:Advisories: October 3, 2005
Advisories: October 3, 2005 0 Talkback[s]
Debian GNU/Linux
Debian Security Advisory DSA 833-1 security@debian.org http://www.debian.org/security/ Martin Schulzehttp://www.debian.org/security/faq
Package : mysql-dfsg-4.1
A stack-based buffer overflow in the init_syms function of MySQL, a
popular database, has been discovered that allows remote authenticated
users who can create user-defined functions to execute arbitrary code
via a long function_name field. The ability to create user-defined
functions is not typically granted to untrusted users.
The following vulnerability matrix explains which version of MySQL in
which distribution has this problem fixed:
woody sarge sid mysql 3.23.49-8.14 n/a n/a mysql-dfsg n/a 4.0.24-10sarge1 4.0.24-10sarge1 mysql-dfsg-4.1 n/a 4.1.11a-4sarge2 4.1.14-2 mysql-dfsg-5.0 n/a n/a 5.0.11beta-3
We recommend that you upgrade your mysql-dfsg-4.1 packages.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge2.dsc http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge2.diff.gz http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz
Architecture independent components:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge2_all.deb
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_alpha.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_alpha.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_alpha.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_alpha.deb
AMD64 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_amd64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_amd64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_amd64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_amd64.deb
ARM architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_arm.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_arm.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_arm.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_i386.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_i386.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_i386.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_ia64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_ia64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_ia64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_hppa.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_hppa.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_hppa.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_m68k.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_m68k.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_m68k.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge1_mips.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_mips.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_mips.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_mipsel.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_mipsel.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_mipsel.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_powerpc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_powerpc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_powerpc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_s390.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_s390.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_s390.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge2_sparc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge2_sparc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge2_sparc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge2_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
Debian Security Advisory DSA 834-1 security@debian.org http://www.debian.org/security/ Martin Schulzehttp://www.debian.org/security/faq
Package : prozilla
Tavis Ormandy discovered a buffer overflow in prozilla, a
multi-threaded download accelerator, which may be exploited to execute
arbitrary code.
For the old stable distribution (woody) this problem has been fixed in
version 1.3.6-3woody3.
The stable distribution (sarge) does not contain prozilla packages.
The unstable distribution (sid) does not contain prozilla packages.
We recommend that you upgrade your prozilla package.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
Source archives:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3.dsc http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3.diff.gz http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6.orig.tar.gz
Alpha architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_alpha.deb
ARM architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/p/prozilla/prozilla_1.3.6-3woody3_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
Debian Security Advisory DSA 835-1 security@debian.org http://www.debian.org/security/ Martin Schulzehttp://www.debian.org/security/faq
Package : cfengine
Javier Fernández-Sanguino Peña discovered several insecure temporary
file uses in cfengine, a tool for configuring and maintaining
networked machines, that can be exploited by a symlink attack to
overwrite arbitrary files owned by the user executing cfengine, which
is probably root.
For the old stable distribution (woody) these problems have been fixed in
version 1.6.3-9woody1.
For the stable distribution (sarge) these problems have been fixed in
version 1.6.5-1sarge1.
For the unstable distribution (sid) these problems have will be fixed soon.
We recommend that you upgrade your cfengine package.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
Source archives:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1.dsc http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1.diff.gz http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3.orig.tar.gz
Architecture independent components:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine-doc_1.6.3-9woody1_all.deb
Alpha architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_alpha.deb
ARM architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.3-9woody1_sparc.deb
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1.dsc http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1.diff.gz http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5.orig.tar.gz
Architecture independent components:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine-doc_1.6.5-1sarge1_all.deb
Alpha architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_alpha.deb
AMD64 architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_amd64.deb
ARM architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/c/cfengine/cfengine_1.6.5-1sarge1_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
Debian Security Advisory DSA 836-1 security@debian.org http://www.debian.org/security/ Martin Schulzehttp://www.debian.org/security/faq
Package : cfengine2
Javier Fernández-Sanguino Peña discovered insecure temporary file use
in cfengine2, a tool for configuring and maintaining networked
machines, that can be exploited by a symlink attack to overwrite
arbitrary files owned by the user executing cfengine, which is
probably root.
The old stable distribution (woody) is not affected by this problem.
For the stable distribution (sarge) these problems have been fixed in
version 2.1.14-1sarge1.
For the unstable distribution (sid) these problems will be fixed soon.
We recommend that you upgrade your cfengine2 package.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1.dsc http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1.diff.gz http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14.orig.tar.gz
Architecture independent components:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2-doc_2.1.14-1sarge1_all.deb
Alpha architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_alpha.deb
AMD64 architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_amd64.deb
ARM architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/c/cfengine2/cfengine2_2.1.14-1sarge1_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
Debian Security Advisory DSA 837-1 security@debian.org http://www.debian.org/security/ Martin Schulzehttp://www.debian.org/security/faq
Package : mozilla-firefox
Tom Ferris discovered a bug in the IDN hostname handling of Mozilla
Firefox, which is also present in the other browsers from the same
family that allows remote attackers to cause a denial of service and
possibly execute arbitrary code via a hostname with dashes.
