Jump to content


NEW UPDATES Debian

debian updates sunrat bruno v.t. eric layton

  • Please log in to reply
1351 replies to this topic

#401 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 18 April 2012 - 11:09 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2453-2                   security@debian.org
http://www.debian.org/security/                                Nico Golde
April 19, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gajim
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2012-2093 CVE-2012-2086 CVE-2012-2085
Debian bug     : 668038

It was discovered that the last security update for gajim, DSA-2453-1,
introduced a regression in certain environments.

For the stable distribution (squeeze), this problem has been fixed in
version 0.13.4-3+squeeze3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#402 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 19 April 2012 - 09:55 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2454-1                   security@debian.org
http://www.debian.org/security/                          Raphael Geissert
April 19, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0884 CVE-2012-1165 CVE-2012-2110

Multiple vulnerabilities have been found in OpenSSL. The Common
Vulnerabilities and Exposures project identifies the following issues:

CVE-2012-0884

Ivan Nestlerode discovered a weakness in the CMS and PKCS #7
implementations that could allow an attacker to decrypt data
via a Million Message Attack (MMA).

CVE-2012-1165

It was discovered that a NULL pointer could be dereferenced
when parsing certain S/MIME messages, leading to denial of
service.

CVE-2012-2110

Tavis Ormandy, Google Security Team, discovered a vulnerability
in the way DER-encoded ASN.1 data is parsed that can result in
a heap overflow.


Additionally, the fix for CVE-2011-4619 has been updated to address an
issue with SGC handshakes.

For the stable distribution (squeeze), these problems have been fixed in
version 0.9.8o-4squeeze11.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.1a-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#403 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 20 April 2012 - 08:01 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2455-1                   security@debian.org
http://www.debian.org/security/                                Nico Golde
April 20, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : typo3-src
Vulnerability  : missing input sanitization
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2012-2112
Debian bug     : 669158

Helmut Hummel of the typo3 security team discovered that typo3, a web
content management system, is not properly sanitizing output of the
exception handler.  This allows an attacker to conduct cross-site
scripting attacks if either third-party extensions are installed that do
not sanitize this output on their own or in the presence of extensions
using the extbase MVC framework which accept objects to controller actions.


For the stable distribution (squeeze), this problem has been fixed in
version 4.3.9+dfsg1-1+squeeze4.

For the testing (wheezy) and unstable (sid) distributions, this problem
will be fixed soon.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#404 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 02 May 2012 - 08:21 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2456-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 23, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dropbear
Vulnerability  : use after free
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0920

Danny Fullerton discovered a use-after-free in the Dropbear SSH daemon,
resulting in potential execution of arbitrary code. Exploitation is
limited to users, who have been authenticated through public key
authentication and for which command restrictions are in place.

For the stable distribution (squeeze), this problem has been fixed in
version 0.52-5+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 2012.55-1.

For the unstable distribution (sid), this problem has been fixed in
version 2012.55-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2457-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 24, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0467 CVE-2012-0470 CVE-2012-0471 CVE-2012-0477
                 CVE-2012-0479

Several vulnerabilities have been discovered in Iceweasel, a web
browser based on Firefox. The included XULRunner library provides
rendering services for several other applications included in Debian.

CVE-2012-0467

   Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary
   Kwong, Hilary Hall, Honza Bambas, Jesse Ruderman, Julian Seward,
   and Olli Pettay discovered memory corruption bugs, which may lead
   to the execution of arbitrary code.

CVE-2012-0470

   Atte Kettunen discovered that a memory corruption bug in
   gfxImageSurface may lead to the execution of arbitrary code.

CVE-2012-0471

   Anne van Kesteren discovered that incorrect multibyte octet
   decoding may lead to cross-site scripting.

CVE-2012-0477

   Masato Kinugawa discovered that incorrect encoding of
   Korean and Chinese character sets may lead to cross-site scripting.

CVE-2012-0479

   Jeroen van der Gun discovered a spoofing vulnerability in the
   presentation of Atom and RSS feeds over HTTPS.

