Linux Today - Advisories, January 10, 2006

Linux Today
Enterprise Linux Today
Apache Today
JustLinux.com
Linux Planet
PHPBuilder
All Linux Devices

Technology Jobs

LinuxToday Newsletters

Server Daily
IT Management Daily
Subscribe News
Subscribe PR
Subscribe Security

internet.com

Internet News
Small Business

Advertise
Newsletters
Tech Jobs
E-mail Offers

Current Newswire:

Malware devs embrace open-source

A tale of two distros: Ubuntu and Linux Mint

Raspberry Pi benchmarked against Beagleboard, low price is long term

20 popular Ubuntu Linux apps you may want to try

A Selection of the Very Best Open Source Tutorials and Tools

Android Ice Cream Sandwich ported to x86 tablets, netbooks and notebooks

SECURITY: Google Chrome 17 Improves Security

How to read a CSV file in Perl?

Red Hat Brings Gluster to Amazon Cloud

New Linux kernel fixes power-saving issues

Applications Management Engineer Sr (NYC)
Next Step Systems
US-NY-New York

Post A Job | Post A Resume

:Advisories, January 10, 2006

Advisories, January 10, 2006
Jan 11, 2006, 04 :45 UTC (0 Talkback[s]) (2361 reads)

Debian GNU/Linux

Debian Security Advisory DSA 929-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
Jan 9, 2006 http://www.debian.org/security/faq

Vulnerability : buffer overflow
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2005-3540

Steve Kemp from the Debian Security Audit project discovered a buffer overflow in petris, a clone of the Tetris game, which may be exploited to execute arbitary code with group games privileges.

The old stable distribution (woody) does not contain the petris package.

For the stable distribution (sarge) this problem has been fixed in version 1.0.1-4sarge0.

For the unstable distribution the package will be updated shortly.

We recommend that you upgrade your petris package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:

    petris_1.0.1-4sarge0.diff.gz
      Size/MD5 checksum: 4255 f043952580a76a670090f5e10456cac0
    petris_1.0.1-4sarge0.dsc
      Size/MD5 checksum: 597 a8f7e7dc2da54370faf95307432ea057
    petris_1.0.1.orig.tar.gz
      Size/MD5 checksum: 11400 36ce4098c5305606ebbb66641eb9cea3

Alpha architecture:

petris_1.0.1-4sarge0_alpha.deb
Size/MD5 checksum: 17164 14925ee0cd40732d78d4d3267e304a6d

AMD64 architecture:

petris_1.0.1-4sarge0_amd64.deb
Size/MD5 checksum: 16118 ae80ded8db7237ac7ffbd235e94583bc

ARM architecture:

petris_1.0.1-4sarge0_arm.deb
Size/MD5 checksum: 14808 710db3e851a54a5c385a691de161ec35

HP Precision architecture:

petris_1.0.1-4sarge0_hppa.deb
Size/MD5 checksum: 16402 a7f392bda8179958a5cd95299865c1a5

Intel IA-32 architecture:

petris_1.0.1-4sarge0_i386.deb
Size/MD5 checksum: 15040 2efc32faf40e7402e818a088ab2ba6e2

Intel IA-64 architecture:

petris_1.0.1-4sarge0_ia64.deb
Size/MD5 checksum: 19610 bea0e1a48f9159ea1ef1c291af8f7974

Motorola 680x0 architecture:

petris_1.0.1-4sarge0_m68k.deb
Size/MD5 checksum: 14342 84fd7e89e8034c491df081bf562047f5

Big endian MIPS architecture:

petris_1.0.1-4sarge0_mips.deb
Size/MD5 checksum: 16488 4828a8700d380fe7fee578c4982cadc1

Little endian MIPS architecture:

petris_1.0.1-4sarge0_mipsel.deb
Size/MD5 checksum: 16434 3da9a116a510b2d095076015494fc72c

PowerPC architecture:

petris_1.0.1-4sarge0_powerpc.deb
Size/MD5 checksum: 17154 246d78ced212deb20bafdffc25b34503

IBM S/390 architecture:

petris_1.0.1-4sarge0_s390.deb
Size/MD5 checksum: 15928 bafe7066921152a84e610268031b1c3b

Sun Sparc architecture:

petris_1.0.1-4sarge0_sparc.deb
Size/MD5 checksum: 14866 e7a0d84f92bbf1e57d4aef61e257fc48

These files will probably be moved into the stable distribution on its next update.

Debian Security Advisory DSA 930-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
Jan 9, 2006 http://www.debian.org/security/faq

Vulnerability : format string attack
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2006-0083

Ulf Harnhammar from the Debian Security Audit project discovered a format string attack in the logging code of smstools, which may be exploited to execute arbitary code with root privileges.

The old stable distribution (woody) does not contain smstools package.

For the stable distribution (sarge) this problem has been fixed in version 1.14.8-1sarge0.

