:Security Digest: February 9, 2005
Security Digest: February 9, 2005 0 Talkback[s]
Debian GNU/Linux
Debian Security Advisory DSA 671-1 security@debian.org http://www.debian.org/security/ Martin Schulzehttp://www.debian.org/security/faq
Package : xemacs21
Max Vozeler discovered several format string vulnerabilities in the
movemail utility of Emacs, the well-known editor. Via connecting to a
malicious POP server an attacker can execute arbitrary code under the
privileges of group mail.
For the stable distribution (woody) these problems have been fixed in
version 21.4.6-8woody2.
For the unstable distribution (sid) these problems have been fixed in
version 21.4.16-2.
We recommend that you upgrade your emacs packages.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
Source archives:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21_21.4.6-8woody2.dsc http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21_21.4.6-8woody2.diff.gz http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21_21.4.6.orig.tar.gz
Architecture independent components:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-support_21.4.6-8woody2_all.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-supportel_21.4.6-8woody2_all.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21_21.4.6-8woody2_all.deb
Alpha architecture:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-bin_21.4.6-8woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule_21.4.6-8woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule-canna-wnn_21.4.6-8woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-nomule_21.4.6-8woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule_21.4.6-8woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule-canna-wnn_21.4.6-8woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-nomule_21.4.6-8woody2_alpha.deb
ARM architecture:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-bin_21.4.6-8woody2_arm.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule_21.4.6-8woody2_arm.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule-canna-wnn_21.4.6-8woody2_arm.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-nomule_21.4.6-8woody2_arm.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule_21.4.6-8woody2_arm.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule-canna-wnn_21.4.6-8woody2_arm.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-nomule_21.4.6-8woody2_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-bin_21.4.6-8woody2_i386.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule_21.4.6-8woody2_i386.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule-canna-wnn_21.4.6-8woody2_i386.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-nomule_21.4.6-8woody2_i386.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule_21.4.6-8woody2_i386.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule-canna-wnn_21.4.6-8woody2_i386.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-nomule_21.4.6-8woody2_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-bin_21.4.6-8woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule_21.4.6-8woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule-canna-wnn_21.4.6-8woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-nomule_21.4.6-8woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule_21.4.6-8woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule-canna-wnn_21.4.6-8woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-nomule_21.4.6-8woody2_ia64.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-bin_21.4.6-8woody2_mips.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule_21.4.6-8woody2_mips.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule-canna-wnn_21.4.6-8woody2_mips.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-nomule_21.4.6-8woody2_mips.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule_21.4.6-8woody2_mips.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule-canna-wnn_21.4.6-8woody2_mips.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-nomule_21.4.6-8woody2_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-bin_21.4.6-8woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule_21.4.6-8woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule-canna-wnn_21.4.6-8woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-nomule_21.4.6-8woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule_21.4.6-8woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule-canna-wnn_21.4.6-8woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-nomule_21.4.6-8woody2_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-bin_21.4.6-8woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule_21.4.6-8woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule-canna-wnn_21.4.6-8woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-nomule_21.4.6-8woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule_21.4.6-8woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule-canna-wnn_21.4.6-8woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-nomule_21.4.6-8woody2_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-bin_21.4.6-8woody2_s390.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule_21.4.6-8woody2_s390.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule-canna-wnn_21.4.6-8woody2_s390.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-nomule_21.4.6-8woody2_s390.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule_21.4.6-8woody2_s390.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule-canna-wnn_21.4.6-8woody2_s390.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-nomule_21.4.6-8woody2_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-bin_21.4.6-8woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule_21.4.6-8woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-mule-canna-wnn_21.4.6-8woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-gnome-nomule_21.4.6-8woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule_21.4.6-8woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-mule-canna-wnn_21.4.6-8woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xemacs21/xemacs21-nomule_21.4.6-8woody2_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
Debian Security Advisory DSA 672-1 security@debian.org http://www.debian.org/security/ Martin Schulzehttp://www.debian.org/security/faq
Package : xview
Erik Sjölund discovered that programs linked against xview are
vulnerable to a number of buffer overflows in the XView library. When
the overflow is triggered in a program which is installed setuid root
a malicious user could perhaps execute arbitrary code as privileged
user.
For the stable distribution (woody) these problems have been fixed in
version 3.2p1.4-16woody2.
For the unstable distribution (sid) these problems have been fixed in
version 3.2p1.4-19.