For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-14.

For the unstable distribution (sid), this problem has been fixed in
version 10.0.4esr-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2458-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 24, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceape
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0455 CVE-2012-0456 CVE-2012-0458 CVE-2012-0461
                 CVE-2012-0467 CVE-2012-0470 CVE-2012-0471 CVE-2012-0477
                 CVE-2012-0479

Several vulnerabilities have been found in the Iceape internet suite,
an unbranded version of Seamonkey:

CVE-2012-0455

   Soroush Dalili discovered that a cross-site scripting countermeasure
   related to Javascript URLs could be bypassed.

CVE-2012-0456

   Atte Kettunen discovered an out of bounds read in the SVG Filters,
   resulting in memory disclosure.

CVE-2012-0458

   Mariusz Mlynski discovered that privileges could be escalated through
   a Javascript URL as the home page.

CVE-2012-0461

   Bob Clary discovered memory corruption bugs, which may lead to the
   execution of arbitrary code.

CVE-2012-0467

   Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary
   Kwong, Hilary Hall, Honza Bambas, Jesse Ruderman, Julian Seward,
   and Olli Pettay discovered memory corruption bugs, which may lead
   to the execution of arbitrary code.

CVE-2012-0470

   Atte Kettunen discovered that a memory corruption bug in
   gfxImageSurface may lead to the execution of arbitrary code.

CVE-2012-0471

   Anne van Kesteren discovered that incorrect multibyte octet
   encoding may lead to cross-site scripting.

CVE-2012-0477

   Masato Kinugawa discovered that incorrect encoding of
   Korean and Chinese character sets may lead to cross-site scripting.

CVE-2012-0479

   Jeroen van der Gun discovered a spoofing vulnerability in the
   presentation of Atom and RSS feeds over HTTPS.

For the stable distribution (squeeze), this problem has been fixed in
version 2.0.11-11

For the unstable distribution (sid), this problem will be fixed soon.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2454-2                   security@debian.org
http://www.debian.org/security/                          Raphael Geissert
April 24, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2131

Tomas Hoger, Red Hat, discovered that the fix for CVE-2012-2110 for
the 0.9.8 series of OpenSSL was incomplete. It has been assigned the
CVE-2012-2131 identifier.

For reference, the original description of CVE-2012-2110 from DSA-2454-1
is quoted below:

CVE-2012-2110

Tavis Ormandy, Google Security Team, discovered a vulnerability
in the way DER-encoded ASN.1 data is parsed that can result in
a heap overflow.

For the stable distribution (squeeze), this problem has been fixed in
version 0.9.8o-4squeeze12.

The testing distribution (wheezy), and the unstable distribution (sid),
are not affected by this issue.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2460-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 25, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1183 CVE-2012-2414 CVE-2012-2415

Several vulnerabilities were discovered in the Asterisk PBX and telephony
toolkit:

CVE-2012-1183

   Russell Bryant discovered a buffer overflow in the Milliwatt
   application.

CVE-2012-2414

   David Woolley discovered a privilege escalation in the Asterisk
   manager interface.

CVE-2012-2415

   Russell Bryant discovered a buffer overflow in the Skinny driver.

For the stable distribution (squeeze), this problem has been fixed in
version 1:1.6.2.9-2+squeeze5.

For the unstable distribution (sid), this problem will be fixed soon.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2459-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
April 26, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : quagga
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0249 CVE-2012-0250 CVE-2012-0255

Several vulnerabilities have been discovered in Quagga, a routing
daemon.

CVE-2012-0249
A buffer overflow in the ospf_ls_upd_list_lsa function in the
OSPFv2 implementation allows remote attackers to cause a
denial of service (assertion failure and daemon exit) via a
Link State Update (aka LS Update) packet that is smaller than
the length specified in its header.