For the unstable distribution the package will be updated shortly.

We recommend that you upgrade your smstools package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:

    smstools_1.14.8-1sarge0.diff.gz
      Size/MD5 checksum: 5106 ef55852ce6da003ef5f45df6eed1a8c5
    smstools_1.14.8-1sarge0.dsc
      Size/MD5 checksum: 624 1e69b0c4a20ce7f08bce8a8b51b8504d
    smstools_1.14.8.orig.tar.gz
      Size/MD5 checksum: 158423 85b342e53d7fdde89ef25ad21e1c5fe0

Alpha architecture:

smstools_1.14.8-1sarge0_alpha.deb
Size/MD5 checksum: 184268 59ca41ecd61cc94de2b63c8698464732

AMD64 architecture:

smstools_1.14.8-1sarge0_amd64.deb
Size/MD5 checksum: 178130 f957b798e9de3075e013521bbf6241d6

ARM architecture:

smstools_1.14.8-1sarge0_arm.deb
Size/MD5 checksum: 173506 aa2b0df1d47ad50070aebacc266f729d

HP Precision architecture:

smstools_1.14.8-1sarge0_hppa.deb
Size/MD5 checksum: 180032 168dba93586bc10214fbb6a5914f962e

Intel IA-32 architecture:

smstools_1.14.8-1sarge0_i386.deb
Size/MD5 checksum: 166816 aee3afc84707f7190c255ed3739c2958

Intel IA-64 architecture:

smstools_1.14.8-1sarge0_ia64.deb
Size/MD5 checksum: 201440 9868ead0f8885bc3851137b23d76877d

Motorola 680x0 architecture:

smstools_1.14.8-1sarge0_m68k.deb
Size/MD5 checksum: 166452 d713ee667bee3c3186ba477f9d0f91a8

Big endian MIPS architecture:

smstools_1.14.8-1sarge0_mips.deb
Size/MD5 checksum: 182332 846d0a829680db2b3662982c9fe49d4f

Little endian MIPS architecture:

smstools_1.14.8-1sarge0_mipsel.deb
Size/MD5 checksum: 182004 db7200f1504ea22681e23e749435c22a

PowerPC architecture:

smstools_1.14.8-1sarge0_powerpc.deb/ Size/MD5 checksum: 172100 183e00f44548fce56df228441593bb90

IBM S/390 architecture:

smstools_1.14.8-1sarge0_s390.deb
Size/MD5 checksum: 179978 ab77f608c71a908bc51e7781b51c416d

Sun Sparc architecture:

smstools_1.14.8-1sarge0_sparc.deb
Size/MD5 checksum: 175994 a03ff752a8910e397e73f53649c5a931

These files will probably be moved into the stable distribution on its next update.

Debian Security Advisory DSA 930-2 security@debian.org
http://www.debian.org/security/ Steve Kemp

January 10, 2006 http://www.debian.org/security/faq

Package : smstools
Vulnerability : format string attack
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2006-0083

Ulf Harnhammar from the Debian Security Audit project discovered a format string attack in the logging code of smstools, which may be exploited to execute arbitary code with root privileges.

The original advisory for this issue said that the old stable distribution (woody) was not affected because it did not contain smstools. This was incorrect, and the only change in this updated advisory is the inclusion of corrected packages for woody.

For the old stable distribution (woody) this problem has been fixed in version 1.5.0-2woody0.

For the stable distribution (sarge) this problem has been fixed in version 1.14.8-1sarge0.

For the unstable distribution the package will be updated shortly.

We recommend that you upgrade your smstools package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:

    http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0.dsc
      Size/MD5 checksum: 595 3b125f8d494769561c579a2afb8eedf3
    http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0.diff.gz
      Size/MD5 checksum: 7441 8fd87155404a99eb88ff06e5e7bccd4b
    http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0.orig.tar.gz
      Size/MD5 checksum: 42987 0286109d2011a5b8ab2fbd2cda6085be

Alpha architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_alpha.deb
Size/MD5 checksum: 56840 8d84dd61b7002fbb5f5ff1411345cdf6

ARM architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_arm.deb
Size/MD5 checksum: 44604 af22b10857060a0fe0f1db651ea54689

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_i386.deb
Size/MD5 checksum: 43106 af2b3c3a8a18d71481fbadeef60846f8

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_ia64.deb
Size/MD5 checksum: 74424 96904451a1a06e22d4fcee797dc68450

HP Precision architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_hppa.deb
Size/MD5 checksum: 44432 70d55071bbdf08f2d3265da85cb43458

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_m68k.deb
Size/MD5 checksum: 41598 d25cce8dcfed54f7f9b62e7764775907

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_mips.deb
Size/MD5 checksum: 52646 2edd9efcca5f608c09d6903335d7dc14