We recommend that you upgrade your xview packages.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
Source archives:
http://security.debian.org/pool/updates/main/x/xview/xview_3.2p1.4-16woody2.dsc http://security.debian.org/pool/updates/main/x/xview/xview_3.2p1.4-16woody2.diff.gz http://security.debian.org/pool/updates/main/x/xview/xview_3.2p1.4.orig.tar.gz
Alpha architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_alpha.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_alpha.deb
ARM architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_arm.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_arm.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_arm.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_arm.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_arm.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_i386.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_i386.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_i386.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_i386.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_i386.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_ia64.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_hppa.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_hppa.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_hppa.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_hppa.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_hppa.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_m68k.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_m68k.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_m68k.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_m68k.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_m68k.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_mips.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_mips.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_mips.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_mips.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_mips.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_mipsel.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_powerpc.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_s390.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_s390.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_s390.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_s390.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_s390.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/x/xview/olvwm_4.4.3.2p1.4-16woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xview/olwm_3.2p1.4-16woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xview/xview-clients_3.2p1.4-16woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xview/xview-examples_3.2p1.4-16woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xview/xviewg_3.2p1.4-16woody2_sparc.deb http://security.debian.org/pool/updates/main/x/xview/xviewg-dev_3.2p1.4-16woody2_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> ;
Fedora Core
Product : Fedora Core 2
Description :
This update fixes the CAN-2005-0100 movemail vulnerability
and backports current bug fixes.
Fri Feb 04 2005 Jens Petersen <petersen@redhat.com> - 21.3-21
fix CAN-2005-0100 movemail vulnerability with movemail-CAN-2005-0100.patch (Max Vozeler, 146702)
Fri Jan 14 2005 Jens Petersen <petersen@redhat.com> - 21.3-20
workaround xorg-x11 modifier key problem with emacs-21.3-xterm-modifiers-137868.patch (Thomas Woerner, 137868)
Mon Nov 29 2004 Jens Petersen <petersen@redhat.com> - 21.3-19
prefer XIM status under-the-window for now to stop xft httx from dying (125413): add emacs-xim-status-under-window-125413.patch
default diff to unified format in .emacs
Thu Nov 04 2004 Jens Petersen <petersen@redhat.com> - 21.3-18
show emacs again in the desktop menu (132567)
Mon Oct 18 2004 Jens Petersen <petersen@redhat.com> - 21.3-17
fix etag alternatives removal when uninstalling (Karsten Hopp, 136137)
Fri Oct 15 2004 Jens Petersen <petersen@redhat.com> - 21.3-16
do not setup frame-title-format in default.el, since it will override setting by users (Henrik Bakken, 134520)
emacs-el no longer requires emacs for the sake of -nox users (Lars Hupfeldt Nielsen, 134479)
condition calling of global-font-lock-mode in default .emacs in case xemacs should happen to load it
Wed Sep 29 2004 Jens Petersen <petersen@redhat.com> - 21.3-15
cleanup and update .desktop file
make emacs not appear in the desktop menu (Seth Nickell,132567)
move the desktop file from -common to main package
go back to using just gctags for ctags
etags is now handled by alternatives (92256)
improve the default frame title by prefixing the buffer name (Christopher Beland, 128110)
fix the names of some European aspell languages with emacs-21.3-lisp-textmodes-ispell-languages.patch (David Jansen, 122618)
fixing running "libtool gdb program" in gud with emacs-21.3-gud-libtool-fix.patch (Dave Malcolm, 130955)
Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
Fri Apr 30 2004 Jens Petersen <petersen@redhat.com> - 21.3-13
unset focus-follows-mouse in default.el to make switching frames work for click-to-focus (Theodore Belding,114736)
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
13175c9b1a0da9b3746d266346bae299 SRPMS/emacs-21.3-21.FC2.src.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
Product : Fedora Core 3
Description :
This package provides an emacs binary with support for X windows.
This update fixes the CAN-2005-0100 movemail vulnerability
and backports the latest bug fixes.
Fri Feb 04 2005 Jens Petersen <petersen@redhat.com> - 21.3-21
fix CAN-2005-0100 movemail vulnerability with movemail-CAN-2005-0100.patch
(Max Vozeler, 146702)
Fri Jan 14 2005 Jens Petersen <petersen@redhat.com> - 21.3-20
workaround xorg-x11 modifier key problem with
emacs-21.3-xterm-modifiers-137868.patch (Thomas Woerner, 137868)
Mon Nov 29 2004 Jens Petersen <petersen@redhat.com> - 21.3-19
prefer XIM status under-the-window for now to stop xft httx from dying
125413): add emacs-xim-status-under-window-125413.patch
default diff to unified format in .emacs
Thu Nov 04 2004 Jens Petersen <petersen@redhat.com> - 21.3-18
show emacs again in the desktop menu (132567)
require fonts-xorg-75dpi to prevent empty boxes at startup due to missing
fonts (Johannes Kaiser, 137060)
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
1ae44786c50272b20eaaa6227867897d SRPMS/emacs-21.3-21.FC3.src.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
Product : Fedora Core 3
Description :
Includes:
Tue Feb 08 2005 Than Ngo <than@redhat.com> 7:3.3.1-2.4
More fixing of CAN-2004-0888 patch (bug #135393)
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
bbd0e8802ae49e3d7b86aa2754170736 SRPMS/kdegraphics-3.3.1-2.4.src.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
Product : Fedora Core 2
Description :
Includes:
Wed Feb 09 2005 Than Ngo <than@redhat.com> 7:3.2.2-1.4
More fixing of CAN-2004-0888 patch (bug #135393)
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
b0ab4e86dfa7dde5597783a6b9e39af5 SRPMS/kdegraphics-3.2.2-1.4.src.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
Product : Fedora Core 2
Description :
Wed Feb 09 2005 Than Ngo <than@redhat.com> 1:3.00-3.8
More fixing of CAN-2004-0888 patch (bug #135393, #147524)
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
a777638c15179245eb18823e87706869 SRPMS/xpdf-3.00-3.8.src.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
Product : Fedora Core 3
Description :
Wed Feb 09 2005 Than Ngo <than@redhat.com> 1:3.00-10.4
More fixing of CAN-2004-0888 patch (bug #135393, #147524)
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
e8887f97797ba45ba63feab0d6bb6eeb SRPMS/xpdf-3.00-10.4.src.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
Gentoo Linux
http://security.gentoo.org/
Severity: High
Python-based XML-RPC servers may be vulnerable to remote execution of
arbitrary code.
