant Perl operators without relying on the Perl interpreter, trying to preserve backwards compatibility as much as possible.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1798 pango1.0 -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0pango1.0Will Drewry discovered that pango, a system for layout and rendering of internationalised text, is prone to an integer overflow via long glyphstrings. This could cause the execution of arbitrary code when displaying crafted data through an application using the pango library.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1587 mtr -- buffer overflowDebian GNU/Linux 4.0mtrAdam Zabrocki discovered that under certain circumstances mtr, a full screen ncurses and X11 traceroute tool, could be tricked into executing arbitrary code via overly long reverse DNS records.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1646 squid -- array bounds checkDebian GNU/Linux 4.0squidA weakness has been discovered in squid, a caching proxy server. The flaw was introduced upstream in response to CVE-2007-6239, and announced by Debian in DSA-1482-1. The flaw involves an over-aggressive bounds check on an array resize, and could be exploited by an authorised client to induce a denial of service condition against squid.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1490 tk8.3 -- buffer overflowDebian GNU/Linux 4.0Debian GNU/Linux 3.1tk8.3It was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to a denial of service and potentially the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDebian GNU/Linux 3.1 is installedDebian GNU/Linux 3.1Debian GNU/Linux 3.1 (sarge) is installedSecPod TeamDRAFTINTERIMACCEPTEDPreeti SubramanianINTERIMACCEPTEDChandan SINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1881 cyrus-imapd-2.2 -- buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0cyrus-imapd-2.2It was discovered that the SIEVE component of cyrus-imapd, a highly scalable enterprise mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. Due to incorrect use of the sizeof() operator an attacker is able to pass a negative length to snprintf() calls resulting in large positive values due to integer conversion. This causes a buffer overflow which can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1947 shibboleth-sp, shibboleth-sp2, opensaml2 -- missing input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0shibboleth-spshibboleth-sp2opensaml2Matt Elder discovered that Shibboleth, a federated web single sign-on system is vulnerable to script injection through redirection URLsSecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1625 cupsys -- buffer overflowsDebian GNU/Linux 4.0cupsysSeveral remote vulnerabilities have been discovered in the Common Unix Printing System (CUPS). The Common Vulnerabilities and Exposures project identifies the following problems: Buffer overflows in the HP-GL input filter allowed to possibly run arbitrary code through crafted HP-GL files. Buffer overflow in the GIF filter allowed to possibly run arbitrary code through crafted GIF files. Integer overflows in the PNG filter allowed to possibly run arbitrary code through crafted PNG files.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1684 lcms -- multiple vulnerabilitiesDebian GNU/Linux 4.0lcmsTwo vulnerabilities have been found in lcms, a library and set of commandline utilities for image color management. The Common Vulnerabilities and Exposures project identifies the following problems: Inadequate enforcement of fixed-length buffer limits allows an attacker to overflow a buffer on the stack, potentially enabling the execution of arbitrary code when a maliciously-crafted image is opened. An integer sign error in reading image gamma data could allow an attacker to cause an under-sized buffer to be allocated for subsequent image data, with unknown consequences potentially including the execution of arbitrary code if a maliciously-crafted image is opened.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1717 devil -- buffer overflowDebian GNU/Linux 4.0devilStefan Cornelius discovered a buffer overflow in devil, a cross-platform image loading and manipulation toolkit, which could be triggered via a crafted Radiance RGBE file. This could potentially lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1949 php-net-ping -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0php-net-pingIt was discovered that php-net-ping, a PHP PEAR module to execute ping independently of the Operating System, performs insufficient input sanitising, which might be used to inject arguments or execute arbitrary commands on a system that uses php-net-ping.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1712 rt2400 -- integer overflowDebian GNU/Linux 4.0rt2400It was discovered that an integer overflow in the "Probe Request" packet parser of the Ralinktech wireless drivers might lead to remote denial of service or the execution of arbitrary code. Please note that you need to rebuild your driver from the source package in order to set this update into effect. Detailed instructions can be found in /usr/share/doc/rt2400-source/README.DebianSecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1705 netatalk -- missing input sanitisingDebian GNU/Linux 4.0netatalkIt was discovered that netatalk, an implementation of the AppleTalk suite, is affected by a command injection vulnerability when processing PostScript streams via papd. This could lead to the execution of arbitrary code. Please note that this only affects installations that are configured to use a pipe command in combination with wildcard symbols substituted with values of the printed job.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1977 python2.4 python2.5 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0python2.4 python2.5Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that the embedded Expat copy in the interpreter for the Python language, does not properly process malformed or crafted XML files. This vulnerability could allow an attacker to cause a denial of service while parsing a malformed XML file. In addition, this update fixes an integer overflow in the hashlib module in python2.5. This vulnerability could allow an attacker to defeat cryptographic digests. It only affects the oldstable distribution.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1987 lighttpd -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0lighttpdLi Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1480 poppler -- several vulnerabilitiesDebian GNU/Linux 4.0popplerAlin Rad Pop discovered several buffer overflows in the Poppler PDF library, which could allow the execution of arbitrary code if a malformed PDF file is opened. The old stable distribution (sarge) doesn't contain poppler.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1702 ntp -- interpretation conflictDebian GNU/Linux 4.0ntpIt has been discovered that NTP, an implementation of the Network Time Protocol, does not properly check the result of an OpenSSL function for verifying cryptographic signatures, which may ultimately lead to the acceptance of unauthenticated time information. (Note that cryptographic authentication of time servers is often not enabled in the first place.)SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1966 horde3 -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0horde3Several vulnerabilities have been found in horde3, the horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems: It has been discovered that horde3 is prone to cross-site scripting attacks via crafted number preferences or inline MIME text parts when using text/plain as MIME type. For lenny this issue was already fixed, but as an additional security precaution, the display of inline text was disabled in the configuration file. It has been discovered that the horde3 administration interface is prone to cross-site scripting attacks due to the use of the PHP_SELF variable. This issue can only be exploited by authenticated administrators. It has been discovered that horde3 is prone to several cross-site scripting attacks via crafted data:text/html values in HTML messages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1663 net-snmp -- several vulnerabilitiesDebian GNU/Linux 4.0net-snmpSeveral vulnerabilities have been discovered in NET SNMP, a suite of Simple Network Management Protocol applications. The Common Vulnerabilities and Exposures project identifies the following problems: Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length, which allows spoofing of authenticated SNMPv3 packets. John Kortink reported a buffer overflow in the __snprint_value function in snmp_get causing a denial of service and potentially allowing the execution of arbitrary code via a large OCTETSTRING in an attribute value pair (AVP). It was reported that an integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c allows remote attackers to cause a denial of service attack via a crafted SNMP GETBULK request.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1979 lintian -- multiple vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0lintianMultiple vulnerabilities have been discovered in lintian, a Debian package checker. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them: Control field names and values were not sanitised before using them in certain operations that could lead to directory traversals. Patch systems" control files were not sanitised before using them in certain operations that could lead to directory traversals. An attacker could exploit these vulnerabilities to overwrite arbitrary files or disclose system information. Multiple check scripts and the Lintian::Schedule module were using user-provided input as part of the sprintf/printf format string. File names were not properly escaped when passing them as arguments to certain commands, allowing the execution of other commands as pipes or as a set of shell commands.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1954 cacti -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0cactiSeveral vulnerabilities have been found in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that cacti is prone to a denial of service via the graph_height, graph_width, graph_start and graph_end parameters. This issue only affects the oldstable version of cacti. It was discovered that cacti is prone to several cross-site scripting attacks via different vectors. It has been discovered that cacti allows authenticated administrator users to gain access to the host system by executing arbitrary commands via the "Data Input Method" for the "Linux - Get Memory Usage" setting. There is no fix for this issue at this stage. Upstream will implement a whitelist policy to only allow certain "safe" commands. For the moment, we recommend that such access is only given to trusted users and that the options "Data Input" and "User Administration" are otherwise deactivated.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1951 firefox-sage -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0firefox-sageIt was discovered that firefox-sage, a lightweight RSS and Atom feed reader for Firefox, does not sanitise the RSS feed information correctly, which makes it prone to a cross-site scripting and a cross-domain scripting attack.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1496 mplayer -- buffer overflowsDebian GNU/Linux 4.0mplayerSeveral buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Felipe Manzano and Anibal Sacco discovered a buffer overflow in the demuxer for MOV files. Reimar Doeffinger discovered a buffer overflow in the FLAC header parsing. Adam Bozanich discovered a buffer overflow in the CDDB access code. Adam Bozanich discovered a buffer overflow in URL parsing. The old stable distribution (sarge) doesn't contain mplayer.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1995 openoffice.org -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0openoffice.orgSeveral vulnerabilities have been discovered in the OpenOffice.org office suite. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that macro security settings were insufficiently enforced for VBA macros. It was discovered that the W3C XML Signature recommendation contains a protocol-level vulnerability related to HMAC output truncation. This also affects the integrated libxmlsec library. Sebastian Apelt discovered that an integer overflow in the XPM import code may lead to the execution of arbitrary code. Sebastian Apelt and Frank Reissner discovered that a buffer overflow in the GIF import code may lead to the execution of arbitrary code. Nicolas Joly discovered multiple vulnerabilities in the parser for Word document files, which may lead to the execution of arbitrary code.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1981 maildrop -- privilege escalationDebian GNU/Linux 5.0Debian GNU/Linux 4.0maildropChristoph Anton Mitterer discovered that maildrop, a mail delivery agent with filtering abilities, is prone to a privilege escalation issue that grants a user root group privileges.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1989 fuse -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0fuseDan Rosenberg discovered a race condition in FUSE, a Filesystem in USErspace. A local attacker, with access to use FUSE, could unmount arbitrary locations, leading to a denial of service.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1964 postgresql-7.4, postgresql-8.1, postgresql-8.3 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0postgresql-7.4postgresql-8.1postgresql-8.3Several vulnerabilities have been discovered in PostgreSQL, a database server. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that PostgreSQL did not properly verify the Common Name attribute in X.509 certificates, enabling attackers to bypass the TLS protection on client-server connections, by relying on a certificate from a trusted CA which contains an embedded NUL byte in the Common Name. Authenticated database users could elevate their privileges by creating specially-crafted index functions. The following matrix shows fixed source package versions for the respective distributions. In addition to these security fixes, the updates contain reliability improvements and fix other defects. We recommend that you upgrade your PostgreSQL packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-2003 linux-2.6 -- privilege escalation/denial of serviceDebian GNU/Linux 4.0linux-2.6NOTE: This kernel update marks the final planned kernel security update for the 2.6.18 kernel in the Debian release "etch". Although security support for "etch" officially ended on Feburary 15th, 2010, this update was already in preparation before that date. A final update that includes fixes for these issues in the 2.6.24 kernel is also in preparation and will be released shortly. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: Dave Jones reported an issue in the gdth SCSI driver. A missing check for negative offsets in an ioctl call could be exploited by local users to create a denial of service or potentially gain elevated privileges. Trond Myklebust reported an issue where a malicious NFS server could cause a denial of service condition on its clients by returning incorrect attributes during an open call. Roel Kluin discovered an issue in the hfc_usb driver, an ISDN driver for Colognechip HFC-S USB chip. A potential read overflow exists which may allow remote users to cause a denial of service condition. Amerigo Wang discovered an issue in the HFS filesystem that would allow a denial of service by a local user who has sufficient privileges to mount a specially crafted filesystem. Anana V. Avati discovered an issue in the fuse subsystem. If the system is sufficiently low on memory, a local user can cause the kernel to dereference an invalid pointer resulting in a denial of service and potentially an escalation of privileges. Fabian Yamaguchi reported an issue in the e1000 driver for Intel gigabit network adapters which allow remote users to bypass packet filters using specially crafted ethernet frames. Florian Westphal reported a lack of capability checking in the ebtables netfilter subsystem. If the ebtables module is loaded, local users can add and modify ebtables rules. Sebastian Krahmer discovered an issue in the netlink connector subsystem that permits local users to allocate large amounts of system memory resulting in a denial of service. Ramon de Carvalho Valle discovered an issue in the sys_move_pages interface, limited to amd64, ia64 and powerpc64 flavors in Debian. Local users can exploit this issue to cause a denial of service or gain access to sensitive kernel memory. Jermome Marchand reported an issue in the futex subsystem that allows a local user to force an invalid futex state which results in a denial of service. This update also fixes a regression introduced by a previous security update that caused problems booting on certain s390 systems.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1994 ajaxterm -- weak session IDsDebian GNU/Linux 5.0Debian GNU/Linux 4.0ajaxtermIt was discovered that ajaxterm, a web-based terminal, generates weak and predictable session IDs, which might be used to hijack a session or cause a denial of service attack on a system that uses ajaxterm.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1997 mysql-dfsg-5.0 -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0mysql-dfsg-5.0Several vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems: Domas Mituzas discovered that mysqld does not properly handle errors during execution of certain SELECT statements with subqueries, and does not preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service via a crafted statement. Sergei Golubchik discovered that MySQL allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified DATA DIRECTORY or INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory. Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld, allow remote attackers to execute arbitrary code or cause a denial of service by establishing an SSL connection and sending an X.509 client certificate with a crafted name field.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1971 libthai -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0libthaiTim Starling discovered that libthai, a set of Thai language support routines, is vulnerable of integer/heap overflow. This vulnerability could allow an attacker to run arbitrary code by sending a very long string.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1953 expat -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0expatJan Lieskovsky discovered an error in expat, an XML parsing C library, when parsing certain UTF-8 sequences, which can be exploited to crash an application using the library.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1973 glibc, eglibc -- information disclosureDebian GNU/Linux 5.0Debian GNU/Linux 4.0glibceglibcChristoph Pleger has discovered that the GNU C Library and its derivatives add information from the passwd.adjunct.byname map to entries in the passwd map, which allows local users to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1985 sendmail -- insufficient input validationDebian GNU/Linux 5.0Debian GNU/Linux 4.0sendmailIt was discovered that sendmail, a Mail Transport Agent, does not properly handle a "\0" character in a Common Name field of an X.509 certificate. This allows an attacker to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1750 libpng -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0libpngSeveral vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems: The png_handle_tRNS function allows attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value. Certain chunk handlers allow attackers to cause a denial of service (crash) via crafted pCAL, sCAL, tEXt, iTXt, and ztXT chunking in PNG images, which trigger out-of-bounds read operations. libpng allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialised memory. The png_check_keyword might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords. A memory leak in the png_handle_tEXt function allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file. libpng allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialised pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1436-1 linux-2.6 fai-kernels user-mode-linux - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6fai-kernelsuser-mode-linuxSeveral local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1442-1 libsndfileDebian GNU/Linux 4.0libsndfileRubert Buchholz discovered that libsndfile, a library for reading / writing audio files, performs insufficient boundary checks when processing FLAC files, which might lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1363-1 linux-2.6Debian GNU/Linux 4.0linux-2.6Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1373-1 ktorrent - directory traversal vulnerabilitiesDebian GNU/Linux 4.0ktorrentIt was discovered that ktorrent, a BitTorrent client for KDE, was vulnerable to a directory traversal bug which potentially allowed remote users to overwrite arbitrary files.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1361-1 postfix-policyd - arbitrary code executionDebian GNU/Linux 4.0postfix-policydIt was discovered that postfix-policyd, an anti-spam plugin for postfix, didn't correctly test lengths of incoming SMTP commands potentially allowing the remote execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1333-1 curlDebian GNU/Linux 4.0curlIt has been discovered that the GnuTLS certificate verification methods implemented in libcurl-gnutls, a solid, usable, and portable multi-protocol file transfer library, did not check for expired or invalid dates.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1288-2 pptpd - regressionDebian GNU/Linux 4.0pptpdIt was discovered that the PoPToP Point to Point Tunneling Server contains a programming error, which allows the tear-down of a PPTP connection through a malformed GRE packet, resulting in denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1365-2 id3lib3.8.3 - denial of serviceDebian GNU/Linux 4.0id3lib3.8.3Nikolaus Schulz discovered that a programming error in id3lib, an ID3 Tag Library, may lead to denial of service through symlink attacks.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1390-1 t1lib - arbitrary code executionDebian GNU/Linux 4.0t1libHamid Ebadi discovered a buffer overflow in the intT1_Env_GetCompletePath routine in t1lib, a Type 1 font rasterizer library. This flaw could allow an attacker to crash an application using the t1lib shared libraries, and potentially execute arbitrary code within such an application's security context.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1321-1 evolution-data-serverDebian GNU/Linux 4.0evolution-data-serverIt was discovered that the IMAP code in the Evolution Data Server performs insufficient sanitising of a value later used an array index, which can lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1353-1 tcpdump - integer overflowDebian GNU/Linux 4.0tcpdumpIt was discovered that an integer overflow in the BGP dissector of tcpdump, a powerful tool for network monitoring and data acquisition, may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1319-1 maradnsDebian GNU/Linux 4.0maradnsSeveral remote vulnerabilities have been discovered in MaraDNS, a simple security-aware Domain Name Service server.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1331-1 php4 - several vulnerabilitiesDebian GNU/Linux 4.0php4Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1397-1 mono - buffer overflowDebian GNU/Linux 4.0monoAn integer overflow in the BigInteger data type implementation has been discovered in the free .NET runtime Mono.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1364-2 vim - several vulnerabilitiesDebian GNU/Linux 4.0vimSeveral vulnerabilities have been discovered in the vim editor.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1311-1 postgresql-7.4Debian GNU/Linux 4.0postgresql-7.4It was discovered that the PostgreSQL database performs insufficient validation of variables passed to privileged SQL statement called <q>security definers</q>, which could lead to SQL privilege escalation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1341-2 bind9 - DNS cache poisoning vulnerabilityDebian GNU/Linux 4.0bind9This update provides fixed packages for the oldstable distribution (sarge). For reference the original advisory text.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1309-1 postgresql-8.1Debian GNU/Linux 4.0postgresql-8.1It was discovered that the PostgreSQL database performs insufficient validation of variables passed to privileged SQL statements, so called <q>security definers</q>, which could lead to SQL privilege escalation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1301-1 gimpDebian GNU/Linux 4.0gimpA buffer overflow has been identified in Gimp's SUNRAS plugin in versions prior to 2.2.15. This bug could allow an attacker to execute arbitrary code on the victim's computer by inducing the victim to open a specially crafted RAS file.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1323-1 krb5Debian GNU/Linux 4.0krb5Several remote vulnerabilities have been discovered in the MIT reference implementation of the Kerberos network authentication protocol suite, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1393-1 xfce4-terminal - insecure executionDebian GNU/Linux 4.0xfce4-terminalIt was discovered that xfce-terminal, a terminal emulator for the xfce environment, did not correctly escape arguments passed to the processes spawned by <q>Open Link</q>. This allowed malicious links to execute arbitrary commands upon the local system.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1380-1 elinks - information disclosureDebian GNU/Linux 4.0elinksKalle Olavi Niemitalo discovered that elinks, an advanced text-mode WWW browser, sent HTTP POST data in cleartext when using an HTTPS proxy server potentially allowing private information to be disclosed.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1384-1 xen-3.0Debian GNU/Linux 4.0xen-3.0Several local vulnerabilities have been discovered in the Xen hypervisor packages which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1370-1 phpmyadmin - several vulnerabilitiesDebian GNU/Linux 4.0phpmyadminSeveral remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1307-1 openoffice.org - heap overflowDebian GNU/Linux 4.0openoffice.orgJohn Heasman discovered a heap overflow in the routines of OpenOffice.org that parse RTF files. A specially crafted RTF file could cause the filter to overwrite data on the heap, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1299-1 ipsec-toolsDebian GNU/Linux 4.0ipsec-toolsIt was discovered that a specially-crafted packet sent to the racoon ipsec key exchange server could cause a tunnel to crash, resulting in a denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1403-1 phpmyadmin - cross-site scriptingDebian GNU/Linux 4.0phpmyadminOmer Singer of the DigiTrust Group discovered several vulnerabilities in phpMyAdmin, an application to administrate MySQL over the WWW.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1426-1 qt-x11-free - several vulnerabilitiesDebian GNU/Linux 4.0qt-x11-freeSeveral local/remote vulnerabilities have been discovered in the Qt GUI library.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1315-1 libphp-phpmailerDebian GNU/Linux 4.0libphp-phpmailerThor Larholm discovered that libphp-phpmailer, an email transfer class for PHP, performs insufficient input validition if configured to use Sendmail. This allows the execution of arbitrary shell commands.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1371-1 phpwiki - several vulnerabilitiesDebian GNU/Linux 4.0phpwikiSeveral vulnerabilities have been discovered in phpWiki, a wiki engine written in PHP.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1313-1 mplayerDebian GNU/Linux 4.0mplayerStefan Cornelius and Reimar Doeffinger discovered that the MPlayer movie player performs insufficient boundary checks when accessing CDDB data, which might lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1386-1 wesnothDebian GNU/Linux 4.0wesnothA problem has been discovered in the processing of chat messages. Overly long messages are truncated by the server to a fixed length, without paying attention to the multibyte characters. This leads to invalid UTF-8 on clients and causes an uncaught exception. Note that both wesnoth and the wesnoth server are affected.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1405-2 zope-cmfplone - arbitrary codeDebian GNU/Linux 4.0zope-cmfploneIt was discovered that Plone, a web content management system, allows remote attackers to execute arbitrary code via specially crafted web browser cookies.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1513-1 lighttpd - information disclosureDebian GNU/Linux 4.0lighttpdIt was discovered that lighttpd, a fast webserver with minimal memory footprint, would display the source to CGI scripts if their execution failed in some circumstances.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1382-1 quaggaDebian GNU/Linux 4.0quaggaIt was discovered that BGP peers can trigger a NULL pointer dereference in the BGP daemon if debug logging is enabled, causing the BGP daemon to crash.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1420-1 zabbix - programming errorDebian GNU/Linux 4.0zabbixBas van Schaik discovered that the agentd process of Zabbix, a network monitor system, may run user-supplied commands as group id root, not zabbix, which may lead to a privilege escalation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1448-1 eggdrop arbitrary code executionDebian GNU/Linux 4.0eggdropIt was discovered that eggdrop, an advanced IRC robot, was vulnerable to a buffer overflow which could result in a remote user executing arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1624-1 libxslt - arbitrary code executionDebian GNU/Linux 4.0libxsltChris Evans discovered that a buffer overflow in the RC4 functions of libexslt may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1587-1 mtr - execution of arbitrary codeDebian GNU/Linux 4.0mtrAdam Zabrocki discovered that under certain circumstances mtr, a full screen ncurses and X11 traceroute tool, could be tricked into executing arbitrary code via overly long reverse DNS records.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1542-1 libcairo - arbitrary code executionDebian GNU/Linux 4.0libcairoPeter Valchev (Google Security) discovered a series of integer overflow weaknesses in Cairo, a vector graphics rendering library used by many other applications. If an application uses cairo to render a maliciously crafted PNG image, the vulnerability allows the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1512-1 evolution - remote code executionDebian GNU/Linux 4.0evolutionUlf Härnhammar discovered that Evolution, the e-mail and groupware suite, had a format string vulnerability in the parsing of encrypted mail messages. If the user opened a specially crafted email message, code execution was possible.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1498-1 libimager-perl - buffer overflowDebian GNU/Linux 4.0libimager-perlIt was discovered that libimager-perl, a Perl extension for generating 24-bit images, did not correctly handle 8-bit compressed images, which could allow the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1396-1 iceweaselDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1325-1 evolutionDebian GNU/Linux 4.0evolutionSeveral remote vulnerabilities have been discovered in Evolution, a groupware suite with mail client and organizer.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1470-1 horde3 - missing input sanitisingDebian GNU/Linux 4.0horde3Ulf Härnhammar discovered that the HTML filter of the Horde web application framework performed insufficient input sanitising, which may lead to the deletion of emails if a user is tricked into viewing a malformed email inside the Imp client.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1424-1 iceweasel - several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1378-1 fai-kernels linux-2.6 user-mode-linux - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6fai-kernelsuser-mode-linuxSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1476-1 pulseaudio - programming errorDebian GNU/Linux 4.0pulseaudioMarcus Meissner discovered that the PulseAudio sound server performed insufficient checks when dropping privileges, which could lead to local privilege escalation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1413-1 mysql - multipleDebian GNU/Linux 4.0mysql-dfsg-5.0Several vulnerabilities have been found in the MySQL database packages with implications ranging from unauthorised database modifications to remotely triggered server crashes.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1496-1 mplayer - arbitrary code executionDebian GNU/Linux 4.0mplayerSeveral buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1293-1 quaggaDebian GNU/Linux 4.0quaggaPaul Jakma discovered that specially crafted UPDATE messages can trigger an out of boundary read that can result in a system crash of quagga, the BGP/OSPF/RIP routing daemon.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1434-1 mydns - denial of serviceDebian GNU/Linux 4.0mydnsIt was discovered that in MyDNS, a domain name server with database backend, the daemon could be crashed through malicious remote update requests, which may lead to denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1468-1 tomcat5.5Debian GNU/Linux 4.0tomcat5.5Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1409-3 samba - several vulnerabilities (update)Debian GNU/Linux 4.0sambaThis update fixes all currently known regressions introduced with the previous two revisions of DSA-1409. The original text is reproduced below.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1355-1 kdegraphics - integer overflowDebian GNU/Linux 4.0kdegraphicsIt was discovered that an integer overflow in the xpdf PDF viewer may lead to the execution of arbitrary code if a malformed PDF file is opened.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1488-1 phpbb2 - several vulnerabilitiesDebian GNU/Linux 4.0phpbb2Several remote vulnerabilities have been discovered in phpBB, a web based bulletin board.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1297-1 gforge-plugin-scmcvsDebian GNU/Linux 4.0gforge-plugin-scmcvsBernhard R. Link discovered that the CVS browsing interface of Gforge, a collaborative development tool, performs insufficient escaping of URLs, which allows the execution of arbitrary shell commands with the privileges of the www-data user.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1368-1 librpcsecgss - arbitrary code executionDebian GNU/Linux 4.0librpcsecgssIt was discovered that a buffer overflow of the library for secure RPC communication over the rpcsec_gss protocol allows the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1521-1 lighttpd - arbitrary file disclosureDebian GNU/Linux 4.0lighttpdJulien Cayzac discovered that under certain circumstances lighttpd, a fast webserver with minimal memory footprint, might allow the reading of arbitrary files from the system. This problem could only occur with a non-standard configuration.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1616-2 clamav - denial of serviceDebian GNU/Linux 4.0clamavDamian Put discovered a vulnerability in the ClamAV anti-virus toolkit's parsing of Petite-packed Win32 executables. The weakness leads to an invalid memory access, and could enable an attacker to crash clamav by supplying a maliciously crafted Petite-compressed binary for scanning. In some configurations, such as when clamav is used in combination with mail servers, this could cause a system to <q>fail open</q>, facilitating a follow-on viral attack.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1548-1 xpdfDebian GNU/Linux 4.0xpdfKees Cook discovered a vulnerability in xpdf, a set of tools for display and conversion of Portable Document Format (PDF) files.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1522-1 unzip - potential code executionDebian GNU/Linux 4.0unzipTavis Ormandy discovered that unzip, when processing specially crafted ZIP archives, could pass invalid pointers to the C library's free routine, potentially leading to arbitrary code execution (<a href="http://security-tracker.debian.org/tracker/CVE-2008-0888">CVE-2008-0888</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1544-1 pdns-recursor - cache poisoning vulnerabilityDebian GNU/Linux 4.0pdns-recursorAmit Klein discovered that pdns-recursor, a caching DNS resolver, uses a weak random number generator to create DNS transaction IDs and UDP source port numbers. As a result, cache poisoning attacks were simplified. (<a href="http://security-tracker.debian.org/tracker/CVE-2008-1637">CVE-2008-1637</a> and <a href="http://security-tracker.debian.org/tracker/CVE-2008-3217">CVE-2008-3217</a>)Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1432-1 link-grammar - buffer overflowDebian GNU/Linux 4.0link-grammarAlin Rad Pop discovered that link-grammar, Carnegie Mellon University's link grammar parser for English, performed insufficient validation within its tokenizer, which could allow a malicious input file to execute arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1633-1 slash - multiple vulnerabilitiesDebian GNU/Linux 4.0slashIt has been discovered that Slash, the Slashdot Like Automated Storytelling Homepage suffers from two vulnerabilities related to insufficient input sanitation, leading to execution of SQL commands (<a href="http://security-tracker.debian.org/tracker/CVE-2008-2231">CVE-2008-2231</a>) and cross-site scripting (<a href="http://security-tracker.debian.org/tracker/CVE-2008-2553">CVE-2008-2553</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1599-1 dbusDebian GNU/Linux 4.0dbusHavoc Pennington discovered that DBus, a simple interprocess messaging system, performs insufficient validation of security policies, which might allow local privilege escalation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1339-1 iceape - severalDebian GNU/Linux 4.0iceapeSeveral remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite.Sergey ArtykhovDRAFTINTERIMACCEPTEDACCEPTEDDSA-1303-1 lighttpd - denial of serviceDebian GNU/Linux 4.0lighttpdTwo problems were discovered with lighttpd, a fast webserver with minimal memory footprint, which could allow denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1317-1 tinymuxDebian GNU/Linux 4.0tinymuxDuskwave discovered that tinymux, a text-based multi-user virtual world server, performs insufficient boundary checks when working with user-supplied data, which might lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1327-1 gsambad - insecure temporary filesDebian GNU/Linux 4.0gsambadSteve Kemp from the Debian Security Audit project discovered that gsambad, a GTK+ configuration tool for samba, uses temporary files in an unsafe manner which may be exploited to truncate arbitrary files from the local system.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1305-1 icedove - several vulnerabilitiesDebian GNU/Linux 4.0icedoveSeveral remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1418-1 cacti - SQL injectionDebian GNU/Linux 4.0cactiIt was discovered that Cacti, a tool to monitor systems and networks, performs insufficient input sanitising, which allows SQL injection.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1561-1 ltsp - information disclosureDebian GNU/Linux 4.0ltspChristian Herzog discovered that within the Linux Terminal Server Project, it was possible to connect to X on any LTSP client from any host on the network, making client windows and keystrokes visible to that host.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1655-1 linux-2.6.24 - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, privilege escalation or a leak of sensitive data.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1618-1 ruby1.9 - several vulnerabilitiesDebian GNU/Linux 4.0ruby1.9Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1456-1 fail2banDebian GNU/Linux 4.0fail2banDaniel B. Cid discovered that fail2ban, a tool to block IP addresses that cause login failures, is too liberal about parsing SSH log files, allowing an attacker to block any IP address.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1277-1 xmms - severalDebian GNU/Linux 4.0xmmsMultiple errors have been found in the skin handling routines in xmms, the X Multimedia System. These vulnerabilities could allow an attacker to run arbitrary code as the user running xmms by inducing the victim to load specially crafted interface skin files.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1651-1 ruby1.8 - several vulnerabilitiesDebian GNU/Linux 4.0ruby1.8Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1462-1 hplip - missing input sanitisingDebian GNU/Linux 4.0hplipKees Cook discovered that the hpssd tool of the HP Linux Printing and Imaging System (HPLIP) performs insufficient input sanitising of shell meta characters, which may result in local privilege escalation to the hplip user.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1531-2 policyd-weight - insecure temporary filesDebian GNU/Linux 4.0policyd-weightChris Howells discovered that policyd-weight, a policy daemon for the Postfix mail transport agent, created its socket in an insecure way, which may be exploited to overwrite or remove arbitrary files from the local system.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1519-1 horde3 - information disclosureDebian GNU/Linux 4.0horde3It was discovered that the Horde web application framework permits arbitrary file inclusion by a remote attacker through the <code>theme</code> preference parameter.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1446-1 wireshark denial of serviceDebian GNU/Linux 4.0wiresharkSeveral remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1579-1 netpbm-free - arbitrary code executionDebian GNU/Linux 4.0netpbm-freeA vulnerability was discovered in the GIF reader implementation in netpbm-free, a suite of image manipulation utilities. Insufficient input data validation could allow a maliciously-crafted GIF file to overrun a stack buffer, potentially permitting the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1535-1 iceweaselDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1597-1 mt-daapd - several vulnerabilitiesDebian GNU/Linux 4.0mt-daapdThree vulnerabilities have been discovered in the mt-daapd DAAP audio server (also known as the Firefly Media Server).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1585-1 speex - integer overflowDebian GNU/Linux 4.0speexIt was discovered that speex, the Speex codec command line tools, did not correctly deal with negative offsets in a particular header field. This could allow a malicious file to execute arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1653-1 fai-kernels linux-2.6 user-mode-linux - several vulnerabilitiesDebian GNU/Linux 4.0fai-kernelslinux-2.6user-mode-linuxSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1524-1 krb5 - multiple vulnerabilitiesDebian GNU/Linux 4.0krb5Several remote vulnerabilities have been discovered in the kdc component of the krb5, a system for authenticating users and services on a network.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1295-1 php5Debian GNU/Linux 4.0php5Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1607-1 iceweasel - several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1661-1 openoffice.org - several vulnerabilitiesDebian GNU/Linux 4.0openoffice.orgSeveral vulnerabilities have been discovered in the OpenOffice.org office suite.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1622-1 newsx - arbitrary code executionDebian GNU/Linux 4.0newsxIt was discovered that newsx, an NNTP news exchange utility, was affected by a buffer overflow allowing remote attackers to execute arbitrary code via a news article containing a large number of lines starting with a period.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1639-1 twiki - command executionDebian GNU/Linux 4.0twikiIt was discovered that twiki, a web based collaboration platform, didn't properly sanitise the image parameter in its configuration script. This could allow remote users to execute arbitrary commands upon the system, or read any files which were readable by the webserver user.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1629-2 postfix - privilege escalationDebian GNU/Linux 4.0postfixSebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1659-1 libspf2 - potential remote code executionDebian GNU/Linux 4.0libspf2Dan Kaminsky discovered that libspf2, an implementation of the Sender Policy Framework (SPF) used by mail servers for mail filtering, handles malformed TXT records incorrectly, leading to a buffer overflow condition (<a href="http://security-tracker.debian.org/tracker/CVE-2008-2469">CVE-2008-2469</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1484-1 xulrunner - several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1408-1 kdegraphics - buffer overflow with arbitrary code executionDebian GNU/Linux 4.0kdegraphicsAlin Rad Pop discovered a buffer overflow in kpdf, which could allow the execution of arbitrary code if a malformed PDF file is displayed.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1643-1 feta - denial of serviceDebian GNU/Linux 4.0fetaDmitry E. Oboukhov discovered that the "to-upgrade" plugin of Feta, a simpler interface to APT, dpkg, and other Debian package tools creates temporary files insecurely, which may lead to local denial of service through symlink attacks.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1645-1 lighttpd - various problemsDebian GNU/Linux 4.0lighttpdSeveral local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1351-1 bochs - buffer overflowDebian GNU/Linux 4.0bochsTavis Ormandy discovered that bochs, a highly portable IA-32 PC emulator, is vulnerable to a buffer overflow in the emulated NE2000 network device driver, which may lead to privilege escalation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1591-1 libvorbis - several vulnerabilitiesDebian GNU/Linux 4.0libvorbisSeveral local (remote) vulnerabilities have been discovered in libvorbis, a library for the Vorbis general-purpose compressed audio codec.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1466-2 libxfont xfree86 xorg-server - several vulnerabilitiesDebian GNU/Linux 4.0xorg-serverThe X.org fix for <a href="http://security-tracker.debian.org/tracker/CVE-2007-6429">CVE-2007-6429</a> introduced a regression in the MIT-SHM extension, which prevented the start of a few applications. This update provides updated packages for the xfree86 version included in Debian old stable (sarge) in addition to the fixed packages for Debian stable (etch), which were provided in DSA 1466-2.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-2003-1 linux-2.6 - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6NOTE: This kernel update marks the final planned kernel security update for the 2.6.18 kernel in the Debian release 'etch'. Although security support for 'etch' officially ended on Feburary 15th, 2010, this update was already in preparation before that date. A final update that includes fixes for these issues in the 2.6.24 kernel is also in preparation and will be released shortly.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1569-1 cacti - multiple vulnerabilitiesDebian GNU/Linux 4.0cactiIt was discovered that Cacti, a systems and services monitoring frontend, performed insufficient input sanitising, leading to cross site scripting and SQL injection being possible.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1388-1 dhcpDebian GNU/Linux 4.0dhcpThe patch used to correct the DHCP server buffer overflow in DSA-1388-1 was incomplete and did not adequately resolve the problem. This update to the previous advisory makes updated packages based on a newer version of the patch available.