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_mipsel.deb
Size/MD5 checksum: 52290 5f019a902c94b8d4c0a6b9781afa2664

PowerPC architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_powerpc.deb
Size/MD5 checksum: 43316 df4f00d5ccc813274a3936455ff39b70

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_s390.deb
Size/MD5 checksum: 43812 9e6f27fb09a8e1152db4238eb851b659

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/s/smstools/smstools_1.5.0-2woody0_sparc.deb
Size/MD5 checksum: 51388 d98ca0bc6bbeecb8d19e630528c6fd9f

Debian Security Advisory DSA 931-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 9th, 2006 http://www.debian.org/security/faq

Package : xpdf
Vulnerability : buffer overflows
Problem type : remote
Debian-specific: no
CVE IDs : CAN-2005-3191 CAN-2005-3192 CAN-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 Debian Bug : 342281

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, that can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

For the old stable distribution (woody) these problems have been fixed in version 1.00-3.8.

For the stable distribution (sarge) these problems have been fixed in version 3.00-13.4.

For the unstable distribution (sid) these problems have been fixed in version 3.01-4.

We recommend that you upgrade your xpdf package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.8.dsc
      Size/MD5 checksum: 706 f8091cb4e0b0c7baa8ccc4ee75a50699
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.8.diff.gz
      Size/MD5 checksum: 11832 ab0665a0fa767785037ceff313cbc1b3
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00.orig.tar.gz
      Size/MD5 checksum: 397750 81f3c381cef729e4b6f4ce21cf5bbf3c

Architecture independent components:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_1.00-3.8_all.deb
      Size/MD5 checksum: 38826 43072ed4680dab2c7d68eec7b3f7c45a
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_1.00-3.8_all.deb
      Size/MD5 checksum: 1286 7bd55048fc7aab6c9c35f65d472932da

Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_alpha.deb
      Size/MD5 checksum: 571434 7be66f32548c87a66c2353d976a99c36
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_alpha.deb
      Size/MD5 checksum: 1046964 c83387b2ce2c92faa2cbbc86f2d9a9a8

ARM architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_arm.deb
      Size/MD5 checksum: 487502 655007df84b968ec59de01638b77f0b8
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_arm.deb
      Size/MD5 checksum: 887368 a2d7e4052bf2a5c4a495c4e45dedf89b

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_i386.deb
      Size/MD5 checksum: 449748 0ae0c17cc4624b254b2aeac09c995d6f
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_i386.deb
      Size/MD5 checksum: 828498 530637087a864c6def87e31283bdeceb

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_ia64.deb
      Size/MD5 checksum: 683068 19ecb0905f8636e67bf7238c10f59ad5
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_ia64.deb
      Size/MD5 checksum: 1230046 ed52eb1ba803c65bed5b9b82ec551eef

HP Precision architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_hppa.deb
      Size/MD5 checksum: 564570 e375463f1a090ee04616a2a28d074792
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_hppa.deb
      Size/MD5 checksum: 1034076 c7baa8decb624ae001b8325c426c3e83

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_m68k.deb
      Size/MD5 checksum: 427756 e516e992cf634de082e9261fec596417
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_m68k.deb
      Size/MD5 checksum: 795168 5315ec1734af63b31df537992fd575d7

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_mips.deb
      Size/MD5 checksum: 555626 38b3797dc8685b374bfa4d5b8310e002
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_mips.deb
      Size/MD5 checksum: 1017302 f1420c53961b3574c404e3dcee80e633

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_mipsel.deb
      Size/MD5 checksum: 546712 be27f108ed722e04bee9473fb463a749
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_mipsel.deb
      Size/MD5 checksum: 999554 d8983b16cb67d5b5da734e8a166079b1

PowerPC architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_powerpc.deb
      Size/MD5 checksum: 470466 c90999ac3ffef0f1ca9907ec0c52e8ca
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_powerpc.deb
      Size/MD5 checksum: 860678 1b79e9b04f6b86cee3365c27c99b8c8a

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_s390.deb
      Size/MD5 checksum: 430408 09493b1bae3177137a922adbaee7af25
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_s390.deb
      Size/MD5 checksum: 786644 98062cef2cfd5f78eba94f92f7ffc7ec

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_1.00-3.8_sparc.deb
      Size/MD5 checksum: 444146 9bb3e73108672a45c87eb172b30b645e
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_1.00-3.8_sparc.deb
      Size/MD5 checksum: 810204 53735cf450d1ff09449dd4e744e31f4a

Debian GNU/Linux 3.1 alias sarge

Source archives:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00-13.4.dsc
      Size/MD5 checksum: 781 df2be00a261c47ed25cbf00bdcefcc32
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00-13.4.diff.gz
      Size/MD5 checksum: 50734 3018a9155bbcf704f47132bbefddd5b5
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00.orig.tar.gz
      Size/MD5 checksum: 534697 95294cef3031dd68e65f331e8750b2c2