Python is an interpreted, interactive, object-oriented, cross-platform
programming language.
1 dev-lang/python <= 2.3.4 >= 2.3.4-r1
*>= 2.3.3-r2
*>= 2.2.3-r6
Graham Dumpleton discovered that XML-RPC servers making use of the
SimpleXMLRPCServer library that use the register_instance() method to
register an object without a _dispatch() method are vulnerable to a
flaw allowing to read or modify globals of the associated module.
A remote attacker may be able to exploit the flaw in such XML-RPC
servers to execute arbitrary code on the server host with the rights of
the XML-RPC server.
Python users that don't make use of any SimpleXMLRPCServer-based
XML-RPC servers, or making use of servers using only the
register_function() method are not affected.
All Python users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose dev-lang/python
[ 1 ] CAN-2005-0089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0089
[ 2 ] Python PSF-2005-001
http://www.python.org/security/PSF-2005-001/
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200502-09.xml
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org .
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
http://security.gentoo.org/
Severity: Normal
pdftohtml includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to execution of arbitrary code upon converting a malicious
PDF file.
pdftohtml is a utility to convert PDF files to HTML or XML formats. It
makes use of Xpdf code to decode PDF files.
Xpdf is vulnerable to a buffer overflow, as described in GLSA
200501-28.
An attacker could entice a user to convert a specially-crafted PDF
file, potentially resulting in the execution of arbitrary code with the
rights of the user running pdftohtml.
There is no known workaround at this time.
All pdftohtml users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/pdftohtml-0.36-r3"
[ 1 ] GLSA 200501-28
http://www.gentoo.org/security/en/glsa/glsa-200501-28.xml
[ 2 ] CAN-2005-0064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200502-10.xml
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org .
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Mandrakelinux
Mandrakelinux Security Update Advisory
Package name: perl-DBI
Problem Description:
Javier Fernandez-Sanguino Pena disovered the perl5 DBI library created
a temporary PID file in an insecure manner, which could be exploited
by a malicious user to overwrite arbitrary files owned by the user
executing the parts of the library.
The updated packages have been patched to prevent these problems.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0077
Updated Packages:
Mandrakelinux 10.0:
Mandrakelinux 10.0/AMD64:
Mandrakelinux 10.1:
Mandrakelinux 10.1/X86_64:
Corporate Server 2.1:
Corporate Server 2.1/X86_64:
Corporate 3.0:
Corporate 3.0/X86_64:
Mandrakelinux 9.2:
Mandrakelinux 9.2/AMD64:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesoft.com/security/advisories
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
Mandrakelinux Security Update Advisory
Package name: perl
Problem Description:
Jeroen van Wolffelaar discovered that the rmtree() function in the perl
File::Path module would remove directories in an insecure manner which
could lead to the removal of arbitrary files and directories via a
symlink attack (CAN-2004-0452).
Trustix developers discovered several insecure uses of temporary files
in many modules which could allow a local attacker to overwrite files
via symlink attacks (CAN-2004-0976).
"KF" discovered two vulnerabilities involving setuid-enabled perl
scripts. By setting the PERLIO_DEBUG environment variable and calling
an arbitrary setuid-root perl script, an attacker could overwrite
arbitrary files with perl debug messages (CAN-2005-0155). As well,
calling a setuid-root perl script with a very long path would cause a
buffer overflow if PERLIO_DEBUG was set, which could be exploited to
execute arbitrary files with root privileges (CAN-2005-0156).
The provided packages have been patched to resolve these problems.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0976 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0155 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0156
Updated Packages:
Mandrakelinux 10.0:
Mandrakelinux 10.0/AMD64:
Mandrakelinux 10.1:
Mandrakelinux 10.1/X86_64:
Corporate Server 2.1:
Corporate Server 2.1/X86_64:
Corporate 3.0:
Corporate 3.0/X86_64:
Mandrakelinux 9.2:
Mandrakelinux 9.2/AMD64:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesoft.com/security/advisories
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