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1345-1 xulrunnerDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1647-1 php5 - several vulnerabilitiesDebian GNU/Linux 4.0php5Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1546-1 gnumericDebian GNU/Linux 4.0gnumericThilo Pfennig and Morten Welinder discovered several integer overflow weaknesses in Gnumeric, a GNOME spreadsheet application. These vulnerabilities could result in the execution of arbitrary code through the opening of a maliciously crafted Excel spreadsheet.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1985-1 sendmail - insufficient input validationDebian GNU/Linux 4.0Debian GNU/Linux 5.0sendmailIt was discovered that sendmail, a Mail Transport Agent, does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1943-1 openldap openldap2.3 - SSL certificateDebian GNU/Linux 4.0Debian GNU/Linux 5.0openldap2.3openldapIt was discovered that OpenLDAP, a free implementation of the Lightweight Directory Access Protocol, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1679-1 awstats - cross-site scriptingDebian GNU/Linux 4.0awstatsMorgan Todd discovered a cross-site scripting vulnerability in awstats, a log file analyzer, involving the "config" request parameter (and possibly others; <a href="http://security-tracker.debian.org/tracker/CVE-2008-3714">CVE-2008-3714</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1601-1 wordpress - several vulnerabilitiesDebian GNU/Linux 4.0wordpressSeveral remote vulnerabilities have been discovered in Wordpress, the weblog manager.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1657-1 qemu - denial of serviceDebian GNU/Linux 4.0qemuDmitry E. Oboukhov discovered that the qemu-make-debian-root script in qemu, fast processor emulator, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1377-2 fetchmail - null pointer dereferenceDebian GNU/Linux 4.0fetchmailMatthias Andree discovered that fetchmail, an SSL enabled POP3, APOP and IMAP mail gatherer/forwarder, can under certain circumstances attempt to dereference a NULL pointer and crash.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1571-1 openssl - predictable random number generatorDebian GNU/Linux 4.0opensslLuciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (<a href="http://security-tracker.debian.org/tracker/CVE-2008-0166">CVE-2008-0166</a>). As a result, cryptographic key material may be guessable.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1399-1 pcre3 - arbitrary code executionDebian GNU/Linux 4.0pcre3Tavis Ormandy of the Google Security Team has discovered several security issues in PCRE, the Perl-Compatible Regular Expression library, which potentially allow attackers to execute arbitrary code by compiling specially crafted regular expressions.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1440-1 inotify-toolsDebian GNU/Linux 4.0inotify-toolsIt was discovered that a buffer overflow in the filename processing of the inotify-tools, a command-line interface to inotify, may lead to the execution of arbitrary code. This only affects the internal library and none of the frontend tools shipped in Debian.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1717-1 devil - buffer overflowDebian GNU/Linux 4.0devilStefan Cornelius discovered a buffer overflow in devil, a cross-platform image loading and manipulation toolkit, which could be triggered via a crafted Radiance RGBE file. This could potentially lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1538-1 alsaplayer - arbitrary code executionDebian GNU/Linux 4.0alsaplayerErik Sjölund discovered a buffer overflow vulnerability in the Ogg Vorbis input plugin of the alsaplayer audio playback application. Successful exploitation of this vulnerability through the opening of a maliciously crafted Vorbis file could lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1281-1 clamav - several vulnerabilitiesDebian GNU/Linux 4.0clamavSeveral remote vulnerabilities have been discovered in the Clam anti-virus toolkit.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1347-1 xpdfDebian GNU/Linux 4.0xpdfIt was discovered that an integer overflow in the xpdf PDF viewer may lead to the execution of arbitrary code if a malformed PDF file is opened.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1359-1 dovecot - directory traversalDebian GNU/Linux 4.0dovecotIt was discovered that dovecot, a secure mail server that supports mbox and maildir mailboxes, when configured to use non-system-user spools and compressed folders, may allow directory traversal in mailbox names.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1409-2 samba - several vulnerabilitiesDebian GNU/Linux 4.0sambaThis update fixes all currently known regressions introduced with the previous two revisions of DSA-1409. The original text is reproduced below.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1612-1 ruby1.8 - several vulnerabilitiesDebian GNU/Linux 4.0ruby1.8Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1526-1 xwineDebian GNU/Linux 4.0xwineSteve Kemp from the Debian Security Audit project discovered several local vulnerabilities in xwine, a graphical user interface for the WINE emulator.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1444-1 php5 several issuesDebian GNU/Linux 4.0php5It was discovered that the patch for <a href="http://security-tracker.debian.org/tracker/CVE-2007-4659">CVE-2007-4659</a> could lead to regressions in some scenarios. The fix has been reverted for now, a revised update will be provided in a future PHP DSA.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1517-1 ldapscripts - information disclosureDebian GNU/Linux 4.0ldapscriptsDon Armstrong discovered that ldapscripts, a suite of tools to manipulate user accounts in LDAP, sends the password as a command line argument when calling LDAP programs, which may allow a local attacker to read this password from the process listing.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1673-1 wireshark - several vulnerabilitiesDebian GNU/Linux 4.0wiresharkSeveral remote vulnerabilities have been discovered in network traffic analyzer Wireshark.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1480-1 poppler - several vulnerabilitiesDebian GNU/Linux 4.0popplerAlin Rad Pop discovered several buffer overflows in the Poppler PDF library, which could allow the execution of arbitrary code if a malformed PDF file is opened.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1620-1 python2.5 - several vulnerabilitiesDebian GNU/Linux 4.0python2.5Several vulnerabilities have been discovered in the interpreter for the Python language.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1550-1 suphpDebian GNU/Linux 4.0suphpIt was discovered that suphp, an Apache module to run PHP scripts with owner permissions handles symlinks insecurely, which may lead to privilege escalation by local users.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1428-1 fai-kernels linux-2.6 user-mode-linux - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6fai-kernelsuser-mode-linuxSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1783-1 mysql-dfsg-5.0 - several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 5.0mysql-dfsg-5.0Multiple vulnerabilities have been identified affecting MySQL, a relational database server, and its associated interactive client application.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1554-1 roundup - cross-site scripting vulnerabilityDebian GNU/Linux 4.0roundupRoundup, an issue tracking system, fails to properly escape HTML input, allowing an attacker to inject client-side code (typically JavaScript) into a document that may be viewed in the victim's browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1893-1 cyrus-imapd-2.2 kolab-cyrus-imapd - arbitrary code executionDebian GNU/Linux 4.0Debian GNU/Linux 5.0cyrus-imapd-2.2kolab-cyrus-imapdIt was discovered that the SIEVE component of cyrus-imapd and kolab-cyrus-imapd, the Cyrus mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. The update introduced by <a href="../../security/2009/dsa-1881">DSA 1881-1</a> was incomplete and the issue has been given an additional CVE id due to its complexity.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1567-1 blender - arbitrary code executionDebian GNU/Linux 4.0blenderStefan Cornelius discovered a vulnerability in the Radiance High Dynamic Range (HDR) image parser in Blender, a 3D modelling application. The weakness could enable a stack-based buffer overflow and the execution of arbitrary code if a maliciously-crafted HDR file is opened, or if a directory containing such a file is browsed via Blender's image-open dialog.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1490-1 tk8.3 - arbitrary code executionDebian GNU/Linux 4.0tk8.3It was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to a denial of service and potentially the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1935-1 gnutls13 gnutls26 - SSL certificateDebian GNU/Linux 4.0Debian GNU/Linux 5.0gnutls13gnutls26Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of the TLS/SSL protocol, does not properly handle a '\0' character in a domain name in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. (<a href="http://security-tracker.debian.org/tracker/CVE-2009-2730">CVE-2009-2730</a>)Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1533-1 exiftagsDebian GNU/Linux 4.0exiftagsChristian Schmid and Meder Kydyraliev (Google Security) discovered a number of vulnerabilities in exiftags, a utility for extracting EXIF metadata from JPEG images.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1460-1 postgresql-8.1 - severalDebian GNU/Linux 4.0postgresql-8.1Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1492-1 wmlDebian GNU/Linux 4.0wmlFrank Lichtenheld and Nico Golde discovered that WML, an off-line HTML generation toolkit, creates insecure temporary files in the eperl and ipp backends and in the wmg.cgi script, which could lead to a local denial of service by overwriting files.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1671-1 iceweasel - several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel webbrowser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1528-1 serendipity - cross site scriptingDebian GNU/Linux 4.0serendipityPeter Hüwe and Hanno Böck discovered that Serendipity, a weblog manager, did not properly sanitise input to several scripts which allowed cross site scripting.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1677-1 cupsys - arbitrary code executionDebian GNU/Linux 4.0cupsysAn integer overflow has been discovered in the image validation code of cupsys, the Common UNIX Printing System. An attacker could trigger this bug by supplying a malicious graphic that could lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1464-1 syslog-ng - denial of serviceDebian GNU/Linux 4.0syslog-ngOriol Carreras discovered that syslog-ng, a next generation logging daemon can be tricked into dereferencing a NULL pointer through malformed timestamps, which can lead to denial of service and the disguise of an subsequent attack, which would otherwise be logged.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1626-1 httrack - arbitrary code executionDebian GNU/Linux 4.0httrackJoan Calvet discovered that httrack, a utility to create local copies of websites, is vulnerable to a buffer overflow potentially allowing to execute arbitrary code when passed excessively long URLs.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1573-1 rdesktop - several vulnerabilitiesDebian GNU/Linux 4.0rdesktopSeveral remote vulnerabilities have been discovered in rdesktop, a Remote Desktop Protocol client.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1595-1 xorg-server - several vulnerabilitiesDebian GNU/Linux 4.0xorg-serverSeveral local vulnerabilities have been discovered in the X Window system.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1665-1 libcdaudio - heap overflowDebian GNU/Linux 4.0libcdaudioIt was discovered that a heap overflow in the CDDB retrieval code of libcdaudio, a library for controlling a CD-ROM when playing audio CDs, may result in the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1575-1 linux-2.6 - denial of serviceDebian GNU/Linux 4.0linux-2.6A vulnerability has been discovered in the Linux kernel that may lead to a denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1285-1 wordpressDebian GNU/Linux 4.0wordpressCross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1733-1 vim - multiple vulnerabilitiesDebian GNU/Linux 4.0vimSeveral vulnerabilities have been found in vim, an enhanced vi editor.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1365-3 id3lib3.8.3 - denial of serviceDebian GNU/Linux 4.0id3lib3.8.3Nikolaus Schulz discovered that a programming error in id3lib, an ID3 Tag Library, may lead to denial of service through symlink attacks.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1422-1 e2fsprogs - arbitrary code executionDebian GNU/Linux 4.0e2fsprogsRafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs, the ext2 file system utilities and libraries, contained multiple integer overflows in memory allocations, based on sizes taken directly from filesystem information. These could result in heap-based overflows potentially allowing the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1458-1 openafsDebian GNU/Linux 4.0openafsA race condition in the OpenAFS fileserver allows remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks, which causes the handler for the GiveUpAllCallBacks RPC to perform linked-list operations without the host_glock lock.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1502-1 wordpress - multiple vulnerabilitiesDebian GNU/Linux 4.0wordpressSeveral remote vulnerabilities have been discovered in wordpress, a weblog manager.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1510-1 gs-esp gs-gpl - arbitrary code executionDebian GNU/Linux 4.0gs-espgs-gplChris Evans discovered a buffer overflow in the color space handling code of the Ghostscript PostScript/PDF interpreter, which might result in the execution of arbitrary code if a user is tricked into processing a malformed file.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1997-1 mysql-dfsg-5.0 - several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 5.0mysql-dfsg-5.0Several vulnerabilities have been discovered in the MySQL database server.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1506-1 iceape - several vulnerabilitiesDebian GNU/Linux 4.0iceapeSeveral remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1556-2 perl - denial of serviceDebian GNU/Linux 4.0perlIt has been discovered that the Perl interpreter may encounter a buffer overflow condition when compiling certain regular expressions containing Unicode characters. This also happens if the offending characters are contained in a variable reference protected by the \Q...\E quoting construct. When encountering this condition, the Perl interpreter typically crashes, but arbitrary code execution cannot be ruled out.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1689-1 proftpd-dfsg - Cross-Site Request ForgeryDebian GNU/Linux 4.0proftpd-dfsgMaksymilian Arciemowicz of securityreason.com reported that ProFTPD is vulnerable to cross-site request forgery (CSRF) attacks and executes arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1683-1 streamripper - potential code executionDebian GNU/Linux 4.0streamripperMultiple buffer overflows involving HTTP header and playlist parsing have been discovered in streamripper (<a href="http://security-tracker.debian.org/tracker/CVE-2007-4337">CVE-2007-4337</a>, <a href="http://security-tracker.debian.org/tracker/CVE-2008-4829">CVE-2008-4829</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1609-1 lighttpd - multiple DOS issuesDebian GNU/Linux 4.0lighttpdSeveral local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1454-1 freetype - arbitrary code executionDebian GNU/Linux 4.0freetypeGreg MacManus discovered an integer overflow in the font handling of libfreetype, a FreeType 2 font engine, which might lead to denial of service or possibly the execution of arbitrary code if a user is tricked into opening a malformed font.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1691-1 moodle - several vulnerabilitiesDebian GNU/Linux 4.0moodleSeveral remote vulnerabilities have been discovered in Moodle, an online course management system. The following issues are addressed in this update, ranging from cross site scripting to remote code execution.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1438-1 tarDebian GNU/Linux 4.0tarSeveral vulnerabilities have been discovered in GNU Tar.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1291-2 sambaDebian GNU/Linux 4.0sambaSeveral issues have been identified in Samba, the SMB/CIFS file- and print-server implementation for GNU/Linux.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1563-1 asterisk - denial of serviceDebian GNU/Linux 4.0asteriskJoel R. Voss discovered that the IAX2 module of Asterisk, a free software PBX and telephony toolkit performs insufficient validation of IAX2 protocol messages, which may lead to denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1289-1 linux-2.6Debian GNU/Linux 4.0linux-2.6Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1405-1 zope-cmfplone - arbitrary codeDebian GNU/Linux 4.0zope-cmfploneIt was discovered that Plone, a web content management system, allows remote attackers to execute arbitrary code via specially crafted web browser cookies.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1577-1 gforge - insecure temporary filesDebian GNU/Linux 4.0gforgeStephen Gran and Mark Hymers discovered that some scripts run by GForge, a collaborative development tool, open files in write mode in a potentially insecure manner. This may be exploited to overwrite arbitrary files on the local system.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1474-1 exiv2 - arbitrary code executionDebian GNU/Linux 4.0exiv2Meder Kydyraliev discovered an integer overflow in the thumbnail handling of libexif, the EXIF/IPTC metadata manipulation library, which could result in the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1400-1 perl - arbitrary code executionDebian GNU/Linux 4.0perlWill Drewry and Tavis Ormandy of the Google Security Team have discovered a UTF-8 related heap overflow in Perl's regular expression compiler, probably allowing attackers to execute arbitrary code by compiling specially crafted regular expressions.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1637-1 git-core - buffer overflowDebian GNU/Linux 4.0git-coreMultiple vulnerabilities have been identified in git-core, the core of the git distributed revision control system. Improper path length limitations in git's diff and grep functions, in combination with maliciously crafted repositories or changes, could enable a stack buffer overflow and potentially the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1500-1 splitvt - privilege escalationDebian GNU/Linux 4.0splitvtMike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing <q>xprop</q>. This could allow any local user to gain the privileges of group utmp.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1515-1 libnet-dns-perl - several vulnerabilitiesDebian GNU/Linux 4.0libnet-dns-perlSeveral remote vulnerabilities have been discovered in libnet-dns-perl.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1581-1 gnutls13 - potential code executionDebian GNU/Linux 4.0gnutls13Several remote vulnerabilities have been discovered in GNUTLS, an implementation of the SSL/TLS protocol suite.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1540-1 lighttpdDebian GNU/Linux 4.0lighttpdIt was discovered that lighttpd, a fast webserver with minimal memory footprint, didn't correctly handle SSL errors. This could allow a remote attacker to disconnect all active SSL connections.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1589-1 libxslt - arbitrary code executionDebian GNU/Linux 4.0libxsltIt was discovered that libxslt, an XSLT processing runtime library, could be coerced into executing arbitrary code via a buffer overflow when an XSL style sheet file with a long XSLT "transformation match" condition triggered a large number of steps.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1337-1 xulrunnerDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1715-1 moin - insufficient input sanitisingDebian GNU/Linux 4.0moinIt was discovered that the AttachFile action in moin, a python clone of WikiWiki, is prone to cross-site scripting attacks (<a href="http://security-tracker.debian.org/tracker/CVE-2009-0260">CVE-2009-0260</a>). Another cross-site scripting vulnerability was discovered in the antispam feature (<a href="http://security-tracker.debian.org/tracker/CVE-2009-0312">CVE-2009-0312</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1450-1 util-linux privilege escalationDebian GNU/Linux 4.0util-linuxIt was discovered that util-linux, miscellaneous system utilities, didn't drop privileged user and group permissions in the correct order in the mount and umount commands. This could potentially allow a local user to gain additional privileges.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1687-1 fai-kernels linux-2.6 user-mode-linux - several vulnerabilitiesDebian GNU/Linux 4.0fai-kernelslinux-2.6user-mode-linuxSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1628-1 pdns - DNS spoofingDebian GNU/Linux 4.0pdnsBrian Dowling discovered that the PowerDNS authoritative name server does not respond to DNS queries which contain certain characters, increasing the risk of successful DNS spoofing (<a href="http://security-tracker.debian.org/tracker/CVE-2008-3337">CVE-2008-3337</a>). This update changes PowerDNS to respond with SERVFAIL responses instead.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1343-1 fileDebian GNU/Linux 4.0fileColin Percival discovered an integer overflow in file, a file type classification tool, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1508-1 sword - arbirary shell command executionDebian GNU/Linux 4.0swordDan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitising of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1593-1 tomcat5.5Debian GNU/Linux 4.0tomcat5.5It was discovered that the Host Manager web application performed insufficient input sanitising, which could lead to cross-site scripting.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1357-1 koffice - integer overflowDebian GNU/Linux 4.0kofficeIt was discovered that an integer overflow in the xpdf PDF viewer may lead to the execution of arbitrary code if a malformed PDF file is opened.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1482-1 squid - programming errorDebian GNU/Linux 4.0squidIt was discovered that malformed cache update replies against the Squid WWW proxy cache could lead to the exhaustion of system memory, resulting in potential denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1415-1 tk8.4 - buffer overflowDebian GNU/Linux 4.0tk8.4It was discovered that Tk, a cross-platform graphical toolkit for Tcl, performs insufficient input validation in the code used to load GIF images, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1365-1 id3lib3.8.3Debian GNU/Linux 4.0id3lib3.8.3Nikolaus Schulz discovered that a programming error in id3lib, an ID3 Tag Library, may lead to denial of service through symlink attacks.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1663-1 net-snmp - several vulnerabilitiesDebian GNU/Linux 4.0net-snmpSeveral vulnerabilities have been discovered in NET SNMP, a suite of Simple Network Management Protocol applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1283-1 php5Debian GNU/Linux 4.0php5Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1478-1 mysql-dfsg-5.0 - buffer overflowsDebian GNU/Linux 4.0mysql-dfsg-5.0Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL implementation included in the MySQL database package, which could lead to denial of service and possibly the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1681-1 linux-2.6.24 - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1906-1 clamav - end-of-life announcementDebian GNU/Linux 4.0Debian GNU/Linux 5.0clamavSecurity support for clamav, an anti-virus utility for Unix, has been discontinued for the stable distribution (lenny) and the oldstable distribution (etch). Clamav Upstream has stopped supporting the releases in etch and lenny. Also, it is not easily possible to receive signature updates for the virus scanner with our released versions anymore.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1534-2 iceape - regressionDebian GNU/Linux 4.0iceapeSeveral remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1603-1 bind9 - cache poisoningDebian GNU/Linux 4.0bind9Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1649-1 iceweasel - several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1685-1 uw-imap - multiple vulnerabilitiesDebian GNU/Linux 4.0uw-imapTwo vulnerabilities have been found in uw-imap, an IMAP implementation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1614-1 iceweasel - several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1669-1 xulrunner - several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1583-1 gnome-peercast - several vulnerabilitiesDebian GNU/Linux 4.0gnome-peercastSeveral remote vulnerabilities have been discovered in GNOME PeerCast, the GNOME interface to PeerCast, a P2P audio and video streaming server.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1699-1 zaptel - privilege escalationDebian GNU/Linux 4.0zaptelAn array index error in zaptel, a set of drivers for telephony hardware, could allow users to crash the system or escalate their privileges by overwriting kernel memory (<a href="http://security-tracker.debian.org/tracker/CVE-2008-5396">CVE-2008-5396</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDACCEPTEDDSA-1559-1 phpgedview - cross site scriptingDebian GNU/Linux 4.0phpgedviewIt was discovered that phpGedView, an application to provide online access to genealogical data, performed insufficient input sanitising on some parameters, making it vulnerable to cross site scripting.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1430-1 libnss-ldap - information disclosureDebian GNU/Linux 4.0libnss-ldapIt was reported that a race condition exists in libnss-ldap, an NSS module for using LDAP as a naming service, which could cause denial of service attacks if applications use pthreads.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1494-1 linux-2.6 - privilege escalationDebian GNU/Linux 4.0linux-2.6The vmsplice system call did not properly verify address arguments passed by user space processes, which allowed local attackers to overwrite arbitrary kernel memory, gaining root privileges (<a href="http://security-tracker.debian.org/tracker/CVE-2008-0010">CVE-2008-0010</a>, <a href="http://security-tracker.debian.org/tracker/CVE-2008-0600">CVE-2008-0600</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDACCEPTEDDSA-1693-1 phppgadmin - several vulnerabilitiesDebian GNU/Linux 4.0phppgadminSeveral remote vulnerabilities have been discovered in phpPgAdmin, a tool to administrate PostgreSQL database over the web.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1486-1 gnatsweb - cross-site scriptingDebian GNU/Linux 4.0gnatsweb<q>r0t</q> discovered that gnatsweb, a web interface to GNU GNATS, did not correctly sanitise the database parameter in the main CGI script. This could allow the injection of arbitrary HTML, or JavaScript code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1984-1 libxerces2-java - denial of serviceDebian GNU/Linux 4.0Debian GNU/Linux 5.0libxerces2-javaIt was discovered that libxerces2-java, a validating XML parser for Java, does not properly process malformed XML files. This vulnerability could allow an attacker to cause a denial of service while parsing a malformed XML file.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1565-1 linux-2.6 - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1675-1 phpmyadmin - cross site scriptingDebian GNU/Linux 4.0phpmyadminMasako Oono discovered that phpMyAdmin, a web-based administration interface for MySQL, insufficiently sanitises input allowing a remote attacker to gather sensitive data through cross site scripting, provided that the user uses the Internet Explorer web browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1392-1 xulrunner - several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1631-1 libxml2 - denial of serviceDebian GNU/Linux 4.0libxml2Andreas Solberg discovered that libxml2, the GNOME XML library, could be forced to recursively evaluate entities, until available CPU and memory resources were exhausted.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1335-1 gimpDebian GNU/Linux 4.0gimpSeveral remote vulnerabilities have been discovered in Gimp, the GNU Image Manipulation Program, which might lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1472-1 xine-lib - buffer overflowDebian GNU/Linux 4.0xine-libLuigi Auriemma discovered that the Xine media player library performed insufficient input sanitising during the handling of RTSP streams, which could lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDACCEPTEDDSA-2005-1 linux-2.6.24 - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6.24NOTE: This kernel update marks the final planned kernel security update for the 2.6.24 kernel in the Debian release 'etch'. Although security support for 'etch' officially ended on Feburary 15th, 2010, this update was already in preparation before that date.Sergey ArtykhovDRAFTINTERIMACCEPTEDACCEPTEDDSA-1544-2 pdns-recursor - predictable randomnessDebian GNU/Linux 4.0pdns-recursorAmit Klein discovered that pdns-recursor, a caching DNS resolver, uses a weak random number generator to create DNS transaction IDs and UDP source port numbers. As a result, cache poisoning attacks were simplified. (<a href="http://security-tracker.debian.org/tracker/CVE-2008-1637">CVE-2008-1637</a> and <a href="http://security-tracker.debian.org/tracker/CVE-2008-3217">CVE-2008-3217</a>)Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1452-1 wzdftpd denial of serviceDebian GNU/Linux 4.0wzdftpd<q>k1tk4t</q> discovered that wzdftpd, a portable, modular, small and efficient ftp server, did not correctly handle the receipt of long usernames. This could allow remote users to cause the daemon to exit.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1903-1 graphicsmagick - severalDebian GNU/Linux 4.0Debian GNU/Linux 5.0graphicsmagickSeveral vulnerabilities have been discovered in graphicsmagick, a collection of image processing tool, which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1635-1 freetype - multiple vulnerabilitiesDebian GNU/Linux 4.0freetypeSeveral local vulnerabilities have been discovered in freetype, a FreeType 2 font engine, which could allow the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1552-1 mplayer - arbitrary code executionDebian GNU/Linux 4.0mplayerIt was discovered that the MPlayer movie player performs insufficient input sanitising on SDP session data, leading to potential execution of arbitrary code through a malformed multimedia stream.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1641-1 phpmyadmin - several issuesDebian GNU/Linux 4.0phpmyadminSeveral remote vulnerabilities have been discovered in phpMyAdmin, a tool to administrate MySQL databases over the web.Sergey ArtykhovDRAFTINTERIMACCEPTEDACCEPTEDDSA-1667-1 python2.4 - several vulnerabilitiesDebian GNU/Linux 4.0python2.4Several vulnerabilities have been discovered in the interpreter for the Python language.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1834-1 apache2 apache2-mpm-itk - denial of serviceDebian GNU/Linux 4.0Debian GNU/Linux 5.0apache2A denial of service flaw was found in the Apache mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time. This issue did not affect Debian 4.0 "etch".Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1338-1 iceweaselDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1328-1 unicon - buffer overflowDebian GNU/Linux 4.0uniconSteve Kemp from the Debian Security Audit project discovered that unicon-imc2, a Chinese input method library, makes unsafe use of an environmental variable, which may be exploited to execute arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1288-1 pptpdDebian GNU/Linux 4.0pptpdIt was discovered that the PoPToP Point to Point Tunneling Server contains a programming error, which allows the tear-down of a PPTP connection through a malformed GRE packet, resulting in denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1332-1 vlcDebian GNU/Linux 4.0vlcSeveral remote vulnerabilities have been discovered in the VideoLan multimedia player and streamer, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1274-1 file - buffer overflowDebian GNU/Linux 4.0fileAn integer underflow bug has been found in the file_printf function in file, a tool to determine file types based analysis of file content. The bug could allow an attacker to execute arbitrary code by inducing a local user to examine a specially crafted file that triggers a buffer overflow.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1308-1 iceweasel - several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1342-1 xfsDebian GNU/Linux 4.0xfsIt was discovered that a race condition in the init.d script of the X Font Server allows the modification of file permissions of arbitrary files if the local administrator can be tricked into restarting the X font server.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1318-1 ekgDebian GNU/Linux 4.0ekgSeveral remote vulnerabilities have been discovered in ekg, a console Gadu Gadu client.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1298-1 otrs2Debian GNU/Linux 4.0otrs2It was discovered that the Open Ticket Request System performs insufficient input sanitising for the Subaction parameter, which allows the injection of arbitrary web script code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1306-1 xulrunnerDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1360-1 rsync - arbitrary code executionDebian GNU/Linux 4.0rsyncSebastian Krahmer discovered that rsync, a fast remote file copy program, contains an off-by-one error which might allow remote attackers to execute arbitrary code via long directory names.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1286-1 linux-2.6Debian GNU/Linux 4.0linux-2.6Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1282-1 php4Debian GNU/Linux 4.0php4Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1356-1 linux-2.6 - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1276-1 krb5 - several vulnerabilitiesDebian GNU/Linux 4.0krb5Several remote vulnerabilities have been discovered in the MIT reference implementation of the Kerberos network authentication protocol suite, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1268-1 libwpd - integer overflowDebian GNU/Linux 4.0libwpdiDefense reported several integer overflow bugs in libwpd, a library for handling WordPerfect documents. Attackers were able to exploit these with carefully crafted Word Perfect files that could cause an application linked with libwpd to crash or possibly execute arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1314-1 open-iscsiDebian GNU/Linux 4.0open-iscsiSeveral local and remote vulnerabilities have been discovered in open-iscsi, a transport-independent iSCSI implementation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1344-1 iceweaselDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1324-1 hikiDebian GNU/Linux 4.0hikiKazuhiro Nishiyama found a vulnerability in hiki, a Wiki engine written in Ruby, which could allow a remote attacker to delete arbitrary files which are writable to the Hiki user, via a specially crafted session parameter.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1300-1 iceapeDebian GNU/Linux 4.0iceapeSeveral remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1310-1 libexifDebian GNU/Linux 4.0libexifA vulnerability has been discovered in libexif, a library to parse EXIF files, which allows denial of service and possible execution of arbitrary code via malformed EXIF data.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1511-1 icu - multiple problemsDebian GNU/Linux 4.0icuSeveral local vulnerabilities have been discovered in libicu, International Components for Unicode,Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1443-1 tcpreen buffer overflowsDebian GNU/Linux 4.0tcpreenIt was discovered that several buffer overflows in tcpreen, a tool for monitoring a TCP connection, may lead to denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1479-1 linux-2.6Debian GNU/Linux 4.0linux-2.6Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1423-1 sitebar - several vulnerabilitiesDebian GNU/Linux 4.0sitebarSeveral remote vulnerabilities have been discovered in sitebar, a web based bookmark manager written in PHP.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1455-1 libarchiveDebian GNU/Linux 4.0libarchiveSeveral local/remote vulnerabilities have been discovered in libarchive1, a single library to read/write tar, cpio, pax, zip, iso9660 archives.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1493-1 sdl-image1.2Debian GNU/Linux 4.0sdl-image1.2Several local/remote vulnerabilities have been discovered in the image loading library for the Simple DirectMedia Layer 1.2.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1445-1 maradns denial of serviceDebian GNU/Linux 4.0maradnsMichael Krieger and Sam Trenholme discovered a programming error in MaraDNS, a simple security-aware Domain Name Service server, which might lead to denial of service through malformed DNS packets.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1499-1 pcre3 - arbitrary code executionDebian GNU/Linux 4.0pcre3It was discovered that specially crafted regular expressions involving codepoints greater than 255 could cause a buffer overflow in the PCRE library (<a href="http://security-tracker.debian.org/tracker/CVE-2008-0674">CVE-2008-0674</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1374-1 jffnms - several vulnerabilitiesDebian GNU/Linux 4.0jffnmsSeveral vulnerabilities have been discovered in jffnms, a web-based Network Management System for IP networks.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1532-1 xulrunnerDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1570-1 kazehakase - execution of arbitrary codeDebian GNU/Linux 4.0kazehakaseAndrews Salomon reported that kazehakase, a GTK+-based web browser that allows pluggable rendering engines, contained an embedded copy of the PCRE library in its source tree which was compiled in and used in preference to the system-wide version of this library.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1421-1 wesnoth - directory traversalDebian GNU/Linux 4.0wesnothA vulnerability has been discovered in Battle for Wesnoth that allows remote attackers to read arbitrary files the user running the client has access to on the machine running the game client.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1656-1 cupsys - several vulnerabilitiesDebian GNU/Linux 4.0cupsysSeveral local vulnerabilities have been discovered in the Common UNIX Printing System.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1580-1 phpgedview - privilege escalationDebian GNU/Linux 4.0phpgedviewIt was discovered that phpGedView, an application to provide online access to genealogical data, allowed remote attackers to gain administrator privileges due to a programming error.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1610-1 gaim - execution of arbitrary codeDebian GNU/Linux 4.0gaimIt was discovered that gaim, an multi-protocol instant messaging client, was vulnerable to several integer overflows in its MSN protocol handlers. These could allow a remote attacker to execute arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1407-1 cupsys - buffer overflow with arbitrary code executionDebian GNU/Linux 4.0cupsysAlin Rad Pop discovered that the Common UNIX Printing System is vulnerable to an off-by-one buffer overflow in the code to process IPP packets, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1441-1 peercastDebian GNU/Linux 4.0peercastLuigi Auriemma discovered that PeerCast, a P2P audio and video streaming server, is vulnerable to a heap overflow in the HTTP server code, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SOURCE request.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1507-1 turba2Debian GNU/Linux 4.0turba2Peter Paul Elfferich discovered that turba2, a contact management component for horde framework, did not correctly check access rights before allowing users to edit addresses. This could result in valid users being able to alter private address records.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1646-2 squid - array bounds checkDebian GNU/Linux 4.0squidA weakness has been discovered in squid, a caching proxy server. The flaw was introduced upstream in response to <a href="http://security-tracker.debian.org/tracker/CVE-2007-6239">CVE-2007-6239</a>, and announced by Debian in <a href="dsa-1482">DSA-1482-1</a>. The flaw involves an over-aggressive bounds check on an array resize, and could be exploited by an authorised client to induce a denial of service condition against squid.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1594-1 imlib2Debian GNU/Linux 4.0imlib2Stefan Cornelius discovered two buffer overflows in Imlib's - a powerful image loading and rendering library - image loaders for PNM and XPM images, which may result in the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1547-1 openoffice.orgDebian GNU/Linux 4.0openoffice.orgSeveral security related problems have been discovered in OpenOffice.org, the free office suite.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1534-1 iceapeDebian GNU/Linux 4.0iceapeSeveral remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1409-1 samba - several vulnerabilitiesDebian GNU/Linux 4.0sambaThis update fixes all currently known regressions introduced with the previous two revisions of DSA-1409. The original text is reproduced below:Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1320-1 clamavDebian GNU/Linux 4.0clamavSeveral remote vulnerabilities have been discovered in the Clam anti-virus toolkit.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1553-1 ikiwiki - cross-site request forgeryDebian GNU/Linux 4.0ikiwikiIt has been discovered that ikiwiki, a Wiki implementation, does not guard password and content changes against cross-site request forgery (CSRF) attacks.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1617-1 refpolicy - incompatible policyDebian GNU/Linux 4.0refpolicyIn DSA-1603-1, Debian released an update to the BIND 9 domain name server, which introduced UDP source port randomization to mitigate the threat of DNS cache poisoning attacks (identified by the Common Vulnerabilities and Exposures project as <a href="http://security-tracker.debian.org/tracker/CVE-2008-1447">CVE-2008-1447</a>). The fix, while correct, was incompatible with the version of SELinux Reference Policy shipped with Debian Etch, which did not permit a process running in the named_t domain to bind sockets to UDP ports other than the standard 'domain' port (53). The incompatibility affects both the 'targeted' and 'strict' policy packages supplied by this version of refpolicy.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1523-1 ikiwiki - cross-site scriptingDebian GNU/Linux 4.0ikiwikiJosh Triplett discovered that ikiwiki did not block Javascript in URLs, leading to cross-site scripting vulnerabilities (<a href="http://security-tracker.debian.org/tracker/CVE-2008-0808">CVE-2008-0808</a>, <a href="http://security-tracker.debian.org/tracker/CVE-2008-0809">CVE-2008-0809</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1590-1 samba - arbitrary code executionDebian GNU/Linux 4.0sambaAlin Rad Pop discovered that Samba contained a buffer overflow condition when processing certain responses received while acting as a client, leading to arbitrary code execution (<a href="http://security-tracker.debian.org/tracker/CVE-2008-1105">CVE-2008-1105</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1447-1 tomcat5.5 several vulnerabilitiesDebian GNU/Linux 4.0tomcat5.5Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1636-1 linux-2.6.24 - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or leak sensitive data.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1340-1 clamav - null pointer dereferenceDebian GNU/Linux 4.0clamavA NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1394-1 reprepro - authentication bypassDebian GNU/Linux 4.0repreproIt was discovered that reprepro, a tool to create a repository of Debian packages, only checks the validity of known signatures when updating from a remote site, and thus does not reject packages with only unknown signatures. This allows an attacker to bypass this authentication mechanism.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1549-1 clamavDebian GNU/Linux 4.0clamavSeveral remote vulnerabilities have been discovered in the Clam anti-virus toolkit.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1369-1 gforge - SQL injectionDebian GNU/Linux 4.0gforgeSumit I. Siddharth discovered that Gforge, a collaborative development tool performs insufficient input sanitising, which allows SQL injection.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1623-1 dnsmasq - cache poisoningDebian GNU/Linux 4.0dnsmasqDan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1562-1 iceape - arbitrary code executionDebian GNU/Linux 4.0iceapeIt was discovered that crashes in the JavaScript engine of Iceape, an unbranded version of the Seamonkey internet suite could potentially lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1509-1 koffice - multiple vulnerabilitiesDebian GNU/Linux 4.0kofficeSeveral vulnerabilities have been discovered in xpdf code that is embedded in koffice, an integrated office suite for KDE. These flaws could allow an attacker to execute arbitrary code by inducing the user to import a specially crafted PDF document.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1473-1 scponly - arbitrary code executionDebian GNU/Linux 4.0scponlyJoachim Breitner discovered that Subversion support in scponly is inherently insecure, allowing execution of arbitrary commands. Further investigation showed that rsync and Unison support suffer from similar issues. This set of issues has been assigned <a href="http://security-tracker.debian.org/tracker/CVE-2007-6350">CVE-2007-6350</a>.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1483-1 net-snmp - denial of serviceDebian GNU/Linux 4.0net-snmpThe SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1690-1 avahi - denial of serviceDebian GNU/Linux 4.0avahiTwo denial of service conditions were discovered in avahi, a Multicast DNS implementation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1404-1 gallery2 - privilege escalationDebian GNU/Linux 4.0gallery2Nicklous Roberts discovered that the Reupload module of Gallery 2, a web based photo management application, allowed unauthorised users to edit Gallery's data file.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1686-1 no-ip - arbitrary code executionDebian GNU/Linux 4.0no-ipA buffer overflow has been discovered in the HTTP parser of the No-IP.com Dynamic DNS update client, which may result in the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1471-1 libvorbis - several vulnerabilitiesDebian GNU/Linux 4.0libvorbisSeveral vulnerabilities were found in the Vorbis General Audio Compression Codec, which may lead to denial of service or the execution of arbitrary code, if a user is tricked into opening a malformed Ogg Audio file with an application linked against libvorbis.