Architecture independent components:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.00-13.4_all.deb
      Size/MD5 checksum: 56504 333976022e4bd6b1a241844231f2db30
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00-13.4_all.deb
      Size/MD5 checksum: 1284 1b077a992654b8df5727d844deb84e0c

Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_alpha.deb
      Size/MD5 checksum: 802112 93e96a4213f4966d8c0bb2c1e34b572d
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_alpha.deb
      Size/MD5 checksum: 1528190 5db2e3cd7ab5f2865d5303163c3d08a7

AMD64 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_amd64.deb
      Size/MD5 checksum: 667754 df5e85b58bcb2f7b86837e7a79b745f9
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_amd64.deb
      Size/MD5 checksum: 1273734 5554c8f473a892cc8478f50bc1dd96dd

ARM architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_arm.deb
      Size/MD5 checksum: 674458 b419a39cb5b1bbaefe52c51f163913d5
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_arm.deb
      Size/MD5 checksum: 1279040 fe5af7d7209bb14e865404ea695a6df3

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_i386.deb
      Size/MD5 checksum: 656804 e319b835c10f76ad7946b74da24ba1bf
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_i386.deb
      Size/MD5 checksum: 1242164 731e556748f3f84465bd6537462fde03

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_ia64.deb
      Size/MD5 checksum: 950974 fe4f3be5aa05772806309faaa3847db3
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_ia64.deb
      Size/MD5 checksum: 1801950 27c19b5813e7d2aa34aca9847c277b40

HP Precision architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_hppa.deb
      Size/MD5 checksum: 832646 a2504b353573d384d443e923782775f1
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_hppa.deb
      Size/MD5 checksum: 1580478 72266677b36f9ec9ab2c2bcac1dfe7ac

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_m68k.deb
      Size/MD5 checksum: 585736 e1331547251b0d5eba96c68e6665abf2
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_m68k.deb
      Size/MD5 checksum: 1116746 46d969a98302c1b49b5e9a355047adfc

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_mips.deb
      Size/MD5 checksum: 807800 d1acd349bc0a932ea3467db9796919f5
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_mips.deb
      Size/MD5 checksum: 1524848 685d65d2a07676b55fa3abd8505018a9

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_mipsel.deb
      Size/MD5 checksum: 798090 18503fbab79be783005bed35d4cdb02d
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_mipsel.deb
      Size/MD5 checksum: 1503796 aaa4b1de4370d52cc2b3e595542f82c3

PowerPC architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_powerpc.deb
      Size/MD5 checksum: 694126 08e64354f30b1bd573092925b894c77f
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_powerpc.deb
      Size/MD5 checksum: 1313048 5f39d0ffe44186db884a7c1115704666

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_s390.deb
      Size/MD5 checksum: 630774 8b48412164ae96066c61399a5c7b3cd7
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_s390.deb
      Size/MD5 checksum: 1198670 6b837427a05f0b19630197183c9c50f1

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.4_sparc.deb
      Size/MD5 checksum: 626394 0bbb59b11b9d11f9129fbd475e3ab186
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.4_sparc.deb
      Size/MD5 checksum: 1181726 a523c04a7ae1c3b8fc24c29f46d3c589

These files will probably be moved into the stable distribution on its next update.

Debian Security Advisory DSA 932-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 9th, 2006 http://www.debian.org/security/faq

Package : xpdf
Vulnerability : buffer overflows
Problem type : remote
Debian-specific: no

CVE IDs : CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 Debian Bug : 342281

The old stable distribution (woody) does not contain kpdf packages.

For the stable distribution (sarge) these problems have been fixed in version 3.3.2-2sarge3.

For the unstable distribution (sid) these problems have been fixed in version 3.5.0-3.

We recommend that you upgrade your kpdf package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:

    http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.3.2-2sarge3.dsc
      Size/MD5 checksum: 1317 883261a391a85afb038bb7ea2150ecd7
    http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.3.2-2sarge3.diff.gz
      Size/MD5 checksum: 159106 1169ddf001b77319f2859c87ce482bc4
    http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.3.2.orig.tar.gz
      Size/MD5 checksum: 7661488 6d0bb2c6e2e2f666d123778fbc520317

Architecture independent components:

http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.3.2-2sarge3_all.deb
Size/MD5 checksum: 17620 9c3f491df5dcb49a81b26062df50ea98

Alpha architecture:

AMD64 architecture:

ARM architecture:

Intel IA-32 architecture:

Intel IA-64 architecture:

HP Precision architecture:

Motorola 680x0 architecture:

Big endian MIPS architecture:

Little endian MIPS architecture:

PowerPC architecture:

IBM S/390 architecture:

Sun Sparc architecture:

These files will probably be moved into the stable distribution on its next update.