CVE-2012-0250
A buffer overflow in the OSPFv2 implementation allows remote
attackers to cause a denial of service (daemon crash) via a
Link State Update (aka LS Update) packet containing a
network-LSA link-state advertisement for which the
data-structure length is smaller than the value in the Length
header field.

CVE-2012-0255
The BGP implementation does not properly use message buffers
for OPEN messages, which allows remote attackers impersonating
a configured BGP peer to cause a denial of service (assertion
failure and daemon exit) via a message associated with a
malformed AS4 capability.

This security update upgrades the quagga package to the most recent
upstream release.  This release includes other corrections, such as
hardening against unknown BGP path attributes.

For the stable distribution (squeeze), these problems have been fixed
in version 0.99.20.1-0+squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 0.99.20.1-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2461-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 26, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : not yet available

Several vulnerabilities have been found in SPIP, a website engine for
publishing, resulting in cross-site scripting, script code injection
and bypass of restrictions.

For the stable distribution (squeeze), this problem has been fixed in
version 2.1.1-3squeeze3.

For the testing distribution (wheezy), this problem has been fixed in
version 2.1.13-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.1.13-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2462-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 29, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0259 CVE-2012-0260 CVE-2012-1185 CVE-2012-1186
                 CVE-2012-1610 CVE-2012-1798

Several integer overflows and missing input validations were discovered
in the ImageMagick image manipulation suite, resulting in the execution
of arbitrary code or denial of service.

For the stable distribution (squeeze), this problem has been fixed in
version 6.6.0.4-3+squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 8:6.7.4.0-5.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2463-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 02, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
Vulnerability  : missing permission checks
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2111

Ivano Cristofolini discovered that insufficient security checks in
Samba's handling of LSA RPC calls could lead to privilege escalation
by gaining the "take ownership" privilege.

For the stable distribution (squeeze), this problem has been fixed in
version 3.5.6~dfsg-3squeeze8.

For the unstable distribution (sid), this problem has been fixed in
version 3.6.5-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#405 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 03 May 2012 - 10:10 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2464-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 02, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0467 CVE-2012-0470 CVE-2012-0471 CVE-2012-0477
                 CVE-2012-0479

Several vulnerabilities have been discovered in Icedove, an unbranded
version of the Thunderbird mail/news client.

CVE-2012-0467

   Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary
   Kwong, Hilary Hall, Honza Bambas, Jesse Ruderman, Julian Seward,
   and Olli Pettay discovered memory corruption bugs, which may lead
   to the execution of arbitrary code.

CVE-2012-0470

   Atte Kettunen discovered that a memory corruption bug in
   gfxImageSurface may lead to the execution of arbitrary code.

CVE-2012-0471

   Anne van Kesteren discovered that incorrect multibyte octet
   decoding may lead to cross-site scripting.

CVE-2012-0477

   Masato Kinugawa discovered that incorrect encoding of
   Korean and Chinese character sets may lead to cross-site scripting.

CVE-2012-0479

   Jeroen van der Gun discovered a spoofing vulnerability in the
   presentation of Atom and RSS feeds over HTTPS.

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.11-1+squeeze9.

For the unstable distribution (sid), this problem will be fixed soon.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2462-2                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 3, 2012                            http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0259 CVE-2012-0260 CVE-2012-1185 CVE-2012-1186
                 CVE-2012-1610 CVE-2012-1798

The initial update introduced a regression, which could lead to errors
when processing some JPEG files.

For the stable distribution (squeeze), this problem has been fixed in
version 6.6.0.4-3+squeeze3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#406 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 04 May 2012 - 07:19 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2459-2                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
May 04, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : quagga
Vulnerability  : regression
Problem type   : remote
Debian-specific: no

The recent quagga update, DSA-2459-1, introduced a memory leak in the
bgpd process in some configurations.

For the stable distribution (squeeze), this problem has been fixed in
version 0.99.20.1-0+squeeze2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#407 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 08 May 2012 - 09:49 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2464-2                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
May 08, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
Debian Bug     : 671408 671410

The latest security update, DSA-2464-1, for Icedove, Debian's version
of the Mozilla Thunderbird mail client, contained a regression: the
removal of UTF-7 support resulted in incorrect display of IMAP folder
names.