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1416-1 tk8.3 - buffer overflowDebian GNU/Linux 4.0tk8.3It was discovered that Tk, a cross-platform graphical toolkit for Tcl, performs insufficient input validation in the code used to load GIF images, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1648-1 mon - insecure temporary filesDebian GNU/Linux 4.0monDmitry E. Oboukhov discovered that the test.alert script used in one of the alert functions in mon, a system to monitor hosts or services and alert about problems, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1346-1 iceapeDebian GNU/Linux 4.0iceapeSeveral remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1395-1 xen-3.0 - insecure temporary filesDebian GNU/Linux 4.0xen-3.0Steve Kemp from the Debian Security Audit project discovered that xen-utils, a collection of XEN administrative tools, used temporary files insecurely within the xenmon tool allowing local users to truncate arbitrary files.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1592-1 linux-2.6 - overflow conditionsDebian GNU/Linux 4.0linux-2.6Two vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or arbitrary code execution.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1481-1 python-cherrypy - missing input sanitisingDebian GNU/Linux 4.0python-cherrypyIt was discovered that a directory traversal vulnerability in CherryPy, a pythonic, object-oriented web development framework, may lead to denial of service by deleting files through malicious session IDs in cookies.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1461-1 libxml2 - denial of serviceDebian GNU/Linux 4.0libxml2Brad Fitzpatrick discovered that the UTF-8 decoding functions of libxml2, the GNOME XML library, validate UTF-8 correctness insufficiently, which may lead to denial of service by forcing libxml2 into an infinite loop.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1530-1 cupsys - multiple vulnerabilitiesDebian GNU/Linux 4.0cupsysSeveral local/remote vulnerabilities have been discovered in cupsys, the Common Unix Printing System.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1692-1 php-xajax - cross-site scriptingDebian GNU/Linux 4.0php-xajaxIt was discovered that php-xajax, a library to develop Ajax applications, did not sufficiently sanitise URLs, which allows attackers to perform cross-site scripting attacks by using malicious URLs.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1682-1 squirrelmail - cross site scriptingDebian GNU/Linux 4.0squirrelmailIvan Markovic discovered that SquirrelMail, a webmail application, did not sufficiently sanitise incoming HTML email, allowing an attacker to perform cross site scripting through sending a malicious HTML email.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1560-1 kronolith2 - cross site scriptingDebian GNU/Linux 4.0kronolith2"The-0utl4w" discovered that the Kronolith, calendar component for the Horde Framework, didn't properly sanitise URL input, leading to a cross-site scripting vulnerability in the add event screen.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1518-1 backup-manager - information disclosureDebian GNU/Linux 4.0backup-managerMicha Lenk discovered that backup-manager, a command-line backup tool, sends the password as a command line argument when calling a FTP client, which may allow a local attacker to read this password (which provides access to all backed-up files) from the process listing.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1557-1 phpmyadmin - several vulnerabilitiesDebian GNU/Linux 4.0phpmyadminSeveral remote vulnerabilities have been discovered in phpMyAdmin, an application to administrate MySQL over the WWW.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1598-1 libtk-img - arbitrary code executionDebian GNU/Linux 4.0libtk-imgIt was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to denial of service and potentially the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1487-1 libexif - several vulnerabilitiesDebian GNU/Linux 4.0libexifSeveral vulnerabilities have been discovered in the EXIF parsing code of the libexif library, which can lead to denial of service or the execution of arbitrary code if a user is tricked into opening a malformed image.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1383-1 gforge - cross-site scriptingDebian GNU/Linux 4.0gforgeIt was discovered that a cross site scripting vulnerability in GForge, a collaborative development tool, allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user's session.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1602-1 pcre3 - arbitrary code executionDebian GNU/Linux 4.0pcre3Tavis Ormandy discovered that PCRE, the Perl-Compatible Regular Expression library, may encounter a heap overflow condition when compiling certain regular expressions involving in-pattern options and branches, potentially leading to arbitrary code execution.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1412-1 ruby1.9 - possible man-in-the-middle attacksDebian GNU/Linux 4.0ruby1.9Several vulnerabilities have been discovered in Ruby, an object-oriented scripting language.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1252-1 vlcDebian GNU/Linux 4.0vlcKevin Finisterre discovered several format string problems in vlc, a multimedia player and streamer, that could lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1574-1 icedove - several vulnerabilitiesDebian GNU/Linux 4.0icedoveSeveral remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1379-1 openssl - arbitrary code executionDebian GNU/Linux 4.0opensslopenssl097An off-by-one error has been identified in the SSL_get_shared_ciphers() routine in the libssl library from OpenSSL, an implementation of Secure Socket Layer cryptographic libraries and utilities. This error could allow an attacker to crash an application making use of OpenSSL's libssl library, or potentially execute arbitrary code in the security context of the user running such an application.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1457-1 dovecotDebian GNU/Linux 4.0dovecotIt was discovered that Dovecot, a POP3 and IMAP server, only when used with LDAP authentication and <q>base</q> contains variables, could allow a user to log in to the account of another user with the same password.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1378-2 fai-kernels linux-2.6 user-mode-linux - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6fai-kernelsuser-mode-linuxSeveral local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1520-1 smarty - arbitrary code executionDebian GNU/Linux 4.0smartyIt was discovered that the regex module in Smarty, a PHP templating engine, allows attackers to call arbitrary PHP functions via templates using the regex_replace plugin by a specially crafted search string.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1555-1 iceweasel - arbitrary code executionDebian GNU/Linux 4.0iceweaselIt was discovered that crashes in the Javascript engine of Iceweasel, an unbranded version of the Firefox browser, could potentially lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1514-1 moinDebian GNU/Linux 4.0moinSeveral remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1402-1 gforge - insecure temporary filesDebian GNU/Linux 4.0gforgeSteve Kemp from the Debian Security Audit project discovered that gforge, a collaborative development tool, used temporary files insecurely which could allow local users to truncate files upon the system with the privileges of the gforge user, or create a denial of service attack.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1811-1 cups cupsys - denial of serviceDebian GNU/Linux 4.0Debian GNU/Linux 5.0cupsyscupsAnibal Sacco discovered that cups, a general printing system for UNIX systems, suffers from null pointer dereference because of its handling of two consecutive IPP packets with certain tag attributes that are treated as IPP_TAG_UNSUPPORTED tags. This allows unauthenticated attackers to perform denial of service attacks by crashing the cups daemon.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1625-1 cupsys - arbitrary code executionDebian GNU/Linux 4.0cupsysSeveral remote vulnerabilities have been discovered in the Common Unix Printing System (CUPS).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1684-1 lcms - multiple vulnerabilitiesDebian GNU/Linux 4.0lcmsTwo vulnerabilities have been found in lcms, a library and set of commandline utilities for image color management.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1634-1 wordnet - arbitrary code executionDebian GNU/Linux 4.0wordnetRob Holland discovered several programming errors in WordNet, an electronic lexical database of the English language. These flaws could allow arbitrary code execution when used with untrusted input, for example when WordNet is in use as a back end for a web application.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1292-1 qt4-x11Debian GNU/Linux 4.0qt4-x11Andreas Nolden discovered a bug in the UTF8 decoding routines in qt4-x11, a C++ GUI library framework, that could allow remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1362-1 lighttpd - several vulnerabilitiesDebian GNU/Linux 4.0lighttpdSeveral vulnerabilities were discovered in lighttpd, a fast webserver with minimal memory footprint, which could allow the execution of arbitrary code via the overflow of CGI variables when mod_fcgi was enabled.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1608-1 mysql-dfsg-5.0 - authorisation bypassDebian GNU/Linux 4.0mysql-dfsg-5.0Sergei Golubchik discovered that MySQL, a widely-deployed database server, did not properly validate optional data or index directory paths given in a CREATE TABLE statement, nor would it (under proper conditions) prevent two databases from using the same paths for data or index files. This permits an authenticated user with authorisation to create tables in one database to read, write or delete data from tables subsequently created in other databases, regardless of other GRANT authorisations.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1322-1 wiresharkDebian GNU/Linux 4.0wiresharkSeveral remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1584-1 libfishsound - integer overflowDebian GNU/Linux 4.0libfishsoundIt was discovered that libfishsound, a simple programming interface that wraps Xiph.Org audio codecs, didn't correctly handle negative values in a particular header field. This could allow malicious files to execute arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1330-1 php5 - several vulnerabilitiesDebian GNU/Linux 4.0php5Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1429-1 htdig - cross site scriptingDebian GNU/Linux 4.0htdigMichael Skibbe discovered that htdig, a WWW search system for an intranet or small internet, did not adequately quote values submitted to the search script, allowing remote attackers to inject arbitrary script or HTML into specially crafted links.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1372-1 xorg-server - privilege escalationDebian GNU/Linux 4.0xorg-serverAaron Plattner discovered a buffer overflow in the Composite extension of the X.org X server, which can lead to local privilege escalation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1465-2 apt-listchanges - arbitrary code executionDebian GNU/Linux 4.0apt-listchangesFelipe Sateler discovered that apt-listchanges, a package change history notification tool, used unsafe paths when importing its python libraries. This could allow the execution of arbitrary shell commands if the root user executed the command in a directory which other local users may write to.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1892-1 dovecot - arbitrary code executionDebian GNU/Linux 4.0Debian GNU/Linux 5.0dovecotIt was discovered that the SIEVE component of dovecot, a mail server that supports mbox and maildir mailboxes, is vulnerable to a buffer overflow when processing SIEVE scripts. This can be used to elevate privileges to the dovecot system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1611-1 afuse - privilege escalationDebian GNU/Linux 4.0afuseAnders Kaseorg discovered that afuse, an automounting file system in user-space, did not properly escape meta characters in paths. This allowed a local attacker with read access to the filesystem to execute commands as the owner of the filesystem.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1401-1 iceape - several vulnerabilitiesDebian GNU/Linux 4.0iceapeSeveral remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1572-1 php5 - several vulnerabilitiesDebian GNU/Linux 4.0php5Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1629-1 postfix - privilege escalationDebian GNU/Linux 4.0postfixSebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1582-1 peercast - arbitrary code executionDebian GNU/Linux 4.0peercastNico Golde discovered that PeerCast, a P2P audio and video streaming server, is vulnerable to a buffer overflow in the HTTP Basic Authentication code, allowing a remote attacker to crash PeerCast or execute arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1576-1 openssh openssh-blacklist - predictable randomnessDebian GNU/Linux 4.0opensshThe recently announced vulnerability in Debian's openssl package (<a href="/security/2008/dsa-1571">DSA-1571-1</a>, <a href="http://security-tracker.debian.org/tracker/CVE-2008-0166">CVE-2008-0166</a>) indirectly affects OpenSSH. As a result, all user and host keys generated using broken versions of the openssl package must be considered untrustworthy, even after the openssl update has been applied.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1588-1 fai-kernels linux-2.6 user-mode-linux - several vulnerabilitiesDebian GNU/Linux 4.0linux-2.6fai-kernelsuser-mode-linuxSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1449-1 loop-aes-utils privilege escalationDebian GNU/Linux 4.0loop-aes-utilsIt was discovered that loop-aes-utils, tools for mounting and manipulating filesystems, didn't drop privileged user and group permissions in the correct order in the mount and umount commands. This could potentially allow a local user to gain additional privileges.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1433-1 centericq - buffer overflowDebian GNU/Linux 4.0centericqSeveral remote vulnerabilities have been discovered in centericq, a text-mode multi-protocol instant messenger client, which could allow remote attackers to execute arbitrary code due to insufficient bounds-testing.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1642-1 horde3 - cross site scriptingDebian GNU/Linux 4.0horde3Will Drewry discovered that Horde allows remote attackers to send an email with a crafted MIME attachment filename attribute to perform cross site scripting.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1501-1 dspam - information disclosureDebian GNU/Linux 4.0dspamTobias Grützmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line. This allowed a local attacker to read the contents of the dspam database, such as emails.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1586-1 xine-lib - multiple vulnerabilitiesDebian GNU/Linux 4.0xine-libMultiple vulnerabilities have been discovered in xine-lib, a library which supplies most of the application functionality of the xine multimedia player.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1469-1 flacDebian GNU/Linux 4.0flacSean de Regge and Greg Linares discovered multiple heap and stack based buffer overflows in FLAC, the Free Lossless Audio Codec, which could lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1491-1 tk8.4 - arbitrary code executionDebian GNU/Linux 4.0tk8.4It was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to a denial of service and potentially the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1302-1 freetype - integer overflowDebian GNU/Linux 4.0freetypeA problem was discovered in freetype, a FreeType2 font engine, which could allow the execution of arbitrary code via an integer overflow in specially crafted TTF files.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1600-1 sympa - denial of serviceDebian GNU/Linux 4.0sympaIt was discovered that sympa, a modern mailing list manager, would crash when processing certain types of malformed messages.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1621-1 icedove - several vulnerabilitiesDebian GNU/Linux 4.0icedoveSeveral remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1644-1 mplayer - integer overflowsDebian GNU/Linux 4.0mplayerFelipe Andres Manzano discovered that mplayer, a multimedia player, is vulnerable to several integer overflows in the Real video stream demuxing code. These flaws could allow an attacker to cause a denial of service (a crash) or potentially execution of arbitrary code by supplying a maliciously crafted video file.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1672-1 imlib2 - arbitrary code executionDebian GNU/Linux 4.0imlib2Julien Danjou and Peter De Wachter discovered that a buffer overflow in the XPM loader of Imlib2, a powerful image loading and rendering library, might lead to arbitrary code execution.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1676-1 flamethrower - denial of serviceDebian GNU/Linux 4.0flamethrowerDmitry E. Oboukhov discovered that flamethrower creates predictable temporary filenames, which may lead to a local denial of service through a symlink attack.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1658-1 dbus - denial of serviceDebian GNU/Linux 4.0dbusColin Walters discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1527-1 debian-goodies - privilege escalationDebian GNU/Linux 4.0debian-goodiesThomas de Grenier de Latour discovered that the checkrestart tool in the debian-goodies suite of utilities, allowed local users to gain privileges via shell metacharacters in the name of the executable file for a running process.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1678-1 perl - privilege escalationDebian GNU/Linux 4.0perlPaul Szabo rediscovered a vulnerability in the File::Path::rmtree function of Perl. It was possible to exploit a race condition to create setuid binaries in a directory tree or remove arbitrary files when a process is deleting this tree. This issue was originally known as <a href="http://security-tracker.debian.org/tracker/CVE-2005-0448">CVE-2005-0448</a> and <a href="http://security-tracker.debian.org/tracker/CVE-2004-0452">CVE-2004-0452</a>, which were addressed by DSA-696-1 and DSA-620-1. Unfortunately, they were reintroduced later.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1312-1 libapache-mod-jkDebian GNU/Linux 4.0libapache-mod-jkIt was discovered that the Apache 1.3 connector for the Tomcat Java servlet engine decoded request URLs multiple times, which can lead to information disclosure.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1650-1 openldap2.3 - denial of serviceDebian GNU/Linux 4.0openldap2.3Cameron Hotchkies discovered that the OpenLDAP server slapd, a free implementation of the Lightweight Directory Access Protocol, could be crashed by sending malformed ASN1 requests.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1388-3 dhcp - buffer overflowDebian GNU/Linux 4.0dhcpThe patch used to correct the DHCP server buffer overflow in DSA-1388-1 was incomplete and did not adequately resolve the problem. This update to the previous advisory makes updated packages based on a newer version of the patch available.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1680-1 clamav - potential code executionDebian GNU/Linux 4.0clamavMoritz Jodeit discovered that ClamAV, an anti-virus solution, suffers from an off-by-one-error in its VBA project file processing, leading to a heap-based buffer overflow and potentially arbitrary code execution (<a href="http://security-tracker.debian.org/tracker/CVE-2008-5050">CVE-2008-5050</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1439-1 typo3-srcDebian GNU/Linux 4.0typo3-srcHenning Pingel discovered that TYPO3, a web content management framework, performs insufficient input sanitising, making it vulnerable to SQL injection by logged-in backend users.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1376-1 kdebase - programming errorDebian GNU/Linux 4.0kdebaseiKees Huijgen discovered that under certain circumstances KDM, an X session manager for KDE, could be tricked into allowing user logins without a password.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1326-1 fireflierDebian GNU/Linux 4.0fireflierSteve Kemp from the Debian Security Audit project discovered that fireflier-server, an interactive firewall rule creation tool, uses temporary files in an unsafe manner which may be exploited to remove arbitrary files from the local system.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1536-1 xine-lib - several vulnerabilitiesDebian GNU/Linux 4.0xine-libSeveral local vulnerabilities have been discovered in Xine, a media player library, allowed for a denial of service or arbitrary code execution, which could be exploited through viewing malicious content.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1459-1 gforge - SQL injectionDebian GNU/Linux 4.0gforgeIt was discovered that Gforge, a collaborative development tool, did not properly sanitise some CGI parameters, allowing SQL injection in scripts related to RSS exports.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1348-1 popplerDebian GNU/Linux 4.0popplerIt was discovered that an integer overflow in the xpdf PDF viewer may lead to the execution of arbitrary code if a malformed PDF file is opened.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1664-1 ekg - denial of serviceDebian GNU/Linux 4.0ekgIt was discovered that ekg, a console Gadu Gadu client performs insufficient input sanitising in the code to parse contact descriptions, which may result in denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1284-1 qemuDebian GNU/Linux 4.0qemuSeveral vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1316-1 emacs21Debian GNU/Linux 4.0emacs21It has been discovered that emacs, the GNU Emacs editor, will crash when processing certain types of images.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1654-1 libxml2 - execution of arbitrary codeDebian GNU/Linux 4.0libxml2It was discovered that libxml2, the GNOME XML library, didn't correctly handle long entity names. This could allow the execution of arbitrary code via a malicious XML file.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1389-1 zoph - SQL injectionDebian GNU/Linux 4.0zophIt was discovered that zoph, a web based photo management system, performs insufficient input sanitising, which allows SQL injection.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1615-1 xulrunner - several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1296-1 php4Debian GNU/Linux 4.0php4It was discovered that the ftp extension of PHP, a server-side, HTML-embedded scripting language performs insufficient input sanitising, which permits an attacker to execute arbitrary FTP commands. This requires the attacker to already have access to the FTP server.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1437-1 cupsysDebian GNU/Linux 4.0cupsysSeveral local vulnerabilities have been discovered in the Common UNIX Printing System.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1425-1 xulrunner - several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1606-1 poppler - execution of arbitrary codeDebian GNU/Linux 4.0popplerIt was discovered that poppler, a PDF rendering library, did not properly handle embedded fonts in PDF files, allowing attackers to execute arbitrary code via a crafted font object.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1564-1 wordpress - several vulnerabilitiesDebian GNU/Linux 4.0wordpressSeveral remote vulnerabilities have been discovered in WordPress, a weblog manager.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1670-1 enscript - arbitrary code executionDebian GNU/Linux 4.0enscriptSeveral vulnerabilities have been discovered in Enscript, a converter from ASCII text to Postscript, HTML or RTF.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1551-1 python2.4 - several vulnerabilitiesDebian GNU/Linux 4.0python2.4Several vulnerabilities have been discovered in the interpreter for the Python language.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1543-1 vlc - several vulnerabilitiesDebian GNU/Linux 4.0vlcLuigi Auriemma, Alin Rad Pop, Rémi Denis-Courmont, Quovodis, Guido Landi, Felipe Manzano, Anibal Sacco and others discovered multiple vulnerabilities in vlc, an application for playback and streaming of audio and video. In the worst case, these weaknesses permit a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user running vlc.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1497-1 clamav - several vulnerabilitiesDebian GNU/Linux 4.0clamavSeveral vulnerabilities have been discovered in the Clam anti-virus toolkit, which may lead to the execution of arbitrary or local denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1343-2 fileDebian GNU/Linux 4.0fileColin Percival discovered an integer overflow in file, a file type classification tool, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1630-1 fai-kernels linux-2.6 user-mode-linux - several vulnerabilitiesDebian GNU/Linux 4.0fai-kernelsuser-mode-linuxlinux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or arbitrary code execution.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1890-1 wxwidgets2.6 wxwidgets2.8 wxwindows2.4 - arbitrary code executionDebian GNU/Linux 4.0Debian GNU/Linux 5.0wxwidgets2.6wxwindows2.4wxwidgets2.8Tielei Wang has discovered an integer overflow in wxWidgets, the wxWidgets Cross-platform C++ GUI toolkit, which allows the execution of arbitrary code via a crafted JPEG file.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1427-1 samba - buffer overflowDebian GNU/Linux 4.0sambaAlin Rad Pop discovered that Samba, a LanManager-like file and printer server for Unix, is vulnerable to a buffer overflow in the nmbd code which handles GETDC mailslot requests, which might lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1652-1 ruby1.9 - several vulnerabilitiesDebian GNU/Linux 4.0ruby1.9Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1495-1 nagios-plugins - severalDebian GNU/Linux 4.0nagios-pluginsSeveral local/remote vulnerabilities have been discovered in two of the plugins for the Nagios network monitoring and management system.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1367-1 krb5 - arbitrary code executionDebian GNU/Linux 4.0krb5It was discovered that a buffer overflow of the RPC library of the MIT Kerberos reference implementation allows the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1539-1 mapserver - multiple vulnerabilitiesDebian GNU/Linux 4.0mapserverChris Schmidt and Daniel Morissette discovered two vulnerabilities in mapserver, a development environment for spatial and mapping applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1545-1 rsyncDebian GNU/Linux 4.0rsyncSebastian Krahmer discovered that an integer overflow in rsync's code for handling extended attributes may lead to arbitrary code execution.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1662-1 mysql-dfsg-5.0 - authorisation bypassDebian GNU/Linux 4.0mysql-dfsg-5.0A symlink traversal vulnerability was discovered in MySQL, a relational database server. The weakness could permit an attacker having both CREATE TABLE access to a database and the ability to execute shell commands on the database server to bypass MySQL access controls, enabling them to write to tables in databases to which they would not ordinarily have access.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1280-1 aircrack-ng - buffer overflowDebian GNU/Linux 4.0aircrack-ngIt was discovered that aircrack-ng, a WEP/WPA security analysis tool, performs insufficient validation of 802.11 authentication packets, which allows the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1505-1 alsa-driver alsa-modules-i386 - kernel memory leakDebian GNU/Linux 4.0alsa-driverTakashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel (<a href="http://security-tracker.debian.org/tracker/CVE-2007-4571">CVE-2007-4571</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1489-1 iceweasel - several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1453-1 tomcat5 - several vulnerabilitiesDebian GNU/Linux 4.0tomcat5Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1989-1 fuse - denial of serviceDebian GNU/Linux 4.0Debian GNU/Linux 5.0fuseDan Rosenberg discovered a race condition in FUSE, a Filesystem in USErspace. A local attacker, with access to use FUSE, could unmount arbitrary locations, leading to a denial of service.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1431-1 ruby-gnome2 - format stringDebian GNU/Linux 4.0ruby-gnome2It was discovered that ruby-gnome2, the GNOME-related bindings for the Ruby language, didn't properly sanitise input prior to constructing dialogs. This could allow the execution of arbitrary code if untrusted input is displayed within a dialog.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1613-1 libgd2 - multiple vulnerabilitiesDebian GNU/Linux 4.0libgd2Multiple vulnerabilities have been identified in libgd2, a library for programmatic graphics creation and manipulation.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1485-2 icedove - several vulnerabilitiesDebian GNU/Linux 4.0icedoveSeveral remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1920-1 nginx – denial of serviceDebian GNU/Linux 4.0Debian GNU/Linux 5.0nginxA denial of service vulnerability has been found in nginx, a small and efficient web server.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1410-1 ruby1.8 - possible man-in-the-middle attacksDebian GNU/Linux 4.0ruby1.8Several vulnerabilities have been discovered in Ruby, an object-oriented scripting language.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1541-1 openldap2.3Debian GNU/Linux 4.0openldap2.3Several remote vulnerabilities have been discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1666-1 libxml2 - several vulnerabilitiesDebian GNU/Linux 4.0libxml2Several vulnerabilities have been discovered in the GNOME XML library.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1688-1 courier-authlib - SQL injectionDebian GNU/Linux 4.0courier-authlibTwo SQL injection vulnerabilities have been found in courier-authlib, the courier authentification library. The MySQL database interface used insufficient escaping mechanisms when constructing SQL statements, leading to SQL injection vulnerabilities if certain charsets are used (<a href="http://security-tracker.debian.org/tracker/CVE-2008-2380">CVE-2008-2380</a>). A similar issue affects the PostgreSQL database interface (<a href="http://security-tracker.debian.org/tracker/CVE-2008-2667">CVE-2008-2667</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1674-1 jailer - denial of serviceDebian GNU/Linux 4.0jailerJavier Fernandez-Sanguino Pena discovered that updatejail, a component of the chroot maintenance tool Jailer, creates a predictable temporary file name, which may lead to local denial of service through a symlink attack.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1627-2 opensc - smart card vulnerabilityDebian GNU/Linux 4.0openscChaskiel M Grundman discovered that opensc, a library and utilities to handle smart cards, would initialise smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone to change the card's PIN.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1419-1 openoffice.orgDebian GNU/Linux 4.0openoffice.orghsqldbA vulnerability has been discovered in HSQLDB, the default database engine shipped with OpenOffice.org. This could result in the execution of arbitrary Java code embedded in a OpenOffice.org database document with the user's privilege. This update requires an update of both openoffice.org and hsqldb.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1370-2 phpmyadmin - several vulnerabilitiesDebian GNU/Linux 4.0phpmyadminSeveral remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1596-1 typo3-src - several vulnerabilitiesDebian GNU/Linux 4.0typo3-srcSeveral remote vulnerabilities have been discovered in the TYPO3 content management framework.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1373-2 ktorrent - directory traversalDebian GNU/Linux 4.0ktorrentIt was discovered that ktorrent, a BitTorrent client for KDE, was vulnerable to a directory traversal bug which potentially allowed remote users to overwrite arbitrary files.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1537-1 xpdfDebian GNU/Linux 4.0xpdfAlin Rad Pop (Secunia) discovered a number of vulnerabilities in xpdf, a set of tools for display and conversion of Portable Document Format (PDF) files.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1435-1 clamavDebian GNU/Linux 4.0clamavSeveral remote vulnerabilities have been discovered in the Clam anti-virus toolkit.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1475-1 gforge - cross site scriptingDebian GNU/Linux 4.0gforgeJosé Ramón Palanco discovered that a cross site scripting vulnerability in GForge, a collaborative development tool, allows remote attackers to inject arbitrary web script or HTML in the context of a logged in user's session.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1477-1 yarssr - missing input sanitisingDebian GNU/Linux 4.0yarssrDuncan Gilmore discovered that yarssr, an RSS aggregator and reader, performs insufficient input sanitising, which could result in the execution of arbitrary shell commands if a malformed feed is read.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1414-1 wireshark - several vulnerabilitiesDebian GNU/Linux 4.0wiresharkSeveral remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to denial of service or execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1971-1 libthai - arbitrary code executionDebian GNU/Linux 4.0Debian GNU/Linux 5.0libthaiTim Starling discovered that libthai, a set of Thai language support routines, is vulnerable of integer/heap overflow. This vulnerability could allow an attacker to run arbitrary code by sending a very long string.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1375-1 openoffice.org - buffer overflowDebian GNU/Linux 4.0openoffice.orgA heap overflow vulnerability has been discovered in the TIFF parsing code of the OpenOffice.org suite. The parser uses untrusted values from the TIFF file to calculate the number of bytes of memory to allocate. A specially crafted TIFF image could trigger an integer overflow and subsequently a buffer overflow that could cause the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1558-1 xulrunner - arbitrary code executionDebian GNU/Linux 4.0xulrunnerIt was discovered that crashes in the Javascript engine of xulrunner, the Gecko engine library, could potentially lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1619-1 python-dns - DNS response spoofingDebian GNU/Linux 4.0python-dnsMultiple weaknesses have been identified in PyDNS, a DNS client implementation for the Python language. Dan Kaminsky identified a practical vector of DNS response spoofing and cache poisoning, exploiting the limited entropy in a DNS transaction ID and lack of UDP source port randomization in many DNS implementations. Scott Kitterman noted that python-dns is vulnerable to this predictability, as it randomizes neither its transaction ID nor its source port. Taken together, this lack of entropy leaves applications using python-dns to perform DNS queries highly susceptible to response forgery.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1668-1 hf - execution of arbitrary codeDebian GNU/Linux 4.0hfSteve Kemp discovered that hf, an amateur-radio protocol suite using a soundcard as a modem, insecurely tried to execute an external command which could lead to the elevation of privileges for local users.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1358-1 asteriskDebian GNU/Linux 4.0asteriskSeveral remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1568-1 b2evolution - cross site scriptingDebian GNU/Linux 4.0b2evolution"unsticky" discovered that b2evolution, a blog engine, performs insufficient input sanitising, allowing for cross site scripting.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1898-1 openswan - denial of serviceDebian GNU/Linux 4.0Debian GNU/Linux 5.0openswanIt was discovered that the pluto daemon in openswan, an implementation of IPSEC and IKE, could crash when processing a crafted X.509 certificate.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1578-1 php4 - several vulnerabilitiesDebian GNU/Linux 4.0php4Several vulnerabilities have been discovered in PHP version 4, a server-side, HTML-embedded scripting language.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1566-1 cpio - programming errorDebian GNU/Linux 4.0cpioDmitry Levin discovered a vulnerability in path handling code used by the cpio archive utility. The weakness could enable a denial of service (crash) or potentially the execution of arbitrary code if a vulnerable version of cpio is used to extract or to list the contents of a maliciously crafted archive.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1632-1 tiff - arbitrary code executionDebian GNU/Linux 4.0tiffDrew Yao discovered that libTIFF, a library for handling the Tagged Image File Format, is vulnerable to a programming error allowing malformed tiff files to lead to a crash or execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1640-1 python-django - cross site request forgeryDebian GNU/Linux 4.0python-djangoSimon Willison discovered that in Django, a Python web framework, the feature to retain HTTP POST data during user reauthentication allowed a remote attacker to perform unauthorised modification of data through cross site request forgery. This is possible regardless of the Django plugin to prevent cross site request forgery being enabled.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1385-1 xfsDebian GNU/Linux 4.0xfsSean Larsson discovered that two code paths inside the X Font Server handle integer values insecurely, which may lead to the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1463-1 postgresql-7.4 - severalDebian GNU/Linux 4.0postgresql-7.4Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1406-1 horde3 - several vulnerabilitiesDebian GNU/Linux 4.0horde3Several remote vulnerabilities have been discovered in the Horde web application framework.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1381-2 linux-2.6Debian GNU/Linux 4.0linux-2.6Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1977-1 python - several vulnerabilitiesDebian GNU/Linux 4.0Debian GNU/Linux 5.0python2.4python2.5Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that the embedded Expat copy in the interpreter for the Python language, does not properly process malformed or crafted XML files. (<a href="http://security-tracker.debian.org/tracker/CVE-2009-3560">CVE-2009-3560</a> <a href="http://security-tracker.debian.org/tracker/CVE-2009-3720">CVE-2009-3720</a>) This vulnerability could allow an attacker to cause a denial of service while parsing a malformed XML file.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1417-1 asterisk - SQL injectionDebian GNU/Linux 4.0asteriskTilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitising of call-related data, which may lead to SQL injection.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1387-1 librpcsecgssDebian GNU/Linux 4.0librpcsecgssIt has been discovered that the original patch for a buffer overflow in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (<a href="http://security-tracker.debian.org/tracker/CVE-2007-3999">CVE-2007-3999</a>, <a href="dsa-1368">DSA-1368-1</a>) was insufficient to protect from arbitrary code execution in some environments.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1516-1 dovecot - privilege escalationDebian GNU/Linux 4.0dovecotPrior to this update, the default configuration for Dovecot used by Debian runs the server daemons with group mail privileges. This means that users with write access to their mail directory on the server (for example, through an SSH login) could read and also delete via a symbolic link mailboxes owned by other users for which they do not have direct access (<a href="http://security-tracker.debian.org/tracker/CVE-2008-1199">CVE-2008-1199</a>). In addition, an internal interpretation conflict in password handling has been addressed proactively, even though it is not known to be exploitable (<a href="http://security-tracker.debian.org/tracker/CVE-2008-1218">CVE-2008-1218</a>).Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1290-1 squirrelmailDebian GNU/Linux 4.0squirrelmailIt was discovered that the webmail package Squirrelmail performs insufficient sanitising inside the HTML filter, which allows the injection of arbitrary web script code during the display of HTML email messages.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1364-1 vimDebian GNU/Linux 4.0vimSeveral vulnerabilities have been discovered in the vim editor.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1732-1 squid3 - denial of serviceDebian GNU/Linux 4.0squid3Joshua Morin, Mikko Varpiola and Jukka Taimisto discovered an assertion error in squid3, a full featured Web Proxy cache, which could lead to a denial of service attack.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1525-1 asteriskDebian GNU/Linux 4.0asteriskSeveral remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1451-1 mysql-dfsg-5.0 several vulnerabilitiesDebian GNU/Linux 4.0mysql-dfsg-5.0Several local/remote vulnerabilities have been discovered in the MySQL database server.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1398-1 perdition - format string vulnerabilityDebian GNU/Linux 4.0perditionBernhard Mueller of SEC Consult has discovered a format string vulnerability in perdition, an IMAP proxy. This vulnerability could allow an unauthenticated remote user to run arbitrary code on the perdition server by providing a specially formatted IMAP tag.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1391-1 icedove - several vulnerabilitiesDebian GNU/Linux 4.0icedoveSeveral remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1366-1 clamavDebian GNU/Linux 4.0clamavSeveral remote vulnerabilities have been discovered in the Clam anti-virus toolkit.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1704-1 xulrunner - several vulnerabilitiesDebian GNU/Linux 4.0xulrunnerSeveral remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1493-2 sdl-image1.2 - arbitrary code executionDebian GNU/Linux 4.0sdl-image1.2Several local/remote vulnerabilities have been discovered in the image loading library for the Simple DirectMedia Layer 1.2.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1660-1 clamav - denial of serviceDebian GNU/Linux 4.0clamavSeveral denial-of-service vulnerabilities have been discovered in the ClamAV anti-virus toolkit:Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1938-1 php-mail - insufficient input sanitisingDebian GNU/Linux 4.0Debian GNU/Linux 5.0php-mailIt was discovered that php-mail, a PHP PEAR module for sending email, has insufficient input sanitising, which might be used to obtain sensitive data from the system that uses php-mail.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1948-1 ntp - denial of serviceDebian GNU/Linux 4.0Debian GNU/Linux 5.0ntpRobin Park and Dmitri Vinokurov discovered that the daemon component of the ntp package, a reference implementation of the NTP protocol, is not properly reacting to certain incoming packets.Sergey ArtykhovDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1712-1 rt2400 -- integer overflowDebian GNU/Linux 4.0rt2400It was discovered that an integer overflow in the "Probe Request" packet parser of the Ralinktech wireless drivers might lead to remote denial of service or the execution of arbitrary code. Please note that you need to rebuild your driver from the source package in order to set this update into effect. Detailed instructions can be found in /usr/share/doc/rt2400-source/README. Debian For the stable distribution, this problem has been fixed in version 1.2.2+cvs20060620-4+etch1. For the upcoming stable distribution and the unstable distribution, this problem has been fixed in version 1.2.2+cvs20080623-3. We recommend that you upgrade your rt2400 package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1720-1 typo3-src -- severalDebian GNU/Linux 4.0typo3-srcSeveral remote vulnerabilities have been discovered in the TYPO3 web content management framework. Marcus Krause and Michael Stucki from the TYPO3 security team discovered that the jumpUrl mechanism discloses secret hashes enabling a remote attacker to bypass access control by submitting the correct value as a URL parameter and thus being able to read the content of arbitrary files. Jelmer de Hen and Dmitry Dulepov discovered multiple cross-site scripting vulnerabilities in the backend user interface allowing remote attackers to inject arbitrary web script or HTML. As it is very likely that your encryption key has been exposed we strongly recommend to change your encyption key via the install tool after installing the update. For the stable distribution these problems have been fixed in version 4.0.2+debian-8. For the testing distribution these problems have been fixed in version 4.2.5-1+lenny1. For the unstable distribution these problems have been fixed in version 4.2.6-1. We recommend that you upgrade your typo3 package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1855-1 subversion -- heap overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0subversionMatt Lewis discovered that Subversion performs insufficient input validation of svndiff streams. Malicious servers could cause heap overflows in clients, and malicious clients with commit access could cause heap overflows in servers, possibly leading to arbitrary code execution in both cases. For the old stable distribution, this problem has been fixed in version 1.4.2dfsg1-3. For the stable distribution , this problem has been fixed in version 1.5.1dfsg1-4. For the unstable distribution, this problem has been fixed in version 1.6.4dfsg-1. We recommend that you upgrade your Subversion packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1848-1 znc -- directory traversalDebian GNU/Linux 5.0Debian GNU/Linux 4.0zncIt was discovered that znc, an IRC proxy, did not properly process certain DCC requests, allowing attackers to upload arbitrary files. For the old stable distribution, this problem has been fixed in version 0.045-3+etch3. For the stable distribution, this problem has been fixed in version 0.058-2+lenny3. For the unstable distribution, this problem has been fixed in version 0.074-1. We recommend that you upgrade your znc package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1849-1 xml-security-c -- design flawDebian GNU/Linux 5.0Debian GNU/Linux 4.0xml-security-cIt was discovered that the W3C XML Signature recommendation contains a protocol-level vulnerability related to HMAC output truncation. This update implements the proposed workaround in the C++ version of the Apache implementation of this standard, xml-security-c, by preventing truncation to output strings shorter than 80 bits or half of the original HMAC output, whichever is greater. For the old stable distribution, this problem has been fixed in version 1.2.1-3+etch1. For the stable distribution, this problem has been fixed in version 1.4.0-3+lenny2. For the unstable distribution, this problem has been fixed in version 1.4.0-4. We recommend that you upgrade your xml-security-c packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1923-1 libhtml-parser-perl -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0libhtml-parser-perlA denial of service vulnerability has been found in libhtml-parser-perl, a collection of modules to parse HTML in text documents which is used by several other projects like e.g. SpamAssassin. Mark Martinec discovered that the decode_entities function will get stuck in an infinite loop when parsing certain HTML entities with invalid UTF-8 characters. An attacker can use this to perform denial of service attacks by submitting crafted HTML to an application using this functionality. For the oldstable distribution, this problem has been fixed in version 3.55-1+etch1. For the stable distribution, this problem has been fixed in version 3.56-1+lenny1. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your libhtml-parser-perl packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1716-1 vnc4 -- integer overflowDebian GNU/Linux 4.0vnc4It was discovered that xvnc4viewer, a virtual network computing client software for X, is prone to an integer overflow via a malicious encoding value that could lead to arbitrary code execution. For the stable distribution this problem has been fixed in version 4.1.1+X4.3.0-21+etch1. For the unstable distribution this problem has been fixed in version 4.1.1+X4.3.0-31. For the testing distribution this problem will be fixed soon. We recommend that you upgrade your vnc4 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1960-1 acpid -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0acpidIt was discovered that acpid, the Advanced Configuration and Power Interface event daemon, on the oldstable distribution creates its log file with weak permissions, which might expose sensible information or might be abused by a local user to consume all free disk space on the same partition of the file. For the oldstable distribution, this problem has been fixed in version 1.0.4-5etch2. The stable distribution in version 1.0.8-1lenny2 and the unstable distribution in version 1.0.10-5, have been updated to fix the weak file permissions of the log file created by older versions. We recommend that you upgrade your acpid packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1834-2 apache2 -- denial of serviceDebian GNU/Linux 4.0apache2The previous update caused a regression for apache2 in Debian 4.0 "etch". Using mod_deflate together with mod_php could cause segfaults when a client aborts a connection. This update corrects this flaw. For reference the original advisory text is below. A denial of service flaw was found in the Apache mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time. This issue did not affect Debian 4.0 "etch". A denial of service flaw was found in the Apache mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. A similar flaw related to HEAD requests for compressed content was also fixed. The oldstable distribution, this problem has been fixed in version 2.2.3-4+etch10. The other distributions stable, testing and unstable were not affected by the regression. This advisory also provides updated apache2-mpm-itk packages which have been recompiled against the new apache2 packages. Updated packages for apache2-mpm-itk for the s390 architecture are not included yet. They will be released as soon as they become available. We recommend that you upgrade your apache2, apache2-mpm-itk package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1816-1 apache2 -- insufficient security checkDebian GNU/Linux 5.0Debian GNU/Linux 4.0apache2It was discovered that the Apache web server did not properly handle the "Options=" parameter to the AllowOverride directive: In the stable distribution , local users could enable script execution in Server Side Includes even in configurations where the AllowOverride directive contained only Options=IncludesNoEXEC. In the oldstable distribution , local users could enable script execution in Server Side Includes and CGI script execution in configurations where the AllowOverride directive contained any "Options=" value. For the stable distribution, this problem has been fixed in version 2.2.9-10+lenny3. The oldstable distribution, this problem has been fixed in version 2.2.3-4+etch8. For the testing distribution and the unstable distribution, this problem will be fixed in version 2.2.11-6. This advisory also provides updated apache2-mpm-itk packages which have been recompiled against the new apache2 packages. We recommend that you upgrade your apache2 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1740-1 yaws -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0yawsIt was discovered that yaws, a high performance HTTP 1.1 webserver, is prone to a denial of service attack via a request with a large HTTP header. For the stable distribution, this problem has been fixed in version 1.77-3+lenny1. For the oldstable distribution, this problem has been fixed in version 1.65-4etch1. For the testing distribution and the unstable distribution, this problem has been fixed in version 1.80-1. We recommend that you upgrade your yaws package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1847-1 bind9 -- improper assertDebian GNU/Linux 5.0Debian GNU/Linux 4.0bind9It was discovered that the BIND DNS server terminates when processing a specially crafted dynamic DNS update. This vulnerability affects all BIND servers which serve at least one DNS zone authoritatively, as a master, even if dynamic updates are not enabled. The default Debian configuration for resolvers includes several authoritative zones, too, so resolvers are also affected by this issue unless these zones have been removed. For the old stable distribution, this problem has been fixed in version 9.3.4-2etch5. For the stable distribution, this problem has been fixed in version 9.5.1.dfsg.P3-1. For the unstable distribution, this problem has been fixed in version 1:9.6.1.dfsg.P1-1. We recommend that you upgrade your bind9 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1704-2 netatalk -- arbitrary code executionDebian GNU/Linux 4.0netatalkThe update in DSA 1704-1 was incomplete as it missed to escape a few important characters which enabled an attacker to overwrite arbitrary files. It was discovered that netatalk, an implementation of the AppleTalk suite, is affected by a command injection vulnerability when processing PostScript streams via papd. This is leading to arbitrary remote code execution. Note that this only affects installations that are configured to use a pipe command in combination with wildcard symbols substituted with values of the printed job. For the stable distribution this problem has been fixed in version 2.0.3-4+etch2. For the unstable distribution this problem has been fixed in version 2.0.4~beta2-1.1. We recommend that you upgrade your netatalk package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1763-1 openssl -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0opensslIt was discovered that insufficient length validations in the ASN.1 handling of the OpenSSL crypto library may lead to denial of service when processing a manipulated certificate. For the old stable distribution, this problem has been fixed in version 0.9.8c-4etch5 of the openssl package and in version 0.9.7k-3.1etch3 of the openssl097 package. For the stable distribution, this problem has been fixed in version 0.9.8g-15+lenny1. For the unstable distribution, this problem has been fixed in version 0.9.8g-16. We recommend that you upgrade your openssl packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1745-1 lcms -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0lcmsSeveral security issues have been discovered in lcms, a color management library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0581 Chris Evans discovered that lcms is affected by a memory leak, which could result in a denial of service via specially crafted image files. CVE-2009-0723 Chris Evans discovered that lcms is prone to several integer overflows via specially crafted image files, which could lead to the execution of arbitrary code. CVE-2009-0733 Chris Evans discovered the lack of upper-gounds check on sizes leading to a buffer overflow, which could be used to execute arbitrary code. For the stable distribution, these problems have been fixed in version 1.17.dfsg-1+lenny1. For the oldstable distribution, these problems have been fixed in version 1.15-1.1+etch2. For the testing distribution and the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your lcms packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1912-1 camlimages -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0camlimagesIt was discovered that CamlImages, an open source image processing library, suffers from several integer overflows, which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of TIFF files. It also expands the patch for CVE-2009-2660 to cover another potential overflow in the processing of JPEG images. For the oldstable distribution, this problem has been fixed in version 2.20-8+etch3. For the stable distribution, this problem has been fixed in version 1:2.2.0-4+lenny3. For the testing distribution and the unstable distribution, this problem will be fixed soon. We recommend that you upgrade your camlimages package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1918-1 phpmyadmin -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0phpmyadminSeveral remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-3696 Cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name. CVE-2009-3697 SQL injection vulnerability in the PDF schema generator functionality allows remote attackers to execute arbitrary SQL commands. This issue does not apply to the version in Debian 4.0 Etch. Additionally, extra fortification has been added for the web based setup.php script. Although the shipped web server configuration should ensure that this script is protected, in practice this turned out not always to be the case. The config.inc.php file is not writable anymore by the webserver user anymore. See README.Debian for details on how to enable the setup.php script if and when you need it. For the old stable distribution, these problems have been fixed in version 4:2.9.1.1-13. For the stable distribution, these problems have been fixed in version 4:2.11.8.1-5+lenny3. For the unstable distribution, these problems have been fixed in version 3.2.2.1-1. We recommend that you upgrade your phpmyadmin package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1804-1 ipsec-tools -- null pointer dereference, memory leaksDebian GNU/Linux 5.0Debian GNU/Linux 4.0ipsec-toolsSeveral remote vulnerabilities have been discovered in racoon, the Internet Key Exchange daemon of ipsec-tools. The The Common Vulnerabilities and Exposures project identified the following problems: Neil Kettle discovered a NULL pointer dereference on crafted fragmented packets that contain no payload. This results in the daemon crashing which can be used for denial of service attacks. Various memory leaks in the X.509 certificate authentication handling and the NAT-Traversal keepalive implementation can result in memory exhaustion and thus denial of service. For the oldstable distribution, this problem has been fixed in version 1:0.6.6-3.1etch3. For the stable distribution, this problem has been fixed in version 1:0.7.1-1.3+lenny2. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 1:0.7.1-1.5. We recommend that you upgrade your ipsec-tools packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1929-1 linux-2.6 -- privilege escalation/denial of service/sensitive memory leakDebian GNU/Linux 4.0linux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1883 Solar Designer discovered a missing capability check in the z90crypt driver or s390 systems. This vulnerability may allow a local user to gain elevated privileges. CVE-2009-2909 Arjan van de Ven discovered an issue in the AX.25 protocol implementation. A specially crafted call to setsockopt can result in a denial of service. CVE-2009-3001 Jiri Slaby fixed a sensitive memory leak issue in the ANSI/IEEE 802.2 LLC implementation. This is not exploitable in the Debian lenny kernel as root privileges are required to exploit this issue. CVE-2009-3002 Eric Dumazet fixed several sensitive memory leaks in the IrDA, X.25 PLP, NET/ROM, Acorn Econet/AUN, and Controller Area Network implementations. Local users can exploit these issues to gain access to kernel memory. CVE-2009-3228 Eric Dumazet reported an instance of uninitialised kernel memory in the network packet scheduler. Local users may be able to exploit this issue to read the contents of sensitive kernel memory. CVE-2009-3238 Linus Torvalds provided a change to the get_random_int function to increase its randomness. CVE-2009-3286 Eric Paris discovered an issue with the NFSv4 server implementation. When an O_EXCL create fails, files may be left with corrupted permissions, possibly granting unintentional privileges to other local users. CVE-2009-3547 Earl Chew discovered a NULL pointer dereference issue in the pipe_rdwr_open function which can be used by local users to gain elevated privileges. CVE-2009-3612 Jiri Pirko discovered a typo in the initialisation of a structure in the netlink subsystem that may allow local users to gain access to sensitive kernel memory. CVE-2009-3621 Tomoki Sekiyama discovered a deadlock condition in the UNIX domain socket implementation. Local users can exploit this vulnerability to cause a denial of service. For the oldstable distribution, this problem has been fixed in version 2.6.18.dfsg.1-26etch1. We recommend that you upgrade your linux-2.6, fai-kernels, and user-mode-linux packages. Note: Debian "etch" includes linux kernel packages based upon both the 2.6.18 and 2.6.24 linux releases. All known security issues are carefully tracked against both packages and both packages will receive security updates until security support for Debian "etch" concludes. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, lower severity 2.6.18 and 2.6.24 updates will typically release in a staggered or "leap-frog" fashion. The following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update: Debian 4.0 fai-kernels 1.17+etch.26etch1 user-mode-linux 2.6.18-1um-2etch.26etch1SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1839-1 gst-plugins-good0.10 -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0gst-plugins-good0.10It has been discovered that gst-plugins-good0.10, the GStreamer plugins from the "good" set, are prone to an integer overflow, when processing a large PNG file. This could lead to the execution of arbitrary code. For the stable distribution, this problem has been fixed in version 0.10.8-4.1~lenny2. For the oldstable distribution, this problem has been fixed in version 0.10.4-4+etch1. Packages for the s390 and hppa architectures will be released once they are available. For the testing distribution and the unstable distribution, this problem has been fixed in version 0.10.15-2. We recommend that you upgrade your gst-plugins-good0.10 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1961-1 bind9 -- DNS cache poisoningDebian GNU/Linux 5.0Debian GNU/Linux 4.0bind9Michael Sinatra discovered that the DNS resolver component in BIND does not properly check DNS records contained in additional sections of DNS responses, leading to a cache poisoning vulnerability. This vulnerability is only present in resolvers which have been configured with DNSSEC trust anchors, which is still rare. Note that this update contains an internal ABI change, which means that all BIND-related packages must be updated at the same time. In the unlikely event that you have compiled your own software against libdns, you must recompile this program, too. For the old stable distribution, this problem has been fixed in version 1:9.3.4-2etch6. For the stable distribution, this problem has been fixed in version 1:9.5.1.dfsg.P3-1+lenny1. For the unstable distribution and the testing distribution, this problem has been fixed in version 9.6.1.dfsg.P2-1. We recommend that you upgrade your bind9 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1718-1 boinc -- incorrect API usageDebian GNU/Linux 4.0boincIt was discovered that the core client for the BOINC distributed computing infrastructure performs incorrect validation of the return values of OpenSSL's RSA functions. For the stable distribution, this problem has been fixed in version 5.4.11-4+etch1. For the upcoming stable distribution, this problem has been fixed in version 6.2.14-3. For the unstable distribution, this problem has been fixed in version 6.2.14-3. We recommend that you upgrade your boinc packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1721-1 libpam-krb5 -- severalDebian GNU/Linux 4.0libpam-krb5Several local vulnerabilities have been discovered in the PAM module for MIT Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0360 Russ Allbery discovered that the Kerberos PAM module parsed configuration settings from enviromnent variables when run from a setuid context. This could lead to local privilege escalation if an attacker points a setuid program using PAM authentication to a Kerberos setup under her control. CVE-2009-0361 Derek Chan discovered that the Kerberos PAM module allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to privilege escalation. For the stable distribution, these problems have been fixed in version 2.6-1etch1. For the upcoming stable distribution, these problems have been fixed in version 3.11-4. For the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your libpam-krb5 package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1888-1 openssl, openssl097 -- cryptographic weaknessDebian GNU/Linux 5.0Debian GNU/Linux 4.0opensslopenssl097Certificates with MD2 hash signatures are no longer accepted by OpenSSL, since they’re no longer considered cryptographically secure. For the stable distribution, this problem has been fixed in version 0.9.8g-15+lenny5. For the old stable distribution, this problem has been fixed in version 0.9.8c-4etch9 for openssl and version 0.9.7k-3.1etch5 for openssl097. The OpenSSL 0.9.8 update for oldstable also provides updated packages for multiple denial of service vulnerabilities in the Datagram Transport Layer Security implementation. These fixes were already provided for Debian stable in a previous point update. The OpenSSL 0.9.7 package from oldstable is not affected. For the unstable distribution, this problem has been fixed in version 0.9.8k-5. We recommend that you upgrade your openssl packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1824-1 phpmyadmin -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0phpmyadminSeveral remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1150 Cross site scripting vulnerability in the export page allow for an attacker that can place crafted cookies with the user to inject arbitrary web script or HTML. CVE-2009-1151 Static code injection allows for a remote attacker to inject arbitrary code into phpMyAdmin via the setup.php script. This script is in Debian under normal circumstances protected via Apache authentication. However, because of a recent worm based on this exploit, we are patching it regardless, to also protect installations that somehow still expose the setup.php script. For the old stable distribution, these problems have been fixed in version 4:2.9.1.1-11. For the stable distribution, these problems have been fixed in version 4:2.11.8.1-5+lenny1. For the unstable distribution, these problems have been fixed in version 3.1.3.1-1. We recommend that you upgrade your phpmyadmin package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1897-1 horde3 -- insufficient input sanitisationDebian GNU/Linux 5.0Debian GNU/Linux 4.0horde3Stefan Esser discovered that Horde, a web application framework providing classes for dealing with preferences, compression, browser detection, connection tracking, MIME, and more, is insufficiently validating and escaping user provided input. The Horde_Form_Type_image form element allows to reuse a temporary filename on reuploads which are stored in a hidden HTML field and then trusted without prior validation. An attacker can use this to overwrite arbitrary files on the system or to upload PHP code and thus execute arbitrary code with the rights of the webserver. For the oldstable distribution, this problem has been fixed in version 3.1.3-4etch6. For the stable distribution, this problem has been fixed in version 3.2.2+debian0-2+lenny1. For the testing distribution, this problem has been fixed in version 3.3.5+debian0-1. For the unstable distribution, this problem has been fixed in version 3.3.5+debian0-1. We recommend that you upgrade your horde3 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1861-1 libxml -- severalDebian GNU/Linux 4.0libxmlRauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several vulnerabilities in libxml, a library for parsing and handling XML data files, which can lead to denial of service conditions or possibly arbitrary code execution in the application using the library. The Common Vulnerabilities and Exposures project identifies the following problems: An XML document with specially-crafted Notation or Enumeration attribute types in a DTD definition leads to the use of a pointers to memory areas which have already been freed. Missing checks for the depth of ELEMENT DTD definitions when parsing child content can lead to extensive stack-growth due to a function recursion which can be triggered via a crafted XML document. For the oldstable distribution, this problem has been fixed in version 1.8.17-14+etch1. The stable, testing and unstable distribution do not contain libxml anymore but libxml2 for which DSA-1859-1 has been released. We recommend that you upgrade your libxml packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1754-1 roundup -- insufficient access checksDebian GNU/Linux 5.0Debian GNU/Linux 4.0roundupIt was discovered that roundup, an issue tracker with a command-line, web and email interface, allows users to edit resources in unauthorised ways, including granting themselves admin rights. This update introduces stricter access checks, actually enforcing the configured permissions and roles. This means that the configuration may need updating. In addition, user registration via the web interface has been disabled; use the program "roundup-admin" from the command line instead. For the old stable distribution, this problem has been fixed in version 1.2.1-10+etch1. For the stable distribution, this problem has been fixed in version 1.4.4-4+lenny1. We recommend that you upgrade your roundup package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1900-1 postgresql-7.4, postgresql-8.1, postgresql-8.3, postgresql-8.4 -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0postgresql-7.4postgresql-8.1postgresql-8.3postgresql-8.4Several vulnerabilities have been discovered in PostgreSQL, an SQL database system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-3229 Authenticated users can shut down the backend server by re-LOAD-ing libraries in $libdir/plugins, if any libraries are present there. CVE-2009-3230 Authenticated non-superusers can gain database superuser privileges if they can create functions and tables due to incorrect execution of functions in functional indexes. CVE-2009-3231 If PostgreSQL is configured with LDAP authentication, and the LDAP configuration allows anonymous binds, it is possible for a user to authenticate themselves with an empty password. In addition, this update contains reliability improvements which do not target security issues. For the old stable distribution, these problems have been fixed in version 1:7.4.26-0etch1 of the postgresql-7.4 source package, and version 8.1.18-0etch1 of the postgresql-8.1 source package. For the stable distribution, these problems have been fixed in version 8.3.8-0lenny1 of the postgresql-8.3 source package. For the unstable distribution, these problems have been fixed in version 8.3.8-1 of the postgresql-8.3 source package, and version 8.4.1-1 of the postgresql-8.4 source package. We recommend that you upgrade your PostgreSQL packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1901-1 mediawiki1.7 -- several vulnerabilitiesDebian GNU/Linux 4.0mediawiki1.7Several vulnerabilities have been discovered in mediawiki1.7, a website engine for collaborative work. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-5249 David Remahl discovered that mediawiki1.7 is prone to a cross-site scripting attack. CVE-2008-5250 David Remahl discovered that mediawiki1.7, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page. CVE-2008-5252 David Remahl discovered that mediawiki1.7 is prone to a cross-site request forgery vulnerability in the Special:Import feature. CVE-2009-0737 It was discovered that mediawiki1.7 is prone to a cross-site scripting attack in the web-based installer. For the oldstable distribution, these problems have been fixed in version 1.7.1-9etch1 for mediawiki1.7, and mediawiki is not affected. The stable distribution does not include mediawiki1.7, and these problems have been fixed in version 1:1.12.0-2lenny3 for mediawiki which was already included in the lenny release. The unstable and testing distributions do not include mediawiki1.7, and these problems have been fixed in version 1:1.14.0-1 for mediawiki. We recommend that you upgrade your mediawiki1.7 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1883-1 nagios2 -- missing input sanitisingDebian GNU/Linux 4.0nagios2Several vulnerabilities have been found in nagios2, ahost/service/network monitoring and management system. The Common Vulnerabilities and Exposures project identifies the following problems: Several cross-site scripting issues via several parameters were discovered in the CGI scripts, allowing attackers to inject arbitrary HTML code. In order to cover the different attack vectors, these issues have been assigned CVE-2007-5624, CVE-2007-5803 and CVE-2008-1360. For the oldstable distribution, these problems have been fixed in version 2.6-2+etch4. The stable distribution does not include nagios2 and nagios3 is not affected by these problems. The testing distribution and the unstable distribution do not contain nagios2 and nagios3 is not affected by these problems. We recommend that you upgrade your nagios2 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1780-1 libdbd-pg-perl -- severalDebian GNU/Linux 4.0libdbd-pg-perlTwo vulnerabilities have been discovered in libdbd-pg-perl, the DBI driver module for PostgreSQL database access. CVE-2009-0663 A heap-based buffer overflow may allow attackers to execute arbitrary code through applications which read rows from the database using the pg_getline and getline functions. CVE-2009-1341 A memory leak in the routine which unquotes BYTEA values returned from the database allows attackers to cause a denial of service. For the old stable distribution, these problems have been fixed in version 1.49-2+etch1. For the stable distribution and the unstable distribution, these problems have been fixed in version 2.1.3-1 before the release of lenny. We recommend that you upgrade your libdbd-pg-perl package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1761-1 moodle -- missing input sanitisationDebian GNU/Linux 5.0Debian GNU/Linux 4.0moodleChristian J. Eibl discovered that the TeX filter of Moodle, a web-based course management system, doesn’t check user input for certain TeX commands which allows an attacker to include and display the content of arbitrary system files. Note that this doesn’t affect installations that only use the mimetex environment. For the oldstable distribution, this problem has been fixed in version 1.6.3-2+etch3. For the stable distribution, this problem has been fixed in version 1.8.2.dfsg-3+lenny2. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 1.8.2.dfsg-5. We recommend that you upgrade your moodle packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1789-1 php5 -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0php5Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems. The following four vulnerabilities have already been fixed in the stable version of php5 prior to the release of lenny. This update now addresses them for etch aswell: CVE-2008-2107 / CVE-2008-2108 The GENERATE_SEED macro has several problems that make predicting generated random numbers easier, facilitating attacks against measures that use rand or mt_rand as part of a protection. CVE-2008-5557 A buffer overflow in the mbstring extension allows attackers to execute arbitrary code via a crafted string containing an HTML entity. CVE-2008-5624 The page_uid and page_gid variables are not correctly set, allowing use of some functionality intended to be restricted to root. CVE-2008-5658 Directory traversal vulnerability in the ZipArchive::extractTo function allows attackers to write arbitrary files via a ZIP file with a file whose name contains sequences. This update also addresses the following three vulnerabilities for both oldstable and stable: CVE-2008-5814 Cross-site scripting vulnerability, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML. CVE-2009-0754 When running on Apache, PHP allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. CVE-2009-1271 the JSON_parser function allows a denial of service via a malformed string to the json_decode API function. Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package: * Let PHP use the system timezone database instead of the embedded timezone database which is out of date. * From the source tarball, the unused "dbase" module has been removed which contained licensing problems. For the old stable distribution, these problems have been fixed in version 5.2.0+dfsg-8+etch15. For the stable distribution, these problems have been fixed in version 5.2.6.dfsg.1-1+lenny3. For the unstable distribution, these problems have been fixed in version 5.2.9.dfsg.1-1. We recommend that you upgrade your php5 package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1700-1 lasso -- incorrect API usageDebian GNU/Linux 4.0lassoIt was discovered that Lasso, a library for Liberty Alliance and SAML protocols performs incorrect validation of the return value of OpenSSL’s DSA_verify function. For the stable distribution, this problem has been fixed in version 0.6.5-3+etch1. For the upcoming stable distribution and the unstable distribution , this problem has been fixed in version 2.2.1-2. We recommend that you upgrade your lasso package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1794-1 linux-2.6 -- denial of service/privilege escalation/information leakDebian GNU/Linux 4.0linux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service, privilege escalation, or information leak. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-4307 Bryn M. Reeves reported a denial of service in the NFS filesystem. Local users can trigger a kernel BUG due to a race condition in the do_setlk function. CVE-2008-5395 Helge Deller discovered a denial of service condition that allows local users on PA-RISC to crash the system by attempting to unwind a stack containing userspace addresses. CVE-2008-5701 Vlad Malov reported an issue on 64-bit MIPS where a local user could cause a system crash by crafting a malicious binary which makes o32 syscalls with a number less than 4000. CVE-2008-5702 Zvonimir Rakamaric reported an off-by-one error in the ib700wdt watchdog driver which allows local users to cause a buffer underflow by making a specially crafted WDIOC_SETTIMEOUT ioctl call. CVE-2008-5713 Flavio Leitner discovered that a local user can cause a denial of service by generating large amounts of traffic on a large SMP system, resulting in soft lockups. CVE-2009-0028 Chris Evans discovered a situation in which a child process can send an arbitrary signal to its parent. CVE-2009-0029 Christian Borntraeger discovered an issue affecting the alpha, mips, powerpc, s390 and sparc64 architectures that allows local users to cause a denial of service or potentially gain elevated privileges. CVE-2009-0031 Vegard Nossum discovered a memory leak in the keyctl subsystem that allows local users to cause a denial of service by consuming all available kernel memory. CVE-2009-0065 Wei Yongjun discovered a memory overflow in the SCTP implementation that can be triggered by remote users, permitting remote code execution. CVE-2009-0322 Pavel Roskin provided a fix for an issue in the dell_rbu driver that allows a local user to cause a denial of service by reading 0 byts from a sysfs entry. CVE-2009-0675 Roel Kluin discovered inverted logic in the skfddi driver that permits local, unprivileged users to reset the driver statistics. CVE-2009-0676 Clement LECIGNE discovered a bug in the sock_getsockopt function that may result in leaking sensitive kernel memory. CVE-2009-0834 Roland McGrath discovered an issue on amd64 kernels that allows local users to circumvent system call audit configurations which filter based on the syscall numbers or argument details. CVE-2009-0859 Jiri Olsa discovered that a local user can cause a denial of service using a SHM_INFO shmctl call on kernels compiled with CONFIG_SHMEM disabled. This issue does not affect prebuilt Debian kernels. CVE-2009-1192 Shaohua Li reported an issue in the AGP subsystem they may allow local users to read sensitive kernel memory due to a leak of uninitialised memory. CVE-2009-1265 Thomas Pollet reported an overflow in the af_rose implementation that allows remote attackers to retrieve uninitialised kernel memory that may contain sensitive data. CVE-2009-1336 Trond Myklebust reported an issue in the encode_lookup function in the nfs server subsystem that allows local users to cause a denial of service by use of a long filename. CVE-2009-1337 Oleg Nesterov discovered an issue in the exit_notify function that allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. CVE-2009-1439 Pavan Naregundi reported an issue in the CIFS filesystem code that allows remote users to overwrite memory via a long nativeFileSystem field in a Tree Connect response during mount. For the oldstable distribution, this problem has been fixed in version 2.6.18.dfsg.1-24etch2. We recommend that you upgrade your linux-2.6, fai-kernels, and user-mode-linux packages. Note: Debian carefully tracks all known security issues across every linux kernel package in all releases under active security support. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, updates for lower priority issues will normally not be released for all kernels at the same time. Rather, they will be released in a staggered or "leap-frog" fashion.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1859-1 libxml2 -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0libxml2Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several vulnerabilities in libxml2, a library for parsing and handling XML data files, which can lead to denial of service conditions or possibly arbitrary code execution in the application using the library. The Common Vulnerabilities and Exposures project identifies the following problems: An XML document with specially-crafted Notation or Enumeration attribute types in a DTD definition leads to the use of a pointers to memory areas which have already been freed. Missing checks for the depth of ELEMENT DTD definitions when parsing child content can lead to extensive stack-growth due to a function recursion which can be triggered via a crafted XML document. For the oldstable distribution, this problem has been fixed in version 2.6.27.dfsg-6+etch1. For the stable distribution, this problem has been fixed in version 2.6.32.dfsg-5+lenny1. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your libxml2 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1729-1 gst-plugins-bad0.10 -- several vulnerabilitiesDebian GNU/Linux 4.0gst-plugins-bad0.10Several vulnerabilities have been found in gst-plugins-bad0.10, a collection of various GStreamer plugins. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0386 Tobias Klein discovered a buffer overflow in the quicktime stream demuxer, which could potentially lead to the execution of arbitrary code via crafted .mov files. CVE-2009-0387 Tobias Klein discovered an array index error in the quicktime stream demuxer, which could potentially lead to the execution of arbitrary code via crafted .mov files. CVE-2009-0397 Tobias Klein discovered a buffer overflow in the quicktime stream demuxer similar to the issue reported in CVE-2009-0386, which could also lead to the execution of arbitrary code via crafted .mov files. For the stable distribution, these problems have been fixed in version 0.10.8-4.1~lenny1 of gst-plugins-good0.10, since the affected plugin has been moved there. The fix was already included in the lenny release. For the oldstable distribution, these problems have been fixed in version 0.10.3-3.1+etch1. For the unstable distribution and the testing distribution, these problems have been fixed in version 0.10.8-4.1 of gst-plugins-good0.10.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1781-1 ffmpeg-debian -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0ffmpeg-debianSeveral vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0385 It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. CVE-2008-3162 It was discovered that using a crafted STR file can lead to the execution of arbitrary code. For the oldstable distribution, these problems have been fixed in version 0.cvs20060823-8+etch1. For the stable distribution, these problems have been fixed in version 0.svn20080206-17+lenny1. For the testing distribution and the unstable distribution , these problems have been fixed in version 0.svn20080206-16. We recommend that you upgrade your ffmpeg-debian packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1910-1 mysql-ocaml -- missing escape functionDebian GNU/Linux 5.0Debian GNU/Linux 4.0mysql-ocamlIt was discovered that mysql-ocaml, OCaml bindings for MySql, was missing a function to call mysql_real_escape_string. This is needed, because mysql_real_escape_string honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called real_escape and takes the established database connection as a first argument. The old escape_string was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. For the stable distribution, this problem has been fixed in version 1.0.4-4+lenny1. For the oldstable distribution, this problem has been fixed in version 1.0.4-2+etch1. For the testing distribution and the unstable distribution , this problem will be fixed soon. We recommend that you upgrade your mysql-ocaml packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1955-1 network-manager/network-manager-applet -- information disclosureDebian GNU/Linux 5.0Debian GNU/Linux 4.0network-manager/network-manager-appletIt was discovered that network-manager-applet, a network management framework, lacks some dbus restriction rules, which allows local users to obtain sensitive information. If you have locally modified the /etc/dbus-1/system.d/nm-applet.conf file, then please make sure that you merge the changes from this fix when asked during upgrade. For the stable distribution, this problem has been fixed in version 0.6.6-4+lenny1 of network-manager-applet. For the oldstable distribution, this problem has been fixed in version 0.6.4-6+etch1 of network-manager. For the testing distribution and the unstable distribution, this problem has been fixed in version 0.7.0.99-1 of network-manager-applet. We recommend that you upgrade your network-manager and network-manager-applet packages accordingly.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1829-2 sork-passwd-h3 -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0sork-passwd-h3The previous update introduced a regression in main.php, causing the module to fail. This update corrects the flaw. For reference the original advisory text is below. It was discovered that sork-passwd-h3, a Horde3 module for users to change their password, is prone to a cross-site scripting attack via the backend parameter. For the oldstable distribution, this problem has been fixed in version 3.0-2+etch2. For the stable distribution, this problem has been fixed in version 3.0-2+lenny2. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 3.1-1.2. We recommend that you upgrade your sork-passwd-h3 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1953-1 expat -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0expatJan Lieskovsky discovered an error in expat, an XML parsing C library, when parsing certain UTF-8 sequences, which can be exploited to crash an application using the library. For the old stable distribution, this problem has been fixed in version 1.95.8-3.4+etch2. For the stable distribution, this problem has been fixed in version 2.0.1-4+lenny2. For the testing distribution and the unstable distribution , this problem will be in version 2.0.1-6. The builds for the mipsel architecture for the old stable distribution are not included yet. They will be released when they become available. We recommend that you upgrade your expat packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1865-1 linux-2.6 -- denial of service/privilege escalationDebian GNU/Linux 4.0linux-2.6Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1385 Neil Horman discovered a missing fix from the e1000 network driver. A remote user may cause a denial of service by way of a kernel panic triggered by specially crafted frame sizes. CVE-2009-1389 Michael Tokarev discovered an issue in the r8169 network driver. Remote users on the same LAN may cause a denial of service by way of a kernel panic triggered by receiving a large size frame. CVE-2009-1630 Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. CVE-2009-1633 Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. CVE-2009-2692 Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialised in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges. For the oldstable distribution, this problem has been fixed in version 2.6.18.dfsg.1-24etch3. We recommend that you upgrade your linux-2.6, fai-kernels, and user-mode-linux packages. Note: Debian carefully tracks all known security issues across every linux kernel package in all releases under active security support. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, updates for lower priority issues will normally not be released for all kernels at the same time. Rather, they will be released in a staggered or "leap-frog" fashion.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1737-1 wesnoth -- several vulnerabilitiesDebian GNU/Linux 4.0wesnothSeveral security issues have been discovered in wesnoth, a fantasy turn-based strategy game. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0366 Daniel Franke discovered that the wesnoth server is prone to a denial of service attack when receiving special crafted compressed data. CVE-2009-0367 Daniel Franke discovered that the sandbox implementation for the python AIs can be used to execute arbitrary python code on wesnoth clients. In order to prevent this issue, the python support has been disabled. A compatibility patch was included, so that the affected campagne is still working properly. For the stable distribution, these problems have been fixed in version 1.4.4-2+lenny1. For the oldstable distribution, these problems have been fixed in version 1.2-5. For the testing distribution and the unstable distribution , these problems have been fixed in version 1.4.7-4. We recommend that you upgrade your wesnoth packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1747-1 glib2.0 -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0glib2.0Diego Petten discovered that glib2.0, the GLib library of C routines, handles large strings insecurely via its Base64 encoding functions. This could possible lead to the execution of arbitrary code. For the stable distribution, this problem has been fixed in version 2.16.6-1+lenny1. For the oldstable distribution, this problem has been fixed in version 2.12.4-2+etch1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 2.20.0-1. We recommend that you upgrade your glib2.0 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1835-1 tiff -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0tiffSeveral vulnerabilities have been discovered in the library for the Tag Image File Format. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-2285 It was discovered that malformed TIFF images can lead to a crash in the decompression code, resulting in denial of service. CVE-2009-2347 Andrea Barisani discovered several integer overflows, which can lead to the execution of arbitrary code if malformed images are passed to the rgb2ycbcr or tiff2rgba tools. For the old stable distribution, these problems have been fixed in version 3.8.2-7+etch3. For the stable distribution, these problems have been fixed in version 3.8.2-11.2. For the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your tiff packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1695-1 ruby1.8, ruby1.9 -- memory leakDebian GNU/Linux 4.0ruby1.8ruby1.9The regular expression engine of Ruby, a scripting language, contains a memory leak which can be triggered remotely under certain circumstances, leading to a denial of service condition. In addition, this security update addresses a regression in the REXML XML parser of the ruby1.8 package; the regression was introduced in DSA-1651-1. For the stable distribution, this problem has been fixed in version 1.8.5-4etch4 of the ruby1.8 package, and version 1.9.0+20060609-1etch4 of the ruby1.9 package. For the unstable distribution, this problem has been fixed in version 1.8.7.72-1 of the ruby1.8 package. The ruby1.9 package will be fixed soon. We recommend that you upgrade your Ruby packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1694-1 xterm -- design flawDebian GNU/Linux 4.0xtermPaul Szabo discovered that xterm, a terminal emulator for the X Window System, places arbitrary characters into the input buffer when displaying certain crafted escape sequences. As an additional precaution, this security update also disables font changing, user-defined keys, and X property changes through escape sequences. For the stable distribution, this problem has been fixed in version 222-1etch3. For the unstable distribution, this problem will be fixed soon. We recommend that you upgrade your xterm package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1946-1 belpic -- cryptographic weaknessDebian GNU/Linux 4.0belpicIt was discovered that belpic, the belgian eID PKCS11 library, does not properly check the result of an OpenSSL function for verifying cryptographic signatures, which could be used to bypass the certificate validation. For the oldstable distribution, this problem has been fixed in version 2.5.9-7.etch.1. For the stable distribution, this problem has been fixed in version 2.6.0-6, which was already included in the lenny release. For the testing distribution and the unstable distribution , this problem has been fixed in version 2.6.0-6. We recommend that you upgrade your belpic packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1994-1 ajaxterm -- weak session IDsDebian GNU/Linux 5.0Debian GNU/Linux 4.0ajaxtermIt was discovered that ajaxterm, a web-based terminal, generates weak and predictable session IDs, which might be used to hijack a session or cause a denial of service attack on a system that uses ajaxterm. For the oldstable distribution, the problem has been fixed in version 0.9-2+etch1. For the stable distribution, the problem has been fixed in version 0.10-2+lenny1. For the unstable distribution, the problem has been fixed in version 0.10-5. We recommend that you upgrade your ajaxterm package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1731-1 ndiswrapper -- buffer overflowDebian GNU/Linux 4.0ndiswrapperAnders Kaseorg discovered that ndiswrapper suffers from buffer overflows via specially crafted wireless network traffic, due to incorrectly handling long ESSIDs. This could lead to the execution of arbitrary code. For the oldstable distribution, this problem has been fixed in version 1.28-1+etch1. For the stable distribution, this problem has been fixed in version 1.53-2, which was already included in the lenny release. For the testing distribution and the unstable distribution , this problem has been fixed in version 1.53-2.