Debian Security Advisory DSA 933-1 security@debian.org
http://www.debian.org/security/ Michael Stone
January 9, 2006 http://www.debian.org/security/faq

Package : hylafax
Vulnerability : arbitrary command execution Problem-Type : local
Debian-specific: no
CVE ID : CVE-2005-3539

Patrice Fournier found that hylafax passes unsanitized user data in the notify script, allowing users with the ability to submit jobs to run arbitrary commands with the privileges of the hylafax server.

For the old stable distribution (woody) this problem has been fixed in version 4.1.1-4woody1.

For the stable distribution (sarge) this problem has been fixed in version 4.2.1-5sarge3.

For the unstable distribution the problem has been fixed in version 4.2.4-2.

We recommend that you upgrade your hylafax package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-4woody1.dsc
      Size/MD5 checksum: 800 c9fd457c2782971a41c8328435b00ece
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1-4woody1.diff.gz
      Size/MD5 checksum: 116777 a2c212abd4a22134b673b3df345cb779
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.1.1.orig.tar.gz
      Size/MD5 checksum: 1287689 1ed081750be70a800708699b7568e17e

Architecture independent components:

http://security.debian.org/pool/updates/main/h/hylafax/hylafax-doc_4.1.1-4woody1_all.deb
Size/MD5 checksum: 318384 bf2352b27b55b6a6b66acd8184864ed5

Alpha architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-4woody1_alpha.deb
      Size/MD5 checksum: 556394 4acfe414a92ca39dd08d945927134fde
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-4woody1_alpha.deb
      Size/MD5 checksum: 1362704 7c5d2805a86e35f77fbdc320608eae21

ARM architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-4woody1_arm.deb
      Size/MD5 checksum: 445742 bd7631c263e79ba1fa222616fab0814c
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-4woody1_arm.deb
      Size/MD5 checksum: 1096024 a5bccc072005832e21a63af6cd355d80

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-4woody1_i386.deb
      Size/MD5 checksum: 462478 a1b1d1ffb63fa002602fa817985c10d4
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-4woody1_i386.deb
      Size/MD5 checksum: 1132898 f7f7933a5c26c69048628d20c6d8c6e2

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-4woody1_ia64.deb
      Size/MD5 checksum: 615750 9dd3e91618a0b7ff630fc8e73472be90
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-4woody1_ia64.deb
      Size/MD5 checksum: 1491998 fcfa52b30bf30151ce3d9c9c283738b2

HP Precision architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-4woody1_hppa.deb
      Size/MD5 checksum: 501764 532a01a8b1c509fff8640a63743f27b0
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-4woody1_hppa.deb
      Size/MD5 checksum: 1231584 2d3a3a7072c00e4fc71bb48045aac459

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-4woody1_m68k.deb
      Size/MD5 checksum: 451356 52f1e0515d0dc3f88b25de500aa8916c
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-4woody1_m68k.deb
      Size/MD5 checksum: 1100320 294aa660f86c7090eb0092755a788009

PowerPC architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-4woody1_powerpc.deb
      Size/MD5 checksum: 450900 349b2498e9ca56c63e219911b79e2953
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-4woody1_powerpc.deb
      Size/MD5 checksum: 1104560 48b998cf768a2ff858c948e5892b32c4

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-4woody1_s390.deb
      Size/MD5 checksum: 441344 51762120b318ed4c800a12e28242b5fa
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-4woody1_s390.deb
      Size/MD5 checksum: 1087136 ba81545268b85fa2783814ca8322d3b3

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.1.1-4woody1_sparc.deb
      Size/MD5 checksum: 433674 4786a267f600ba71c8f9c80a1f371439
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.1.1-4woody1_sparc.deb
      Size/MD5 checksum: 1082890 6bdc5a6359c4b953f5127031af69cbe2

Debian GNU/Linux 3.1 alias sarge

Source archives:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.2.1-5sarge3.dsc
      Size/MD5 checksum: 746 1202e740bcb10a01977c98f6967d2da4
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.2.1-5sarge3.diff.gz
      Size/MD5 checksum: 51922 e7d0531c64d48a9907e1a9c73b882bff
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax_4.2.1.orig.tar.gz
      Size/MD5 checksum: 1412035 05430e41a279d0fff6d6e4b444440829

Architecture independent components:

http://security.debian.org/pool/updates/main/h/hylafax/hylafax-doc_4.2.1-5sarge3_all.deb
Size/MD5 checksum: 372578 70db2ce1b777e475cbe3335abc31a5a6

Alpha architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_alpha.deb
      Size/MD5 checksum: 373996 440dedf0a21a7ea99573ff9a0c8eb675
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_alpha.deb
      Size/MD5 checksum: 863606 cff4540597762579538d71e447b09f01

AMD64 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_amd64.deb
      Size/MD5 checksum: 350894 a8040ccfde418e5cdf9f353f8b7471d9
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_amd64.deb
      Size/MD5 checksum: 801152 977bdc76fc44339599770227ba93befc