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.11-1+squeeze10.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#408 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 09 May 2012 - 08:38 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2465-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1172 CVE-2012-1823 CVE-2012-2311

De Eindbazen discovered that PHP, when run with mod_cgi, will
interpret a query string as command line parameters, allowing to
execute arbitrary code.

Additionally, this update fixes insufficient validation of upload
name which lead to corrupted $_FILES indices.

For the stable distribution (squeeze), this problem has been fixed in
version 5.3.3-7+squeeze9.

The testing distribution (wheezy) will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 5.4.3-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2466-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : rails
Vulnerability  : cross site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1099
Debian Bug     : 668607

Sergey Nartimov discovered that in Rails, a Ruby based framework for
web development, when developers generate html options tags manually,
user input concatenated with manually built tags may not be escaped
and an attacker can inject arbitrary HTML into the document.

For the stable distribution (squeeze), this problem has been fixed in
version 2.3.5-1.2+squeeze3.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 2.3.14.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-2467-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mahara
Vulnerability  : insecure defaults
Problem type   : remote
Debian-specific: no

It was discovered that Mahara, the portfolio, weblog, and resume builder,
had an insecure default with regards to SAML-based authentication used
with more than one SAML identity provider. Someone with control over one
IdP could impersonate users from other IdP's.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.6-2+squeeze4.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 1.4.2-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2422-2                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : file
Vulnerability  : regression fix
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1571

A regression was discovered in the security update for file, which
lead to false positives on the CDF format. This update fixes that
regression. For reference the original advisory text follows.

The file type identification tool, file, and its associated library,
libmagic, do not properly process malformed files in the Composite
Document File (CDF) format, leading to crashes.

Note that after this update, file may return different detection
results for CDF files (well-formed or not). The new detections are
believed to be more accurate.

For the stable distribution (squeeze), this problem has been fixed in
version 5.04-5+squeeze2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2468-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
May 09, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libjakarta-poi-java
Vulnerability  : unbounded memory allocation
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2012-0213

It was discovered that Apache POI, a Java implementation of the
Microsoft Office file formats, would allocate arbitrary amounts of
memory when processing crafted documents.  This could impact the
stability of the Java virtual machine.

For the stable distribution (squeeze), this problem has been fixed in
version 3.6+dfsg-1+squeeze1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#409 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 10 May 2012 - 08:51 PM

- ----------------------------------------------------------------------
Debian Security Advisory DSA-2469-1                security@debian.org
http://www.debian.org/security/                           Dann Frazier
May 10, 2012                        http://www.debian.org/security/faq
- ----------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : privilege escalation/denial of service
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2011-4086 CVE-2012-0879 CVE-2012-1601 CVE-2012-2123
                 CVE-2012-2133

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2011-4086

    Eric Sandeen reported an issue in the journaling layer for EXT4 filesystems
    (jbd2). Local users can cause buffers to be accessed after they have been
    torn down, resulting in a denial of service (DoS) due to a system crash.

CVE-2012-0879

    Louis Rilling reported two reference counting issues in the CLONE_IO
    feature of the kernel. Local users can prevent io context structures
    from being freed, resulting in a denial of service.

CVE-2012-1601

    Michael Ellerman reported an issue in the KVM subsystem. Local users could
    cause a denial of service (NULL pointer dereference) by creating VCPUs
    before a call to KVM_CREATE_IRQCHIP.

CVE-2012-2123

    Steve Grubb reported in an issue in fcaps, a filesystem-based capabilities
    system. Personality flags set using this mechanism, such as the disabling
    of address space randomization, may persist across suid calls.

CVE-2012-2133

    Shachar Raindel discovered a use-after-free bug in the hugepages
    quota implementation. Local users with permission to use hugepages
    via the hugetlbfs implementation may be able to cause a denial of
    service (system crash).