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1878-1 devscripts -- missing input sanitationDebian GNU/Linux 5.0Debian GNU/Linux 4.0devscriptsRaphael Geissert discovered that uscan, a program to check for availability of new source code versions which is part of the devscripts package, runs Perl code downloaded from potentially untrusted sources to implement its URL and version mangling functionality. This update addresses this issue by reimplementing the relevant Perl operators without relying on the Perl interpreter, trying to preserve backwards compatibility as much as possible. For the old stable distribution, this problem has been fixed in version 2.9.26etch4. For the stable distribution, this problem has been fixed in version 2.10.35lenny6. For the unstable distribution, this problem will be fixed in version 2.10.54. We recommend that you upgrade your devscripts package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1864-1 linux-2.6.24 -- privilege escalationDebian GNU/Linux 4.0linux-2.6.24A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem: CVE-2009-2692 Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialised in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges. For the oldstable distribution, this problem has been fixed in version 2.6.24-6~etchnhalf.8etch3. We recommend that you upgrade your linux-2.6.24 packages. Note: Debian "etch" includes linux kernel packages based upon both the 2.6.18 and 2.6.24 linux releases. All known security issues are carefully tracked against both packages and both packages will receive security updates until security support for Debian "etch" concludes. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, lower severity 2.6.18 and 2.6.24 updates will typically release in a staggered or "leap-frog" fashion.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1719-2 gnutls13, gnutls26 -- design flawDebian GNU/Linux 5.0Debian GNU/Linux 4.0gnutls13gnutls26Changes in DSA-1719-1 caused GNUTLS to reject X.509v1 certificates as CA root certificates by default, as originally described in the documentation. However, it turned out that there is still significant use of historic X.509v1 CA root certificates, so this constitutes an unacceptable regression. This update reverses this part of the changes in DSA-1719-1. Note that the X.509v1 certificate format does not distinguish between server and CA certificates, which means that an X.509v1 server certificates is implicitly converted into a CA certificate when added to the trust store. The current stable distribution was released with the changes in DSA-1719-1 already applied, and this update reverses the changes concerning X.509v1 CA certificates for this distribution, too. For the old stable distribution, this problem has been fixed in version 1.4.4-3+etch4. For the stable distribution, this problem has been fixed in version 2.4.2-6+lenny1. We recommend that you upgrade your GNUTLS packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1709-1 shadow -- race conditionDebian GNU/Linux 4.0shadowPaul Szabo discovered that login, the system login tool, did not correctly handle symlinks while setting up tty permissions. If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation. For the stable distribution, this problem has been fixed in version 4.0.18.1-7+etch1. For the unstable distribution, this problem has been fixed in version 4.1.1-6. We recommend that you upgrade your shadow package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1934-1 apache2 -- multiple issuesDebian GNU/Linux 5.0Debian GNU/Linux 4.0apache2A design flaw has been found in the TLS and SSL protocol that allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection. The attack is related to the way how TLS and SSL handle session renegotiations. CVE-2009-3555 has been assigned to this vulnerability. As a partial mitigation against this attack, this apache2 update disables client-initiated renegotiations. This should fix the vulnerability for the majority of Apache configurations in use. NOTE: This is not a complete fix for the problem. The attack is still possible in configurations where the server initiates the renegotiation. This is the case for the following configurations: - - The "SSLVerifyClient" directive is used in a Directory or Location context. - - The "SSLCipherSuite" directive is used in a Directory or Location context. As a workaround, you may rearrange your configuration in a way that SSLVerifyClient and SSLCipherSuite are only used on the server or virtual host level. A complete fix for the problem will require a protocol change. Further information will be included in a separate announcement about this issue. In addition, this update fixes the following issues in Apache's mod_proxy_ftp: CVE-2009-3094: Insufficient input validation in the mod_proxy_ftp module allowed remote FTP servers to cause a denial of service via a malformed reply to an EPSV command. CVE-2009-3095: Insufficient input validation in the mod_proxy_ftp module allowed remote authenticated attackers to bypass intended access restrictions and send arbitrary FTP commands to an FTP server. For the stable distribution, these problems have been fixed in version 2.2.9-10+lenny6. This version also includes some non-security bug fixes that were scheduled for inclusion in the next stable point release. The oldstable distribution, these problems have been fixed in version 2.2.3-4+etch11. For the testing distribution and the unstable distribution, these problems will be fixed in version 2.2.14-2. This advisory also provides updated apache2-mpm-itk packages which have been recompiled against the new apache2 packages. Updated apache2-mpm-itk packages for the armel architecture are not included yet. They will be released as soon as they become available. We recommend that you upgrade your apache2 and apache2-mpm-itk packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1743-1 libtk-img -- buffer overflowsDebian GNU/Linux 5.0Debian GNU/Linux 4.0libtk-imgTwo buffer overflows have been found in the GIF image parsing code of Tk, a cross-platform graphical toolkit, which could lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-5137 It was discovered that libtk-img is prone to a buffer overflow via specially crafted multi-frame interlaced GIF files. CVE-2007-5378 It was discovered that libtk-img is prone to a buffer overflow via specially crafted GIF files with certain subimage sizes. For the stable distribution, these problems have been fixed in version 1:1.3-release-7+lenny1. For the oldstable distribution, these problems have been fixed in version 1:1.3-15etch3. For the testing distribution and the unstable distribution, these problems have been fixed in version 1.3-release-8. We recommend that you upgrade your libtk-img packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1694-2 xterm -- design flawDebian GNU/Linux 4.0xtermThe xterm update in DSA-1694-1 disabled font changing as a precaution. However, users reported that they need this feature. The update in this DSA makes font shifting through escape sequences configurable, using a new allowFontOps X resource, and unconditionally enables font changing through keyboard sequences. For the stable distribution, this problem has been fixed in version 222-1etch4. For the testing distribution, this problem has been fixed in version 235-2. For the unstable distribution, this problem has been fixed in version 238-2. We recommend that you upgrade your xterm package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1772-1 udev -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0udevSebastian Kramer discovered two vulnerabilities in udev, the /dev and hotplug management daemon. CVE-2009-1185 udev does not check the origin of NETLINK messages, allowing local users to gain root privileges. CVE-2009-1186 udev suffers from a buffer overflow condition in path encoding, potentially allowing arbitrary code execution. For the old stable distribution, these problems have been fixed in version 0.105-4etch1. For the stable distribution, these problems have been fixed in version 0.125-7+lenny1. For the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your udev package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1779-1 apt -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0aptTwo vulnerabilities have been discovered in APT, the well-known dpkg frontend. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1300 In time zones where daylight savings time occurs at midnight, the apt cron.daily script fails, stopping new security updates from being applied automatically. CVE-2009-1358 A repository that has been signed with an expired or revoked OpenPGP key would still be considered valid by APT. For the old stable distribution, these problems have been fixed in version 0.6.46.4-0.1+etch1. For the stable distribution, these problems have been fixed in version 0.7.20.2+lenny1. For the unstable distribution, these problems have been fixed in version 0.7.21. We recommend that you upgrade your apt package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1979-1 lintian -- multipleDebian GNU/Linux 5.0Debian GNU/Linux 4.0lintianMultiple vulnerabilities have been discovered in lintian, a Debian package checker. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them: CVE-2009-4013: missing control files sanitation Control field names and values were not sanitised before using them in certain operations that could lead to directory traversals. Patch systems" control files were not sanitised before using them in certain operations that could lead to directory traversals. An attacker could exploit these vulnerabilities to overwrite arbitrary files or disclose system information. CVE-2009-4014: format string vulnerabilities Multiple check scripts and the Lintian::Schedule module were using user-provided input as part of the sprintf/printf format string. CVE-2009-4015: arbitrary command execution File names were not properly escaped when passing them as arguments to certain commands, allowing the execution of other commands as pipes or as a set of shell commands. For the oldstable distribution, these problems have been fixed in version 1.23.28+etch1. For the stable distribution, these problems have been fixed in version 1.24.2.1+lenny1. For the testing distribution, these problems will be fixed soon. For the unstable distribution, these problems have been fixed in version 2.3.2 We recommend that you upgrade your lintian packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1750-1 libpng -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0libpngSeveral vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The Common Vulnerabilities and Exposures project identifies the following problems: The png_handle_tRNS function allows attackers to cause a denial of service via a grayscale PNG image with a bad tRNS chunk CRC value. Certain chunk handlers allow attackers to cause a denial of service via crafted pCAL, sCAL, tEXt, iTXt, and ztXT chunking in PNG images, which trigger out-of-bounds read operations. libpng allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialised memory. The png_check_keyword might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords. A memory leak in the png_handle_tEXt function allows context-dependent attackers to cause a denial of service via a crafted PNG file. libpng allows context-dependent attackers to cause a denial of service or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialised pointer in the png_read_png function, pCAL chunk handling, or setup of 16-bit gamma tables. For the old stable distribution, these problems have been fixed in version1.2.15~beta5-1+etch2. For the stable distribution, these problems have been fixed in version 1.2.27-2+lenny2. For the unstable distribution, these problems have been fixed in version 1.2.35-1. We recommend that you upgrade your libpng packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1771-1 clamav -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0clamavSeveral vulnerabilities have been discovered in the ClamAV anti-virus toolkit: CVE-2008-6680 Attackers can cayse a denial of service via a crafted EXE file that triggers a divide-by-zero error. CVE-2009-1270 Attackers can cause a denial of service via a crafted tar file that causes clamd and clamscan to hang. Attackers can cause a denial of service via a crafted EXE file that crashes the UPack unpacker. For the old stable distribution, these problems have been fixed in version 0.90.1dfsg-4etch19. For the stable distribution, these problems have been fixed in version 0.94.dfsg.2-1lenny2. For the unstable distribution, these problems have been fixed in version 0.95.1+dfsg-1. We recommend that you upgrade your clamav packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1902-1 elinks -- buffer overflowDebian GNU/Linux 4.0elinksJakub Wilk discovered an off-by-one buffer overflow in the charset handling of elinks, a feature-rich text-mode WWW browser, which might lead to the execution of arbitrary code if the user is tricked into opening a malformed HTML page. For the old stable distribution, this problem has been fixed in version 0.11.1-1.2etch2. The stable distribution and the unstable distribution already contain a patch for this problem. We recommend that you upgrade your elinks package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1707-1 iceweasel -- several vulnerabilitiesDebian GNU/Linux 4.0iceweaselSeveral remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-5500 Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. CVE-2008-5503 Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. CVE-2008-5504 It was discovered that attackers could run arbitrary JavaScript with chrome privileges via vectors related to the feed preview. CVE-2008-5506 Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. CVE-2008-5507 Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. CVE-2008-5508 Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. CVE-2008-5510 Kojima Hajime and Jun Muto discovered that escaped null characters were ignored by the CSS parser and could lead to the bypass of protection mechanisms CVE-2008-5511 It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." CVE-2008-5512 It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. CVE-2008-5513 moz_bug_r_a4 discovered that the session-restore feature does not properly sanitise input leading to arbitrary injections. This issue could be used to perform an XSS attack or run arbitrary JavaScript with chrome privileges. For the stable distribution these problems have been fixed in version 2.0.0.19-0etch1. For the testing distribution and the unstable distribution these problems have been fixed in version 3.0.5-1. Please note iceweasel in Lenny links dynamically against xulrunner. We recommend that you upgrade your iceweasel package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1748-1 libsoup -- integer overflowDebian GNU/Linux 4.0libsoupIt was discovered that libsoup, an HTTP library implementation in C, handles large strings insecurely via its Base64 encoding functions. This could possibly lead to the execution of arbitrary code. For the oldstable distribution, this problem has been fixed in version 2.2.98-2+etch1. The stable distribution is not affected by this issue. The testing distribution and the unstable distribution are not affected by this issue. We recommend that you upgrade your libsoup packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1878-2 devscripts -- missing input sanitationDebian GNU/Linux 5.0Debian GNU/Linux 4.0devscriptsThis update corrects regressions introduced by the devscripts security update, DSA-1878-1. The original announcement was: Raphael Geissert discovered that uscan, a program to check for availability of new source code versions which is part of the devscripts package, runs Perl code downloaded from potentially untrusted sources to implement its URL and version mangling functionality. This update addresses this issue by reimplementing the relevant Perl operators without relying on the Perl interpreter, trying to preserve backwards compatibility as much as possible. For the old stable distribution, this problem has been fixed in version 2.9.26etch5. For the stable distribution, this problem has been fixed in version 2.10.35lenny7. For the unstable distribution, this problem will be fixed in version 2.10.55. We recommend that you upgrade your devscripts package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1866-1 kdegraphics -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0kdegraphicsTwo security issues have been discovered in kdegraphics, the graphics apps from the official KDE release. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0945 It was discovered that the KSVG animation element implementation suffers from a null pointer dereference flaw, which could lead to the execution of arbitrary code. CVE-2009-1709 It was discovered that the KSVG animation element implementation is prone to a use-after-free flaw, which could lead to the execution of arbitrary code. For the stable distribution, these problems have been fixed in version 4:3.5.9-3+lenny2. For the oldstable distribution, these problems have been fixed in version 4:3.5.5-3etch4. For the testing distribution and the unstable distribution , these problems have been fixed in version 4:4.0. We recommend that you upgrade your kdegraphics packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1803-1 nsd, nsd3 -- buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0nsdnsd3Ilja van Sprundel discovered that a buffer overflow in NSD, an authoritative name service daemon, allowed to crash the server by sending a crafted packet, creating a denial of service. For the old stable distribution, this problem has been fixed in version 2.3.6-1+etch1 of the nsd package. For the stable distribution, this problem has been fixed in version 2.3.7-1.1+lenny1 of the nsd package and version 3.0.7-3.lenny2 of the nsd3 package. For the unstable distribution, this problem has been fixed in version 2.3.7-3 for nsd; nsd3 will be fixed soon. We recommend that you upgrade your nsd or nsd3 package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1745-2 lcms -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0lcmsThis update fixes a possible regression introduced in DSA-1745-1 and also enhances the security patch. For reference the original advisory text is below. Several security issues have been discovered in lcms, a color management library. The Common Vulnerabilities andi Exposures project identifies the following problems: CVE-2009-0581 Chris Evans discovered that lcms is affected by a memory leak, which could result in a denial of service via specially crafted image files. CVE-2009-0723 Chris Evans discovered that lcms is prone to several integer overflows via specially crafted image files, which could lead to the execution of arbitrary code. CVE-2009-0733 Chris Evans discovered the lack of upper-gounds check on sizes leading to a buffer overflow, which could be used to execute arbitrary code. For the stable distribution, these problems have been fixed in version 1.17.dfsg-1+lenny2. For the oldstable distribution, these problems have been fixed in version 1.15-1.1+etch3. For the testing distribution and the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your lcms packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1937-1 gforge -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0gforgeIt was discovered that gforge, collaborative development tool, is prone to a cross-site scripting attack via the helpname parameter. Beside fixing this issue, the update also introduces some additional input sanitising. However, there are no known attack vectors. For the stable distribution, these problem have been fixed in version 4.7~rc2-7lenny2. The oldstable distribution, these problems have been fixed in version 4.5.14-22etch12. For the testing distribution and the unstable distribution, these problems have been fixed in version 4.8.1-3. We recommend that you upgrade your gforge packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1851-1 gst-plugins-bad0.10 -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0gst-plugins-bad0.10It was discovered that gst-plugins-bad0.10, the GStreamer plugins from the "bad" set, is prone to an integer overflow when processing a MED file with a crafted song comment or song name. For the stable distribution, this problem has been fixed in version 0.10.7-2+lenny2. For the oldstable distribution, this problem has been fixed in version 0.10.3-3.1+etch3. For the testing distribution and the unstable distribution , gst-plugins-bad0.10 links against libmodplug. We recommend that you upgrade your gst-plugins-bad0.10 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1844-1 linux-2.6.24 -- denial of service/privilege escalationDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1385 Neil Horman discovered a missing fix from the e1000 network driver. A remote user may cause a denial of service by way of a kernel panic triggered by specially crafted frame sizes. CVE-2009-1389 Michael Tokarev discovered an issue in the r8169 network driver. Remote users on the same LAN may cause a denial of service by way of a kernel panic triggered by receiving a large size frame. CVE-2009-1630 Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. CVE-2009-1633 Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. CVE-2009-1895 Julien Tinnes and Tavis Ormandy reported and issue in the Linux vulnerability code. Local users can take advantage of a setuid binary that can either be made to dereference a NULL pointer or drop privileges and return control to the user. This allows a user to bypass mmap_min_addr restrictions which can be exploited to execute arbitrary code. CVE-2009-1914 Mikulas Patocka discovered an issue in sparc64 kernels that allows local users to cause a denial of service by reading the /proc/iomem file. CVE-2009-1961 Miklos Szeredi reported an issue in the ocfs2 filesystem. Local users can create a denial of service using a particular sequence of splice system calls. CVE-2009-2406 CVE-2009-2407 Ramon de Carvalho Valle discovered two issues with the eCryptfs layered filesystem using the fsfuzzer utility. A local user with permissions to perform an eCryptfs mount may modify the contents of a eCryptfs file, overflowing the stack and potentially gaining elevated privileges. For the stable distribution, these problems have been fixed in version 2.6.24-6~etchnhalf.8etch2. We recommend that you upgrade your linux-2.6.24 packages. Note: Debian "etch" includes linux kernel packages based upon both the 2.6.18 and 2.6.24 linux releases. All known security issues are carefully tracked against both packages and both packages will receive security updates until security support for Debian "etch" concludes. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, lower severity 2.6.18 and 2.6.24 updates will typically release in a staggered or "leap-frog" fashion.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1723-1 phpmyadmin -- insufficient input sanitisingDebian GNU/Linux 4.0phpmyadminMichael Brooks discovered that phpMyAdmin, a tool to administrate MySQL over the web, performs insufficient input sanitising allowing a user assisted remote attacker to execute code on the webserver. For the stable distribution, this problem has been fixed in version 4:2.9.1.1-10. For the testing distribution and unstable distribution, this problem has been fixed in version 2.11.8.1-5. We recommend that you upgrade your phpmyadmin package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1904-1 wget -- insufficient input validationDebian GNU/Linux 5.0Debian GNU/Linux 4.0wgetDaniel Stenberg discovered that wget, a network utility to retrieve files from the Web using http and ftp, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" published at the Blackhat conference some time ago. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field. For the oldstable distribution, this problem has been fixed in version 1.10.2-2+etch1. For the stable distribution, this problem has been fixed in version 1.11.4-2+lenny1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 1.12-1. We recommend that you upgrade your wget packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1738-1 curl -- arbitrary file accessDebian GNU/Linux 5.0Debian GNU/Linux 4.0curlDavid Kierznowski discovered that libcurl, a multi-protocol file transfer library, when configured to follow URL redirects automatically, does not question the new target location. As libcurl also supports file:// and scp:// URLs - depending on the setup - an untrusted server could use that to expose local files, overwrite local files or even execute arbitrary code via a malicious URL redirect. This update introduces a new option called CURLOPT_REDIR_PROTOCOLS which by default does not include the scp and file protocol handlers. For the oldstable distribution this problem has been fixed in version 7.15.5-1etch2. For the stable distribution this problem has been fixed in version 7.18.2-8lenny2. For the unstable distribution this problem has been fixed in version 7.18.2-8.1. We recommend that you upgrade your curl packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1899-1 strongswan -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0strongswanSeveral remote vulnerabilities have been discovered in strongswan, an implementation of the IPSEC and IKE protocols. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1957 CVE-2009-1958 The charon daemon can crash when processing certain crafted IKEv2 packets. CVE-2009-2185 CVE-2009-2661 The pluto daemon could crash when processing a crafted X.509 certificate. For the old stable distribution, these problems have been fixed in version 2.8.0+dfsg-1+etch2. For the stable distribution, these problems have been fixed in version 4.2.4-5+lenny3. For the unstable distribution, these problems have been fixed in version 4.3.2-1.1. We recommend that you upgrade your strongswan packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1969-1 krb5 -- integer underflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0krb5It was discovered that krb5, a system for authenticating users and services on a network, is prone to integer underflow in the AES and RC4 decryption operations of the crypto library. A remote attacker can cause crashes, heap corruption, or, under extraordinarily unlikely conditions, arbitrary code execution. For the old stable distribution, this problem has been fixed in version 1.4.4-7etch8. For the stable distribution, this problem has been fixed in version 1.6.dfsg.4~beta1-5lenny2. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 1.8+dfsg~alpha1-1. We recommend that you upgrade your krb5 package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1802-2 squirrelmail -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0squirrelmailMichal Hlavinka discovered that the fix for code execution in the map_yp_alias function, known as CVE-2009-1579 and released in DSA 1802-1, was incomplete. This update corrects the fix for that function. For the old stable distribution, this problem has been fixed in version 1.4.9a-5. For the stable distribution, this problem has been fixed in version 1.4.15-4+lenny2. For the unstable distribution, this problem has been fixed in version 1.4.19-1 We recommend that you upgrade your squirrelmail package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1724-1 moodle -- several vulnerabilitiesDebian GNU/Linux 4.0moodleSeveral vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0500 It was discovered that the information stored in the log tables was not properly sanitised, which could allow attackers to inject arbitrary web code. CVE-2009-0502 It was discovered that certain input via the "Login as" function was not properly sanitised leading to the injection of arbitrary web script. CVE-2008-5153 Dmitry E. Oboukhov discovered that the SpellCheker plugin creates temporary files insecurely, allowing a denial of service attack. Since the plugin was unused, it is removed in this update. For the stable distribution these problems have been fixed in version 1.6.3-2+etch2. For the testing distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1. For the unstable distribution these problems have been fixed in version 1.8.2.dfsg-4. We recommend that you upgrade your moodle package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1914-1 mapserver -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0mapserverSeveral vulnerabilities have been discovered in mapserver, a CGI-based web framework to publish spatial data and interactive mapping applications. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0843 Missing input validation on a user supplied map queryfile name can be used by an attacker to check for the existence of a specific file by using the queryfile GET parameter and checking for differences in error messages. CVE-2009-0842 A lack of file type verification when parsing a map file can lead to partial disclosure of content from arbitrary files through parser error messages. CVE-2009-0841 Due to missing input validation when saving map files under certain conditions it is possible to perform directory traversal attacks and to create arbitrary files. NOTE: Unless the attacker is able to create directories in the image path or there is already a readable directory this doesn’t affect installations on Linux as the fopen syscall will fail in case a sub path is not readable. CVE-2009-0839 It was discovered that mapserver is vulnerable to a stack-based buffer overflow when processing certain GET parameters. An attacker can use this to execute arbitrary code on the server via crafted id parameters. CVE-2009-0840 An integer overflow leading to a heap-based buffer overflow when processing the Content-Length header of an HTTP request can be used by an attacker to execute arbitrary code via crafted POST requests containing negative Content-Length values. CVE-2009-2281 An integer overflow when processing HTTP requests can lead to a heap-based buffer overflow. An attacker can use this to execute arbitrary code either via crafted Content-Length values or large HTTP request. This is partly because of an incomplete fix for CVE-2009-0840. For the oldstable distribution, this problem has been fixed in version 4.10.0-5.1+etch4. For the stable distribution, this problem has been fixed in version 5.0.3-3+lenny4. For the testing distribution, this problem has been fixed in version 5.4.2-1. For the unstable distribution, this problem has been fixed in version 5.4.2-1. We recommend that you upgrade your mapserver packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1777-1 git-core -- file permission errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0git-corePeter Palfrader discovered that in the Git revision control system, on some architectures files under /usr/share/git-core/templates/ were owned by a non-root user. This allows a user with that uid on the local system to write to these files and possibly escalate their privileges. This issue only affects the DEC Alpha and MIPS architectures. For the old stable distribution, this problem has been fixed in version 1.4.4.4-4+etch2. For the stable distribution, this problem has been fixed in version 1.5.6.5-3+lenny1. For the unstable distribution, this problem has been fixed in version 1.6.2.1-1. We recommend that you upgrade your git-core package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1765-1 horde3 -- Multiple vulnerabilitiesDebian GNU/Linux 4.0horde3Several vulnerabilities have been found in horde3, the horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0932 Gunnar Wrobel discovered a directory traversal vulnerability, which allows attackers to include and execute arbitrary local files via the driver parameter in Horde_Image. CVE-2008-3330 It was discovered that an attacker could perform a cross-site scripting attack via the contact name, which allows attackers to inject arbitrary html code. This requires that the attacker has access to create contacts. CVE-2008-5917 It was discovered that the horde XSS filter is prone to a cross-site scripting attack, which allows attackers to inject arbitrary html code. This is only exploitable when Internet Explorer is used. For the oldstable distribution, these problems have been fixed in version 3.1.3-4etch5. For the stable distribution, these problems have been fixed in version 3.2.2+debian0-2, which was already included in the lenny release. For the testing distribution and the unstable distribution , these problems have been fixed in version 3.2.2+debian0-2. We recommend that you upgrade your horde3 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1713-1 rt2500 -- integer overflowDebian GNU/Linux 4.0rt2500It was discovered that an integer overflow in the "Probe Request" packet parser of the Ralinktech wireless drivers might lead to remote denial of service or the execution of arbitrary code. Please note that you need to rebuild your driver from the source package in order to set this update into effect. Detailed instructions can be found in /usr/share/doc/rt2500-source/README.Debian For the stable distribution, this problem has been fixed in version 1.1.0+cvs20060620-3+etch1. For the upcoming stable distribution and the unstable distribution , this problem has been fixed in version 1:1.1.0-b4+cvs20080623-3. We recommend that you upgrade your rt2500 package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1951-1 firefox-sage -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0firefox-sageIt was discovered that firefox-sage, a lightweight RSS and Atom feed reader for Firefox, does not sanitise the RSS feed information correctly, which makes it prone to a cross-site scripting and a cross-domain scripting attack. For the stable distribution, this problem has been fixed in version 1.4.2-0.1+lenny1. For the oldstable distribution, this problem has been fixed in version 1.3.6-4etch1. For the testing distribution and the unstable distribution, this problem has been fixed in version 1.4.3-3. We recommend that you upgrade your firefox-sage packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1730-1 proftpd-dfsg -- SQL injection vulnerabilitesDebian GNU/Linux 4.0proftpd-dfsgThe security update for proftpd-dfsg in DSA-1727-1 caused a regression with the postgresql backend. This update corrects the flaw. Also it was discovered that the oldstable distribution is not affected by the security issues. For reference the original advisory follows. Two SQL injection vulnerabilities have been found in proftpd, a virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0542 Shino discovered that proftpd is prone to an SQL injection vulnerability via the use of certain characters in the username. CVE-2009-0543 TJ Saunders discovered that proftpd is prone to an SQL injection vulnerability due to insufficient escaping mechanisms, when multybite character encodings are used. For the stable distribution, these problems have been fixed in version 1.3.1-17lenny2. The oldstable distribution is not affected by these problems. For the unstable distribution, these problems have been fixed in version 1.3.2-1. For the testing distribution, these problems will be fixed soon.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1760-1 openswan -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0openswanTwo vulnerabilities have been discovered in openswan, an IPSec implementation for linux. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-4190 Dmitry E. Oboukhov discovered that the livetest tool is using temporary files insecurely, which could lead to a denial of service attack. CVE-2009-0790 Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone to a denial of service attack via a malicious packet. For the stable distribution, this problem has been fixed in version 1:2.4.12+dfsg-1.3+lenny1. For the oldstable distribution, this problem has been fixed in version 1:2.4.6+dfsg.2-1.1+etch1. For the testing distribution and the unstable distribution, this problem will be fixed soon. We recommend that you upgrade your openswan packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1722-1 libpam-heimdal -- programming errorDebian GNU/Linux 4.0libpam-heimdalDerek Chan discovered that the PAM module for the Heimdal Kerberos implementation allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to local privilege escalation. For the stable distribution, this problem has been fixed in version 2.5-1etch1. For the upcoming stable distribution, this problem has been fixed in version 3.10-2.1. For the unstable distribution, this problem will be fixed soon. We recommend that you upgrade your libpam-heimdal package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1860-1 ruby1.8, ruby1.9 -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0ruby1.8ruby1.9Several vulnerabilities have been discovered in Ruby. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0642 The return value from the OCSP_basic_verify function was not checked properly, allowing continued use of a revoked certificate. CVE-2009-1904 An issue in parsing BigDecimal numbers can result in a denial-of-service condition. The following matrix identifies fixed versions: ruby1.8 ruby1.9 oldstable 1.8.5-4etch5 1.9.0+20060609-1etch5 stable 1.8.7.72-3lenny1 1.9.0.2-9lenny1 unstable 1.8.7.173-1 We recommend that you upgrade your Ruby packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1814-1 libsndfile -- heap-based buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0libsndfileTwo vulnerabilities have been found in libsndfile, a library to read and write sampled audio data. The Common Vulnerabilities and Exposures project identified the following problems: Tobias Klein discovered that the VOC parsing routines suffer of a heap-based buffer overflow which can be triggered by an attacker via a crafted VOC header. The vendor discovered that the AIFF parsing routines suffer of a heap-based buffer overflow similar to CVE-2009-1788 which can be triggered by an attacker via a crafted AIFF header. In both cases the overflowing data is not completely attacker controlled but still leads to application crashes or under some circumstances might still lead to arbitrary code execution. For the oldstable distribution, this problem has been fixed in version 1.0.16-2+etch2. For the stable distribution, this problem has been fixed in version 1.0.17-4+lenny2. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 1.0.20-1. We recommend that you upgrade your libsndfile packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1787-1 linux-2.6.24 -- denial of service/privilege escalation/information leakDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-4307 Bryn M. Reeves reported a denial of service in the NFS filesystem. Local users can trigger a kernel BUG due to a race condition in the do_setlk function. CVE-2008-5079 Hugo Dias reported a DoS condition in the ATM subsystem that can be triggered by a local user by calling the svc_listen function twice on the same socket and reading /proc/net/atm/*vc. CVE-2008-5395 Helge Deller discovered a denial of service condition that allows local users on PA-RISC systems to crash a system by attempting to unwind a stack contiaining userspace addresses. CVE-2008-5700 Alan Cox discovered a lack of minimum timeouts on SG_IO requests, which allows local users of systems using ATA to cause a denial of service by forcing drives into PIO mode. CVE-2008-5701 Vlad Malov reported an issue on 64-bit MIPS systems where a local user could cause a system crash by crafing a malicious binary which makes o32 syscalls with a number less than 4000. CVE-2008-5702 Zvonimir Rakamaric reported an off-by-one error in the ib700wdt watchdog driver which allows local users to cause a buffer underflow by making a specially crafted WDIOC_SETTIMEOUT ioctl call. CVE-2009-0028 Chris Evans discovered a situation in which a child process can send an arbitrary signal to its parent. CVE-2009-0029 Christian Borntraeger discovered an issue affecting the alpha, mips, powerpc, s390 and sparc64 architectures that allows local users to cause a denial of service or potentially gain elevated privileges. CVE-2009-0031 Vegard Nossum discovered a memory leak in the keyctl subsystem that allows local users to cause a denial of service by consuming all of kernel memory. CVE-2009-0065 Wei Yongjun discovered a memory overflow in the SCTP implementation that can be triggered by remote users, permitting remote code execution. CVE-2009-0269 Duane Griffin provided a fix for an issue in the eCryptfs subsystem which allows local users to cause a denial of service. CVE-2009-0322 Pavel Roskin provided a fix for an issue in the dell_rbu driver that allows a local user to cause a denial of service by reading 0 byts from a sysfs entry. CVE-2009-0675 Roel Kluin discovered inverted logic in the skfddi driver that permits local, unprivileged users to reset the driver statistics. CVE-2009-0676 Clement LECIGNE discovered a bug in the sock_getsockopt function that may result in leaking sensitive kernel memory. CVE-2009-0745 Peter Kerwien discovered an issue in the ext4 filesystem that allows local users to cause a denial of service during a resize operation. CVE-2009-0834 Roland McGrath discovered an issue on amd64 kernels that allows local users to circumvent system call audit configurations which filter based on the syscall numbers or argument details. CVE-2009-0859 Jiri Olsa discovered that a local user can cause a denial of service using a SHM_INFO shmctl call on kernels compiled with CONFIG_SHMEM disabled. This issue does not affect prebuilt Debian kernels. CVE-2009-1046 Mikulas Patocka reported an issue in the console subsystem that allows a local user to cause memory corruption by selecting a small number of 3-byte UTF-8 characters. CVE-2009-1192 Shaohua Li reported an issue in the AGP subsystem they may allow local users to read sensitive kernel memory due to a leak of uninitialised memory. CVE-2009-1242 Benjamin Gilbert reported a local denial of service vulnerability in the KVM VMX implementation that allows local users to trigger an oops. CVE-2009-1265 Thomas Pollet reported an overflow in the af_rose implementation that allows remote attackers to retrieve uninitialised kernel memory that may contain sensitive data. CVE-2009-1337 Oleg Nesterov discovered an issue in the exit_notify function that allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. CVE-2009-1338 Daniel Hokka Zakrisson discovered that a kill is permitted to reach processes outside of the current process namespace. CVE-2009-1439 Pavan Naregundi reported an issue in the CIFS filesystem code that allows remote users to overwrite memory via a long nativeFileSystem field in a Tree Connect response during mount. For the stable distribution, these problems have been fixed in version 2.6.24-6~etchnhalf.8etch1. We recommend that you upgrade your linux-2.6.24 packages. Note: Debian "etch" includes linux kernel packages based upon both the 2.6.18 and 2.6.24 linux releases. All known security issues are carefully tracked against both packages and both packages will receive security updates until security support for Debian "etch" concludes. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, lower severity 2.6.18 and 2.6.24 updates will typically release in a staggered or "leap-frog" fashion.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1770-1 imp4 -- Insufficient input sanitisingDebian GNU/Linux 4.0imp4Several vulnerabilities have been found in imp4, a webmail component for the horde framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-4182 It was discovered that imp4 suffers from a cross-site scripting attack via the user field in an IMAP session, which allows attackers to inject arbitrary HTML code. CVE-2009-0930 It was discovered that imp4 is prone to several cross-site scripting attacks via several vectors in the mail code allowing attackers to inject arbitrary HTML code. For the oldstable distribution, these problems have been fixed in version 4.1.3-4etch1. For the stable distribution, these problems have been fixed in version 4.2-4, which was already included in the lenny release. For the testing distribution and the unstable distribution, these problems have been fixed in version 4.2-4. We recommend that you upgrade your imp4 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1798-1 pango1.0 -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0pango1.0Will Drewry discovered that pango, a system for layout and rendering of internationalised text, is prone to an integer overflow via long glyphstrings. This could cause the execution of arbitrary code when displaying crafted data through an application using the pango library. For the stable distribution, this problem has been fixed in version 1.20.5-3+lenny1. For the oldstable distribution, this problem has been fixed in version 1.14.8-5+etch1. For the testing distribution and the unstable distribution , this problem has been fixed in version 1.24-1. We recommend that you upgrade your pango1.0 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1940-1 php5 -- multiple issuesDebian GNU/Linux 5.0Debian GNU/Linux 4.0php5Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems: The following issues have been fixed in both the stable and the oldstable distributions: CVE-2009-2687 CVE-2009-3292 The exif module did not properly handle malformed jpeg files, allowing an attacker to cause a segfault, resulting in a denial of service. CVE-2009-3291 The php_openssl_apply_verification_policy function did not properly perform certificate validation. No CVE id yet Bogdan Calin discovered that a remote attacker could cause a denial of service by uploading a large number of files in using multipart/ form-data requests, causing the creation of a large number of temporary files. To address this issue, the max_file_uploads option introduced in PHP 5.3.1 has been backported. This option limits the maximum number of files uploaded per request. The default value for this new option is 50. See NEWS.Debian for more information. The following issue has been fixed in the stable distribution: CVE-2009-2626 A flaw in the ini_restore function could lead to a memory disclosure, possibly leading to the disclosure of sensitive data. In the oldstable distribution, this update also fixes a regression introduced by the fix for CVE-2008-5658 in DSA-1789-1. For the stable distribution, these problems have been fixed in version 5.2.6.dfsg.1-1+lenny4. The oldstable distribution, these problems have been fixed in version 5.2.0+dfsg-8+etch16. For the testing distribution and the unstable distribution , these problems will be fixed in version 5.2.11.dfsg.1-2. We recommend that you upgrade your php5 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1954-1 cacti -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0cactiSecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1773-1 cups -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0cupsIt was discovered that the imagetops filter in cups, the Common UNIX Printing System, is prone to an integer overflow when reading malicious TIFF images. For the stable distribution, this problem has been fixed in version 1.3.8-1lenny5. For the oldstable distribution, this problem has been fixed in version 1.2.7-4etch7. For the testing distribution and the unstable distribution , this problem will be fixed soon. We recommend that you upgrade your cups packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1818-1 gforge -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0gforgeLaurent Almeras and Guillaume Smet have discovered a possible SQL injection vulnerability and cross-site scripting vulnerabilities in gforge, a collaborative development tool. Due to insufficient input sanitising, it was possible to inject arbitrary SQL statements and use several parameters to conduct cross-site scripting attacks. For the stable distribution, these problem have been fixed in version 4.7~rc2-7lenny1. The oldstable distribution, these problems have been fixed in version 4.5.14-22etch11. For the testing distribution, these problems will be fixed soon. For the unstable distribution, these problems have been fixed in version 4.7.3-2. We recommend that you upgrade your gforge packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1872-1 linux-2.6 -- denial of service/privilege escalation/information leakDebian GNU/Linux 4.0linux-2.6CVE-2009-2698 Herbert Xu discovered an issue in the way UDP tracks corking status that could allow local users to cause a denial of service. Tavis Ormandy and Julien Tinnes discovered that this issue could also be used by local users to gain elevated privileges. CVE-2009-2846 Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. CVE-2009-2847 Ulrich Drepper noticed an issue in the do_sigalstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. CVE-2009-2848 Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service. CVE-2009-2849 Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service. For the oldstable distribution, this problem has been fixed in version 2.6.18.dfsg.1-24etch4. We recommend that you upgrade your linux-2.6, fai-kernels, and user-mode-linux packages. Note: Debian carefully tracks all known security issues across every linux kernel package in all releases under active security support. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, updates for lower priority issues will normally not be released for all kernels at the same time. Rather, they will be released in a staggered or "leap-frog" fashion. The following matrix lists additional source packages that were rebuilt for compatability with or to take advantage of this update: Debian 4.0 fai-kernels 1.17+etch.24etch4 user-mode-linux 2.6.18-1um-2etch.24etch4SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1701-1 openssl, openssl097 -- interpretation conflictDebian GNU/Linux 4.0opensslopenssl097It was discovered that OpenSSL does not properly verify DSA signatures on X.509 certificates due to an API misuse, potentially leading to the acceptance of incorrect X.509 certificates as genuine. For the stable distribution, this problem has been fixed in version 0.9.8c-4etch4 of the openssl package, and version 0.9.7k-3.1etch2 of the openssl097 package. For the unstable distribution, this problem has been fixed in version 0.9.8g-15. The testing distribution will be fixed soon. We recommend that you upgrade your OpenSSL packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1869-1 curl -- insufficient input validationDebian GNU/Linux 5.0Debian GNU/Linux 4.0curlIt was discovered that curl, a client and library to get files from servers using HTTP, HTTPS or FTP, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field. For the oldstable distribution, this problem has been fixed in version 7.15.5-1etch3. For the stable distribution, this problem has been fixed in version 7.18.2-8lenny3. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your curl packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1706-1 amarok -- integer overflowsDebian GNU/Linux 4.0amarokTobias Klein discovered that integer overflows in the code the Amarok media player uses to parse Audible files may lead to the execution of arbitrary code. For the stable distribution, this problem has been fixed in version 1.4.4-4etch1. Updated packages for sparc and arm will be provided later. For the upcoming stable distribution and the unstable distribution, this problem has been fixed in version 1.4.10-2. We recommend that you upgrade your amarok packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1882-1 xapian-omega -- missing input sanitisationDebian GNU/Linux 5.0Debian GNU/Linux 4.0xapian-omegaIt was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain or embedding the search engine into a website. For the oldstable distribution, this problem has been fixed in version 0.9.9-1+etch1. For the stable distribution, this problem has been fixed in version 1.0.7-3+lenny1. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your xapian-omega packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1921-1 expat -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0expatPeter Valchev discovered an error in expat, an XML parsing C library, when parsing certain UTF-8 sequences, which can be exploited to crash an application using the library. For the old stable distribution, this problem has been fixed in version 1.95.8-3.4+etch1. For the stable distribution, this problem has been fixed in version 2.0.1-4+lenny1. For the testing distribution and the unstable distribution, this problem will be fixed soon. We recommend that you upgrade your expat packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1801-1 ntp -- buffer overflowsDebian GNU/Linux 5.0Debian GNU/Linux 4.0ntpSeveral remote vulnerabilities have been discovered in NTP, the Network Time Protocol reference implementation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0159 A buffer overflow in ntpq allow a remote NTP server to create a denial of service attack or to execute arbitrary code via a crafted response. CVE-2009-1252 A buffer overflow in ntpd allows a remote attacker to create a denial of service attack or to execute arbitrary code when the autokey functionality is enabled. For the old stable distribution, these problems have been fixed in version 4.2.2.p4+dfsg-2etch3. For the stable distribution, these problems have been fixed in version 4.2.4p4+dfsg-8lenny2. The unstable distribution will be fixed soon. We recommend that you upgrade your ntp package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1968-2 pdns-recursor -- DNS cache poisoningDebian GNU/Linux 4.0pdns-recursorIt was discovered that pdns-recursor, the PowerDNS recursive name server, contains a cache poisoning vulnerability which may allow attackers to trick the server into serving incorrect DNS data. This DSA provides a security update for the old stable distribution, similar to the previous update in DSA-1968-1. Extra care should be applied when installing this update. It is an etch backport of the lenny version of the package. Major differences in internal domain name processing made backporting just the security fix too difficult. For the old stable distribution, this problem has been fixed in version 3.1.4+v3.1.7-0+etch1. We recommend that you upgrade your pdns-recursor package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1796-1 libwmf -- pointer use-after-freeDebian GNU/Linux 5.0Debian GNU/Linux 4.0libwmfTavis Ormandy discovered that the embedded GD library copy in libwmf, a library to parse windows metafiles, makes use of a pointer after it was already freed. An attacker using a crafted WMF file can cause a denial of service or possibly the execute arbitrary code via applications using this library. For the oldstable distribution, this problem has been fixed in version 0.2.8.4-2+etch1. For the stable distribution, this problem has been fixed in version 0.2.8.4-6+lenny1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 0.2.8.4-6.1. We recommend that you upgrade your libwmf packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1819-1 vlc -- several vulnerabilitiesDebian GNU/Linux 4.0vlcSeveral vulnerabilities have been discovered in vlc, a multimedia player and streamer. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-1768 Drew Yao discovered that multiple integer overflows in the MP4 demuxer, Real demuxer and Cinepak codec can lead to the execution of arbitrary code. CVE-2008-1769 Drew Yao discovered that the Cinepak codec is prone to a memory corruption, which can be triggered by a crafted Cinepak file. CVE-2008-1881 Luigi Auriemma discovered that it is possible to execute arbitrary code via a long subtitle in an SSA file. CVE-2008-2147 It was discovered that vlc is prone to a search path vulnerability, which allows local users to perform privilege escalations. CVE-2008-2430 Alin Rad Pop discovered that it is possible to execute arbitrary code when opening a WAV file containing a large fmt chunk. CVE-2008-3794 Pınar YanardaÄ discovered that it is possible to execute arbitrary code when opening a crafted mmst link. CVE-2008-4686 Tobias Klein discovered that it is possible to execute arbitrary code when opening a crafted .ty file. CVE-2008-5032 Tobias Klein discovered that it is possible to execute arbitrary code when opening an invalid CUE image file with a crafted header. For the oldstable distribution, these problems have been fixed in version 0.8.6-svn20061012.debian-5.1+etch3. For the stable distribution, these problems have been fixed in version 0.8.6.h-4+lenny2, which was already included in the lenny release. For the testing distribution and the unstable distribution, these problems have been fixed in version 0.8.6.h-5. We recommend that you upgrade your vlc packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1837-1 dbus -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0dbusIt was discovered that the dbus_signature_validate function in dbus, a simple interprocess messaging system, is prone to a denial of service attack. This issue was caused by an incorrect fix for DSA-1658-1. For the stable distribution, this problem has been fixed in version 1.2.1-5+lenny1. For the oldstable distribution, this problem has been fixed in version 1.0.2-1+etch3. Packages for ia64 and s390 will be released once they are available. For the testing distribution and the unstable distribution , this problem has been fixed in version 1.2.14-1. We recommend that you upgrade your dbus packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1705-1 netatalk -- missing input sanitisingDebian GNU/Linux 4.0netatalkIt was discovered that netatalk, an implementation of the AppleTalk suite, is affected by a command injection vulnerability when processing PostScript streams via papd. This could lead to the execution of arbitrary code. Please note that this only affects installations that are configured to use a pipe command in combination with wildcard symbols substituted with values of the printed job. For the stable distribution this problem has been fixed in version 2.0.3-4+etch1. For the upcoming stable distribution this problem has been fixed in version 2.0.3-11+lenny1. For the unstable distribution this problem has been fixed in version 2.0.4~beta2-1. We recommend that you upgrade your netatalk package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1863-1 zope2.10/zope2.9 -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0zope2.10/zope2.9Several remote vulnerabilities have been discovered in the zope, a feature-rich web application server written in python, that could lead to arbitrary code execution in the worst case. The Common Vulnerabilities and Exposures project identified the following problems: Due to a programming error an authorisation method in the StorageServer component of ZEO was not used as an internal method. This allows a malicious client to bypass authentication when connecting to a ZEO server by simply calling this authorisation method. The ZEO server doesn’t restrict the callables when unpickling data received from a malicious client which can be used by an attacker to execute arbitrary python code on the server by sending certain exception pickles. This also allows an attacker to import any importable module as ZEO is importing the module containing a callable specified in a pickle to test for a certain flag. The update also limits the number of new object ids a client can request to 100 as it would be possible to consume huge amounts of resources by requesting a big batch of new object ids. No CVE id has been assigned to this. The oldstable distribution, this problem has been fixed in version 2.9.6-4etch2 of zope2.9. For the stable distribution, this problem has been fixed in version 2.10.6-1+lenny1 of zope2.10. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 2.10.9-1 of zope2.10. We recommend that you upgrade your zope2.10/zope2.9 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1987-1 lighttpd -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0lighttpdLi Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion. For the oldstable distribution, this problem has been fixed in version 1.4.13-4etch12. For the stable distribution, this problem has been fixed in version 1.4.19-5+lenny1. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your lighttpd packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1767-1 multipath-tools -- insecure file permissionsDebian GNU/Linux 5.0Debian GNU/Linux 4.0multipath-toolsIt was discovered that multipathd of multipath-tools, a tool-chain to manage disk multipath device maps, uses insecure permissions on its unix domain control socket which enables local attackers to issue commands to multipathd prevent access to storage devices or corrupt file system data. For the oldstable distribution, this problem has been fixed in version 0.4.7-1.1etch2. For the stable distribution, this problem has been fixed in version 0.4.8-14+lenny1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 0.4.8-15. We recommend that you upgrade your multipath-tools packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1981-2 maildrop -- privilege escalationDebian GNU/Linux 5.0Debian GNU/Linux 4.0maildropThe latest DSA for maildrop introduced two regressions. The maildrop program stopped working when invoked as a non-root user, such as with postfix. Also, the lenny version dropped a dependency on the courier-authlib package. For the stable distribution, this problem has been fixed in version 2.0.4-3+lenny3. For the oldstable distribution, this problem has been fixed in version 2.0.2-11+etch2. For the testing distribution this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 2.2.0-3.1. For reference, the original advisory text is below. Christoph Anton Mitterer discovered that maildrop, a mail delivery agent with filtering abilities, is prone to a privilege escalation issue that grants a user root group privileges. We recommend that you upgrade your maildrop packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1953-2 expat -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0expatThe expat updates released in DSA-1953-1 caused a regression: In some cases, expat would abort with the message "error in processing external entity reference". For the old stable distribution, this problem has been fixed in version 1.95.8-3.4+etch3. For the stable distribution, this problem has been fixed in version 2.0.1-4+lenny3. For the testing distribution and the unstable distribution , this problem will be fixed soon. We recommend that you upgrade your expat packages. For reference, the original advisory text is provided below. Jan Lieskovsky discovered an error in expat, an XML parsing C library, when parsing certain UTF-8 sequences, which can be exploited to crash an application using the library.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1853-1 memcached -- heap-based buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0memcachedRonald Volgers discovered that memcached, a high-performance memory object caching system, is vulnerable to several heap-based buffer overflows due to integer conversions when parsing certain length attributes. An attacker can use this to execute arbitrary code on the system running memcached. For the oldstable distribution, this problem has been fixed in version 1.1.12-1+etch1. For the stable distribution, this problem has been fixed in version 1.2.2-1+lenny1. For the testing and unstable distribution , this problem will be fixed soon. We recommend that you upgrade your memcached packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1813-2 evolution-data-server -- Several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0evolution-data-serverThe previous update introduced a regression that stopped encrypted and signed S/MIME messages to work properly. Also, there have been other regressions caused by the introduction of an undefined symbol. This update corrects these flaws. For reference the original advisory text is below. Several vulnerabilities have been found in evolution-data-server, the database backend server for the evolution groupware suite. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0587 It was discovered that evolution-data-server is prone to integer overflows triggered by large base64 strings. CVE-2009-0547 Joachim Breitner discovered that S/MIME signatures are not verified properly, which can lead to spoofing attacks. CVE-2009-0582 It was discovered that NTLM authentication challenge packets are not validated properly when using the NTLM authentication method, which could lead to an information disclosure or a denial of service. For the oldstable distribution, these problems have been fixed in version 1.6.3-5etch3. For the stable distribution, these problems have been fixed in version 2.22.3-1.1+lenny2. For the testing distribution and the unstable distribution , these problems have been fixed in version 2.26.1.1-1. We recommend that you upgrade your evolution-data-server packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1784-1 freetype -- integer overflowsDebian GNU/Linux 5.0Debian GNU/Linux 4.0freetypeTavis Ormandy discovered several integer overflows in FreeType, a library to process and access font files, resulting in heap- or stack-based buffer overflows leading to application crashes or the execution of arbitrary code via a crafted font file. For the oldstable distribution, this problem has been fixed in version 2.2.1-5+etch4. For the stable distribution, this problem has been fixed in version 2.3.7-2+lenny1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 2.3.9-4.1. We recommend that you upgrade your freetype packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1762-1 icu -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0icuIt was discovered that icu, the internal components for Unicode, did not properly sanitise invalid encoded data, which could lead to cross- site scripting attacks. For the stable distribution, this problem has been fixed in version 3.8.1-3+lenny1. For the oldstable distribution, this problem has been fixed in version 3.6-2etch2. For the testing distribution and the unstable distribution, this problem has been fixed in version 4.0.1-1. We recommend that you upgrade your icu packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1841-1 git-core -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0git-coreIt was discovered that git-daemon which is part of git-core, a popular distributed revision control system, is vulnerable to denial of service attacks caused by a programming mistake in handling requests containing extra unrecognized arguments which results in an infinite loop. While this is no problem for the daemon itself as every request will spawn a new git-daemon instance, this still results in a very high CPU consumption and might lead to denial of service conditions. For the oldstable distribution, this problem has been fixed in version 1:1.4.4.4-4+etch3. For the stable distribution, this problem has been fixed in version 1:1.5.6.5-3+lenny2. For the testing distribution, this problem has been fixed in version 1:1.6.3.3-1. For the unstable distribution, this problem has been fixed in version 1:1.6.3.3-1. We recommend that you upgrade your git-core packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1916-1 kdelibs -- insufficient input validationDebian GNU/Linux 4.0kdelibsDan Kaminsky and Moxie Marlinspike discovered that kdelibs, core libraries from the official KDE release, does not properly handle a "\0" character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. For the oldstable distribution, this problem has been fixed in version 4:3.5.5a.dfsg.1-8etch3 Due to a bug in the archive system, the fix for the stable distribution , will be released as version 4:3.5.10.dfsg.1-0lenny3 once it is available. For the testing distribution, and the unstable distribution , this problem has been fixed in version 4:3.5.10.dfsg.1-2.1 We recommend that you upgrade your kdelibs pakcages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1854-1 apr, apr-util -- heap buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0aprapr-utilMatt Lewis discovered that the memory management code in the Apache Portable Runtime library does not guard against a wrap-around during size computations. This could cause the library to return a memory area which smaller than requested, resulting a heap overflow and possibly arbitrary code execution. For the old stable distribution, this problem has been fixed in version 1.2.7-9 of the apr package, and version 1.2.7+dfsg-2+etch3 of the apr-util package. For the stable distribution, this problem has been fixed in version 1.2.12-5+lenny1 of the apr package and version 1.2.12-5+lenny1 of the apr-util package. For the unstable distribution, this problem will be fixed soon. We recommend that you upgrade your APR packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1925-1 proftpd-dfsg -- insufficient input validationDebian GNU/Linux 5.0Debian GNU/Linux 4.0proftpd-dfsgIt has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon, does not properly handle a "\0" character in a domain name in the Subject Alternative Name field of an X.509 client certificate, when the dNSNameRequired TLS option is enabled. For the stable distribution, this problem has been fixed in version 1.3.1-17lenny4. For the oldstable distribution, this problem has been fixed in version 1.3.0-19etch3. Binaries for the amd64 architecture will be released once they are available. For the testing distribution and the unstable distribution , this problem has been fixed in version 1.3.2a-2. We recommend that you upgrade your proftpd-dfsg packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1703-1 bind9 -- interpretation conflictDebian GNU/Linux 4.0bind9It was discovered that BIND, an implementation of the DNS protocol suite, does not properly check the result of an OpenSSL function which is used to verify DSA cryptographic signatures. As a result, incorrect DNS resource records in zones protected by DNSSEC could be accepted as genuine. For the stable distribution, this problem has been fixed in version 1:9.3.4-2etch4. For the unstable distribution and the testing distribution, this problem will be fixed soon. We recommend that you upgrade your BIND packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1926-1 typo3-src -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0typo3-srcSeveral remote vulnerabilities have been discovered in the TYPO3 web content management framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-3628 The Backend subcomponent allows remote authenticated users to determine an encryption key via crafted input to a form field. CVE-2009-3629 Multiple cross-site scripting vulnerabilities in the Backend subcomponent allow remote authenticated users to inject arbitrary web script or HTML. CVE-2009-3630 The Backend subcomponent allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters. CVE-2009-3631 The Backend subcomponent, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename. CVE-2009-3632 SQL injection vulnerability in the traditional frontend editing feature in the Frontend Editing subcomponent allows remote authenticated users to execute arbitrary SQL commands. CVE-2009-3633 Cross-site scripting vulnerability in allows remote attackers to inject arbitrary web script. CVE-2009-3634 Cross-site scripting vulnerability in the Frontend Login Box subcomponent allows remote attackers to inject arbitrary web script or HTML. CVE-2009-3635 The Install Tool subcomponent allows remote attackers to gain access by using only the password’s md5 hash as a credential. CVE-2009-3636 Cross-site scripting vulnerability in the Install Tool subcomponen allows remote attackers to inject arbitrary web script or HTML. For the old stable distribution, these problems have been fixed in version 4.0.2+debian-9. For the stable distribution, these problems have been fixed in version 4.2.5-1+lenny2. For the unstable distribution, these problems have been fixed in version 4.2.10-1. We recommend that you upgrade your typo3-src package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1928-1 linux-2.6.24 -- privilege escalation/denial of service/sensitive memory leakDebian GNU/Linux 4.0linux-2.6.24Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-2846 Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. CVE-2009-2847 Ulrich Drepper noticed an issue in the do_sigalstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. CVE-2009-2848 Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service. CVE-2009-2849 Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service. CVE-2009-2903 Mark Smith discovered a memory leak in the appletalk implementation. When the appletalk and ipddp modules are loaded, but no ipddp"N" device is found, remote attackers can cause a denial of service by consuming large amounts of system memory. CVE-2009-2908 Loic Minier discovered an issue in the eCryptfs filesystem. A local user can cause a denial of service by causing a dentry value to go negative. CVE-2009-2909 Arjan van de Ven discovered an issue in the AX.25 protocol implementation. A specially crafted call to setsockopt can result in a denial of service. CVE-2009-2910 Jan Beulich discovered the existence of a sensitive kernel memory leak. Systems running the "amd64" kernel do not properly sanitise registers for 32-bit processes. CVE-2009-3001 Jiri Slaby fixed a sensitive memory leak issue in the ANSI/IEEE 802.2 LLC implementation. This is not exploitable in the Debian lenny kernel as root privileges are required to exploit this issue. CVE-2009-3002 Eric Dumazet fixed several sensitive memory leaks in the IrDA, X.25 PLP, NET/ROM, Acorn Econet/AUN, and Controller Area Network implementations. Local users can exploit these issues to gain access to kernel memory. CVE-2009-3228 Eric Dumazet reported an instance of uninitialised kernel memory in the network packet scheduler. Local users may be able to exploit this issue to read the contents of sensitive kernel memory. CVE-2009-3238 Linus Torvalds provided a change to the get_random_int function to increase its randomness. CVE-2009-3286 Eric Paris discovered an issue with the NFSv4 server implementation. When an O_EXCL create fails, files may be left with corrupted permissions, possibly granting unintentional privileges to other local users. CVE-2009-3547 Earl Chew discovered a NULL pointer dereference issue in the pipe_rdwr_open function which can be used by local users to gain elevated privileges. CVE-2009-3612 Jiri Pirko discovered a typo in the initialisation of a structure in the netlink subsystem that may allow local users to gain access to sensitive kernel memory. CVE-2009-3613 Alistair Strachan reported an issue in the r8169 driver. Remote users can cause a denial of service by transmitting a large amount of jumbo frames. CVE-2009-3620 Ben Hutchings discovered an issue in the DRM manager for ATI Rage 128 graphics adapters. Local users may be able to exploit this vulnerability to cause a denial of service. CVE-2009-3621 Tomoki Sekiyama discovered a deadlock condition in the UNIX domain socket implementation. Local users can exploit this vulnerability to cause a denial of service. For the oldstable distribution, this problem has been fixed in version 2.6.24-6~etchnhalf.9etch1. We recommend that you upgrade your linux-2.6.24 packages. Note: Debian "etch" includes linux kernel packages based upon both the 2.6.18 and 2.6.24 linux releases. All known security issues are carefully tracked against both packages and both packages will receive security updates until security support for Debian "etch" concludes. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, lower severity 2.6.18 and 2.6.24 updates will typically release in a staggered or "leap-frog" fashion.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1768-1 openafs -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0openafsTwo vulnerabilities were discovered in the client part of OpenAFS, a distributed file system. An attacker with control of a file server or the ability to forge RX packets may be able to execute arbitrary code in kernel mode on an OpenAFS client, due to avulnerability in XDR array decoding. An attacker with control of a file server or the ability to forge RX packets may crash OpenAFS clients because of wrongly handled error return codes in the kernel module. Note that in order to apply this security update, you must rebuild the OpenAFS kernel module. Be sure to also upgrade openafs-modules-source, build a new kernel module for your system following the instructions in /usr/share/doc/openafs-client/README.modules.gz, and then either stop and restart openafs-client or reboot the system to reload the kernel module. For the old stable distribution, these problems have been fixed in version 1.4.2-6etch2. For the stable distribution, these problems have been fixed in version 1.4.7.dfsg1-6+lenny1. For the unstable distribution, these problems have been fixed in version 1.4.10+dfsg1-1. We recommend that you upgrade your openafs packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1786-1 acpid -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0acpidIt was discovered that acpid, a daemon for delivering ACPI events, is prone to a denial of service attack by opening a large number of UNIX sockets, which are not closed properly. For the stable distribution, this problem has been fixed in version 1.0.8-1lenny1. For the oldstable distribution, this problem has been fixed in version 1.0.4-5etch1. For the testing distribution and the unstable distribution , this problem has been fixed in version 1.0.10-1. We recommend that you upgrade your acpid packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1880-1 openoffice.org -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0openoffice.orgSeveral vulnerabilities have been discovered in the OpenOffice.org office suite. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0200 Dyon Balding of Secunia Research has discovered a vulnerability, which can be exploited by opening a specially crafted Microsoft Word document. When reading a Microsoft Word document, a bug in the parser of sprmTDelete records can result in an integer underflow that may lead to heap-based buffer overflows. Successful exploitation may allow arbitrary code execution in the context of the OpenOffice.org process. CVE-2009-0201 Dyon Balding of Secunia Research has discovered a vulnerability, which can be exploited by opening a specially crafted Microsoft Word document. When reading a Microsoft Word document, a bug in the parser of sprmTDelete records can result in heap-based buffer overflows. Successful exploitation may allow arbitrary code execution in the context of the OpenOffice.org process. CVE-2009-2139 A vulnerability has been discovered in the parser of EMF files of OpenOffice/Go-oo 2.x and 3.x that can be triggered by a specially crafted document and lead to the execution of arbitrary commands the privileges of the user running OpenOffice.org/Go-oo. This vulnerability does not exist in the packages for oldstable, testing and unstable. For the old stable distribution these problems have been fixed in version 2.0.4.dfsg.2-7etch7. For the stable distribution these problems have been fixed in version 1:2.4.1+dfsg-1+lenny3 and higher. For the unstable and testing distribution these problems have been fixed in version 3.1.1~ooo310m15-1. We recommend that you upgrade your Openoffice.org package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1973-1 glibc, eglibc -- information disclosureDebian GNU/Linux 5.0Debian GNU/Linux 4.0glibceglibcChristoph Pleger has discovered that the GNU C Library and its derivatives add information from the passwd.adjunct.byname map to entries in the passwd map, which allows local users to obtain the encrypted passwords of NIS accounts by calling the getpwnam function. For the oldstable distribution, this problem has been fixed in version 2.3.6.ds1-13etch10 of the glibc package. For the stable distribution, this problem has been fixed in version 2.7-18lenny2 of the glibc package. For the unstable distribution this problem has been fixed in version 2.10.2-4 of the eglibc package. We recommend that you upgrade your glibc or eglibc package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1949-1 php-net-ping -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0php-net-pingIt was discovered that php-net-ping, a PHP PEAR module to execute ping independently of the Operating System, performs insufficient input sanitising, which might be used to inject arguments or execute arbitrary commands on a system that uses php-net-ping. For the stable distribution, this problem has been fixed in version 2.4.2-1+lenny1. For the oldstable distribution, this problem has been fixed in version 2.4.2-1+etch1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 2.4.2-1.1. We recommend that you upgrade your php-net-ping packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1858-1 imagemagick -- multipleDebian GNU/Linux 5.0Debian GNU/Linux 4.0imagemagickSeveral vulnerabilities have been discovered in the imagemagick image manipulation programs which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1667 Multiple integer overflows in XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution. CVE-2007-1797 Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution. CVE-2007-4985 A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution. CVE-2007-4986 Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution. CVE-2007-4987 Off-by-one error allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a "\0" character to an out-of-bounds address. It affects only the oldstable distribution. CVE-2007-4988 A sign extension error allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. It affects only the oldstable distribution. CVE-2008-1096 The load_tile function in the XCF coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write. It affects only to oldstable. CVE-2008-1097 Heap-based buffer overflow in the PCX coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .pcx file that triggers incorrect memory allocation for the scanline array, leading to memory corruption. It affects only to oldstable. CVE-2009-1882 Integer overflow allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow. For the old stable distribution, these problems have been fixed in version 7:6.2.4.5.dfsg1-0.15+etch1. For the stable distribution, these problems have been fixed in version 7:6.3.7.9.dfsg2-1~lenny3. For the upcoming stable distribution and the unstable distribution, these problems have been fixed in version 7:6.5.1.0-1.1. We recommend that you upgrade your imagemagick packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1867-1 kdelibs -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0kdelibsSeveral security issues have been discovered in kdelibs, core libraries from the official KDE release. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1690 It was discovered that there is a use-after-free flaw in handling certain DOM event handlers. This could lead to the execution of arbitrary code, when visiting a malicious website. CVE-2009-1698 It was discovered that there could be an uninitialised pointer when handling a Cascading Style Sheets attr function call. This could lead to the execution of arbitrary code, when visiting a malicious website. CVE-2009-1687 It was discovered that the JavaScript garbage collector does not handle allocation failures properly, which could lead to the execution of arbitrary code when visiting a malicious website. For the stable distribution, these problems have been fixed in version 4:3.5.10.dfsg.1-0lenny2. For the oldstable distribution, these problems have been fixed in version 4:3.5.5a.dfsg.1-8etch2. For the testing distribution and the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your kdelibs packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1911-1 pygresql -- missing escape functionDebian GNU/Linux 5.0Debian GNU/Linux 4.0pygresqlIt was discovered that pygresql, a PostgreSQL module for Python, was missing a function to call PQescapeStringConn. This is needed, because PQescapeStringConn honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The new function is called pg_escape_string, which takes the database connection as a first argument. The old function escape_string has been preserved as well for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. For the stable distribution, this problem has been fixed in version 1:3.8.1-3+lenny1. For the oldstable distribution, this problem has been fixed in version 1:3.8.1-1etch2. For the testing distribution and the unstable distribution, this problem has been fixed in version 1:4.0-1. We recommend that you upgrade your pygresql packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1942-1 wireshark -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0wiresharkSeveral remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-2560 A NULL pointer dereference was found in the RADIUS dissector. CVE-2009-3550 A NULL pointer dereference was found in the DCERP/NT dissector. CVE-2009-3829 An integer overflow was discovered in the ERF parser. This update also includes fixes for three minor issues, which were scheduled for the next stable point update. Also CVE-2009-1268 was fixed for Etch. Since this security update was issued prior to the release of the point update, the fixes were included. For the old stable distribution, this problem has been fixed in version 0.99.4-5.etch.4. For the stable distribution, this problem has been fixed in version 1.0.2-3+lenny7. For the unstable distribution these problems have been fixed in version 1.2.3-1. We recommend that you upgrade your Wireshark packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1889-1 icu -- programming errorDebian GNU/Linux 5.0Debian GNU/Linux 4.0icuIt was discovered that the ICU unicode library performed incorrect processing of invalid multibyte sequences, resulting in potential bypass of security mechanisms. For the old stable distribution, this problem has been fixed in version 3.6-2etch3. For the stable distribution, this problem has been fixed in version 3.8.1-3+lenny2. For the unstable distribution, this problem has been fixed in version 4.0.1-1. We recommend that you upgrade your icu packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1917-1 mimetex -- several vulnerabilitiesDebian GNU/Linux 4.0mimetexSeveral vulnerabilities have been discovered in mimetex, a lightweight alternative to MathML. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1382 Chris Evans and Damien Miller, discovered multiple stack-based buffer overflow. An attacker could execute arbitrary code via a TeX file with long picture, circle, input tags. CVE-2009-2459 Chris Evans discovered that mimeTeX contained certain directives that may be unsuitable for handling untrusted user input. A remote attacker can obtain sensitive information. For the oldstable distribution, these problems have been fixed in version 1.50-1+etch1. Due to a bug in the archive system, the fix for the stable distribution will be released as version 1.50-1+lenny1 once it is available. For the testing distribution, and the unstable distribution, these problems have been fixed in version 1.50-1.1. We recommend that you upgrade your mimetex packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1894-1 newt -- buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0newtMiroslav Lichvar discovered that newt, a windowing toolkit, is prone to a buffer overflow in the content processing code, which can lead to the execution of arbitrary code. For the stable distribution, this problem has been fixed in version 0.52.2-11.3+lenny1. For the oldstable distribution, this problem has been fixed in version 0.52.2-10+etch1. For the testing distribution and the unstable distribution, this problem will be fixed soon. We recommend that you upgrade your newt packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1991-1 squid/squid3 -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0squid/squid3Two denial of service vulnerabilities have been discovered in squid and squid3, a web proxy. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-2855 Bastian Blank discovered that it is possible to cause a denial of service via a crafted auth header with certain comma delimiters. CVE-2010-0308 Tomas Hoger discovered that it is possible to cause a denial of service via invalid DNS header-only packets. For the stable distribution, these problems have been fixed in version 2.7.STABLE3-4.1lenny1 of the squid package and version 3.0.STABLE8-3+lenny3 of the squid3 package. For the oldstable distribution, these problems have been fixed in version 2.6.5-6etch5 of the squid package and version 3.0.PRE5-5+etch2 of the squid3 package. For the testing distribution and the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your squid/squid3 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1702-1 ntp -- interpretation conflictDebian GNU/Linux 4.0ntpIt has been discovered that NTP, an implementation of the Network Time Protocol, does not properly check the result of an OpenSSL function for verifying cryptographic signatures, which may ultimately lead to the acceptance of unauthenticated time information. For the stable distribution, this problem has been fixed in version 1:4.2.2.p4+dfsg-2etch1. For the unstable distribution, this problem has been fixed in version 4.2.4p4+dfsg-8. The testing distribution will be fixed soon. We recommend that you upgrade your ntp package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1697-1 iceape -- several vulnerabilitiesDebian GNU/Linux 4.0iceapeSecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1793-1 kdegraphics -- multipleDebian GNU/Linux 5.0Debian GNU/Linux 4.0kdegraphicskpdf, a Portable Document Format viewer for KDE, is based on the xpdf program and thus suffers from similar flaws to those described in DSA-1790. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0146 Multiple buffer overflows in the JBIG2 decoder in kpdf allow remote attackers to cause a denial of service via a crafted PDF file, related to JBIG2SymbolDict::setBitmap and JBIG2Stream::readSymbolDictSeg. CVE-2009-0147 Multiple integer overflows in the JBIG2 decoder in kpdf allow remote attackers to cause a denial of service via a crafted PDF file, related to JBIG2Stream::readSymbolDictSeg, JBIG2Stream::readSymbolDictSeg, and JBIG2Stream::readGenericBitmap. CVE-2009-0165 Integer overflow in the JBIG2 decoder in kpdf has unspecified impact related to "g*allocn." CVE-2009-0166 The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service via a crafted PDF file that triggers a free of uninitialised memory. CVE-2009-0799 The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service via a crafted PDF file that triggers an out-of-bounds read. CVE-2009-0800 Multiple "input validation flaws" in the JBIG2 decoder in kpdf allow remote attackers to execute arbitrary code via a crafted PDF file. CVE-2009-1179 Integer overflow in the JBIG2 decoder in kpdf allows remote attackers to execute arbitrary code via a crafted PDF file. CVE-2009-1180 The JBIG2 decoder in kpdf allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. CVE-2009-1181 The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service via a crafted PDF file that triggers a NULL pointer dereference. CVE-2009-1182 Multiple buffer overflows in the JBIG2 MMR decoder in kpdf allow remote attackers to execute arbitrary code via a crafted PDF file. CVE-2009-1183 The JBIG2 MMR decoder in kpdf allows remote attackers to cause a denial of service via a crafted PDF file. We recommend that you upgrade your kdegraphics packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1981-1 maildrop -- privilege escalationDebian GNU/Linux 5.0Debian GNU/Linux 4.0maildropChristoph Anton Mitterer discovered that maildrop, a mail delivery agent with filtering abilities, is prone to a privilege escalation issue that grants a user root group privileges. For the stable distribution, this problem has been fixed in version 2.0.4-3+lenny1. For the oldstable distribution, this problem has been fixed in version 2.0.2-11+etch1. For the testing distribution and the unstable distribution, this problem will be fixed soon. We recommend that you upgrade your maildrop packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1810-1 libapache-mod-jk -- information disclosureDebian GNU/Linux 5.0Debian GNU/Linux 4.0libapache-mod-jkAn information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the "Content-Length" header without providing request body data, or if a client sent repeated equests very quickly, one client could obtain a response intended for another client. For the stable distribution, this problem has been fixed in version 1:1.2.26-2+lenny1. The oldstable distribution, this problem has been fixed in version 1:1.2.18-3etch2. For the testing distribution and the unstable distribution, this problem has been fixed in version 1:1.2.26-2.1. We recommend that you upgrade your libapache-mod-jk packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1698-1 gforge -- insufficient input sanitisingDebian GNU/Linux 4.0gforgeIt was discovered that GForge, a collaborative development tool, insufficiently sanitises some input allowing a remote attacker to perform SQL injection. For the stable distribution, this problem has been fixed in version 4.5.14-22etch10. For the testing and unstable distribution, this problem has been fixed in version 4.7~rc2-7. We recommend that you upgrade your gforge package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1766-1 krb5 -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0krb5Several vulnerabilities have been found in the MIT reference implementation of Kerberos V5, a system for authenticating users and services on a network. The Common Vulnerabilities and Exposures project identified the following problems: The Apple Product Security team discovered that the SPNEGO GSS-API mechanism suffers of a missing bounds check when reading a network input buffer which results in an invalid read crashing the application or possibly leaking information. Under certain conditions the SPNEGO GSS-API mechanism references a null pointer which crashes the application using the library. An incorrect length check inside the ASN.1 decoder of the MIT krb5 implementation allows an unauthenticated remote attacker to crash of the kinit or KDC program. Under certain conditions the the ASN.1 decoder of the MIT krb5 implementation frees an uninitialised pointer which could lead to denial of service and possibly arbitrary code execution. For the oldstable distribution, this problem has been fixed in version 1.4.4-7etch7. For the stable distribution, this problem has been fixed in version 1.6.dfsg.4~beta1-5lenny1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 1.6.dfsg.4~beta1-13. We recommend that you upgrade your krb5 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1812-1 apr-util -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0apr-utilSecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1735-1 znc -- missing input sanitisationDebian GNU/Linux 4.0zncIt was discovered that znc, an IRC proxy/bouncer, does not properly sanitise input contained in configuration change requests to the webadmin interface. This allows authenticated users to elevate their privileges and indirectly execute arbitrary commands. For the old stable distribution, this problem has been fixed in version 0.045-3+etch2. For the stable distribution, this problem has been fixed in version 0.058-2+lenny1. For the unstable distribution, this problem has been fixed in version 0.066-1. We recommend that you upgrade your znc packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1947-1 shibboleth-sp, shibboleth-sp2, opensaml2 -- missing input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0shibboleth-spshibboleth-sp2opensaml2Matt Elder discovered that Shibboleth, a federated web single sign-on system is vulnerable to script injection through redirection URLs. For the stable distribution, this problem has been fixed in version 1.3.1.dfsg1-3+lenny2 of shibboleth-sp, version 2.0.dfsg1-4+lenny2 of shibboleth-sp2 and version 2.0-2+lenny2 of opensaml2. For the unstable distribution, this problem has been fixed in version 2.3+dfsg-1 of shibboleth-sp2, version 2.3-1 of opensaml2 and version 1.3.1-1 of xmltooling. We recommend that you upgrade your Shibboleth packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1884-1 nginx -- buffer underflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0nginxChris Ries discovered that nginx, a high-performance HTTP server, reverse proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when processing certain HTTP requests. An attacker can use this to execute arbitrary code with the rights of the worker process or possibly perform denial of service attacks by repeatedly crashing worker processes via a specially crafted URL in an HTTP request. For the oldstable distribution, this problem has been fixed in version 0.4.13-2+etch2. For the stable distribution, this problem has been fixed in version 0.6.32-3+lenny2. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 0.7.61-3. We recommend that you upgrade your nginx packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1711-1 typo3-src -- severalDebian GNU/Linux 4.0typo3-srcSeveral remotely exploitable vulnerabilities have been discovered in the TYPO3 web content management framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0255 Chris John Riley discovered that the TYPO3-wide used encryption key is generated with an insufficiently random seed resulting in low entropy which makes it easier for attackers to crack this key. CVE-2009-0256 Marcus Krause discovered that TYPO3 is not invalidating a supplied session on authentication which allows an attacker to take over a victims session via a session fixation attack. CVE-2009-0257 Multiple cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various arguments and user- supplied strings used in the indexed search system extension, adodb extension test scripts or the workspace module. CVE-2009-0258 Mads Olesen discovered a remote command injection vulnerability in the indexed search system extension which allows attackers to execute arbitrary code via a crafted file name which is passed unescaped to various system tools that extract file content for the indexing. Because of CVE-2009-0255, please make sure that besides installing this update, you also create a new encryption key after the installation. For the stable distribution these problems have been fixed in version 4.0.2+debian-7. For the unstable distribution these problems have been fixed in version 4.2.5-1. We recommend that you upgrade your TYPO3 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1746-1 ghostscript -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0ghostscriptTwo security issues have been discovered in ghostscript, the GPL Ghostscript PostScript/PDF interpreter. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0583 Jan Lieskovsky discovered multiple integer overflows in the ICC library, which allow the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images. CVE-2009-0584 Jan Lieskovsky discovered insufficient upper-bounds checks on certain variable sizes in the ICC library, which allow the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images. For the stable distribution, these problems have been fixed in version 8.62.dfsg.1-3.2lenny1. For the oldstable distribution, these problems have been fixed in version 8.54.dfsg.1-5etch2. Please note that the package in oldstable is called gs-gpl. For the testing distribution and the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your ghostscript/gs-gpl packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1841-2 git-core -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0git-coreA bug in git-core caused the security update in DSA 1841 to fail to build on a number of architectures Debian supports. This update corrects the bug and releases builds for all supported architectures. The original advisory is quoted in full below for reference. It was discovered that git-daemon which is part of git-core, a popular distributed revision control system, is vulnerable to denial of service attacks caused by a programming mistake in handling requests containing extra unrecognized arguments which results in an infinite loop. While this is no problem for the daemon itself as every request will spawn a new git-daemon instance, this still results in a very high CPU consumption and might lead to denial of service conditions. For the oldstable distribution, this problem has been fixed in version 1.4.4.4-4+etch4. For the stable distribution, this problem has been fixed in version 1.5.6.5-3+lenny3. For the testing distribution, this problem has been fixed in version 1:1.6.3.3-1. For the unstable distribution, this problem has been fixed in version 1:1.6.3.3-1. We recommend that you upgrade your git-core packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1919-1 smarty -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0smartySeveral remote vulnerabilities have been discovered in Smarty, a PHP templating engine. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-4810 The _expand_quoted_text function allows for certain restrictions in templates, like function calling and PHP execution, to be bypassed. CVE-2009-1669 The smarty_function_math function allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the equation attribute of the math function. For the old stable distribution, these problems have been fixed in version 2.6.14-1etch2. For the stable distribution, these problems have been fixed in version 2.6.20-1.2. For the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your smarty package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1936-1 libgd2 -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0libgd2Several vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-0455 Kees Cook discovered a buffer overflow in libgd2's font renderer. An attacker could cause denial of service and possibly execute arbitrary code via a crafted string with a JIS encoded font. This issue only affects the oldstable distribution. CVE-2009-3546 Tomas Hoger discovered a boundary error in the "_gdGetColors" function. An attacker could conduct a buffer overflow or buffer over-read attacks via a crafted GD file. For the oldstable distribution, these problems have been fixed in version 2.0.33-5.2etch2. For the stable distribution, these problems have been fixed in version 2.0.36~rc1~dfsg-3+lenny1. For the upcoming stable distribution and the unstable distribution ion, these problems have been fixed in version 2.0.36~rc1~dfsg-3.1. We recommend that you upgrade your libgd2 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1714-1 rt2570 -- integer overflowDebian GNU/Linux 4.0rt2570It was discovered that an integer overflow in the "Probe Request" packet parser of the Ralinktech wireless drivers might lead to remote denial of service or the execution of arbitrary code. Please note that you need to rebuild your driver from the source package in order to set this update into effect. Detailed instructions can be found in /usr/share/doc/rt2570-source/README.Debian For the stable distribution, this problem has been fixed in version 1.1.0+cvs20060620-3+etch1. For the upcoming stable distribution and the unstable distribution, this problem has been fixed in version 1.1.0+cvs20080623-2. We recommend that you upgrade your rt2570 package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1710-1 ganglia-monitor-core -- buffer overflowDebian GNU/Linux 4.0ganglia-monitor-coreSpike Spiegel discovered a stack-based buffer overflow in gmetad, the meta-daemon for the ganglia cluster monitoring toolkit, which could be triggered via a request with long path names and might enable arbitrary code execution. For the stable distribution, this problem has been fixed in version 2.5.7-3.1etch1. For the unstable distribution this problem has been fixed in version 2.5.7-5. For the testing distribution, this problem will be fixed soon. We recommend that you upgrade your ganglia-monitor-core packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1871-1 wordpress -- several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0wordpressSeveral vulnerabilities have been discovered in wordpress, weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-6762 It was discovered that wordpress is prone to an open redirect vulnerability which allows remote attackers to conduct phishing atacks. CVE-2008-6767 It was discovered that remote attackers had the ability to trigger an application upgrade, which could lead to a denial of service attack. CVE-2009-2334 It was discovered that wordpress lacks authentication checks in the plugin configuration, which might leak sensitive information. CVE-2009-2854 It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions. CVE-2009-2851 It was discovered that the administrator interface is prone to a cross-site scripting attack. CVE-2009-2853 It was discovered that remote attackers can gain privileges via certain direct requests. CVE-2008-1502 It was discovered that the _bad_protocol_once function in KSES, as used by wordpress, allows remote attackers to perform cross-site scripting attacks. CVE-2008-4106 It was discovered that wordpress lacks certain checks around user information, which could be used by attackers to change the password of a user. CVE-2008-4769 It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. CVE-2008-4796 It was discovered that the _httpsrequest function in the embedded snoopy version is prone to the execution of arbitrary commands via shell metacharacters in https URLs. CVE-2008-5113 It was discovered that wordpress relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier to perform attacks via crafted cookies. For the stable distribution, these problems have been fixed in version 2.5.1-11+lenny1. For the oldstable distribution, these problems have been fixed in version 2.0.10-1etch4. For the testing distribution and the unstable distribution, these problems have been fixed in version 2.8.3-1. We recommend that you upgrade your wordpress packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1909-1 postgresql-ocaml -- missing escape functionDebian GNU/Linux 5.0Debian GNU/Linux 4.0postgresql-ocamlIt was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's libpq, was missing a function to call PQescapeStringConn. This is needed, because PQescapeStringConn honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called escape_string_conn and takes the established database connection as a first argument. The old escape_string was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. For the stable distribution, this problem has been fixed in version 1.7.0-3+lenny1. For the oldstable distribution, this problem has been fixed in version 1.5.4-2+etch1. For the testing distribution and the unstable distribution, this problem has been fixed in version 1.12.1-1. We recommend that you upgrade your postgresql-ocaml packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1908-1 ntp -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0ntpRobin Park and Dmitri Vinokurov discovered that the daemon component of the ntp package, a reference implementation of the NTP protocol, is not properly reacting to certain incoming packets. An unexpected NTP mode 7 packets with spoofed IP data can lead ntpd to reply with a mode 7 response to the spoofed address. This may result in the service playing packet ping-pong with other ntp servers or even itself which causes CPU usage and excessive disk use due to logging. An attacker can use this to conduct denial of service attacks. For the oldstable distribution, this problem has been fixed in version 1:4.2.2.p4+dfsg-2etch4. For the stable distribution, this problem has been fixed in version 1:4.2.4p4+dfsg-8lenny3. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your ntp packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1826-1 eggdrop -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0eggdropSeveral vulnerabilities have been discovered in eggdrop, an advanced IRC robot. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-2807 It was discovered that eggdrop is vulnerable to a buffer overflow, which could result in a remote user executing arbitrary code. The previous DSA did not fix the issue correctly. CVE-2009-1789 It was discovered that eggdrop is vulnerable to a denial of service attack, that allows remote attackers to cause a crash via a crafted PRIVMSG. For the stable distribution, these problems have been fixed in version 1.6.19-1.1+lenny1. For the old stable distribution, these problems have been fixed in version 1.6.18-1etch2. For the unstable distribution, this problem has been fixed in version 1.6.19-1.2 We recommend that you upgrade your eggdrop package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1881-1 cyrus-imapd-2.2 -- buffer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0cyrus-imapd-2.2It was discovered that the SIEVE component of cyrus-imapd, a highly scalable enterprise mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. Due to incorrect use of the sizeof operator an attacker is able to pass a negative length to snprintf calls resulting in large positive values due to integer conversion. This causes a buffer overflow which can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. For the oldstable distribution, this problem has been fixed in version 2.2.13-10+etch2. For the stable distribution, this problem has been fixed in version 2.2.13-14+lenny1. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your cyrus-imapd-2.2 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1829-1 sork-passwd-h3 -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0sork-passwd-h3It was discovered that sork-passwd-h3, a Horde3 module for users to change their password, is prone to a cross-site scripting attack via the backend parameter. For the oldstable distribution, this problem has been fixed in version 3.0-2+etch1. For the stable distribution, this problem has been fixed in version 3.0-2+lenny1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 3.1-1.1. We recommend that you upgrade your sork-passwd-h3 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1974-1 gzip -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0gzipSeveral vulnerabilities have been found in gzip, the GNU compression utilities. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-2624 Thiemo Nagel discovered a missing input sanitation flaw in the way gzip used to decompress data blocks for dynamic Huffman codes, which could lead to the execution of arbitrary code when trying to decompress a crafted archive. This issue is a reappearance of CVE-2006-4334 and only affects the lenny version. CVE-2010-0001 Aki Helin discovered an integer underflow when decompressing files that are compressed using the LZW algorithm. This could lead to the execution of arbitrary code when trying to decompress a crafted LZW compressed gzip archive. For the stable distribution, these problems have been fixed in version 1.3.12-6+lenny1. For the oldstable distribution, these problems have been fixed in version 1.3.5-15+etch1. For the testing distribution and the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your gzip packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1964-1 postgresql-7.4, postgresql-8.1, postgresql-8.3 -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0postgresql-7.4postgresql-8.1postgresql-8.3Several vulnerabilities have been discovered in PostgreSQL, a database server. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that PostgreSQL did not properly verify the Common Name attribute in X.509 certificates, enabling attackers to bypass the TLS protection on client-server connections, by relying on a certificate from a trusted CA which contains an embedded NUL byte in the Common Name. Authenticated database users could elevate their privileges by creating specially-crafted index functions. The following table shows fixed source package versions for the respective distributions. oldstable/etch stable/lenny testing/unstable postgresql-7.4 1:7.4.27-0etch1 postgresql-8.1 8.1.19-0etch1 postgresql-8.3 8.3.9-0lenny1 8.3.9-1 postgresql-8.4 8.4.2-1 In addition to these security fixes, the updates contain reliability improvements and fix other defects. We recommend that you upgrade your PostgreSQL packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1696-1 icedove -- several vulnerabilitiesDebian GNU/Linux 4.0icedoveSecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1871-2 wordpress -- several vulnerabilitiesDebian GNU/Linux 4.0wordpressThe previous wordpress update introduced a regression when fixing CVE-2008-4769 due to a function that was not backported with the patch. Please note that this regression only affects the oldstable distribution. For reference the original advisory text follows. Several vulnerabilities have been discovered in wordpress, weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-6762 It was discovered that wordpress is prone to an open redirect vulnerability which allows remote attackers to conduct phishing atacks. CVE-2008-6767 It was discovered that remote attackers had the ability to trigger an application upgrade, which could lead to a denial of service attack. CVE-2009-2334 It was discovered that wordpress lacks authentication checks in the plugin configuration, which might leak sensitive information. CVE-2009-2854 It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions. CVE-2009-2851 It was discovered that the administrator interface is prone to a cross-site scripting attack. CVE-2009-2853 It was discovered that remote attackers can gain privileges via certain direct requests. CVE-2008-1502 It was discovered that the _bad_protocol_once function in KSES, as used by wordpress, allows remote attackers to perform cross-site scripting attacks. CVE-2008-4106 It was discovered that wordpress lacks certain checks around user information, which could be used by attackers to change the password of a user. CVE-2008-4769 It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. CVE-2008-4796 It was discovered that the _httpsrequest function in the embedded snoopy version is prone to the execution of arbitrary commands via shell metacharacters in https URLs. CVE-2008-5113 It was discovered that wordpress relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier to perform attacks via crafted cookies. For the stable distribution, these problems have been fixed in version 2.5.1-11+lenny1. For the oldstable distribution, these problems have been fixed in version 2.0.10-1etch5. For the testing distribution and the unstable distribution, these problems have been fixed in version 2.8.3-1. We recommend that you upgrade your wordpress packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1891-1 changetrack -- shell command executionDebian GNU/Linux 5.0Debian GNU/Linux 4.0changetrackMarek Grzybowski discovered that changetrack, a program to monitor changes to files, is prone to shell command injection via metacharacters in filenames. The behaviour of the program has been adjusted to reject all filenames with metacharacters. For the stable distribution, this problem has been fixed in version 4.3-3+lenny1. For the oldstable distribution, this problem has been fixed in version 4.3-3+etch1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 4.5-2. We recommend that you upgrade your changetrack packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1939-1 libvorbis -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0libvorbisLucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky discovered that libvorbis, a library for the Vorbis general-purpose compressed audio codec, did not correctly handle certain malformed ogg files. An attacher could cause a denial of service or possibly execute arbitrary code via a crafted .ogg file. For the oldstable distribution, these problems have been fixed in version 1.1.2.dfsg-1.4+etch1. For the stable distribution, these problems have been fixed in version 1.2.0.dfsg-3.1+lenny1. For the testing distribution and the unstable distribution, these problems have been fixed in version 1.2.3-1 We recommend that you upgrade your libvorbis packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1782-1 mplayer -- several vulnerabilitiesDebian GNU/Linux 4.0mplayerSeveral vulnerabilities have been discovered in mplayer, a movie player for Unix-like systems. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0385 It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. CVE-2008-4866 It was discovered that multiple buffer overflows could lead to the execution of arbitrary code. CVE-2008-5616 It was discovered that watching a malformed TwinVQ file could lead to the execution of arbitrary code. For the oldstable distribution, these problems have been fixed in version 1.0~rc1-12etch7. For the stable distribution, mplayer links against ffmpeg-debian. For the testing distribution and the unstable distribution, mplayer links against ffmpeg-debian. We recommend that you upgrade your mplayer packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1759-1 strongswan -- denial of serviceDebian GNU/Linux 5.0Debian GNU/Linux 4.0strongswanGerd v. Egidy discovered that the Pluto IKE daemon in strongswan, an IPSec implementation for linux, is prone to a denial of service attack via a malicious packet. For the stable distribution, this problem has been fixed in version 4.2.4-5+lenny1. For the oldstable distribution, this problem has been fixed in version 2.8.0+dfsg-1+etch1. For the testing distribution and the unstable distribution, this problem will be fixed soon. We recommend that you upgrade your strongswan packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1833-1 dhcp3 -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0dhcp3Several remote vulnerabilities have been discovered in ISC's DHCP implementation: It was discovered that dhclient does not properly handle overlong subnet mask options, leading to a stack-based buffer overflow and possible arbitrary code execution. Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap. For the old stable distribution, these problems have been fixed in version 3.0.4-13+etch2. For the stable distribution, this problem has been fixed in version 3.1.1-6+lenny2. For the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your dhcp3 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1802-1 squirrelmail -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0squirrelmailSeveral remote vulnerabilities have been discovered in SquirrelMail, a webmail application. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1578 Cross site scripting was possible through a number of pages which allowed an attacker to steal sensitive session data. CVE-2009-1579 Code injection was possible when SquirrelMail was configured to use the map_yp_alias function to authenticate users. This is not the default. CVE-2009-1580 It was possible to hijack an active user session by planting a specially crafted cookie into the user's browser. CVE-2009-1581 Specially crafted HTML emails could use the CSS positioning feature to place email content over the SquirrelMail user interface, allowing for phishing. For the old stable distribution, these problems have been fixed in version 2:1.4.9a-4. For the stable distribution, these problems have been fixed in version 2:1.4.15-4+lenny1. For the unstable distribution, these problems have been fixed in version 1.4.18-1. We recommend that you upgrade your squirrelmail package.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1719-1 gnutls13 -- design flawDebian GNU/Linux 4.0gnutls13Martin von Gagern discovered that GNUTLS, an implementation of the TLS/SSL protocol, handles verification of X.509 certificate chains incorrectly if a self-signed certificate is configured as a trusted certificate. This could cause clients to accept forged server certificates as genuine. In addition, this update tightens the checks for X.509v1 certificates which causes GNUTLS to reject certain certificate chains it accepted before. For the stable distribution, this problem has been fixed in version 1.4.4-3+etch3. For the unstable distribution, this problem has been fixed in version 2.4.2-3 of the gnutls26 package. We recommend that you upgrade your gnutls13 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1742-1 libsndfile -- integer overflowDebian GNU/Linux 5.0Debian GNU/Linux 4.0libsndfileAlan Rad Pop discovered that libsndfile, a library to read and write sampled audio data, is prone to an integer overflow. This causes a heap-based buffer overflow when processing crafted CAF description chunks possibly leading to arbitrary code execution. For the oldstable distribution this problem has been fixed in version 1.0.16-2+etch1. For the stable distribution this problem has been fixed in version 1.0.17-4+lenny1. For the unstable distribution this problem has been fixed in version 1.0.19-1. We recommend that you upgrade your libsndfile packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1992-1 chrony -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0chronySeveral vulnerabilities have been discovered in chrony, a pair of programs which are used to maintain the accuracy of the system clock on a computer. This issues are similar to the NTP security flaw CVE-2009-3563. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0292 chronyd replies to all cmdmon packets with NOHOSTACCESS messages even for unauthorised hosts. An attacker can abuse this behaviour to force two chronyd instances to play packet ping-pong by sending such a packet with spoofed source address and port. This results in high CPU and network usage and thus denial of service conditions. CVE-2010-0293 The client logging facility of chronyd doesn't limit memory that is used to store client information. An attacker can cause chronyd to allocate large amounts of memory by sending NTP or cmdmon packets with spoofed source addresses resulting in memory exhaustion. CVE-2010-0294 chronyd lacks of a rate limit control to the syslog facility when logging received packets from unauthorised hosts. This allows an attacker to cause denial of service conditions via filling up the logs and thus disk space by repeatedly sending invalid cmdmon packets. For the oldstable distribution, this problem has been fixed in version 1.21z-5+etch1. For the stable distribution, this problem has been fixed in version 1.23-6+lenny1. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your chrony packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1708-1 git-core -- shell command injectionDebian GNU/Linux 4.0git-coreIt was discovered that gitweb, the web interface for the Git version control system, contained several vulnerabilities: Remote attackers could use crafted requests to execute shell commands on the web server, using the snapshot generation and pickaxe search functionality. Local users with write access to the configuration of a Git repository served by gitweb could cause gitweb to execute arbitrary shell commands with the permission of the web server. For the stable distribution, these problems have been fixed in version 1:1.4.4.4-4+etch1. For the unstable distribution and testing distribution, the remote shell command injection issuei has been fixed in version 1.5.6-1. The other issue will be fixed soon. We recommend that you upgrade your Git packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDMaria MikhnoINTERIMACCEPTEDACCEPTEDDSA-1896-1 opensaml, shibboleth-sp -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0opensamlshibboleth-spSeveral vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x: Chris Ries discovered that decoding a crafted URL leads to a crash. Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. Incorrect processing of SAML metadata ignored key usage constraints. For the old stable distribution, these problems have been fixed in version 1.3f.dfsg1-2+etch1 of the shibboleth-sp packages, and version 1.1a-2+etch1 of the opensaml packages. For the stable distribution, these problems have been fixed in version 1.3.1.dfsg1-3+lenny1 of the shibboleth-sp packages, and version 1.1.1-2+lenny1 of the opensaml packages. The unstable distribution does not contain Shibboleth 1.x packages. This update requires restarting the affected services to become effective. We recommend that you upgrade your Shibboleth 1.x packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1945-1 gforge -- symlink attackDebian GNU/Linux 5.0Debian GNU/Linux 4.0gforgeSylvain Beucler discovered that gforge, a collaborative development tool, is prone to a symlink attack, which allows local users to perform a denial of service attack by overwriting arbitrary files. For the stable distribution, this problem has been fixed in version 4.7~rc2-7lenny3. The oldstable distribution, this problem has been fixed in version 4.5.14-22etch13. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 4.8.2-1. We recommend that you upgrade your gforge packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1877-1 mysql-dfsg-5.0 -- denial of service/execution of arbitrary codeDebian GNU/Linux 5.0Debian GNU/Linux 4.0mysql-dfsg-5.0In MySQL 4.0.0 through 5.0.83, multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld allow remote authenticated users to cause a denial of service and potentially the execution of arbitrary code via format string specifiers in a database name in a COM_CREATE_DB or COM_DROP_DB request. For the stable distribution, this problem has been fixed in version 5.0.51a-24+lenny2. For the old stable distribution, this problem has been fixed in version 5.0.32-7etch11. We recommend that you upgrade your mysql packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1813-1 evolution-data-server -- Several vulnerabilitiesDebian GNU/Linux 5.0Debian GNU/Linux 4.0evolution-data-serverSeveral vulnerabilities have been found in evolution-data-server, the database backend server for the evolution groupware suite. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0587 It was discovered that evolution-data-server is prone to integer overflows triggered by large base64 strings. CVE-2009-0547 Joachim Breitner discovered that S/MIME signatures are not verified properly, which can lead to spoofing attacks. CVE-2009-0582 It was discovered that NTLM authentication challenge packets are not validated properly when using the NTLM authentication method, which could lead to an information disclosure or a denial of service. For the oldstable distribution, these problems have been fixed in version 1.6.3-5etch2. For the stable distribution, these problems have been fixed in version 2.22.3-1.1+lenny1. For the testing distribution and the unstable distribution, these problems have been fixed in version 2.26.1.1-1. We recommend that you upgrade your evolution-data-server packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1995-1 openoffice.org -- severalDebian GNU/Linux 5.0Debian GNU/Linux 4.0openoffice.orgSeveral vulnerabilities have been discovered in the OpenOffice.org office suite. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0136 It was discovered that macro security settings were insufficiently enforced for VBA macros. CVE-2009-0217 It was discovered that the W3C XML Signature recommendation contains a protocol-level vulnerability related to HMAC output truncation. This also affects the integrated libxmlsec library. CVE-2009-2949 Sebastian Apelt discovered that an integer overflow in the XPM import code may lead to the execution of arbitrary code. CVE-2009-2950 Sebastian Apelt and Frank Reissner discovered that a buffer overflow in the GIF import code may lead to the execution of arbitrary code. CVE-2009-3301/CVE-2009-3302 Nicolas Joly discovered multiple vulnerabilities in the parser for Word document files, which may lead to the execution of arbitrary code. For the old stable distribution, these problems have been fixed in version 2.0.4.dfsg.2-7etch9. For the stable distribution, these problems have been fixed in version 1:2.4.1+dfsg-1+lenny6. For the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your openoffice.org packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1958-1 libtool -- privilege escalationDebian GNU/Linux 5.0Debian GNU/Linux 4.0libtoolIt was discovered that ltdl, a system-independent dlopen wrapper for GNU libtool, can be tricked to load and run modules from an arbitrary directory, which might be used to execute arbitrary code with the privileges of the user running an application that uses libltdl. For the stable distribution, this problem has been fixed in version 1.5.26-4+lenny1. For the oldstable distribution, this problem has been fixed in version 1.5.22-4+etch1. For the testing distribution and unstable distribution, this problem has been fixed in 2.2.6b-1. We recommend that you upgrade your libtool packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1775-1 php-json-ext -- denial of serviceDebian GNU/Linux 4.0php-json-extIt was discovered that php-json-ext, a JSON serialiser for PHP, is prone to a denial of service attack, when receiving a malformed string via the json_decode function. For the oldstable distribution, this problem has been fixed in version 1.2.1-3.2+etch1. The stable distribution does not contain a separate php-json-ext package, but includes it in the php5 packages, which will be fixed soon. The testing distribution and the unstable distribution do not contain a separate php-json-ext package, but include it in the php5 packages. We recommend that you upgrade your php-json-ext packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1966-1 horde3 -- insufficient input sanitisingDebian GNU/Linux 5.0Debian GNU/Linux 4.0horde3Several vulnerabilities have been found in horde3, the horde web application framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-3237 It has been discovered that horde3 is prone to cross-site scripting attacks via crafted number preferences or inline MIME text parts when using text/plain as MIME type. For lenny this issue was already fixed, but as an additional security precaution, the display of inline text was disabled in the configuration file. CVE-2009-3701 It has been discovered that the horde3 administration interface is prone to cross-site scripting attacks due to the use of the PHP_SELF variable. This issue can only be exploited by authenticated administrators. CVE-2009-4363 It has been discovered that horde3 is prone to several cross-site scripting attacks via crafted data:text/html values in HTML messages. For the stable distribution, these problems have been fixed in version 3.2.2+debian0-2+lenny2. For the oldstable distribution, these problems have been fixed in version 3.1.3-4etch7. For the testing distribution and the unstable distribution, these problems have been fixed in version 3.3.6+debian0-1. We recommend that you upgrade your horde3 packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDebian GNU/Linux 5.0 is installedDebian GNU/Linux 5.0Debian GNU/Linux 5.0 (lenny) is installedSecPod TeamDRAFTINTERIMACCEPTEDPreeti SubramanianINTERIMACCEPTEDChandan SINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDSA-1972-2 audiofile -- buffer overflowDebian GNU/Linux 4.0audiofileThis advisory adds the packages for the old stable distribution, with the exception of the mips packages. The updates for the mips architecture will be released when they become available. The packages for the stable distribution have been released in DSA-1972-1. For reference, the advisory text is provided below. Max Kellermann discovered a heap-based buffer overflow in the handling of ADPCM WAV files in libaudiofile. This flaw could result in a denial of service or possibly execution of arbitrary code via a crafted WAV file. The old stable distribution, this problem has been fixed in version 0.2.6-6+etch1. For the stable distribution, this problem has been fixed in version 0.2.6-7+lenny1. For the testing distribution and the unstable distribution, this problem has been fixed in version 0.2.6-7.1. We recommend that you upgrade your audiofile packages.SecPod TeamDRAFTINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDDebian GNU/Linux 4.0 is installed.Debian GNU/Linux 4.0Debian GNU/Linux 4.0 (etch) is installedSecPod TeamDRAFTINTERIMACCEPTEDPreeti SubramanianINTERIMACCEPTEDChandan SINTERIMACCEPTEDSergey ArtykhovINTERIMACCEPTEDACCEPTEDdovecot-devcourier-authdaemoncourier-authlib-userdbcourier-authlib-devcourier-authlib-postgresqlcourier-authlib-pipecourier-authlib-mysqlcourier-authlib-ldapcourier-authlibmaradnssmbclientlibsmbclientlibsmbclient-devsamba-doc-pdfswatsamba-docwinbindlibpam-smbpasssamba-dbgsamba-commonpython-sambasmbfssambaflamethrowerb2evolutionlibmodplug-devlibmodplug0c2fetchmailfetchmailconfmt-daapdwx2.4-doclibwxgtk2.4-contrib-devwx2.4-exampleslibwxbase2.8-dbglibwxbase2.4-1python-wxversionlibwxgtk2.6-0libwxbase2.4-dbglibwxgtk2.4-1-contriblibwxbase2.4-devwx2.4-i18nlibwxgtk2.8-devpython-wxgtk2.6-dbglibwxbase2.8-devlibwxbase2.6-dbgwx2.4-headerswx2.6-exampleslibwxbase2.8-0python-wxgtk2.4wx2.6-docpython-wxtoolswx2.8-docpython-wxgtk2.6libwxgtk2.4-dbglibwxgtk2.8-0libwxgtk2.4-1libwxgtk2.8-dbgwx2.6-i18nlibwxbase2.6-0wx2.6-headerswx2.8-i18nwx-commonlibwxbase2.6-devwx2.8-headerslibwxgtk2.4-devlibwxgtk2.6-dbgpython-wxgtk2.8python-wxgtk2.8-dbglibwxgtk2.6-devwx2.8-exampleskronolith2debian-goodieslibapache-mod-suphplibapache2-mod-suphpsuphp-commonlibnet-dns-perlunzipstreamripperphp-mailphpgedview-languagesphpgedview-themesphpgedviewphpgedview-placesnagios3-commonnagios3-dbgnagios3-docnagios3libpgtcllibpq3postgresql-devlibecpg4libpgtcl-devsquid3-clientlibfishsound1-devlibfishsound1-dbglibfishsound1peercast-serventlibpeercast0peercastlibpeercast0-devpeercast-handlerslibxml2-python2.3python2.3-libxml2python2.2-libxml2python2.4-libxml2pdns-recursorsyslog-nglibsword6libsword4libsword-devdiathekeawstatsslashipopd-ssllibc-client-devmlockuw-mailutilslibc-client2002edebianipopduw-imapduw-imapd-ssllibcairo2libcairo2-doclibcairo-directfb2-devlibcairo2-devlibcairo-directfb2splitvtopenoffice.org-binopenoffice.org-thesaurus-en-usopenoffice.org-l10n-enopenoffice.org-l10n-knopenoffice.org-mimelnkgnome-peercastboinc-managerboinc-devboinc-clientlibarchive-devbsdtarlibarchive1libimlib2libimlib2-devlibxmu6x-window-system-devlibxpm4xlibs-dataxserver-commonxdmx-window-system-corexlibmesa-glxlibosmesa4libx11-devlibsm6xlibs-static-devxlibosmesa4-dbgxfonts-75dpi-transcodedxlibmesa-devxmhlibx11-6libxtst6-dbglibxaw6-devxfonts-scalablexfonts-cyrillicxlibmesa-gl-dbgxlibmesa-gl-devxfree86-commonlibsm-devxserver-xephyrxfonts-100dpilibxpm4-dbgx-devtwmlibxft1xdmx-toolsxlibs-devlibxv1-dbgproxymngrxserver-xorg-devlibxt-devxlibmesa-glulibxaw7-dbglibxtst6libxmuu1-dbglibxi-devlibxaw7libxi6-dbglibxp6-dbgxfonts-75dpilibxmu6-dbglibxaw6-dbgpm-devlibxp-devxlibmesa-drixfslibx11-6-dbglibdps1xutilsxfonts-base-transcodedlibxtlibxtrap6libxext6-dbgxlibs-static-picxfwplibxt6-dbglibxaw7-devlibxft1-dbglibxmu-devx-window-systemlibxp6xlibmesa3xvfbxlibmesa-glu-dbglibxmuu-devlibdps-devxfonts-baselibxfont1-dbglibxfont-devxlibs-dbgxnestlibxfont1libxv-devlibxaw6libxpm-devxfonts-100dpi-transcodedxspecsxlibs-piclibxtst-devlibsm6-dbgxlibmesa-dri-dbglibxi6xlibsxserver-xfree86libxrandr2libxtrap6-dbglibxext6libxv1xbase-clientslibxmuu1libdps1-dbglibxext-devxlibosmesa-devlibxrandr-devlibice6xdmxxlibmesa3-dbgxlibmesa-glu-devlibice6-dbglbxproxylibxtrap-devlibxrandr2-dbgxserver-xfree86-dbglibice-devxserver-xorg-corelibdspam7-drv-mysqllibdspam7-drv-sqlite3libdspam7-devdspam-webfrontenddspam-doclibdspam7libdspam7-drv-pgsqldspamlibdspam7-drv-db4cpiowzdftpd-back-pgsqlwzdftpd-mod-perlwzdftpd-mod-avahiwzdftpd-devwzdftpdwzdftpd-back-mysqlwzdftpd-mod-tclpython-djangobsdutilsmountutil-linux-localesutil-linuxlibexif10libexif-devlibexif12sympahpijshplip-datahpliphpijs-ppdshplip-dochplip-dbgblenderfetaphp4-snmplibapache-mod-php4libapache2-mod-php4php4-mhashphp4-curlphp4-devphp4-odbcphp4-gdphp4-mcalphp4-cgiphp4-mysqlphp4-pspellphp4-xsltphp4php4-domxmlphp4-recodephp4-pearphp4-mcryptphp4-imapphp4-pgsqlphp4-ldapphp4-cliphp4-sybasephp4-commonphp4-interbasegaim-devgaim-datagaim-dbggaimgnumeric-commongnumeric-docgnumericgnumeric-plugins-extradhcp3-relaydhcp3-serverdhcp3-clientdhcp3-devdhcp3-server-ldapdhcp-clientdhcp3-commonnewsxldapscriptsturba2afuseeggdrop-dataeggdropdovecot-pop3ddovecot-commondovecot-imapdpolicyd-weightphpbb2phpbb2-languagesphpbb2-conf-mysqllinux-headers-2.6.18-6-xen-686linux-headers-2.6.18-6-686linux-image-2.6.18-6-vserver-686linux-image-2.6.18-6-486linux-headers-2.6.18-6-all-i386xen-linux-system-2.6.18-6-xen-vserver-686xen-linux-system-2.6.18-6-xen-686linux-image-2.6.18-6-vserver-k7linux-modules-2.6.18-6-xen-vserver-686linux-image-2.6.18-6-686linux-modules-2.6.18-6-xen-686linux-image-2.6.18-6-xen-vserver-686linux-image-2.6.18-6-686-bigmemlinux-headers-2.6.18-6-k7linux-image-2.6.18-6-xen-686linux-headers-2.6.18-6-xen-vserver-686linux-headers-2.6.18-6-vserver-k7linux-image-2.6.18-6-k7linux-headers-2.6.18-6-vserver-686user-mode-linuxlinux-headers-2.6.18-6-686-bigmemlinux-headers-2.6.18-6-486pulseaudiopulseaudio-module-gconfpulseaudio-esound-compatpulseaudio-module-lirclibpulse-mainloop-glib0pulseaudio-module-x11libpulse-devlibpulse-browse0pulseaudio-utilspulseaudio-module-zeroconfpulseaudio-module-halpulseaudio-module-jacklibpulse0evolution-data-server-commonevolution-data-serverevolution-data-server-dbgevolution-data-server-devkazehakasexwinepython-cherrypyno-iptomcat5tomcat5-webappstomcat5-adminlibtomcat5-javapython2.5-dbgpython2.5python2.5-minimalpython2.5-examplespython2.5-devidle-python2.5linux-image-2.6.24-etchnhalf.1-s390linux-headers-2.6.24-etchnhalf.1-all-s390linux-headers-2.6.24-etchnhalf.1-s390xlinux-image-2.6.24-etchnhalf.1-s390xlinux-headers-2.6.24-etchnhalf.1-s390linux-image-2.6.24-etchnhalf.1-s390-tapessh-askpass-gnomeopenssh-blacklistssh-krb5openssh-serversshopenssh-clientrdesktopwordnet-sense-indexwordnet-basewordnet-devwordnetmonlibnetpbm10netpbmlibnetpbm9-devlibnetpbm9libnetpbm10-devalsa-modules-2.4-k6alsa-modules-2.4-k7-smpalsa-modules-2.4-386alsa-sourcealsa-modules-2.4.27-4-k6alsa-modules-2.4.27-4-386alsa-modules-2.4.27-4-586tscalsa-modules-2.4.27-4-k7alsa-modules-2.4.27-4-686alsa-modules-2.4-686-smplinux-sound-basealsa-basealsa-modules-2.4.27-4-k7-smpalsa-headersalsa-modules-2.4.27-4-686-smpalsa-modules-2.4-k7alsa-modules-2.4-686alsa-modules-2.4-586tscgnatswebrsynclinux-headers-2.6.24-etchnhalf.1-parisc64-smplinux-image-2.6.24-etchnhalf.1-parisc64-smplinux-image-2.6.24-etchnhalf.1-parisclinux-tree-2.6.24linux-manual-2.6.24linux-headers-2.6.24-etchnhalf.1-parisc-smplinux-headers-2.6.24-etchnhalf.1-alllinux-image-2.6.24-etchnhalf.1-parisc-smplinux-image-2.6.24-etchnhalf.1-parisc64linux-headers-2.6.24-etchnhalf.1-parisc64linux-doc-2.6.24linux-source-2.6.24linux-support-2.6.24-etchnhalf.1linux-headers-2.6.24-etchnhalf.1-all-hppalinux-headers-2.6.24-etchnhalf.1-parisclinux-headers-2.6.24-etchnhalf.1-commonlinux-patch-debian-2.6.24linux-image-2.6.24-etchnhalf.1-amd64linux-headers-2.6.24-etchnhalf.1-amd64libcdaudio-devlibcdaudio1libimager-perlpdns-backend-sqlitepdns-backend-pipepdns-backend-ldappdns-backend-mysqlpdns-docpdns-serverpdns-backend-pgsqlpdns-backend-geopdnselinkselinks-liteenscriptevolution-pluginsevolution-plugins-experimentalevolution-devevolutionevolution-commonevolution-dbgtwikilibspeex-devlibspeex1speex-docspeexdbus-1-utilsdbus-1-docdbusdbus-x11python2.4-minimalpython2.4-dbgpython2.4-examplesidle-python2.4python2.4-devpython2.4slapd-dbgldap-utilslibldap2-devlibldap-2.3-0slapdlibldap-2.4-2-dbglibldap-2.4-2lighttpd-doclighttpd-mod-cmllighttpd-mod-magnetlighttpd-mod-trigger-b4-dllighttpd-mod-mysql-vhostlighttpd-mod-webdavlighttpdphp-xajaxexiv2libexiv2-0.10libexiv2-devlibexiv2-docwmlpython-moinmoinmoinmoin-commonpgrepkolab-libcyrus-imap-perlkolab-cyrus-commonkolab-cyrus-imapdkolab-cyrus-clientskolab-cyrus-adminkolab-cyrus-pop3dlibavahi-compat-howl-devlibavahi-compat-libdnssd1libavahi-common-datalibavahi-core4libavahi-compat-howl0libavahi-glib-devlibavahi-qt3-1libavahi-core-devlibavahi-compat-libdnssd-devavahi-utilslibavahi-common3libavahi-qt4-devavahi-discoverlibavahi-client3python-avahiavahi-daemonlibavahi-qt3-devlibavahi-client-devlibavahi-qt4-1avahi-autoipdlibavahi-glib1avahi-dnsconfdlibavahi-common-devfail2banqemuksvgkviewkdvikdegraphics-doc-htmlkghostviewkdegraphics-devkfaxkfaxviewkuickshowlibkscan-devkrulerkgammakdegraphics-dbgkdegraphicskmrmlkpdfksnapshotkookakpovmodelerkdegraphics-kfile-pluginskolourpaintkcoloreditkviewshellkiconeditlibkscan1kameralibopenexr2c2alibopenexr6libopenexr-devopenexrkoffice-libskoffice-dbgkugarkiviokthesauruskformulakoffice-doc-htmlkpresenter-datakpresenterkivio-datakarbonkwordkchartkoffice-devkword-datakoshellkoffice-dockoffice-datakrita-datakspreadkplatokritakexikofficerequest-tracker3.4rt3.4-clientsrt3.6-db-postgresqlrt3.6-db-mysqlrt3.6-clientsrt3.6-db-sqlitert3.6-apacherequest-tracker3.6rt3.6-apache2rt3.4-apache2rt3.4-apacheloop-aes-utilsnagios-plugins-standardnagios-plugins-basicnagios-pluginsapt-listchangesvlclibvlc0-devvlc-plugin-esdmozilla-plugin-vlcvlc-plugin-sdlvlc-plugin-svgaliblibvlc0vlc-plugin-artsvlc-plugin-glidevlc-noxvlc-plugin-ggitcpreenpostfix-ldappostfix-cdbpostfixpostfix-devpostfix-pgsqlpostfix-pcrepostfix-mysqlpostfix-doctk8.4-doctk8.4-devtk8.4yarssrspfquerylibspf2-devlibspf2-2libperl-devlibperl5.8perl-debugperl-modulesperl-baseperl-docperl-suidperllibcgi-fast-perlexiftagsalsaplayer-commonalsaplayer-gtkalsaplayer-textalsaplayer-ossalsaplayer-esdalsaplayer-xosdalsaplayer-alsaalsaplayer-daemonalsaplayer-naslibalsaplayer-devalsaplayer-jacklibalsaplayer0libsdl-image1.2-devlibsdl-image1.2liboggflac1libflac++4libflac-doclibflac7liboggflac3flacxmms-flaclibflac6libflac++5libflac++-devliboggflac++-devlibflac-devliboggflac-devliboggflac++0c102liboggflac++2libxslt1-dbglibxslt1-devxsltprocpython-libxslt1libxslt1.1libxine1libxine1-dbglibxine-devpython-dnslibpcre3-devlibpcre3libpcrecpp0pcregrepscponlyphppgadminserendipityikiwikibackup-managerbackup-manager-docselinux-policy-refpolicy-strictselinux-policy-refpolicy-srcselinux-policy-refpolicy-targetedselinux-policy-refpolicy-docselinux-policy-refpolicy-devlinux-image-2.6.18-6-parisc64-smplinux-headers-2.6-parisc64linux-headers-2.6.18-6-parisc-smplinux-image-parisc64-smplinux-image-2.6.18-6-parisc64linux-headers-2.6.18-6-parisc64linux-image-2.6-parisc-smplinux-image-2.6-parisc64linux-headers-2.6-parisclinux-image-2.6-parisclinux-image-2.6-parisc64-smplinux-image-parisc-smplinux-headers-2.6-parisc64-smplinux-image-parisc64linux-image-2.6.18-6-parisc-smplinux-headers-2.6.18-6-all-hppalinux-image-2.6-amd64-k8nvidia-kernel-legacy-2.6.18-6-amd64linux-image-amd64linux-image-2.6-amd64-k8-smplinux-image-2.6-em64t-p4linux-image-2.6.18-6-xen-vserver-amd64linux-image-2.6.18-6-vserver-amd64kernel-image-2.6-em64t-p4-smplinux-image-2.6-s390xloop-aes-testsuitelinux-source-2.6.18linux-image-2.6-xen-vserver-amd64linux-headers-2.6-parisc-smplinux-image-2.6-vserver-em64t-p4-smplinux-headers-2.6-s390xlinux-image-2.6.18-6-s390-tapelinux-image-2.6-xen-amd64kernel-image-2.6-amd64-genericlinux-image-2.6-amd64linux-headers-2.6.18-6-all-amd64linux-image-xen-amd64linux-image-2.6.18-6-s390xlinux-headers-2.6.18-6-vserver-amd64linux-patch-debian-2.6.18linux-image-2.6.18-6-vserver-s390xkernel-image-2.6-em64t-p4linux-headers-2.6-amd64linux-doc-2.6.18linux-image-2.6-s390-tapelinux-headers-2.6-vserver-s390xlinux-image-2.6.18-6-amd64linux-image-2.6-amd64-genericxen-linux-system-2.6.18-6-xen-amd64kernel-image-2.6-s390linux-headers-2.6.18-6-parisckernel-image-2.6-s390xlinux-headers-2.6-xen-vserver-amd64linux-image-2.6-em64t-p4-smplinux-image-2.6.18-6-s390loop-aes-sourcelinux-image-2.6-s390linux-image-2.6.18-6-xen-amd64kernel-image-2.6-amd64-k8-smplinux-headers-2.6.18-6-xen-vserver-amd64linux-image-vserver-s390xlinux-headers-2.6.18-6-xen-amd64linux-headers-2.6.18-6-parisc64-smplinux-headers-2.6.18-6-xenlinux-image-2.6-vserver-s390xlinux-headers-2.6.18-6-s390xlinux-headers-2.6.18-6-vserver-s390xlinux-image-s390xlinux-manual-2.6.18linux-headers-2.6.18-6-xen-vserverlinux-image-2.6-vserver-amd64-k8-smpnvidia-kernel-2.6.18-6-amd64kernel-image-2.6-amd64-k8linux-image-2.6-vserver-amd64linux-support-2.6.18-6linux-image-vserver-amd64linux-headers-2.6.18-6-vservernvidia-kernel-2.6-amd64nvidia-kernel-legacy-2.6-amd64linux-image-parisclinux-headers-2.6.18-6linux-image-xen-vserver-amd64linux-headers-2.6-s390linux-image-2.6.18-6-parisclinux-headers-2.6.18-6-alllinux-headers-2.6-vserver-amd64