Security Digest: February 11, 2005
Feb 12, 2005, 04:45

Debian GNU/Linux

Debian Security Advisory DSA 674-2 security@debian.org
Package : mailman

Due to an error the last mailman update was slightly broken and had to be corrected. This advisory only updates the packages updated with DSA 674-1. For completeness, the original advisory text follows:

Two security related problems have been discovered in mailman, the web-based GNU mailing list manager. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2004-1177
Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft a URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page that would include the malicious code verbatim.

CAN-2005-0202
Several listmasters have noticed unauthorised access to archives of private lists and to the list configuration itself, including the users' passwords. Administrators are advised to check the webserver logfiles for requests that contain "/...../" and the path to the archives or configuration. This only seems to affect installations running on web servers that do not strip slashes, such as Apache 1.3.

For the stable distribution (woody) these problems have been fixed in version 2.0.11-1woody10.
For the unstable distribution (sid) these problems have been fixed in version 2.1.5-6.

We recommend that you upgrade your mailman package.

Upgrade Instructions

wget url will fetch the file for you will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update will update the internal database
apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10.dsc
Alpha architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_alpha.deb
ARM architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_arm.deb
Intel IA-32 architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_i386.deb
Intel IA-64 architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_ia64.deb
HP Precision architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_hppa.deb
Motorola 680x0 architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_m68k.deb
Big endian MIPS architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_mips.deb
Little endian MIPS architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_mipsel.deb
PowerPC architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_powerpc.deb
IBM S/390 architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_s390.deb
Sun Sparc architecture:
  http://security.debian.org/pool/updates/main/m/mailman/mailman_2.0.11-1woody10_sparc.deb

These files will probably be moved into the stable distribution on its next update.

Debian Security Advisory DSA 676-1 security@debian.org
Package : xpcd

Erik Sjölund discovered a buffer overflow in pcdsvgaview, an SVGA PhotoCD viewer. xpcd-svga is part of xpcd and uses svgalib to display graphics on the Linux console, for which root permissions are required. A malicious user could overflow a fixed-size buffer and may cause the program to execute arbitrary code with elevated privileges.

For the stable distribution (woody) this problem has been fixed in version 2.08-8woody3.
For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your xpcd-svga package immediately.

Upgrade Instructions

wget url will fetch the file for you will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update will update the internal database
apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3.dsc
Alpha architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_alpha.deb
ARM architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_arm.deb
Intel IA-32 architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_i386.deb
Intel IA-64 architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_ia64.deb
HP Precision architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_hppa.deb
Motorola 680x0 architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_m68k.deb
Big endian MIPS architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_mips.deb
Little endian MIPS architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_mipsel.deb
PowerPC architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_powerpc.deb
IBM S/390 architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_s390.deb
Sun Sparc architecture:
  http://security.debian.org/pool/updates/main/x/xpcd/xpcd_2.08-8woody3_sparc.deb

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Debian Security Advisory DSA 677-1 security@debian.org
Package : sympa

Erik Sjölund discovered that a support script of sympa, a mailing list manager, is running setuid sympa and is vulnerable to a buffer overflow. This could potentially lead to the execution of arbitrary code under the sympa user id.

For the stable distribution (woody) this problem has been fixed in version 3.3.3-3woody2.
For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your sympa package.

Upgrade Instructions

wget url will fetch the file for you will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update will update the internal database
apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2.dsc
Architecture independent components:
  http://security.debian.org/pool/updates/main/s/sympa/wwsympa_3.3.3-3woody2_all.deb
Alpha architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_alpha.deb
ARM architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_arm.deb
Intel IA-32 architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_i386.deb
Intel IA-64 architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_ia64.deb
HP Precision architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_hppa.deb
Motorola 680x0 architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_m68k.deb
Big endian MIPS architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_mips.deb
Little endian MIPS architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_mipsel.deb
PowerPC architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_powerpc.deb
IBM S/390 architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_s390.deb
Sun Sparc architecture:
  http://security.debian.org/pool/updates/main/s/sympa/sympa_3.3.3-3woody2_sparc.deb

These files will probably be moved into the stable distribution on its next update.

Debian Security Advisory DSA 678-1 security@debian.org
Package : netkit-rwho

"Vlad902" discovered a vulnerability in the rwhod program that can be used to crash the listening process. The broadcasting one is unaffected. This vulnerability only affects little endian architectures (i.e. on Debian: alpha, arm, alpha, ia64, i386, mipsel and s390).

For the stable distribution (woody) this problem has been fixed in version 0.17-4woody2.
For the unstable distribution (sid) this problem has been fixed in version 0.17-8.

We recommend that you upgrade your rwhod package.