For the stable distribution (squeeze), this problem has been fixed in version
2.6.32-44. Updates are currently only available for the amd64, i386 and sparc
ports.

NOTE: Updated linux-2.6 packages will also be made available in the release
of Debian 6.0.5, scheduled to take place the weekend of 2012.05.12. This
pending update will be version 2.6.32-45, and provides an additional fix for
build failures on some architectures. Users for whom this update is not
critical, and who may wish to avoid multiple reboots, should consider waiting
for the 6.0.5 release before updating, or installing the 2.6.32-45 version
ahead of time from proposed-updates.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

                                             Debian 6.0 (squeeze)
     user-mode-linux                         2.6.32-1um-4+44
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#410 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 11 May 2012 - 09:55 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2670-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
May 11, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3122 CVE-2011-3125 CVE-2011-3126 CVE-2011-3127
                 CVE-2011-3128 CVE-2011-3129 CVE-2011-3130 CVE-2011-4956
                 CVE-2011-4957 CVE-2012-2399 CVE-2012-2400 CVE-2012-2401
                 CVE-2012-2402 CVE-2012-2403 CVE-2012-2404
Debian Bug     : 670124

Several vulnerabilities were identified in Wordpress, a web blogging
tool.  As the CVEs were allocated from releases announcements and
specific fixes are usually not identified, it has been decided to
upgrade the Wordpress package to the latest upstream version instead
of backporting the patches.

This means extra care should be taken when upgrading, especially when
using third-party plugins or themes, since compatibility may have been
impacted along the way.  We recommend that users check their install
before doing the upgrade.

For the stable distribution (squeeze), those problems have been fixed in
version 3.3.2+dfsg-1~squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), those problems have been fixed in version 3.3.2+dfsg-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#411 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 13 May 2012 - 10:38 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2471-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 13, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2011-3892 CVE-2011-3893 CVE-2011-3895 CVE-2011-3929
                 CVE-2011-3936 CVE-2011-3940 CVE-2011-3947 CVE-2012-0853
                 CVE-2012-0947

Several vulnerabilities have been discovered in FFmpeg, a multimedia
player, server and encoder. Multiple input validations in the decoders/
demuxers for Westwood Studios VQA, Apple MJPEG-B, Theora, Matroska,
Vorbis, Sony ATRAC3, DV, NSV, files could lead to the execution of
arbitrary code.

These issues were discovered by Aki Helin, Mateusz Jurczyk, Gynvael
Coldwind, and Michael Niedermayer.

For the stable distribution (squeeze), this problem has been fixed in
version 4:0.5.8-1.

For the unstable distribution (sid), this problem has been fixed in
version 6:0.8.2-1 of libav.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2457-2                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 13, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceweasel / icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0467 CVE-2012-0470 CVE-2012-0471 CVE-2012-0477
                 CVE-2012-0479

The updates DSA-2457 and DSA-2458 for Iceweasel and Icedove introduced
a regression, which could lead to crashes when interpreting some
Javascript statements.

For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-15 for Iceweasel and 2.0.11-12 for Icedove.

The unstable distribution (sid) is not affected.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#412 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 16 May 2012 - 02:41 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2472-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
May 15, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gridengine
Vulnerability  : privilege escalation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0208

Dave Love discovered that users who are allowed to submit jobs to a
Grid Engine installation can escalate their privileges to root because
the environment is not properly sanitized before creating processes.

For the stable distribution (squeeze), this problem has been fixed in
version 6.2u5-1squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 6.2u5-6.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#413 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 16 May 2012 - 07:55 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2473-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
May 16, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2012-1149

Tielei Wang discovered that OpenOffice.org does not allocate a large
enough memory region when processing a specially crafted JPEG object,
leading to a heap-based buffer overflow and potentially arbitrary code
execution.