ARM architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_arm.deb
      Size/MD5 checksum: 342534 a79825720236fdafac2c6a7841b1fdec
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_arm.deb
      Size/MD5 checksum: 808884 10810889ed1c044fb1fec91af88184b2

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_i386.deb
      Size/MD5 checksum: 348172 0b3837a725542ab94fe7525beb54926d
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_i386.deb
      Size/MD5 checksum: 805786 05e61ba137faedbaf4a6d4b3faf0cce6

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_ia64.deb
      Size/MD5 checksum: 402530 a592a7397d1b75dc541584e3e10cbd23
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_ia64.deb
      Size/MD5 checksum: 924558 eb3701170b63c4ca617c93c74aa59f76

HP Precision architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_hppa.deb
      Size/MD5 checksum: 402386 7ec015549d9aa57e5a8e037deb6edb32
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_hppa.deb
      Size/MD5 checksum: 911520 948195eaaf686a5cffa3237df90d8504

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_m68k.deb
      Size/MD5 checksum: 345380 635f021fb40dbdd09c138608e64c309c
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_m68k.deb
      Size/MD5 checksum: 784438 3bc0f358363b448d3f8e72f95743a9fe

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_mips.deb
      Size/MD5 checksum: 352748 a65a3fcfffc4ec111fe4237a92734254
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_mips.deb
      Size/MD5 checksum: 836146 17146c51624cfc1f7c7eaac74c483f21

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_mipsel.deb
      Size/MD5 checksum: 350272 d5d512363681880db5e3d587021cab19
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_mipsel.deb
      Size/MD5 checksum: 831156 b06e0395c7b347093f2f9e1fe9673b91

PowerPC architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_powerpc.deb
      Size/MD5 checksum: 356672 778a434ea9e2e73d85ee8b7eaec4062c
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_powerpc.deb
      Size/MD5 checksum: 819686 4e82d570b0ffe822945814f90a5c175c

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.2.1-5sarge3_s390.deb
      Size/MD5 checksum: 339480 5afce0e8172e75b1b39d0086f69c5e0a
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.2.1-5sarge3_s390.deb
      Size/MD5 checksum: 767944 bc881199411dce80be644491b031af07

These files will probably be moved into the stable distribution on its next update.

Debian Security Advisory DSA 934-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
January 9, 2006 http://www.debian.org/security/faq

Package : pound
Vulnerability : several
Problem-Type : remote
Debian-specific: no

CVE ID : CVE-2005-1391 CVE-2005-3751 Debian Bug : 307852

Two vulnerabilities have been discovered in Pound, a reverse proxy and load balancer for HTTP. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2005-1391: Overly long HTTP Host: headers may trigger a buffer overflow in the add_port() function, which may lead to the execution of arbitrary code.
CVE-2005-3751: HTTP requests with conflicting Content-Length and Transfer-Encoding headers could lead to HTTP Request Smuggling Attack, which can be exploited to bypass packet filters or poison web caches.

The old stable distribution (woody) does not contain pound packages.

For the stable distribution (sarge) these problems have been fixed in version 1.8.2-1sarge1

For the unstable distribution (sid) these problems have been fixed in version 1.9.4-1

We recommend that you upgrade your pound package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:

    http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1.dsc
      Size/MD5 checksum: 643 334d91f8800581281ab9c8bad5bbdbf4
    http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1.diff.gz
      Size/MD5 checksum: 13242 9e404c899bfd5409610ed5f14345d341
    http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2.orig.tar.gz
      Size/MD5 checksum: 140455 c9b0793bb4d57be2270093d79b13c019

Alpha architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_alpha.deb
Size/MD5 checksum: 73284 0458e20d63c3f5f5788afe7564a385da

AMD64 architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_amd64.deb
Size/MD5 checksum: 68652 01ae48ac313a8e533f32eec2f6f7a62f

ARM architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_arm.deb
Size/MD5 checksum: 69072 73b7eb49a74c8a5ff6a8015cf9a0e45d

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_i386.deb
Size/MD5 checksum: 68684 da43b8adaf115680c72d8f5dce9bc99f

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_ia64.deb
Size/MD5 checksum: 80756 ec6d043c70e50e8ba492ef6a73a4cc18

HP Precision architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_hppa.deb
Size/MD5 checksum: 70288 22fa75150b2253640667714cf6197567

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_m68k.deb
Size/MD5 checksum: 65138 1de5e7b4492a51900e13f9a0f5decd18

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_mips.deb
Size/MD5 checksum: 68586 3eb28320dc9229ee8cc08d2967e8ee9b

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_mipsel.deb
Size/MD5 checksum: 68654 510807d792c96e8cc43edf72fcdcc243

PowerPC architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_powerpc.deb
Size/MD5 checksum: 69218 d03e4cc71f99c2017a417cf8f073438c

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/p/pound/pound_1.8.2-1sarge1_s390.deb
Size/MD5 checksum: 69268 dac44abdc98358ccc66c2c3f41bd0965

These files will probably be moved into the stable distribution on its next update.