Upgrade Instructions

wget url will fetch the file for you will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update will update the internal database
apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/netkit-rwho_0.17-4woody2.dsc
Alpha architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_alpha.deb
ARM architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_arm.deb
Intel IA-32 architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_i386.deb
Intel IA-64 architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_ia64.deb
HP Precision architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_hppa.deb
Motorola 680x0 architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_m68k.deb
Big endian MIPS architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_mips.deb
Little endian MIPS architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_mipsel.deb
PowerPC architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_powerpc.deb
IBM S/390 architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_s390.deb
Sun Sparc architecture:
  http://security.debian.org/pool/updates/main/n/netkit-rwho/rwho_0.17-4woody2_sparc.deb

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Legacy

Fedora Legacy Update Advisory
Synopsis: Updated gpdf package fixes security issues

1. Topic:
An updated gpdf package that fixes a number of integer overflow security flaws is now available. GPdf is a viewer for Portable Document Format (PDF) files for GNOME.

2. Relevant releases/architectures:
Fedora Core 1 - i386

3. Problem description:
During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of xpdf. These issues also affect gpdf as it is based on xpdf source code. An attacker could construct a carefully crafted PDF file that could cause gpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0888 to this issue.

A buffer overflow flaw was found in the Gfx::doImage function of Xpdf. This flaw also affects gpdf as it is based on xpdf source code. An attacker could construct a carefully crafted PDF file that could cause gpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-1125 to this issue.

A buffer overflow flaw was found when processing the /Encrypt /Length tag. An attacker could construct a carefully crafted PDF file that could cause gpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0064 to this issue.
Users of gpdf are advised to upgrade to this errata package, which contains backported patches correcting these issues.

4. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:
http://bugzilla.fedora.us - bug #2353 - xpdf buffer overflows apply to gpdf

6. RPMs required:
Fedora Core 1:
SRPM:
i386:

7. Verification:
SHA1 sum                                  Package Name
63438a137ac33d1355bc6b8065fef0a03dde7e68  fedora/1/updates/i386/gpdf-0.110-1.4.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:
rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:
sha1sum <filename>

8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888

9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

Fedora Legacy Update Advisory
Synopsis: Updated iptables packages resolve security issues

1. Topic:
Updated iptables packages that correct a security problem are now available. The iptables utility controls the network packet filtering code in the Linux kernel.

2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386

3. Problem description:
Under certain conditions, iptables did not properly load the required modules at system startup, which caused the firewall rules to fail to load and protect the system from remote attackers. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0986 to this issue.

Users of iptables are advised to upgrade to these errata packages, which contain backported patches correcting these issues.

4. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:
http://bugzilla.fedora.us - bug #2252 - iptables May Fail to Automatically Load Some Modules

6. RPMs required:
Red Hat Linux 7.3:
SRPM:
i386:
Red Hat Linux 9:
SRPM:
i386:
Fedora Core 1:
SRPM:
i386:

7. Verification:
SHA1 sum                                  Package Name
83895bb3697fc2c0a6442a12a481e5670a4c4e36  redhat/7.3/updates/i386/iptables-1.2.8-8.73.1.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:
rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:
sha1sum <filename>

8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0986

9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

Fedora Legacy Update Advisory
Synopsis: Updated Xpdf package fixes security issues

1. Topic:
Updated Xpdf packages that fix several security issues are now available. Xpdf is an X Window System based viewer for Portable Document Format (PDF) files.

2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386

3. Problem description:
During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0888 to this issue.

A buffer overflow flaw was found in the Gfx::doImage function of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-1125 to this issue.

A buffer overflow flaw was found when processing the /Encrypt /Length tag. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened.
The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2005-0064 to this issue.

Users of xpdf are advised to upgrade to these errata packages, which contain backported patches correcting these issues.

4. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:
http://bugzilla.fedora.us - bug #2352 - xpdf 3.00 Buffer overflow

6. RPMs required:
Red Hat Linux 7.3:
SRPM:
i386:
Red Hat Linux 9:
SRPM:
i386:
Fedora Core 1:
SRPM:
i386:

7. Verification:
SHA1 sum                                  Package Name
423ffbb749b7ee88eeb10e6a859eeb0bf065e14f  redhat/7.3/updates/i386/xpdf-1.00-7.4.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:
rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:
sha1sum <filename>

8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888

9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

Fedora Legacy Update Advisory
Synopsis: Updated gaim package resolves security issues

1. Topic:
An updated gaim package that fixes security issues and various bugs is now available. The gaim application is a multi-protocol instant messaging client.

2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386

3. Problem description:
A buffer overflow has been discovered in the MSN protocol handler. When receiving an unexpected sequence of MSNSLP messages, it is possible that an attacker could cause an internal buffer overflow, leading to a crash or possible code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0891 to this issue.

This updated gaim package also fixes multiple user interface, protocol, and error handling problems, including an ICQ communication encoding issue.

Users of gaim are advised to upgrade to this updated package, which contains gaim version 1.0.2 and is not vulnerable to these issues.

4. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:
http://bugzilla.fedora.us - bug #2188 - gaim MSN protocol buffer overflow.

6. RPMs required:
Red Hat Linux 7.3:
SRPM:
i386:
Red Hat Linux 9:
SRPM:
i386:
Fedora Core 1:
SRPM:
i386:

7. Verification:
SHA1 sum                                  Package Name
a174d3f8283b608124a7d1061d951d3f44eaf5df  redhat/7.3/updates/i386/gaim-1.0.2-0.FC0.73.0.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:
rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:
sha1sum <filename>

8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0891

9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200502