For the stable distribution (squeeze), this problem has been fixed in
version 1:3.2.1-11+squeeze5.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 1:3.4.5-1 of the
libreoffice package.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#414 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 18 May 2012 - 05:04 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2474-1                   security@debian.org
http://www.debian.org/security/                          Raphael Geissert
May 16, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ikiwiki
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0220

Raúl Benencia discovered that ikiwiki, a wiki compiler, does not
properly escape the author (and its URL) of certain metadata, such as
comments. This might be used to conduct cross-site scripting attacks.

For the stable distribution (squeeze), this problem has been fixed in
version 3.20100815.9.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.20120516.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2475-1                   security@debian.org
http://www.debian.org/security/                          Raphael Geissert
May 17, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
Vulnerability  : integer underflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2333

It was discovered that openssl did not correctly handle explicit
Initialization Vectors for CBC encryption modes, as used in TLS 1.1,
1.2, and DTLS. An incorrect calculation would lead to an integer
underflow and incorrect memory access, causing denial of service
(application crash.)

For the stable distribution (squeeze), this problem has been fixed in
version 0.9.8o-4squeeze13.

For the testing distribution (wheezy), and the unstable distribution
(sid), this problem has been fixed in version 1.0.1c-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#415 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 19 May 2012 - 07:21 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2476-1                   security@debian.org
http://www.debian.org/security/                        Jonathan Wiltshire
May 19, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pidgin-otr
Vulnerability  : format string vulnerability
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2369
Debian Bug     : 673154

intrigeri discovered a format string error in pidgin-otr, an off-the-record
messaging plugin for Pidgin.

This could be exploited by a remote attacker to cause arbitrary code to
be executed on the user's machine.

The problem is only in pidgin-otr. Other applications which use libotr are
not affected.

For the stable distribution (squeeze), this problem has been fixed in
version 3.2.0-5+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 3.2.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.2.1-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#416 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 20 May 2012 - 09:02 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2477-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
May 20, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sympa
Vulnerability  : authorization bypass
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2352
Debian Bug     :

Several vulnerabilities have been discovered in Sympa, a mailing list
manager, that allow to skip the scenario-based authorization
mechanisms. This vulnerability allows to display the archives
management page, and download and delete the list archives by
unauthorized users.

For the stable distribution (squeeze), this problem has been fixed in
version 6.0.1+dfsg-4+squeeze1.

For the testing distribution (wheezy), this problem will be fixed
soon.

For the unstable distribution (sid), this problem has been fixed in
version 6.1.11~dfsg-2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#417 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 23 May 2012 - 09:30 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2478-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sudo
Vulnerability  : parsing error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2337

It was discovered that sudo misparsed network masks used in Host and
Host_List stanzas. This allowed the execution of commands on hosts,
where the user would not be allowed to run the specified command.

For the stable distribution (squeeze), this problem has been fixed in
version 1.7.4p4-2.squeeze.3.

For the unstable distribution (sid), this problem will be fixed soon.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2479-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxml2
Vulnerability  : off-by-one
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3102

Jueri Aedla discovered an off-by-one in libxml2, which could result in
the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze4.

For the unstable distribution (sid), this problem has been fixed in
version 2.7.8.dfsg-9.1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#418 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 24 May 2012 - 09:00 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 24, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-2082 CVE-2011-2083 CVE-2011-2084 CVE-2011-2085
                 CVE-2011-4458 CVE-2011-4459 CVE-2011-4460

Several vulnerabilities were discovered in Request Tracker, an issue
tracking system:

CVE-2011-2082

   The vulnerable-passwords scripts introduced for CVE-2011-0009
   failed to correct the password hashes of disabled users.

CVE-2011-2083

   Several cross-site scripting issues have been discovered.

CVE-2011-2084

   Password hashes could be disclosed by privileged users.

CVE-2011-2085

   Several cross-site request forgery vulnerabilities have been
   found. If this update breaks your setup, you can restore the old
   behaviour by setting $RestrictReferrer to 0.

CVE-2011-4458

   The code to support variable envelope return paths allowed the
   execution of arbitrary code.