Debian Security Advisory DSA 935-1 security@debian.org
http://www.debian.org/security/ Michael Stone
January 10, 2006 http://www.debian.org/security/faq

Package : libapache2-mod-auth-pgsql Vulnerability : format string vulnerability Problem-Type : remote
Debian-specific: no

CVE ID : CVE-2005-3656 Debian Bug : 307852

iDEFENSE reports that a format string vulnerability in mod_auth_pgsql, a library used to authenticate web users against a PostgreSQL database, could be used to execute arbitrary code with the privileges of the httpd user.

The old stable distribution (woody) does not contain libapache2-mod-auth-pgsql.

For the stable distribution (sarge) this problem has been fixed in version 2.0.2b1-5sarge0.

For the unstable distribution (sid) this problem will be fixed shortly.

We recommend that you upgrade your libapache2-mod-auth-pgsql package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:

    http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0.dsc
      Size/MD5 checksum: 718 64320b302321622c1007810e18f6559a
    http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0.diff.gz
      Size/MD5 checksum: 5031 400a8ca9689409375c56eafe38a957a7
    http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1.orig.tar.gz
      Size/MD5 checksum: 15928 e2c032df0cd7e4a46381dcf6e488efe9

Alpha architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_alpha.deb
Size/MD5 checksum: 20410 4e2c27c73a6ca3ca70713e31842c01ca

AMD64 architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_amd64.deb
Size/MD5 checksum: 20040 9b542446b7336c88c2ffabdad730b74f

ARM architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_arm.deb
Size/MD5 checksum: 18806 fcf3a9529b0b2af5a67237360c60f554

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_i386.deb
Size/MD5 checksum: 19406 f869e108de0839dcdcc2ee9459a8848d

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_ia64.deb
Size/MD5 checksum: 22282 018e612149c4d4a2cb139ee91b972cae

HP Precision architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_hppa.deb
Size/MD5 checksum: 20686 dc84765b12cb57c7c2b68d9f875d8f07

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_m68k.deb
Size/MD5 checksum: 18944 ab3c2f517273d868d8dd3fcf9b78ea0a

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_mips.deb
Size/MD5 checksum: 18884 cfed58fc3dd4bc0e7b635f048b9ef317

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_mipsel.deb
Size/MD5 checksum: 18860 dc5b1b912b0fcf62d2a8edc7a5a9fa52

PowerPC architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_powerpc.deb
Size/MD5 checksum: 20710 bdc297d45748433b2adcd3ac962612a3

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_s390.deb
Size/MD5 checksum: 19840 798db337084461ee60239274cf89f4e0

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/liba/libapache2-mod-auth-pgsql/libapache2-mod-auth-pgsql_2.0.2b1-5sarge0_sparc.deb
Size/MD5 checksum: 19006 6cd6c8809599feec59df63281adcfd7b

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Core

Fedora Update Notification
FEDORA-2005-000
2006-01-05

Product : Fedora Core 4

Name : ethereal

Version : 0.10.14
Release : 1.FC4.1
Summary : Network traffic analyzer

Description :
Ethereal is a network traffic analyzer for Unix-ish operating systems.

This package lays base for libpcap, a packet capture and filtering library, contains command-line utilities, contains plugins and documentation for ethereal. A graphical user interface is packaged separately to GTK+ package.

Thu Dec 29 2005 Radek Vokal <rvokal@redhat.com> 0.10.14-1.FC4.1
- upgrade to 0.10.14

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

affe1eb1afcd43ff516e84d2d72ffc05 SRPMS/ethereal-0.10.14-1.FC4.1.src.rpm
0bad077e8bb64b17b8d46ff7b850981b ppc/ethereal-0.10.14-1.FC4.1.ppc.rpm
7c3487788fd67fcff93a8ab84b8a02d6 ppc/ethereal-gnome-0.10.14-1.FC4.1.ppc.rpm
269573f80ae4c2e6ed293679017e3c52 ppc/debug/ethereal-debuginfo-0.10.14-1.FC4.1.ppc.rpm
1f2d0fc4c51781edf58492848d275a30 x86_64/ethereal-0.10.14-1.FC4.1.x86_64.rpm
0596c4ecffad375876556769cba26662 x86_64/ethereal-gnome-0.10.14-1.FC4.1.x86_64.rpm
933603daec37ab30725cf822c015e911 x86_64/debug/ethereal-debuginfo-0.10.14-1.FC4.1.x86_64.rpm
b108f4faf613e9ec7ac1c872f6f6b9e6 i386/ethereal-0.10.14-1.FC4.1.i386.rpm
ceaa262d2bbd36d7e598f306d2ae85d8 i386/ethereal-gnome-0.10.14-1.FC4.1.i386.rpm
2889e71042aca4212a9f373e66f6a8e1 i386/debug/ethereal-debuginfo-0.10.14-1.FC4.1.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.