For the stable distribution (sarge) this problem has been fixed in
version 1.0.4-2sarge4.
For the unstable distribution (sid) this problem has been fixed in
version 1.0.6-5.
We recommend that you upgrade your mozilla-firefox package.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4.dsc http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4.diff.gz http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_alpha.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_alpha.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_alpha.deb
AMD64 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_amd64.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_amd64.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_amd64.deb
ARM architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_arm.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_arm.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_i386.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_i386.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_ia64.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_ia64.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_hppa.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_hppa.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_m68k.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_m68k.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_mips.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_mips.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_mipsel.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_mipsel.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_powerpc.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_powerpc.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_s390.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_s390.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge4_sparc.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge4_sparc.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge4_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
Debian Security Advisory DSA 838-1 security@debian.org http://www.debian.org/security/ Michael Stonehttp://www.debian.org/security/faq
Package : mozilla-firefox
Multiple security vulnerabilities have been identified in the
mozilla-firefox web browser. These vulnerabilities could allow an
attacker to execute code on the victim's machine via specially crafted
network resources.
CAN-2005-2701
Heap overrun in XBM image processing
CAN-2005-2702
Denial of service (crash) and possible execution of arbitrary
code via Unicode sequences with "zero-width non-joiner"
characters.
CAN-2005-2703
XMLHttpRequest header spoofing
CAN-2005-2704
Object spoofing using XBL <implements>
CAN-2005-2705
JavaScript integer overflow
CAN-2005-2706
Privilege escalation using about: scheme
CAN-2005-2707
Chrome window spoofing allowing windows to be created without
UI components such as a URL bar or status bar that could be
used to carry out phishing attacks
For the stable distribution (sarge), these problems have been fixed in
version 1.0.4-2sarge5
For the unstable distribution (sid), these problems have been fixed in
version 1.0.7-1
We recommend that you upgrade your mozilla-firefox package.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5.dsc http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5.diff.gz http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_alpha.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_alpha.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_alpha.deb
AMD64 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_amd64.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_amd64.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_amd64.deb
ARM architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_arm.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_arm.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_i386.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_i386.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_ia64.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_ia64.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_hppa.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_hppa.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_m68k.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_m68k.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_mips.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_mips.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_mipsel.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_mipsel.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_powerpc.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_powerpc.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_powerpc.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_sparc.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_sparc.deb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
For apt-get: deb http://security.debian.org/ stable/updates mainftp://security.debian.org/debian-security dists/stable/updates/maindebian-security-announce@lists.debian.org http://packages.debian.org/<pkg>
Mandriva Linux
Mandriva Linux Security Update Advisory
Package name: kernel
Problem Description:
A number of vulnerabilities in the 2.6 Linux kernel have been corrected
with these updated packages:
An array index overflow in the xfrm_sk_policy_insert function could
allow a local user to cause a Denial of Service (oops or deadlock) and
possibly execute arbitrary code (CAN-2005-2456).
The zlib routines in the Linux 2.6 kernel before 2.6.12.5 allowed a
remote attacker to cause a DoS (crash) via a compressed file with
"improper tables" (CAN-2005-2458).
The huft_build function in the zlib routines in Linux 2.6 kernels prior
to 2.6.12.5 returned the wrong value, allowing remote attackers to
cause a DoS (crash) via a certain compressed file (CAN-2005-2459).
A stack-based buffer overflow in the sendmsg function call in Linux 2.6
kernels prior to 2.6.13.1 allow local users to execute arbitrary code by
calling sendmsg and modifying the message contents in another thread
(CAN-2005-2490).
xattr.c in the ext2 and ext3 file system code in the 2.6 Linux kernel
did not properly compare the name_index fields when sharing xattr
blocks which would prevent default ACLs from being applied
(CAN-2005-2801).
The ipt_recent kernel module in 2.6 Linux kernels prior to 2.6.12 when
running on 64-bit processors allowed remote attackers to cause a DoS
(kernel panic) via certain attacks such as SSH brute force
(CAN-2005-2872).
The ipt_recent kernel module in 2.6 Linux kernels prior to 2.6.12 did
not properly perform certain time tests when the jiffies value is
greater than LONG_MAX which could cause ipt_recent netfilter rules to
block too early (CAN-2005-2873).
The updated packages have been patched to address these issues and all
users are urged to upgrade immediately.
Updated kernels for Mandrivalinux 10.1 and later will be made available
soon.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2456 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2458 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2459 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2490 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2801 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2872 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2873
Updated Packages:
Multi Network Firewall 2.0:
Corporate 3.0:
Corporate 3.0/X86_64:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