CVE-2011-4459

   Disabled groups were not fully accounted as disabled.

CVE-2011-4460

   SQL injection vulnerability, only exploitable by privileged users.


For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 4.0.5-3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#419 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 29 May 2012 - 08:44 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-2                   security@debian.org
http://www.debian.or...    Florian Weimer
May 29, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : regression
Problem type   : remote
Debian-specific: no

It was discovered that the recent request-tracker3.8 update,
DSA-2480-1, introduced a regression which caused outgoing mail to fail
when running under mod_perl.

Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually.  The "restart"
mechanism is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#420 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 31 May 2012 - 09:01 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2483-1                   security@debian.org
http://www.debian.or... Yves-Alexis Perez
May 31, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : strongswan
Vulnerability  : authentication bypass
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2388

An authentication bypass issue was discovered by the Codenomicon CROSS
project in strongSwan, an IPsec-based VPN solution. When using
RSA-based setups, a missing check in the gmp plugin could allow an
attacker presenting a forged signature to successfully authenticate
against a strongSwan responder.

The default configuration in Debian does not use the gmp plugin for
RSA operations but rather the OpenSSL plugin, so the packages as
shipped by Debian are not vulnerable.

For the stable distribution (squeeze), this problem has been fixed in
version 4.4.1-5.2.

For the testing distribution (wheezy), this problem has been fixed in
version 4.5.2-1.4.

For the unstable distribution (sid), this problem has been fixed in
version 4.5.2-1.4.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#421 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 02 June 2012 - 09:31 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2484-1                   security@debian.org
http://www.debian.or... Thijs Kinkhorst
June 02, 2012                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nut
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2944
Debian Bug     : 675203

Sebastian Pohle discovered that upsd, the server of Network UPS Tools
(NUT) is vulnerable to a remote denial of service attack.

For the stable distribution (squeeze), this problem has been fixed in
version 2.4.3-1.1squeeze2.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem will be fixed soon.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2481-1                   security@debian.org
http://www.debian.or... Yves-Alexis Perez
June 2, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : arpwatch
Vulnerability  : fails to drop supplementary groups
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2653
Debian Bug     : 674715

Steve Grubb from Red Hat discovered that a patch for arpwatch (as shipped at
least in Red Hat and Debian distributions) in order to make it drop root
privileges would fail to do so and instead add the root group to the list of
the daemon uses.

For the stable distribution (squeeze), this problem has been fixed in
version 2.1a15-1.1+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 2.1a15-1.2.

For the unstable distribution (sid), this problem has been fixed in
version 2.1a15-1.2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2482-1                   security@debian.org
http://www.debian.or... Yves-Alexis Perez
June 2, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libgdata
Vulnerability  : insufficient certificate validation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2653
Debian Bug     : 664032

Vreixo Formoso discovered that libgdata, a library used to access various
Google services, wasn't validating certificates against trusted system
root CAs when using an https connection.

For the stable distribution (squeeze), this problem has been fixed in
version 0.6.4-2+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 0.10.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 0.10.2-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#422 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 03 June 2012 - 08:46 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2485-1                   security@debian.org
http://www.debian.or... Thijs Kinkhorst
June 3, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imp4
Vulnerability  : cross site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0791
Debian Bug     : 659392

Multiple cross-site scripting (XSS) vulnerabilities were discovered in
IMP, the webmail component in the Horde framework. The vulnerabilities
allow remote attackers to inject arbitrary web script or HTML via various
crafted parameters.

For the stable distribution (squeeze), this problem has been fixed in
version 4.3.7+debian0-2.2.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem will be fixed soon.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#423 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 05 June 2012 - 08:59 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2486-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
June 05, 2012                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1667

It was discovered that BIND, a DNS server, can crash while processing
resource records containing no data bytes.  Both authoritative servers
and resolvers are affected.