linux-tree-2.6.18xen-linux-system-2.6.18-6-xen-vserver-amd64linux-image-s390linux-headers-2.6.18-6-s390linux-image-s390-tapelinux-modules-2.6.18-6-xen-vserver-amd64linux-headers-2.6.18-6-amd64linux-modules-2.6.18-6-xen-amd64linux-headers-2.6-xen-amd64linux-headers-2.6.18-6-all-s390libnss3-toolslibmozjs0dpython-xpcomlibnss3-0dlibmozillainterfaces-javalibnss3-0d-dbglibnspr4-devxulrunnerlibxul0d-dbglibxul0dlibsmjs1libnspr4-0d-dbglibnspr4-0dxulrunner-gnome-supportlibnss3-devspidermonkey-binlibxul-devlibxul-commonlibsmjs-devlibmozjs0d-dbglibmozjs-devznclibgadu-devlibgadu3ekgtomcat5.5-webappstomcat5.5tomcat5.5-adminlibtomcat5.5-javavim-runtimevimvim-perlvim-tinyvim-docvim-gnomevim-rubyvim-commonvim-gtkvim-fullvim-tclvim-pythonvim-lesstifvim-gui-commonethereal-devethereal-commonetherealdnsmasqxpdf-readerxpdfxpdf-commonxpdf-utilslibopensc2-devmozilla-openscopensclibopensc2libopensc2-dbggraphicsmagick-imagemagick-compatlibgraphicsmagick++1-devgraphicsmagicklibgraphicsmagick1graphicsmagick-libmagick-dev-compatlibgraphicsmagick++1graphicsmagick-dbglibgraphicsmagick1-devlibgraphics-magick-perlzaptelzaptel-sourcelibtonezone1libtonezone-devsourceforgegforge-cvsgforge-sourceforge-transitionhfasterisk-devasterisk-sounds-mainasterisk-h323asteriskasterisk-docasterisk-classicasterisk-configasterisk-bristuffasterisk-web-vmailltsp-clientldmltsp-server-standaloneltsp-serverlibfreetype6freetype2-demoslibfreetype6-devbeidguibeid-toolssquidsquid-commonsquid-cgiwebhttracklibhttrack-devlibhttrack1proxytrackhttrackhttrack-docjailerlibxerces2-javalibxerces2-java-doclibxerces2-java-gcjdevscriptsmtr-tinymtrtk8.3tk8.3-devtk8.3-doclibdevil-devlibdevil1c2python2.4python2.4-dbgpython2.4-examplespython2.5-devpython2.4-devpython2.5-examplesidle-python2.4python2.5idle-python2.5python2.5-minimalpython2.4-minimalpython2.5-dbglibpoppler0c2-gliblibpoppler0c2poppler-utilslibpoppler-glib-devlibpoppler0c2-qtlibpoppler-qt-devlibpoppler-devlibsnmp9snmplibsnmp-perlsnmpdlibsnmp9-devlibsnmp-basetkmibcactimplayer-docmplayerfuse-utilslibfuse-devlibfuse2libthai0libthai-devlibthai-doclibthai-dataexpatlibmilter1.0.1sensible-mdalibmilter0-dbgsendmail-binlibmilter0sendmail-basesendmail-doclibmilter1.0.1-dbgsendmaillibmilter-devsendmail-cfrmaillibsndfilektorrentpostfix-policydcurlpptpdt1libevolution-data-servertcpdumpmaradnsphp4monopostgresql-7.4xfce4-terminalelinksxen-3.0ipsec-toolsqt-x11-freelibphp-phpmailerphpwikiwesnothzabbixeggdropmtrlibcairolibimager-perlevolutionpulseaudioquaggamydnsphpbb2gforge-plugin-scmcvslibrpcsecgssunziplink-grammarslashdbustinymuxgsambadicedoveltspruby1.9fail2banxmmshplippolicyd-weighthorde3netpbm-freemt-daapdspeexkrb5openoffice.orgnewsxtwikipostfixlibspf2kdegraphicsfetabochslibvorbiscactidhcpgnumericsendmailopenldapopenldap2.3awstatsqemufetchmailopensslpcre3inotify-toolsdevilalsaplayerxpdfdovecotruby1.8xwineldapscriptswiresharkpopplerpython2.5suphproundupkolab-cyrus-imapdcyrus-imapd-2.2blendertk8.3gnutls26exiftagspostgresql-8.1wmlserendipitycupsyssyslog-nghttrackrdesktopxorg-serverlibcdaudiovime2fsprogsopenafswordpressgs-espgs-gplproftpd-dfsgstreamrippermoodletarsambaasteriskzope-cmfplonegforgeexiv2perlgit-coresplitvtlibnet-dns-perlgnutls13lighttpdlibxsltmoinutil-linuxfai-kernelsuser-mode-linuxpdnsfileswordtomcat5.5kofficesquidtk8.4id3lib3.8.3net-snmpphp5mysql-dfsg-5.0clamaviceapebind9uw-imapiceweaselgnome-peercastzaptelphpgedviewlibnss-ldapphppgadmingnatsweblibxerces2-javalinux-2.6xulrunnerlibxml2gimpxine-liblinux-2.6.24pdns-recursorwzdftpdgraphicsmagickfreetypemplayerphpmyadminpython2.4apache2uniconpptpdotrs2libwpdopen-iscsihikiicutcpreensitebarlibarchivemaradnsjffnmskazehakasewesnothphpgedviewgaimturba2squidrefpolicyikiwikitomcat5.5linux-2.6.24repreprodnsmasqkofficescponlynet-snmpavahigallery2no-iplibvorbistk8.3monxen-3.0python-cherrypyphp-xajaxkronolith2backup-managerlibtk-imglibexifpcre3openssl097opensslsmartymoincupslcmswordnetqt4-x11lighttpdlibfishsoundhtdigxorg-serverapt-listchangesafuseiceapephp5postfixpeercastopensshloop-aes-utilscentericqdspamflactk8.4freetypesympamplayerimlib2flamethrowerdbusdebian-goodiesperllibapache-mod-jkdhcpkdebasefireflierxine-libekgqemuemacs21zophcupsyspopplerwordpressenscriptvlcfileuser-mode-linuxfai-kernelswxwidgets2.6wxwindows2.4wxwidgets2.8sambaruby1.9nagios-pluginskrb5mapserverrsyncaircrack-ngalsa-drivericeweaseltomcat5fuseruby-gnome2libgd2nginxruby1.8openldap2.3libxml2courier-authlibjaileropenschsqldbphpmyadmintypo3-srcktorrentxpdfgforgeyarssrwiresharklibthaiopenoffice.orgpython-dnshfb2evolutionopenswanphp4cpiotiffpython-djangoxfspostgresql-7.4horde3linux-2.6python2.5python2.4librpcsecgssdovecotsquirrelmailvimsquid3asteriskmysql-dfsg-5.0perditionicedovexulrunnersdl-image1.2clamavphp-mailntprt2400rt2400-sourcesubversion-toolslibsvn1libapache2-svnlibsvn-perllibsvn-javalibsvn-docsubversionpython-subversionlibsvn-devlibsvn-javahllibsvn-rubylibsvn-ruby1.8libxml-security-c12libxml-security-c14libxml-security-c-doclibxml-security-c-devlibhtml-parser-perlvnc4serverxvnc4viewervnc4-commonyaws-wikiyaws-mailyaws-chatyawsyaws-yapplibcamlimages-ocaml-doclibcamlimages-ocaml-devlibcamlimages-ocamlipsec-toolsracoonlinux-headers-2.6.18-6-powerpc-smplinux-image-2.6.18-6-powerpc64linux-headers-2.6.18-6-all-powerpclinux-headers-2.6.18-6-preplinux-headers-2.6.18-6-powerpc-mibootlinux-headers-2.6.18-6-vserver-powerpc64linux-image-2.6.18-6-vserver-powerpc64linux-headers-2.6.18-6-powerpc64linux-image-2.6.18-6-powerpc-smplinux-image-2.6.18-6-preplinux-image-2.6.18-6-vserver-powerpclinux-headers-2.6.18-6-vserver-powerpclinux-image-2.6.18-6-powerpc-mibootlinux-headers-2.6.18-6-powerpclinux-image-2.6.18-6-powerpcgstreamer0.10-esdgstreamer0.10-plugins-good-dbggstreamer0.10-plugins-good-docgstreamer0.10-plugins-goodbind9utilsliblwres40libisccc40libbind9-40libdns45libisccfg40libisc45oinc-manageroinc-clientoinc-devlibpam-krb5libxml-devlibxml1roundupmediawiki1.7-mathmediawiki1.7nagios2-commonnagios2-docnagios2nagios2-dbglibdbd-pg-perlliblasso3liblasso-javaphp4-lassopython-lassoliblasso3-devpython-libxml2libxml2-dbglibxml2-devlibxml2-doclibxml2-utilslibxml2libpostproc0dlibswscale-devlibavdevice-devlibpostproc51libavdevice52libswscale0libpostproc-devffmpeg-dbglibavcodec0dlibavcodec51libavformat52libavutil-devffmpeglibavutil49libavformat0dlibavcodec-devffmpeg-doclibavformat-devlibmysql-ocamllibmysql-ocaml-devnetwork-manager-devlibnm-glib0libnm-util-devnetwork-managerlibnm-glib-devnetwork-manager-gnomelibnm-util0wesnoth-trowwesnoth-tsgwesnoth-musicwesnoth-dbgwesnoth-aoiwesnoth-ttbwesnoth-toolswesnothwesnoth-utbswesnoth-sotbewesnoth-datawesnoth-thotwesnoth-eiwesnoth-editorwesnoth-htttwesnoth-sofwesnoth-lwesnoth-allwesnoth-didwesnoth-nrwesnoth-serverlibgio-famlibglib2.0-datalibglib2.0-0libglib2.0-0-dbglibglib2.0-devlibglib2.0-doclibtiff-doclibtiff-opengllibtiff-toolslibtiff4libtiffxx0c2libtiff4-devlibbeidlibopensc2-devlibbeid2idguilibbeid2-devlibbeidlibopensc2id-toolsajaxtermndiswrapper-commonndiswrapper-utils-1.9ndiswrapper-sourcelibgnutls26-dbglibgnutls26guile-gnutlspasswdloginapache2-mpm-itkapache2-suexec-customapache2-prefork-devapache2apache2-dbgapache2-utilsapache2-srcapache2-suexecapache2-threaded-devapache2-mpm-workerapache2-docapache2-mpm-preforkapache2-mpm-eventapache2-mpm-perchildapache2.2-commonlibtk-img-doclibtk-imglibtk-img-devxtermudevlibvolume-id0libvolume-id-devlibapt-pkg-devapt-utilsapt-transport-httpsapt-docaptlibapt-pkg-doclintianlibpng12-0libpng12-devlibpng3clamav-baselibclamav5libclamav2clamav-testfilesclamav-freshclamclamav-daemonlibclamav-devclamav-dbgclamav-docsclamav-milterclamavlinkslinks-liteiceweaseliceweasel-dom-inspectoriceweasel-gnome-supportmozilla-firefox-dom-inspectorfirefoxmozilla-firefox-gnome-supporticeweasel-dbgfirefox-gnome-supportfirefox-dom-inspectormozilla-firefoxlibsoup2.2-devlibsoup2.2-doclibsoup2.2-8vscriptsnsd3nsdliblcms1liblcms1-devpython-liblcmsliblcms-utilsgstreamer0.10-plugins-bad-docgstreamer0.10-sdlgstreamer0.10-plugins-bad-dbggstreamer0.10-plugins-badphpmyadminwgetmoodlelibmapscript-rubyphp5-mapscriptlibmapscript-ruby1.8mapserver-binperl-mapscriptpython-mapscriptcgi-mapservermapserver-doclibmapscript-ruby1.9php4-mapscriptrt2500rt2500-sourcefirefox-sageproftpd-mod-mysqlproftpd-mod-pgsqlproftpd-mod-ldapproftpd-basiclinux-patch-openswanopenswan-modules-sourceopenswanlibpam-heimdalruby1.8libtcltk-ruby1.9libgdbm-ruby1.9libruby1.9libopenssl-ruby1.8ruby1.9rdoc1.8libdbm-ruby1.8libdbm-ruby1.9libopenssl-ruby1.9ruby1.9-elisplibgdbm-ruby1.8irb1.9ruby1.8-elisplibtcltk-ruby1.8rdoc1.9libruby1.8-dbglibreadline-ruby1.8libruby1.8libruby1.9-dbgruby1.9-examplesruby1.9-devri1.9libreadline-ruby1.9ruby1.8-devri1.8irb1.8ruby1.8-exampleslinux-image-2.6.24-etchnhalf.1-s390-tapelinux-headers-2.6.24-etchnhalf.1-s390linux-headers-2.6.24-etchnhalf.1-s390xlinux-headers-2.6.24-etchnhalf.1-all-s390linux-image-2.6.24-etchnhalf.1-s390xlinux-image-2.6.24-etchnhalf.1-s390imp4libpango1.0-commonlibpango1.0-devlibpango1.0-doclibpango1.0-0-dbglibpango1.0-0php5-mcryptphp5-gmpphp-pearphp5-xslphp5-dbgphp5-curllibapache2-mod-php5filterphp5-gdphp5-ldapphp5-sybasephp5-pspellphp5-devlibapache2-mod-php5php5-snmpphp5-sqlitephp5-recodephp5-cliphp5-pgsqllibapache-mod-php5php5-odbcphp5-mysqlphp5-xmlrpcphp5-tidyphp5-commonphp5-imapphp5php5-interbasephp5-cgiphp5-mhashcactilibcups2libcupsys2-gnutls10cups-bsdcups-clientlibcupsimage2-devcups-commoncupslibcupsimage2cupsyslibcupsys2libcups2-devcups-dbgcupsys-commoncupsys-dbgcupsys-clientlibcupsys2-devcupsys-bsdlinux-headers-2.6.18-6-s390linux-doc-2.6.18linux-image-2.6.18-6-vserver-amd64linux-headers-2.6.18-6linux-tree-2.6.18linux-headers-2.6.18-6-vserver-s390xlinux-image-2.6.18-6-parisclinux-headers-2.6.18-6-s390xlinux-headers-2.6.18-6-xenlinux-image-2.6.18-6-s390xlinux-image-2.6.18-6-xen-amd64linux-image-2.6.18-6-xen-vserver-amd64linux-image-2.6.18-6-amd64linux-headers-2.6.18-6-vserverlinux-modules-2.6.18-6-xen-vserver-amd64xen-linux-system-2.6.18-6-xen-vserver-amd64linux-headers-2.6.18-6-xen-amd64linux-image-2.6.18-6-vserver-s390xlinux-image-2.6.18-6-s390fai-kernelslinux-support-2.6.18-6linux-patch-debian-2.6.18linux-headers-2.6.18-6-all-s390linux-headers-2.6.18-6-alllinux-headers-2.6.18-6-vserver-amd64xen-linux-system-2.6.18-6-xen-amd64linux-headers-2.6.18-6-xen-vserverlinux-image-2.6.18-6-parisc-smplinux-modules-2.6.18-6-xen-amd64linux-headers-2.6.18-6-parisclinux-headers-2.6.18-6-xen-vserver-amd64linux-headers-2.6.18-6-all-amd64linux-headers-2.6.18-6-parisc64-smplinux-headers-2.6.18-6-parisc-smplinux-image-2.6.18-6-parisc64linux-headers-2.6.18-6-all-hppalinux-image-2.6.18-6-parisc64-smplinux-headers-2.6.18-6-amd64linux-manual-2.6.18linux-headers-2.6.18-6-parisc64linux-image-2.6.18-6-s390-tapelinux-source-2.6.18libssl0.9.8libssl0.9.8-dbglibssl-devlibssl0.9.7libssl0.9.7-dbgopensslcurllibcurl4-openssl-devlibcurl4-gnutls-devlibcurl3-openssl-devlibcurl3-devlibcurl3-gnutls-devlibcurl3-gnutlslibcurl3-dbglibcurl3amarokamarok-xineamarok-enginesxapian-omegapdns-recursorlibwmf-doclibwmf-binlibwmf0.2-7libwmf-devlibvlc0vlc-plugin-svgalibvlc-plugin-ggiwxvlcvlc-noxvlc-plugin-sdlvlc-plugin-glidelibvlc0-devvlc-plugin-alsavlcmozilla-plugin-vlcvlc-plugin-artsvlc-plugin-esdus-x11us-1-docus-1-utilsuslibdbus-1-devlibdbus-1-3netatalkzope2.10zope2.9zope2.10-sandboxzope2.9-sandboxlighttpd-mod-magnetlighttpd-mod-webdavlighttpd-doclighttpd-mod-mysql-vhostlighttpd-mod-trigger-b4-dllighttpdlighttpd-mod-cmlmultipath-tools-bootkpartxmultipath-toolslib64expat1-devlibexpat1libexpat1-devxpatlib64expat1memcachedlibfreetype6freetype2-demoslibfreetype6-devlibapr1libapr1-devlibapr1-dbgproftpd-pgsqlproftpd-mysqlproftpdproftpd-docproftpd-ldaplwresdlibisccfg1bind9bind9-doclibdns22liblwres9dnsutilslibbind9-0libbind-devbind9-hostlibisccc0libisc11typo3-src-4.2linux-headers-2.6.24-etchnhalf.1-parisc64linux-headers-2.6.24-etchnhalf.1-parisclinux-image-2.6.24-etchnhalf.1-parisclinux-tree-2.6.24linux-headers-2.6.24-etchnhalf.1-all-amd64linux-patch-debian-2.6.24linux-headers-2.6.24-etchnhalf.1-alllinux-headers-2.6.24-etchnhalf.1-amd64linux-image-2.6.24-etchnhalf.1-parisc-smplinux-doc-2.6.24linux-headers-2.6.24-etchnhalf.1-all-hppalinux-image-2.6.24-etchnhalf.1-amd64linux-manual-2.6.24linux-headers-2.6.24-etchnhalf.1-commonlinux-headers-2.6.24-etchnhalf.1-parisc64-smplinux-support-2.6.24-etchnhalf.1linux-source-2.6.24linux-headers-2.6.24-etchnhalf.1-parisc-smplinux-image-2.6.24-etchnhalf.1-parisc64-smplinux-image-2.6.24-etchnhalf.1-parisc64libopenafs-devopenafs-dbserverlibpam-openafs-kaserveropenafs-docopenafs-dbgopenafs-fileserveropenafs-clientopenafs-krb5openafs-modules-sourceopenafs-kpasswdacpidlibc6.1libc6-mips64libc6-dev-mips64libc6-mipsn32libc6.1-devlibc6-dbglibc6.1-dbglibc6libc6.1-piclibc6-s390xlibc6-proflibc6-dev-s390xnscdlocales-alllibc6-devglibc-sourceglibc-doclibc6-dev-mipsn32libc6.1-proflocaleslibc6-picphp-net-pinglibmagick++10libmagick10perlmagicklibmagick++9c2alibmagick9libmagick9-devlibmagick++9-devimagemagickkdelibs-dbgkdelibs4c2akdelibs-datakdelibs4-devkdelibs4-dockdelibspython-pygresql-dbgpython-pygresqltetherealthereal-commontsharkwireshark-devwireshark-commonthereal-devwiresharkthereallibicu-devlibicu38-dbglib32icu38lib32icu-devlibicu36-devlibicu38libicu36icu-docmimetexlibnewt-devnewt-tcllibnewt-picwhiptailpython-newtlibnewt0.52squid3-clientsquid3-commonsquidsquid3-cgisquidclientsquid3squid-commonsquid-cgiiceape-gnome-supportmozilla-calendariceape-dbgiceapemozillaiceape-devmozilla-dom-inspectormozilla-psmmozilla-js-debuggericeape-mailnewsiceape-calendariceape-chatzillaiceape-dom-inspectormozilla-mailnewsmozilla-chatzillaiceape-browsermozilla-devmozilla-browserkolourpaintkrulerkpovmodelerkfaxviewkfaxkookakdegraphics-dbgkviewkuickshowkamerakdegraphics-kfile-pluginskghostviewkmrmlkdvikgammakiconeditkviewshellksnapshotkpdfkdegraphics-devkcoloreditlibkscan1kdegraphicsksvglibkscan-devkdegraphics-doc-htmlmaildroplibapache-mod-jk-doclibapache-mod-jklibapache2-mod-jkkrb5-kdclibkrb53krb5-rsh-serverkrb5-pkinitkrb5-admin-serverkrb5-telnetdlibkrb5-devkrb5-ftpdkrb5-dockrb5-clientslibkrb5-dbgkrb5-userkrb5-kdc-ldaplibkadm55libaprutil1libaprutil1-dbglibaprutil1-devznclibsaml2-doclibsaml2-devlibsaml2opensaml2-toolsopensaml2-schemaslibshibsp1shibboleth-sp2-schemaslibshibsp-devlibapache2-mod-shib2libshibsp-docnginxtypo3typo3-src-4.0ghostscriptgs-commonghostscript-xgs-aladdinlibgs8gs-gplgs-esplibgs-devghostscript-docgsgit-guismartylibgd2-xpm-devlibgd2-noxpm-devlibgd2-xpmlibgd-toolslibgd2-noxpmrt2570-sourceganglia-monitorlibganglia1libganglia1-devgmetadlibpostgresql-ocamllibpostgresql-ocaml-devntpntp-refclockntp-docntp-simplentpdateggdropggdrop-datacyrus-admin-2.2cyrus-clients-2.2libcyrus-imap-perl22cyrus-pop3d-2.2cyrus-imapd-2.2cyrus-murder-2.2cyrus-common-2.2cyrus-doc-2.2cyrus-nntpd-2.2cyrus-dev-2.2sork-passwd-h3gzipgzip-win32libecpg-compat2postgresql-7.4postgresql-doc-8.1postgresql-8.1postgresql-contrib-8.1postgresql-plpython-7.4postgresql-server-dev-7.4libpgtypes2postgresql-client-7.4postgresql-doc-7.4postgresql-pltcl-8.1libecpg5postgresql-pltcl-8.3postgresql-plperl-7.4postgresql-plperl-8.1postgresql-clientpostgresql-plpython-8.3postgresql-client-8.3postgresql-doc-8.3libecpg6postgresql-client-8.1libpq5libecpg-compat3postgresql-contrib-8.3postgresql-plpython-8.1libpgtypes3postgresql-server-dev-8.1postgresql-plperl-8.3libpq4libpq-devpostgresql-server-dev-8.3postgresql-docpostgresql-pltcl-7.4postgresql-contribpostgresql-contrib-7.4libecpg-devpostgresql-8.3postgresqlthunderbird-gnome-supporticedove-dbgthunderbird-dbgmozilla-thunderbird-inspectoricedove-gnome-supporticedove-devmozilla-thunderbirdthunderbird-typeaheadfindthunderbird-devmozilla-thunderbird-typeaheadfindicedovethunderbirdicedove-inspectoricedove-typeaheadfindmozilla-thunderbird-devthunderbird-inspectorwordpresschangetracklibvorbis0alibvorbisfile3libvorbis-devlibvorbisenc2mplayer-docmplayerstrongswanhcp3-serverhcp3-clienthcp3-devhcp3-server-ldaphcp-clienthcp3-commonhcp3-relaysquirrelmailgnutls-doclibgnutls-devlibgnutls13libgnutls13-dbggnutls-binlibsndfile1-devsndfile-programslibsndfile1chronygit-svngit-coregit-archgit-daemon-rungitwebgit-emailgitkgit-docgit-cvslibshib-devlibapache2-mod-shiblibshib-target5libshib6libsaml5opensaml-schemaslibsaml-devgforge-ldap-openldapgforge-mta-exim4gforge-mta-eximgforge-plugin-scmsvngforge-ftp-proftpdgforge-lists-mailmangforge-mta-couriergforge-shell-postgresqlgforge-mta-postfixgforge-web-apache2gforge-shell-ldapgforge-web-apachegforge-plugin-scmcvsgforge-db-postgresqlgforge-plugin-mediawikigforge-dns-bind9gforge-commongforgelibmysqlclient15-devlibmysqlclient15offmysql-servermysql-server-4.1mysql-client-5.0mysql-commonmysql-server-5.0mysql-clientlibgdata1.2-devlibecal1.2-6libedata-cal1.2-6libegroupwise1.2-devvolution-data-serverlibexchange-storage1.2-1libgdata-google1.2-1libedata-book1.2-2libecal1.2-7libedataserverui1.2-6libexchange-storage1.2-3libedataserver1.2-9libebook1.2-5libecal1.2-devlibgdata1.2-1libegroupwise1.2-10libedata-book1.2-devlibedataserverui1.2-devvolution-data-server-commonvolution-data-server-devlibedataserverui1.2-8libgdata-google1.2-devlibcamel1.2-8libedata-cal1.2-devlibedataserver1.2-7libedataserver1.2-devlibcamel1.2-11libegroupwise1.2-13libebook1.2-devvolution-data-server-dbglibcamel1.2-devlibedata-cal1.2-5libexchange-storage1.2-devlibebook1.2-9openoffice.org-gtk-gnomeopenoffice.org-filter-so52libmythes-devopenoffice.org-help-hi-inopenoffice.org-gnomeopenoffice.org-help-enopenoffice.org-devopenoffice.org-l10n-hicli-uno-bridgeopenoffice.org-calcopenoffice.org-coreopenoffice.org-l10n-euopenoffice.org-qa-toolsopenoffice.org-l10n-hropenoffice.org-filter-binfilteropenoffice.org-l10n-rulibuno-cli-ure1.0-cilopenoffice.org-l10n-gu-inlibuno-cli-cppuhelper1.0-cilopenoffice.org-l10n-te-inopenoffice.org-l10n-nnopenoffice.org-l10n-tnopenoffice.org-java-commonopenoffice.org-help-daopenoffice.org-l10n-xhopenoffice.org-help-ptopenoffice.org-writeropenoffice.org-l10n-uzopenoffice.org-help-kmopenoffice.org-report-builder-binopenoffice.org-emailmergeopenoffice.org-help-svlibuno-cli-types1.1-cilttf-opensymbolopenoffice.org-l10n-tropenoffice.org-help-glopenoffice.org-l10n-kmopenoffice.org-commonopenoffice.org-l10n-skopenoffice.org-l10n-ml-inopenoffice.org-l10n-deopenoffice.org-l10n-ptopenoffice.org-l10n-nropenoffice.org-l10n-lvopenoffice.org-l10n-veopenoffice.org-ogltransopenoffice.org-mathopenoffice.org-l10n-ta-inopenoffice.org-l10n-aropenoffice.orgopenoffice.org-base-coreopenoffice.org-l10n-faopenoffice.org-impressopenoffice.org-presentation-minimizeropenoffice.org-l10n-rwopenoffice.org-l10n-loopenoffice.org-l10n-kuopenoffice.org-gcjopenoffice.org-help-en-gbopenoffice.org-l10n-glopenoffice.org-l10n-fiopenoffice.org-l10n-tgopenoffice.org-help-etopenoffice.org-style-andromedaopenoffice.org-help-deopenoffice.org-l10n-cyopenoffice.org-l10n-itopenoffice.org-l10n-jaopenoffice.org-help-csopenoffice.org-help-huopenoffice.org-qa-api-testsopenoffice.org-headlessopenoffice.org-dev-docopenoffice.org-baseopenoffice.org-help-euopenoffice.org-l10n-ltopenoffice.org-l10n-tsopenoffice.org-l10n-bgopenoffice.org-l10n-heopenoffice.org-l10n-ssopenoffice.org-l10n-csopenoffice.org-help-ruopenoffice.org-help-esopenoffice.org-help-itopenoffice.org-kdeopenoffice.org-l10n-esopenoffice.org-l10n-inopenoffice.org-drawopenoffice.org-help-en-usopenoffice.org-l10n-or-inopenoffice.org-l10n-sropenoffice.org-help-plopenoffice.org-l10n-eoopenoffice.org-l10n-elopenoffice.org-dbgopenoffice.org-l10n-zh-twopenoffice.org-l10n-hi-inopenoffice.org-l10n-zabroffice.orgopenoffice.org-help-dzopenoffice.org-l10n-en-gbopenoffice.org-style-crystalopenoffice.org-l10n-dzopenoffice.org-l10n-as-inopenoffice.org-help-zh-twopenoffice.org-help-nlopenoffice.org-l10n-be-byopenoffice.org-style-industrialopenoffice.org-help-koure-dbgopenoffice.org-l10n-sr-csopenoffice.org-l10n-romozilla-openoffice.orgopenoffice.org-l10n-gaopenoffice.org-l10n-en-zaopenoffice.org-help-pt-bropenoffice.org-style-tangoopenoffice.org-l10n-pt-bropenoffice.org-l10n-viopenoffice.org-l10n-caopenoffice.org-l10n-kaopenoffice.org-l10n-bropenoffice.org-l10n-zh-cnopenoffice.org-style-hicontrastopenoffice.org-l10n-zuopenoffice.org-l10n-neopenoffice.org-l10n-mr-inopenoffice.org-l10n-etopenoffice.org-l10n-stopenoffice.org-sdbc-postgresqlopenoffice.org-evolutionopenoffice.org-l10n-svopenoffice.org-l10n-koopenoffice.org-filter-mobiledevopenoffice.org-help-jaopenoffice.org-l10n-nbopenoffice.org-dtd-officedocument1.0openoffice.org-help-fropenoffice.org-l10n-plopenoffice.org-help-slopenoffice.org-l10n-afopenoffice.org-l10n-thopenoffice.org-l10n-ukopenoffice.org-help-zh-cnopenoffice.org-l10n-bnopenoffice.org-l10n-slopenoffice.org-l10n-mkopenoffice.org-l10n-nlopenoffice.org-l10n-fropenoffice.org-l10n-nsopenoffice.org-l10n-pa-inlibuno-cli-basetypes1.0-cilopenoffice.org-officebeanpython-unoopenoffice.org-gtkureopenoffice.org-l10n-daopenoffice.org-l10n-huopenoffice.org-l10n-bsopenoffice.org-report-builderlibtoollibtool-doclibltdl3-devlibltdl3php4-jsonphp5-jsonhorde3/etcdebian_version^(\d\.\d).*$1libaudiofile0libaudiofile-dev2:1.4.15-4+lenny22:1.4.9a-50:3.6-2etch20:2.2.98-2+etch10:1.0.rc15-2etch50:1.0.15-2.3+lenny10:1.2-50:1.4.4-2+lenny11:2.4.12+dfsg-1.3+lenny21:2.4.6+dfsg.2-1.1+etch21:1.3-15etch21:1.3-15etch31:1.3-release-7+lenny10:5.5.20-2etch30:0.58-4+etch20:1.0.27-20:1.2.12.04-1etch20:3.0.24-6etch100:1.28-1+etch10:0.1.8-1+etch10:0.058-2+lenny10:1.1.1-21etch50:0.9.2-3+etch10:1.3.0.0debian1-4+etch20:0.99.4-5.etch.20:0.10.10-2sarge110:0.8.4-1+lenny10:0.7-5.2+etch10:6.3.9~rc2-4+lenny10:6.3.6-1etch20:2.3.7-1.1+lenny10:2.3.6-1+etch10:3.0.7-3.lenny20:0.2.4+r1376-1.1+etch20:1.4.4-3+etch50:2.4.2-6+lenny22:1.4.9a-30:0.52.2-11.3+lenny10:0.52.2-10+etch10:2.4.5.1.1+etch1-00:2.6.3.2.1.5+etch1-00:2.6.3.2.2-3+lenny10:2.8.7.1-1.1+lenny10:0.10.3-3.1+etch30:0.10.7-2+lenny20:1.8.0.15~pre080323b-0etch20:0.6.46.4-0.1+etch10:0.7.20.2+lenny1-00:4.3-3+lenny10:4.3-3+etch10:0.94.dfsg.2-1lenny20:0.90.1dfsg-4etch190:0.8.6-svn20061012.debian-5.1+etch30:4.0.2.dfsg-30:2.1.4-1etch10:0.23+sarge1-00:0.27+etch1-00:3.6-2etch10:3.1.3-4etch40:1.2.1-3.2+etch10:0.99.4-5.etch.30:0.6.2-1+etch00:2.6.24-6~etchnhalf.50:0.48-1sarge10:0.59-1etch10:1.2.7-4etch60:1.2.7-4+etch90:1.3.8-1+lenny70:5.52-1sarge50:5.52-9etch10:1.6.18-1etch10:1.6.17-3sarge10:2.0.36~rc1~dfsg-3+lenny10:2.0.33-5.2etch20:2.3.7-2+lenny10:2.2.1-5+etch44:2.9.1.1-90:0.4.5-5.1etch30:0.125-7+lenny10:0.105-4etch10:1.61.27-1+etch10:1.1.6-2+etch10:1.1.14-1+lenny10:1.77-3+lenny10:1.65-4etch10:1.0~rc1-12etch57:6.3.7.9.dfsg2-1~lenny37:6.2.4.5.dfsg1-0.15+etch10:2.2.1-5+etch20:4.0.2.dfsg-40:2.2.6-02-1+lenny2+b20:2.2.3-01-2+etch4+b10:2.2.9-10+lenny60:2.2.3-4+etch110:2.6-2+etch30:3.0.6-4~lenny20:7.4.7-6sarge60:7.4.19-0etch10:3.0.PRE5-5+etch10:0.7.0-2etch10:2.0.0.15-0etch10:0.1217.toots.20060314-1etch10:1.2.12+dfsg-8+lenny20:1.2.7+dfsg-2+etch20:1.4.13-4etch110:0.4.7-1.1etch20:0.4.8-14+lenny10:1.4.13-4etch90:1.17+etch.22etch2-00:2.6.18.dfsg.1-22etch20:1.4.4-7etch70:1.6.dfsg.4~beta1-5lenny10:2.6.16-7sarge10:2.6.27.dfsg-20:1.50-1+etch10:3.1.4-1+etch20:0.10.3-3.1+etch10:5.0.32-7etch50:2.0.0-1etch10:1.2.7-4etch50:1.17+etch.24etch4-00:2.6.18.dfsg.1-24etch40:1.1.12-1+etch10:1.2.2-1+lenny10:3.1.3-4etch50:5.2.0+dfsg-8+etch150:5.2.6.dfsg.1-1+lenny30:2.5-1etch10:1.0.12~pre080131b-0etch10:1.8+1.0.12~pre080131b-0etch10:3.8.1-1etch20:3.8.1-3+lenny10:1.2.7-90:1.2.12-5+lenny10:1.2.7+dfsg-2+etch30:1.2.12+dfsg-8+lenny40:2.3.30-5+etch10:1.5.9-2etch10:1.5.7-7sarge14:2.9.1.1-80:2.4.4-3+etch10:6.5+dfsg-1+etch10:2.3.30-5+etch20:2.6-1etch10:1.4.2dfsg1-30:1.5.1dfsg1-44:2.9.1.1-100:1.17+etch.23etch1-00:2.6.18.dfsg.1-23etch10:2.2.6-8etch10:2002edebian1-13.1+etch10:2.0.0.18-0etch10:1.49-2+etch10:1.2.4-4.1+etch14:3.5.9-3+lenny24:3.5.5-3etch40:1.6.5-9etch10:2.6.27.dfsg-6+etch10:2.6.32.dfsg-5+lenny10:2.6.24-6~etchnhalf.8etch30:4.0.2+debian-70:3.1.3-4etch60:3.2.2+debian0-2+lenny10:3.1.3-4etch20:1.1.3-9sarge90:2.0.4.dfsg.2-7etch50:0.5.4-1.1etch00:5.4.11-4+etch10:1.2.53-2etch10:1.0.2-1+etch10:1.17+etch.18etch6-00:2.6.18.dfsg.1-18etch60:2.6.24-6~etchnhalf.8etch10:1.8.17-14+etch10:0.90.1dfsg-4etch160:0.6.32-3+lenny30:0.4.13-2+etch30:2.0.10-1etch10:1.3.0.0debian1-4+etch10:1.2.2-2.etch10:4.3.0.dfsg.1-14sarge70:1.1.1-21etch20:2.12.4-2+etch10:2.16.6-1+lenny10:3.6.8-5etch10:1.6.3-2+etch20:1.0.2-1+etch20:4.7~rc2-7lenny10:4.5.14-22etch110:1.4.4.4-4+etch20:1.5.6.5-3+lenny10:2.6-18.1+etch10:0.8.1-2etch10:0.5.2-1.1sarge30:2.5.7-3.1etch10:2.0.10-1etch30:1.3.6-2sarge60:1.4.4-7etch51:9.3.4-2etch30:0.95.1-1etch20:2.12r-19etch10:1.0.8-1lenny10:1.0.4-5etch10:0.6.9-6sarge20:0.6.13-5etch20:3.5.5a.dfsg.1-8etch20:3.5.10.dfsg.1-0lenny20:4.3p2-9etch30:5.2.0-8+etch130:4.1.3-4etch10:5.2.3-1.2+etch10:2.6.27.dfsg-50:2.6.24-6~etchnhalf.60:1.2.7-4+etch80:1.3.8-1+lenny60:2.0.10-1etch40:2.5.1-11+lenny10:5.8.8-7etch30:2.6.10+1.6.10-3etch10:1.6.10-3etch10:2.42a-7.1+etch10:1.4.15+etch1-00:4.7~rc2-7lenny20:4.5.14-22etch126:4.4.4-8+etch60:1.0.13~pre080323b-0etch30:1.8+1.0.13~pre080323b-0etch31:2.0.0+beta5-10etch10:1.0~rc1-12etch70:1.6.3-5.1+etch10:3.1.1-6+lenny20:3.0.4-13+etch20:1.9.0+20060609-1etch30:1.0.rc15-2etch40:1.6-2etch10:1.4-2etch11:0.7.1-1.3+lenny21:0.6.6-3.1etch30:2.1.3-1etch10:2.0.2-1sarge10:4.2.4-5+lenny30:2.8.0+dfsg-1+etch20:2.0.1-4+lenny10:1.95.8-3.4+etch10:1.8.0.15~pre080614d-0etch10:4.2.2.p4+dfsg-2etch30:4.2.4p4+dfsg-8lenny24:2.9.1.1-70:0.1.1-1+etch10:0.9.8c-4etch50:0.9.8g-15+lenny10:0.9.7k-3.1etch30:1.6.19-1.1+lenny10:1.6.18-1etch20:3.55-1+etch10:3.56-1+lenny10:1.0.rc15-2etch20:1.0.rc15-2etch30:0.1.14-beta-6etch20:4.5.14-22etch80:2.0.21-70:2.0.13-6sarge40:2.6.18-1um-2etch.18etch50:1.17+etch.18etch5-00:2.6.18.dfsg.1-18etch50:0.90.1dfsg-3.1+etch140:3.0-2+lenny10:3.0-2+etch10:2.6.24-6~etchnhalf.8etch20:1.5.3-1.2etch20:1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch10:1.1.0-20:1.1.2.dfsg-1.30:1.2.1-5+etch20:0.9.5-5etch10:1.1.2.dfsg-1.40:1.6.3-5etch20:2.22.3-1.1+lenny10:0.4.2-1etch10:1.1.13.0+OOo2.4.1+dfsg-1+lenny30:1.0.10.0+OOo2.4.1+dfsg-1+lenny30:1.0.2+OOo2.4.1+dfsg-1+lenny30:1.0+OOo2.4.1+dfsg-1+lenny30:1.0.13.0+OOo2.4.1+dfsg-1+lenny30:0.7.6+OOo2.4.1+dfsg-1+lenny30:1.4+OOo2.4.1+dfsg-1+lenny30:2.0.4.dfsg.2-7etch71:2.4.1+dfsg-1+lenny30:2.4.6+dfsg.2-1.1+etch10:2.4.12+dfsg-1.3+lenny11:1.2.13~dfsg-2etch30:2.0.0.14-0etch10:1.8.0.15~pre080131a-0etch10:1.8.0.15~pre080131b-0etch10:1.0.1-1etch10:2.2.1-3etch10:1.0.16-2+etch20:1.0.17-4+lenny20:2.1.1-4+etch10:1.3f.dfsg1-2+etch10:1.1.1-2+lenny10:1.3.1.dfsg1-3+lenny10:1.1a-2+etch10:1.17+etch.24etch3-00:2.6.18.dfsg.1-24etch30:2.6.5-6etch10:5.5.20-2etch10:5.0.30-12etch10:3.01-9.1+etch20:1.1.19-20:2.5-5+etch10:2.6.24-6~etchnhalf.70:5.2.3-7etch20:0.1.1-00:4.3p2-9etch10:1.4.13-4etch50:1.5.0-1etch20:4.0.2+debian-81:2.1-4+etch10:2.6.27.dfsg-40:1.2.7-4etch30:1.1.2+dfsg-70:0.99.2-9+etch20:10.0-11.1+etch10:0.8.2-4etch20:1.2.7-4etch70:1.3.8-1lenny50:1.0.4-2+etch10:1.0.4-4+lenny10:1.0.13-5etch10:1.0.8-7sarge10:1.0.8+2sarge2-00:2.2.0-4+lenny30:2.20-8+etch30:1.8.0.15~pre080323b-0etch10:1.0.13~pre080614i-0etch10:1.8+1.0.13~pre080614i-0etch10:4.00-1etch10:1.3.0-19etch20:0.9.8c-4etch30:1.4.13-4etch70:1.17+etch.18etch4-00:2.6.18.dfsg.1-18etch40:2.6.9-2etch20:1.6.3-2+etch10:1.4.4-3+etch20:1.4.4-3+etch30:2.6.24-6~etchnhalf.9etch10:1.7.1-9etch10:1.8.5-4etch30:0.99.12p2-2+etch10:0.50-1etch10:1.2.1-3+etch10:1.4.0-3+lenny20:2.9.20-8+etch11:9.3.4-2etch40:0.11.1-1.2etch20:1.33.5-00:1.6.4-11.10:2.9.1.1-130:2.11.8.1-5+lenny30:1.9.0+20060609-1etch20:1.17+etch.22etch3-00:2.6.18.dfsg.1-22etch30:2.0.4-2sarge30:2.6.3-6etch20:0.2.8.4-2+etch10:0.2.8.4-6+lenny10:5.0.32-7etch60:1.8.2.dfsg-3+lenny20:1.6.3-2+etch31:4.0.5-9.1etch10:1.5.0.13+1.5.0.15b.dfsg1-0etch20:1.5.0.13+1.5.0.15a.dfsg1-0etch20:1.1.12-3etch10:2.6.20-1.20:2.6.14-1etch20:1.10.2-2+etch10:1.11.4-2+lenny10:2.0.0.12-0etch10:1.0.2-1+etch30:1.2.1-5+lenny10:2.8.0+dfsg-1+etch10:4.2.4-5+lenny10:5.0.51a-24+lenny20:5.0.32-7etch110:1.0.16-2+etch10:1.0.17-4+lenny10:2.4.4-3+etch20:222-1etch30:2.3.30-5+etch30:2.4.11-1+lenny10:1.4.13-4etch60:0.2.4-2+etch10:0.10-1.50:2.0.11-1etch10:1.5.3-1.2etch10:5.2.0+dfsg-8+etch160:5.2.6.dfsg.1-1+lenny40:5.2.0-8+etch110:1.4.4-3+etch10:6.7+7.4-30:4.5+7.4-20:2.6-2+etch40:1.4.4-4etch10:1.17+etch.18etch1-00:2.6.18.dfsg.1-18etch10:1.3.81-3sarge30:1.4.2-6etch10:2.2.13-14+lenny30:2.2.13-10+etch40:2.2.13-5+lenny20:2.2.13-2+etch20:0.90.1dfsg-4etch150:5.0.32-7etch100:5.0.51a-24+lenny10:0.6.16-3etch20:0.7.5-2etch10:0.8.2-4etch30:0.9.1-10lenny10:1.8.5-4etch20:5.0.3-3+lenny40:4.10.0-5.1+etch40:1.8+1.0.13~pre080323b-0etch10:1.0.13~pre080323b-0etch10:1.5.6.5-3+lenny20:1.4.4.4-4+etch34:3.5.9-3+lenny14:3.5.5-3etch30:1.2.2-4.3+etch20:1.6.1-3+lenny31:1.6.1-2etch20:3.6.1-4+etch10:3.6.7-5+lenny30:3.4.5-2+etch10:3.0.4-4sarge70:3.1.3-4etch30:1.8.5-4etch50:1.9.0+20060609-1etch50:1.9.0.2-9lenny10:1.8.7.72-3lenny10:1.0~rc1-12etch30:2.12r-15+etch10:2.12p-4sarge20:1.4-6sarge10:1.4.5-1etch10:2.72.5etch2-00:4.5.14-22etch50:2.0.10-1etch20:8.1.11-0etch10:0.cvs20060823-8+etch10:0.svn20080206-17+lenny10:2.0.33-5.2etch10:4.0.2+debian-50:2.2.0-4+lenny20:2.20-8+etch20:2.2.0-4+lenny10:2.20-8+etch10:0.8.6-svn20061012.debian-5.1+etch20:8.3.8-0lenny10:8.1.18-0etch11:7.4.26-0etch11:1.2.26-2+lenny11:1.2.18-3etch20:1.4.3-0.1etch10:9.3.4-2etch50:9.5.1.dfsg.P3-10:2.3.8-2+etch10:4.5.14-22etch100:2.6.18.dfsg.1-18etch30:8.54.dfsg.1-5etch20:8.62.dfsg.1-3.2lenny10:8.4.12-1etch20:8.4.9-1sarge20:5.0.32-7etch40:0.2.2-1etch10:4.1.1+X4.3.0-21+etch10:2.0.0.19-0etch10:2.6.27.dfsg-60:1.2.5-4+etch10:4.0.18.1-7+etch10:5.8.8-7etch50:1.17+etch.24etch2-00:2.6.18.dfsg.1-24etch10:2.6.18.dfsg.1-24etch20:0.98-1.1+0sarge1m68k0:0.98-1.1+etch10:0.99.76-9+etch10:1.2.5-2+etch10:1.2.4-1etch10:0.90.1dfsg-3etch110:2.6.14-1etch10:2.6.9-1sarge10:8.01-60:7.07.1-9sarge10:8.15.3.dfsg.1-1etch10:8.54.dfsg.1-5etch10:1.1.1-5sarge10:1.1.2-80:1.1.19-30:1.0.1-1sarge70:1.1.2+dfsg-60:1.1.2+dfsg-50:1.0.1-1sarge60:2.3.0-5.2+etch10:0.9.9-1+etch10:1.0.7-3+lenny10:6.7+7.4-40:1.8.0.15~pre080614h-0etch10:0.9.7k-3.1etch20:0.9.8c-4etch40:0.8.6i-3.40:4.6-1etch10:4.0-1sarge20:1.1.0+cvs20060620-3+etch10:4.0.1-3.1etch20:3.01-9.1+etch60:3.02-1.4+lenny10:1.0.4-1+etch10:4.2.5-1+lenny20:4.0.2+debian-91:1.4.4.4-4+etch10:1.33.4-00:1.4.7.dfsg1-6+lenny10:1.4.2-6etch20:1.3.0-19etch30:1.3.1-17lenny44:3.5.5a.dfsg.1-8etch30:1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch10:7.15.5-1etch20:7.18.2-8lenny20:0.6.32-3+lenny20:0.4.13-2+etch20:0.5.7-1sarge20:0.7.5-40:0.0.20061018-5.1+etch10:2.0.0.17-0etch10:3.1d-13etch20:1.17+etch.17etch1-00:1.0.8776+6etch2-00:1.0.7184+6etch2-00:2.6.18+6etch3-00:2.6.18.dfsg.1-17etch10:1.5.4-2+etch10:1.7.0-3+lenny10:1.8.0.15~pre080614i-0etch10:0.045-3+etch30:0.058-2+lenny30:5.0.32-7etch80:2.0.4.dfsg.2-7etch61:1.7~rc2-1etch20:3.8.2-7+etch10:4.10.0-5.1+etch20:5.5.20-2etch20:2.2.6-02-1+lenny20:2.2.3-01-2+etch30:2.2.3-4+etch90:2.2.9-10+lenny41:7.0-122+1etch50:1.0.2-3+lenny70:0.99.4-5.etch.44:2.11.8.1-5+lenny14:2.9.1.1-110:1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch10:0.6.6-4+lenny10:0.6.4-6+etch10:5.2.0-8+etch100:2.6.24-6~etchnhalf.9etch30:2.35-1+etch40:1.9.0+20060609-1etch40:1.8.5-4etch40:3.8.2-11.20:3.8.2-7+etch30:4.5.14-22etch130:4.7~rc2-7lenny30:0.9.8c-4etch90:0.9.7k-3.1etch50:0.9.8g-15+lenny50:1.3.12-6+lenny10:1.3.5-15+etch10:3.01-9.1+etch40:3.6-2etch30:3.8.1-3+lenny20:0.11.1-2etch20:1.1.7-13+etch10:1.1.11-3.2+lenny10:1.5.22-4+etch10:1.5.26-4+lenny10:2.0.0.16-0etch10:0.10.4-4+etch10:0.10.8-4.1~lenny20:1.6.dfsg.4~beta1-5lenny20:1.4.4-7etch81:1.2.11.dfsg-1+etch10:0.90.1dfsg-3etch100:2.9.6-4etch20:2.10.6-1+lenny10:4.5.14-22etch40:3.1-31sarge50:0.7.3-4etch11:1.2.13~dfsg-2etch40:1.17.dfsg-1+lenny10:1.15-1.1+etch20:0.6.5-3+etch10:0.99debian11+etch1-00:2.0.0.13-0etch11:1.4.4.4-2.1+etch10:2.2.1-5+etch31:4.2.4p4+dfsg-8lenny31:4.2.2.p4+dfsg-2etch40:1.2.1-10+etch10:1.4.4-4+lenny10:1.1.2.dfsg-1.4+etch10:1.2.0.dfsg-3.1+lenny10:2.5.9-7.etch.10:9.3.4-2etch60:9.5.1.dfsg.P3-1+lenny10:1.0.4-5etch20:1.0.8-1lenny20:3.0.STABLE8-3+lenny30:3.0.PRE5-5+etch20:2.7.STABLE3-4.1lenny10:2.6.5-6etch50:3.40.4-3.1+etch10:0.4-9+etch10:1.23-6+lenny10:1.21z-5+etch10:2.8.1-1+etch10:2.9.1-2+lenny10:7.15.5-1etch30:7.18.2-8lenny30:2.2.3-01-2+etch20:2.2.3-4+etch80:2.2.6-02-1+lenny10:2.2.9-10+lenny30:2.10.35lenny6-00:2.9.26etch4-00:1.20.5-3+lenny10:1.14.8-5+etch10:0.71-2etch10:2.6.5-6etch23.10:8.3.5-4sarge10:8.3.5-6etch20:2.2.13-10+etch20:2.2.13-14+lenny10:2.0-2+lenny20:2.0.dfsg1-4+lenny20:1.3.1.dfsg1-3+lenny20:1.3f.dfsg1-2+etch20:1.2.7-4etch40:1.15-1.1+etch10:1.6.7-5+etch10:2.4.2-1+lenny10:2.4.2-1+etch10:1.2.2+cvs20060620-4+etch10:2.0.3-4+etch10:2.4.4-3+etch30:2.5.2-15+lenny10:2.4.6-1+lenny10:2.5-5+etch20:1.4.13-4etch120:1.4.19-5+lenny10:0.4.5-5.1etch21:4.2.2.p4+dfsg-2etch10:3.1.3-4etch70:3.2.2+debian0-2+lenny20:5.2.3-7etch40:1.23.28+etch1-00:1.24.2.1+lenny1-00:0.8.6i-3.60:0.8.7b-2.1+lenny10:1.3.6-4etch10:1.4.2-0.1+lenny10:1.0~rc1-12etch20:1.4+OOo2.4.1+dfsg-1+lenny60:1.0+OOo2.4.1+dfsg-1+lenny50:1.0+OOo2.4.1+dfsg-1+lenny40:1.1.13.0+OOo2.4.1+dfsg-1+lenny50:1.4+OOo2.4.1+dfsg-1+lenny40:1.0.13.0+OOo2.4.1+dfsg-1+lenny40:1.0.10.0+OOo2.4.1+dfsg-1+lenny50:1.4+OOo2.4.1+dfsg-1+lenny50:2.0.4.dfsg.2-7etch80:2.0.4.dfsg.2-7etch90:0.7.6+OOo2.4.1+dfsg-1+lenny40:1.0.2+OOo2.4.1+dfsg-1+lenny40:1.0.13.0+OOo2.4.1+dfsg-1+lenny60:2.4.1+dfsg-1+lenny40:2.4.1+dfsg-1+lenny50:2.4.1+dfsg-1+lenny60:2.0.4-3+lenny10:2.0.2-11+etch10:2.7.4-1.1+lenny10:2.5.3-4.4+etch11:7.4.27-0etch10:8.3.9-0lenny10:8.1.19-0etch10:2.6.18.dfsg.1-26etch20:0.10-2+lenny10:0.9-2+etch10:5.0.32-7etch120:5.0.51a-24+lenny30:0.1.6-1+etch10:0.1.9-4+lenny10:1.95.8-3.4+etch20:2.0.1-4+lenny20:2.3.6.ds1-13etch100:2.7-18lenny20:8.13.8-3+etch10:8.14.3-5+lenny10:1.2.15~beta5-1+etch20:1.2.27-2+lenny20:2.6.18-1um-2etch.13etch60:1.17+etch.13etch6-00:2.6.18.dfsg.1-13etch60:1.0.16-20:2.6.18.dfsg.1-13etch20:2.0.3+dfsg1-2etch10:1.80-2.1etch10:7.15.5-1etch10:1.3.0-2etch20:5.1.0-2etch10:1.6.3-5etch10:3.9.5-2etch10:1.2.12.04-1etch16:4.4.4-8+etch40:1.2.2.1-1etch11:7.0-122+1etch31:7.4.17-0etch11:9.3.4-2etch10:8.1.9-0etch10:2.2.13-1etch10:1.4.4-7etch20:0.2.5.6rc1-2etch10:0.11.1-1.2etch10:3.0.3-0-34:2.9.1.1-40:2.0.4.dfsg.2-7etch11:0.6.6-3.1etch14:2.9.1.1-63:3.3.7-4etch10:1.73-2etch10:1.3.12p3-5etch10:1.0~rc1-12etch10:1.2-20:2.5.1-4etch20:1.4.13-4etch50:0.99.5-5etch31:1.1.4-10etch10:1.6.18-1etch10:1.1.19-30:0.71-2etch10:1.2.4-4.1+etch10:2.6.3-6etch20:0.50-1etch10:2.0.0.6+2.0.0.8-0etch10:2.6.3-6etch10:3.1.3-4etch20:2.0.0.10-0etch10:1.17+etch.13etch3-00:2.6.18.dfsg.1-13etch30:2.6.18-1um-2etch.13etch30:0.9.5-5etch10:5.0.32-7etch30:1.0~rc1-12etch20:0.99.5-5etch21:1.1.0-7etch10:5.5.20-2etch20:3.0.24-6etch84:3.5.5-3etch10:2.0.21-70:4.5.14-5etch10:0.14-2etch10:1.4.13-4etch60:0.90.1dfsg-3.1etch140:3.01-9.1+etch30:5.52-9etch10:3.1.4-1+etch10:4.2.2-4etch10:2.2.6-8etch10:1.0.2-1+etch10:1.0.10~pre070720-0etch10:1.4.13-4etch10:2.4.3.31-1etch10:0.1.4-2etch10:1.5.0.12.dfsg1-0etch10:0.8.6i-3.20:0.99debian11+etch1-00:2.6.24-6~etchnhalf.60:1.9.0+20060609-1etch20:0.7.5-2etch11:1.2.10+20061101-1etch10:1.8.5-4etch30:1.6.10-3etch10:0.1.14-beta-6etch20:3.1.3-4etch30:0.99.4-5.etch.22:10.0-11.1+etch10:2.0.0.13-0etch10:0.2.4+r1376-1.1+etch10:1.1.12-3etch10:1.17+etch.22etch3-00:2.6.18-1um-2etch.22etch30:2.6.18.dfsg.1-22etch30:1.4.4-7etch50:5.2.0-8+etch40:2.0.0.15-0etch10:2.0.4.dfsg.2-7etch60:1.6-2etch11:4.0.5-9.1etch10:2.3.8-2+etch10:1.2.5-4+etch10:1.8.0.15~pre080131b-0etch14:3.5.5-3etch20:1.4.15+etch1-00:1.4.13-4etch110:2.3-2etch10:1.1.2.dfsg-1.42:1.1.1-21etch30:2.6.18.dfsg.1-26etch20:0.8.6i-3.30:2.0pl5-19.5etch10:1.8.0.13~pre070720-0etch30:5.2.0-8+etch130:1.6.3-5.1+etch10:8.13.8-3+etch10:8.14.3-5+lenny10:2.4.11-1+lenny10:2.3.30-5+etch30:6.5+dfsg-1+etch10:2.0.10-1etch30:0.8.2-4etch20:6.3.6-1etch10:0.9.8c-4etch30:6.7+7.4-20:3.3-20:1.6.7-5+etch10:0.99.76-9+etch10:0.90.1-3etch10:3.01-9etch10:1.0.rc15-2etch10:3.0.24-6etch70:1.8.5-4etch20:1.0.1-1etch10:5.2.0-8+etch90:1.4-2etch10:0.99.4-5.etch.30:0.4.5-5.1etch20:2.5-5+etch10:0.6.2-1+etch00:2.6.18-1um-2etch.13etch50:2.6.18.dfsg.1-13etch50:1.17+etch.13etch5-00:5.0.32-7etch100:5.0.51a-24+lenny10:1.2.1-5+etch10:2.2.13-14+lenny30:2.2.13-5+lenny20:2.2.13-2+etch20:2.2.13-10+etch40:2.42a-7.1+etch10:8.3.5-6etch20:1.4.4-3+etch50:2.4.2-6+lenny20:0.98-1.1+etch10:8.1.11-0etch10:2.0.11-1etch10:2.0.0.18-0etch10:1.0.4-1+etch10:1.2.7-4etch60:2.0.0-1etch10:3.40.4-3.1+etch10:1.5.0-1etch22:1.1.1-21etch50:0.99.12p2-2+etch10:2.6.18.dfsg.1-18etch40:2.0.10-11:7.0-122+1etch50:1.39+1.40-WIP-2006.11.14+dfsg-2etch10:1.4.2-6etch10:2.0.10-1etch10:8.15.3.dfsg.1-1etch10:8.54.dfsg.1-5etch10:5.0.51a-24+lenny30:5.0.32-7etch120:1.0.12~pre080131b-0etch10:5.8.8-7etch30:1.3.0-19etch20:1.61.27-1+etch10:1.4.13-4etch90:2.2.1-5+etch20:1.6.3-2+etch10:1.16-2etch10:3.0.24-6etch21:1.2.13~dfsg-2etch40:2.6.18.dfsg.1-12etch20:2.5.1-4etch10:4.5.14-22etch80:0.10-1.50:5.8.8-7etch11:1.4.4.4-2.1+etch10:1.6.5-9etch10:0.59-1etch10:1.4.4-3+etch10:1.4.13-4etch70:1.1.19-20:1.8.0.13~pre070720-0etch10:1.5.3-1.2etch20:2.12r-19etch10:2.6.18.dfsg.1-23etch10:1.17+etch.23etch1-00:2.6.18-1um-2etch.23etch10:2.9.20-8+etch10:4.17-5etch20:1.5.9-2etch10:5.5.20-2etch31:1.6.1-2etch10:2.6.5-6etch10:8.4.12-1etch10:3.8.3-6etch10:5.2.3-7etch40:5.2.0-8+etch30:5.0.32-7etch50:2.6.24-6~etchnhalf.70:<end-of-life> (upstream has discontinued providing virus signatures for versions prior to 0.95)0:1.0.13~pre080323b-0etch21:9.3.4-2etch30:2.0.0.17-0etch17:2002edebian1-13.1+etch10:2.0.0.16-0etch10:1.8.0.15~pre080614h-0etch10:0.5.4-1.1etch01:1.2.11.dfsg-1+etch10:4.0.2.dfsg-30:251-7.5etch10:2.6.18.dfsg.1-18etch10:4.0.1-3.1etch10:4.00-1etch10:2.8.1-1+etch10:2.9.1-2+lenny10:2.6.18.dfsg.1-18etch34:2.9.1.1-90:1.8.0.14~pre071019b-0etch10:2.6.27.dfsg-30:2.2.13-1etch40:1.1.2+dfsg-50:2.6.24-6~etchnhalf.9etch30:3.1.4-1+etch20:0.8.1-2etch10:1.1.11-3.2+lenny10:1.1.7-13+etch10:2.2.1-5+etch30:1.0~rc1-12etch34:2.9.1.1-80:2.4.4-3+etch20:2.2.3-4+etch90:2.2.9-10+lenny40:2.0.0.5-0etch10:3.0.4-11etch10:1.3.0-2etch10:0.8.6-svn20061012.debian-5etch10:4.17-5etch10:2.0.0.4-0etch11:1.0.1-61:1.7~rc2-1etch10:2.0.4p01-170:1.8.0.12-0etch10:2.6.9-2etch10:2.6.18.dfsg.1-12etch16:4.4.4-8+etch20:2.6.18.dfsg.1-13etch10:1.4.4-7etch10:0.8.7-60:2.0.730-1etch10:2.0.0.6-0etch10:0.8.6-1etch10:1.0.9-0etch10:0.6.13-5etch10:3.6-2etch10:1.4.3-0.1etch10:2.6.18.dfsg.1-17etch10:3.3.8-7etch10:1.2.53-2etch10:1.2.5-2etch10:1.2.12.04-1etch20:6.7+7.4-30:0.8.3dfsg.1-2.1etch10:1.8.0.15~pre080323b-0etch10:0.4.2-1etch10:1.2-30:1.2.7-4etch50:4.0.2.dfsg-41:2.0.0+beta5-10etch10:1.2.7-4etch10:0.1217.toots.20060314-1etch00:2.1.3-1etch10:2.6.5-6etch40:1.3.0.0debian1-4+etch10:2.0.4.dfsg.2-7etch50:1.0.13~pre080323b-0etch10:3.0.24-6etch50:0.90.1-3etch30:1.33.5-00:0.0.20061018-5.1+etch10:1.33.4-00:3.0.24-6etch100:5.5.20-2etch10:2.6.24-6~etchnhalf.50:0.90.1-3etch40:1.3.1+1-10:0.90.1dfsg-3etch110:4.5.14-22etch10:2.35-1+etch40:1.0.13~pre080323b-0etch31:1.6.1-2etch20:4.6-1etch10:5.2.3-7etch20:0.6.16-3etch20:2.1.2-2.0.etch.10:2.1.1-4+etch10:1.1.2.dfsg-1.30:8.3.5-6etch10:0.99.2-9+etch20:1.0.10~pre070720-0etch30:3.0.3-0-40:2.6.18.dfsg.1-18etch60:2.2.1-3etch10:2.6.27.dfsg-20:1.2.7-4etch30:0.2.4-2+etch12:1.4.9a-30:2.1.4-1etch10:0.7.5-44:2.9.1.1-71:1.3-15etch20:0.6.13-5etch20:4.5.14-22etch20:6.7+7.4-40:1.9.0+20060609-1etch10:0.8.6-svn20061012.debian-30:1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch10:0.9.7k-3.1etch10:0.9.8c-4etch10:1.0.rc15-2etch30:1.17+etch.13etch3-00:2.6.18-1um-2etch.13etch30:2.6.18.dfsg.1-13etch30:2.6.14-1etch10:2.0.0.14-0etch10:1.5.3-1.2etch10:4.5.14-22etch30:1.2.7-4+etch80:1.3.8-1+lenny60:1.2.7-4etch40:1.15-1.1+etch11:2.1-4+etch10:4.2.1-2etch10:1.4.13-4etch40:5.0.32-7etch60:0.99.4-5.etch.00:0.7.0-2etch10:5.2.0-8+etch71:3.2.0b6-3.1etch12:1.1.1-21etch10:2.72.5etch2-00:1.0.rc15-2etch51:1.0.15-2.3+lenny10:0.1.1-1+etch10:1.0.11~pre071022-0etch10:5.2.0-8+etch110:2.3.8-2etch10:0.1217.toots.20060314-1etch11:4.3p2-9etch20:2.6.18.dfsg.1-18etch50:1.17+etch.18etch5-00:2.6.18-1um-2etch.18etch50:2.12r-15+etch10:4.21.0-18etch10:3.1.3-4etch40:3.6.8-5etch10:1.1.2+dfsg-70:1.1.2-80:8.4.12-1etch20:2.2.1-5+etch10:5.2.3-1.2+etch10:1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch10:1.0~rc1-12etch50:1.3.0.0debian1-4+etch20:0.1.8-1+etch10:1.0.2-1+etch20:0.27+etch1-00:5.8.8-7etch51:1.2.18-3etch10:2.3.30-5+etch20:2.0pl5-19.5etch20:0.90.1dfsg-4etch160:4.0.2+debian-44:3.5.5a.dfsg.1-6etch10:1.1.6-3etch10:1.1.2+dfsg-60:4.5.14-22etch40:0.4.5-5.1etch11:1.7~rc2-1etch20:0.8.2-4etch10:21.4a+1-3etch10:2.6.27.dfsg-50:0.6-2.1etch10:1.8.0.15~pre080614d-0etch16:4.4.4-8+etch30:1.2.7-4etch20:1.8.0.14~pre071019c-0etch10:0.4.5-5.1etch30:2.0.10-1etch20:1.6.4-11.10:2.4.4-3+etch10:0.8.6-svn20061012.debian-5.1+etch20:0.90.1dfsg-3etch100:4.17-5etch30:2.6.18.dfsg.1-22etch20:2.6.18-1um-2etch.22etch20:1.17+etch.22etch2-00:2.6.3.2.1.5+etch1-00:2.6.3.2.2-3+lenny10:2.4.5.1.1+etch1-00:2.8.7.1-1.1+lenny10:3.0.24-6etch90:1.9.0+20060609-1etch30:1.4.5-1etch10:1.4.4-7etch40:4.10.0-5.1+etch20:2.6.9-2etch20:5.0.32-7etch81:0.6.2-7etch10:1.0.13-5etch10:2.0.0.12-0etch10:5.0.30-12etch10:2.5.3-4.4+etch10:2.7.4-1.1+lenny10:0.15.0-1.1etch10:2.0.33-5.2etch10:1.5.0.13+1.5.0.15b.dfsg1-0etch20:0.4.13-2+etch30:0.6.32-3+lenny30:1.8.5-4etch10:2.3.30-5+etch10:2.6.27.dfsg-60:0.58-4+etch20:0.4-9+etch10:0.11.1-2etch20:1.8.0.7-1etch10:2.0.4.dfsg.2-7etch44:2.9.1.1-40:4.0.2+debian-50:2.0.3+dfsg1-2.2etch10:3.01-9.1+etch20:0.90.1-3etch80:4.5.14-22etch50:0.2.2-1etch10:0.99.4-5.etch.10:0.1.9-4+lenny10:0.1.6-1+etch10:2.0.4.dfsg.2-7etch20:1.8.0.15~pre080323b-0etch20:2.3.0-5.2+etch10:0.7.3-4etch11:1.2.13~dfsg-2etch10:0.9.2-3+etch11:2.4.12+dfsg-1.3+lenny21:2.4.6+dfsg.2-1.1+etch26:4.4.4-8+etch60:2.6-18.1+etch10:3.8.2-7+etch10:0.95.1-1etch20:1.0.1-70:7.4.19-0etch10:3.1.3-4etch10:2.6.18.dfsg.1-13etch40:2.4.6-1+lenny10:2.5-5+etch20:2.5.2-15+lenny10:2.4.4-3+etch31:1.2.13~dfsg-2etch20:0.14-2etch30:1.0.rc15-2etch42:1.4.9a-21:7.0-122+1etch30:3.0.PRE5-5+etch11:1.2.13~dfsg-2etch30:5.0.32-7etch40:1.17-7etch10:1.5.0.13+1.5.0.14b.dfsg1-0etch10:0.90.1-3etch70:1.8.0.15~pre080614i-0etch10:1.2.5-2+etch10:0.90.1dfsg-4etch150:1.1.6-2+etch10:1.1.14-1+lenny11:4.2.4p4+dfsg-8lenny31:4.2.2.p4+dfsg-2etch40:1.2.2+cvs20060620-4+etch10:4.0.2+debian-80:1.5.1dfsg1-40:1.4.2dfsg1-30:0.058-2+lenny30:0.045-3+etch30:1.4.0-3+lenny20:1.2.1-3+etch10:3.55-1+etch10:3.56-1+lenny10:4.1.1+X4.3.0-21+etch10:1.0.8-1lenny20:1.0.4-5etch20:2.2.3-01-2+etch40:2.2.3-4+etch100:2.2.3-01-2+etch20:2.2.6-02-1+lenny10:2.2.9-10+lenny30:2.2.3-4+etch80:1.65-4etch10:1.77-3+lenny10:9.3.4-2etch50:9.5.1.dfsg.P3-10:2.0.3-4+etch20:0.9.7k-3.1etch30:0.9.8g-15+lenny10:0.9.8c-4etch50:1.17.dfsg-1+lenny10:1.15-1.1+etch20:2.20-8+etch30:1:2.2.0-4+lenny34:2.11.8.1-5+lenny34:2.9.1.1-131:0.7.1-1.3+lenny21:0.6.6-3.1etch30:2.6.18.dfsg.1-26etch10:0.10.4-4+etch10:0.10.8-4.1~lenny21:9.5.1.dfsg.P3-1+lenny11:9.3.4-2etch61:9.5.1.dfsg.P3-1+lenny10:5.4.11-4+etch10:2.6-1etch10:0.9.7k-3.1etch50:0.9.8g-15+lenny50:0.9.8c-4etch94:2.11.8.1-5+lenny14:2.9.1.1-110:3.1.3-4etch60:3.2.2+debian0-2+lenny10:1.8.17-14+etch10:1.2.1-10+etch10:1.4.4-4+lenny10:8.1.18-0etch11:7.4.26-0etch10:8.3.8-0lenny10:1.7.1-9etch10:2.6-2+etch40:1.49-2+etch10:1.6.3-2+etch30:1.8.2.dfsg-3+lenny20:5.2.0+dfsg-8+etch150:5.2.6.dfsg.1-1+lenny30:0.6.5-3+etch10:2.6.18.dfsg.1-24etch20:1.17+etch.24etch2-00:2.6.18.dfsg.1-24etch10:2.6.32.dfsg-5+lenny10:2.6.27.dfsg-6+etch10:0.10.3-3.1+etch10:0.cvs20060823-8+etch10:0.svn20080206-17+lenny10:1.0.4-4+lenny10:1.0.4-2+etch10:0.6.6-4+lenny10:0.6.4-6+etch10:3.0-2+lenny20:3.0-2+etch20:2.0.1-4+lenny20:1.95.8-3.4+etch20:1.17+etch.24etch3-00:2.6.18.dfsg.1-24etch30:1.4.4-2+lenny10:2.12.4-2+etch10:2.16.6-1+lenny10:3.8.2-7+etch30:3.8.2-11.20:1.8.5-4etch40:1.9.0+20060609-1etch40:222-1etch30:2.5.9-7.etch.10:0.9-2+etch10:0.10-2+lenny10:1.28-1+etch10:2.10.35lenny6-00:2.9.26etch4-00:2.6.24-6~etchnhalf.8etch30:2.4.2-6+lenny10:1.4.4-3+etch40:4.0.18.1-7+etch10:2.2.3-01-2+etch4+b10:2.2.6-02-1+lenny2+b20:2.2.3-4+etch110:2.2.9-10+lenny61:1.3-15etch31:1.3-release-7+lenny10:222-1etch40:0.105-4etch10:0.125-7+lenny10:0.6.46.4-0.1+etch10:0.7.20.2+lenny1-00:1.23.28+etch1-00:1.24.2.1+lenny1-00:1.2.15~beta5-1+etch20:1.2.27-2+lenny20:0.94.dfsg.2-1lenny20:0.90.1dfsg-4etch190:0.11.1-1.2etch20:2.0.0.19-0etch10:2.2.98-2+etch10:2.10.35lenny7-00:2.9.26etch5-04:3.5.5-3etch44:3.5.9-3+lenny20:2.3.7-1.1+lenny10:3.0.7-3.lenny20:2.3.6-1+etch10:1.15-1.1+etch30:1.17.dfsg-1+lenny20:4.5.14-22etch120:4.7~rc2-7lenny20:0.10.7-2+lenny20:0.10.3-3.1+etch30:2.6.24-6~etchnhalf.8etch24:2.9.1.1-100:1.11.4-2+lenny10:1.10.2-2+etch10:7.15.5-1etch20:7.18.2-8lenny20:4.2.4-5+lenny30:2.8.0+dfsg-1+etch20:1.6.dfsg.4~beta1-5lenny20:1.4.4-7etch80:1.4.9a-50:1.4.15-4+lenny20:1.6.3-2+etch20:5.0.3-3+lenny40:4.10.0-5.1+etch40:1.5.6.5-3+lenny10:1.4.4.4-4+etch20:3.1.3-4etch50:1.1.0+cvs20060620-3+etch10:1.4.2-0.1+lenny10:1.3.6-4etch10:1.3.1-17lenny21:2.4.12+dfsg-1.3+lenny11:2.4.6+dfsg.2-1.1+etch10:2.5-1etch10:1.9.0.2-9lenny10:1.9.0+20060609-1etch50:1.8.5-4etch50:1.8.7.72-3lenny10:1.0.17-4+lenny20:1.0.16-2+etch20:2.6.24-6~etchnhalf.8etch10:4.1.3-4etch10:1.20.5-3+lenny10:1.14.8-5+etch10:5.2.0+dfsg-8+etch160:5.2.6.dfsg.1-1+lenny40:0.8.6i-3.60:0.8.7b-2.1+lenny10:1.2.7-4etch70:1.3.8-1lenny50:4.5.14-22etch110:4.7~rc2-7lenny10:1.17+etch.24etch4-00:2.6.18.dfsg.1-24etch40:0.9.7k-3.1etch20:0.9.8c-4etch40:7.18.2-8lenny30:7.15.5-1etch30:1.4.4-4etch10:0.9.9-1+etch10:1.0.7-3+lenny10:2.0.1-4+lenny10:1.95.8-3.4+etch10:4.2.4p4+dfsg-8lenny20:4.2.2.p4+dfsg-2etch30:3.1.4+v3.1.7-0+etch10:0.2.8.4-2+etch10:0.2.8.4-6+lenny10:0.8.6-svn20061012.debian-5.1+etch30:1.2.1-5+lenny10:1.0.2-1+etch30:2.0.3-4+etch10:2.10.6-1+lenny10:2.9.6-4etch20:1.4.13-4etch120:1.4.19-5+lenny10:0.4.7-1.1etch20:0.4.8-14+lenny10:2.0.4-3+lenny30:2.0.2-11+etch20:1.95.8-3.4+etch30:2.0.1-4+lenny30:1.1.12-1+etch10:1.2.2-1+lenny10:2.22.3-1.1+lenny20:1.6.3-5etch30:2.2.1-5+etch40:2.3.7-2+lenny10:3.6-2etch20:3.8.1-3+lenny11:1.4.4.4-4+etch31:1.5.6.5-3+lenny20:4:3.5.5a.dfsg.1-8etch30:1.2.7-90:1.2.12-5+lenny10:1.2.7+dfsg-2+etch30:1.2.12+dfsg-8+lenny40:1.3.0-19etch31:9.3.4-2etch40:4.2.5-1+lenny20:4.0.2+debian-90:2.6.24-6~etchnhalf.9etch10:1.4.2-6etch20:1.4.7.dfsg1-6+lenny10:1.0.8-1lenny10:1.0.4-5etch10:1.0+OOo2.4.1+dfsg-1+lenny30:1.4+OOo2.4.1+dfsg-1+lenny30:1.1.13.0+OOo2.4.1+dfsg-1+lenny30:1.0.10.0+OOo2.4.1+dfsg-1+lenny30:1.0.2+OOo2.4.1+dfsg-1+lenny30:1.0.13.0+OOo2.4.1+dfsg-1+lenny30:0.7.6+OOo2.4.1+dfsg-1+lenny30:2.0.4.dfsg.2-7etch60:2.0.4.dfsg.2-7etch71:2.4.1+dfsg-1+lenny30:2.3.6.ds1-13etch100:2.7-18lenny20:2.4.2-1+lenny10:2.4.2-1+etch17:6.3.7.9.dfsg2-1~lenny37:6.2.4.5.dfsg1-0.15+etch10:3.5.5a.dfsg.1-8etch20:3.5.10.dfsg.1-0lenny20:1:3.8.1-3+lenny10:1:3.8.1-1etch20:1.0.2-3+lenny70:0.99.4-5.etch.40:3.8.1-3+lenny20:3.6-2etch30:1.50-1+etch10:0.52.2-11.3+lenny10:0.52.2-10+etch10:3.0.STABLE8-3+lenny30:3.0.PRE5-5+etch20:2.7.STABLE3-4.1lenny10:2.6.5-6etch51:4.2.2.p4+dfsg-2etch10:1.0.13~pre080614i-0etch10:1.8+1.0.13~pre080614i-0etch14:3.5.9-3+lenny14:3.5.5-3etch30:2.0.4-3+lenny10:2.0.2-11+etch10:1:1.2.18-3etch20:1:1.2.26-2+lenny10:4.5.14-22etch90:4.5.14-22etch100:1.6.dfsg.4~beta1-5lenny10:1.4.4-7etch70:1.2.7+dfsg-2+etch20:1.2.12+dfsg-8+lenny20:0.045-3+etch20:2.0-2+lenny20:1.3f.dfsg1-2+etch20:2.0.dfsg1-4+lenny20:1.3.1.dfsg1-3+lenny20:0.6.32-3+lenny20:0.4.13-2+etch20:4.0.2+debian-70:8.62.dfsg.1-3.2lenny10:8.54.dfsg.1-5etch20:1.4.4.4-4+etch40:1.5.6.5-3+lenny30:2.6.20-1.20:2.6.14-1etch20:2.0.33-5.2etch20:2.0.36~rc1~dfsg-3+lenny10:1.1.0+cvs20060620-3+etch10:2.5.7-3.1etch10:2.0.10-1etch40:2.5.1-11+lenny10:1.7.0-3+lenny10:1.5.4-2+etch10:1:4.2.2.p4+dfsg-2etch40:1:4.2.4p4+dfsg-8lenny30:1.6.19-1.1+lenny10:1.6.18-1etch20:2.2.13-10+etch20:2.2.13-14+lenny10:3.0-2+lenny10:3.0-2+etch10:1.3.5-15+etch10:1.3.12-6+lenny10:8.1.19-0etch11:7.4.27-0etch10:8.3.9-0lenny10:1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch10:2.0.10-1etch50:4.3-3+etch10:4.3-3+lenny10:1.1.2.dfsg-1.4+etch10:1.2.0.dfsg-3.1+lenny10:1.0~rc1-12etch70:4.2.4-5+lenny10:2.8.0+dfsg-1+etch10:3.1.1-6+lenny20:3.0.4-13+etch22:1.4.15-4+lenny12:1.4.9a-40:1.4.4-3+etch30:1.4.4-3+etch20:1.0.17-4+lenny10:1.0.16-2+etch10:1.21z-5+etch10:1.23-6+lenny11:1.4.4.4-4+etch10:1.3f.dfsg1-2+etch10:1.3.1.dfsg1-3+lenny10:1.1.1-2+lenny10:1.1a-2+etch10:4.7~rc2-7lenny30:4.5.14-22etch130:5.0.32-7etch110:5.0.51a-24+lenny20:1.6.3-5etch20:2.22.3-1.1+lenny10:1.0.13.0+OOo2.4.1+dfsg-1+lenny40:1.0.13.0+OOo2.4.1+dfsg-1+lenny60:1.0+OOo2.4.1+dfsg-1+lenny50:1.1.13.0+OOo2.4.1+dfsg-1+lenny50:1.0+OOo2.4.1+dfsg-1+lenny40:1.4+OOo2.4.1+dfsg-1+lenny40:1.4+OOo2.4.1+dfsg-1+lenny60:0.7.6+OOo2.4.1+dfsg-1+lenny40:2.0.4.dfsg.2-7etch80:2.0.4.dfsg.2-7etch90:1.0.10.0+OOo2.4.1+dfsg-1+lenny50:2.4.1+dfsg-1+lenny40:1.4+OOo2.4.1+dfsg-1+lenny50:2.4.1+dfsg-1+lenny50:2.4.1+dfsg-1+lenny60:1.0.2+OOo2.4.1+dfsg-1+lenny40:1.5.26-4+lenny10:1.5.22-4+etch1mipsarmel0:1.2.1-3.2+etch15.00:3.1.3-4etch70:3.2.2+debian0-2+lenny24.00:0.2.6-6+etch1sparcppchppamipsels390xarmi686ia64alphax86-64