For the stable distribution (squeeze), this problem has been fixed in
version 1:9.7.3.dfsg-1~squeeze5.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#424 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 07 June 2012 - 10:05 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-3                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
June 07, 2012                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : regression
Debian Bug     : 674924 675369

The recent security updates for request-tracker3.8, DSA-2480-1 and
DSA-2480-2, contained another regression when running under mod_perl.

Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually.  The "restart"
mechanism is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2487-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
June 07, 2012                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2012-1149 CVE-2012-2334

It was discovered that OpenOffice.org would not properly process
crafted document files, possibly leading to arbitrary code execution.

CVE-2012-1149
Integer overflows in PNG image handling

CVE-2012-2334
Integer overflow in operator new[] invocation and heap-based
buffer overflow inside the MS-ODRAW parser

For the stable distribution (squeeze), this problem has been fixed in
version 1:3.2.1-11+squeeze6.

For the unstable distribution (sid), these problems have been fixed in
version 1:3.5.2~rc2-1 of the libreoffice package.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2488-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
June 7, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2012-1937 CVE-2012-1940 CVE-2012-1947

Several vulnerabilities have been discovered in Iceweasel, a web
browser based on Firefox. The included XULRunner library provides
rendering services for several other applications included in Debian.

CVE-2012-1937

  Mozilla developers discovered several memory corruption bugs,
  which may lead to the execution of arbitrary code.

CVE-2012-1940

  Abhishek Arya discovered a use-after-free problem when working
  with column layout with absolute positioning in a container that
  changes size, which may lead to the execution of arbitrary code.

CVE-2012-1947

  Abhishek Arya discovered a heap buffer overflow in utf16 to latin1
  character set conersion, allowing to execute arbitray code.


Note: We'd like to advise users of Iceweasel's 3.5 branch in Debian
stable to consider to upgrade to the Iceweasel 10.0 ESR (Extended
Support Release) which is now availble in Debian Backports.
Although Debian will continue to support Iceweasel 3.5 in stable with
security updates, this can only be done on a best effort base as
upstream provides no such support anymore. On top of that, the 10.0
branch adds proactive security features to the browser.

For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-16.

For the unstable distribution (sid), this problem has been fixed in
version 10.0.5esr-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2489-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
June 7, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceape
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2012-1937 CVE-2012-1940 CVE-2012-1947

Several vulnerabilities have been found in the Iceape internet suite,
an unbranded version of Seamonkey.

CVE-2012-1937

  Mozilla developers discovered several memory corruption bugs,
  which may lead to the execution of arbitrary code.

CVE-2012-1940

  Abhishek Arya discovered a use-after-free problem when working
  with column layout with absolute positioning in a container that
  changes size, which may lead to the execution of arbitrary code.

CVE-2012-1947

  Abhishek Arya discovered a heap buffer overflow in utf16 to latin1
  character set conersion, allowing to execute arbitray code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.0.11-13.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem will be fixed soon.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2490-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
June 7, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0441

Kaspar Brand discovered that Mozilla's Network Security Services (NSS)
library did insufficient length checking in the QuickDER decoder,
allowing to crash a program using the library.

For the stable distribution (squeeze), this problem has been fixed in
version 3.12.8-1+squeeze5.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 2:3.13.4-3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#425 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,346 posts

Posted 09 June 2012 - 10:12 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2491-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
June 09, 2012                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-8.4
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2143 CVE-2012-2655

Two vulnerabilities were discovered in PostgreSQL, an SQL database
server:

CVE-2012-2143
The crypt(text, text) function in the pgcrypto contrib module
did not handle certain passwords correctly, ignoring
characters after the first character which does not fall into
the ASCII range.

CVE-2012-2655
SECURITY DEFINER and SET attributes for a call handler of a
procedural language could crash the database server.

In addition, this update contains reliability and stability fixes from
the 8.4.12 upstream release.

For the stable distribution (squeeze), this problem has been fixed in
version 8.4.12-0squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 8.4.12-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.





Also tagged with one or more of these keywords: debian, updates, sunrat, bruno, v.t. eric layton

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users