Fedora Update Notification
FEDORA-2005-000
2006-01-05

Product : Fedora Core 4
Name : cups
Version : 1.1.23
Release : 15.3
Summary : Common Unix Printing System

Description :
The Common UNIX Printing System provides a portable printing layer for UNIX™ operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces.

Update Information:

This update fixes the pdftops filter's handling of some incorrectly-formed PDF files. Issues fixed are CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627.

Wed Jan 4 2006 Tim Waugh <twaugh@redhat.com> 1:1.1.23-15.3
- Apply patch to fix CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 (bug #176868).

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

b65393b6e832e37cd45944fa1fcb2f9f SRPMS/cups-1.1.23-15.3.src.rpm
02eadf80e0cfb528185e0b9274077006 ppc/cups-1.1.23-15.3.ppc.rpm
e2cb40aef49d878dd26d5f03cb1fd01e ppc/cups-devel-1.1.23-15.3.ppc.rpm
a5435a5bcfffa902385e459d87a497c6 ppc/cups-libs-1.1.23-15.3.ppc.rpm
2de63386f71fc3c04f698b7c72c1dba8 ppc/cups-lpd-1.1.23-15.3.ppc.rpm
43eb8850d0fafe3de68878b6f8daf77a ppc/debug/cups-debuginfo-1.1.23-15.3.ppc.rpm
a6ad7b471609dc51991518fff8d3cf60 ppc/cups-libs-1.1.23-15.3.ppc64.rpm
8742299c1f7299076bb2b3981fff4c98 x86_64/cups-1.1.23-15.3.x86_64.rpm
bd297bc78d37c1b460d1c9e43230ca69 x86_64/cups-devel-1.1.23-15.3.x86_64.rpm
6ac6c13e86d1305d9bcf9a319e78e4c2 x86_64/cups-libs-1.1.23-15.3.x86_64.rpm
40c906f6e51a7e80053d20ed3cd46db0 x86_64/cups-lpd-1.1.23-15.3.x86_64.rpm
ba48481077a96a3e2ba2aa8a45b3af62 x86_64/debug/cups-debuginfo-1.1.23-15.3.x86_64.rpm
dd421fc881b169edd6eeb4dd066c86b2 x86_64/cups-libs-1.1.23-15.3.i386.rpm
e4de7feac1df02a425ab3efa6144f4ff i386/cups-1.1.23-15.3.i386.rpm
3e11e02156acc1ab98c39e81eaa94845 i386/cups-devel-1.1.23-15.3.i386.rpm
dd421fc881b169edd6eeb4dd066c86b2 i386/cups-libs-1.1.23-15.3.i386.rpm
2b0df8e6199debab3a3715b643b4b504 i386/cups-lpd-1.1.23-15.3.i386.rpm
4f1b9c6b9a2455ed4e4f0a6531a5a006 i386/debug/cups-debuginfo-1.1.23-15.3.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.

Fedora Update Notification
FEDORA-2005-000
2006-01-05

Product : Fedora Core 3
Name : cups
Version : 1.1.22
Release : 0.rc1.8.9
Summary : Common Unix Printing System

Update Information:

This update fixes the pdftops filter's handling of some incorrectly-formed PDF files. Issues fixed are CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627.

Wed Jan 4 2006 Tim Waugh <twaugh@redhat.com> 1:1.1.22-0.rc1.8.9
- Apply patch to fix CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 (bug #176870).

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

e4863c8e84bd2e0be139cf9c9b981c7d SRPMS/cups-1.1.22-0.rc1.8.9.src.rpm
61f09f282d5d6d06c313d7b2a6d4a01d x86_64/cups-1.1.22-0.rc1.8.9.x86_64.rpm
0a1c9a3519066b1722f2f68f441ce135 x86_64/cups-devel-1.1.22-0.rc1.8.9.x86_64.rpm
5b704b556030ef26c76d866812161aa8 x86_64/cups-libs-1.1.22-0.rc1.8.9.x86_64.rpm
2451f45b1e738ece7af8d7dd9caf6b47 x86_64/debug/cups-debuginfo-1.1.22-0.rc1.8.9.x86_64.rpm
bb9815d2bc773c35dc61c429b77454c8 x86_64/cups-libs-1.1.22-0.rc1.8.9.i386.rpm
7a71e7c01a6ef6d50dc39e78b50496de i386/cups-1.1.22-0.rc1.8.9.i386.rpm
c8f38a36664e624ae521e76867ac1467 i386/cups-devel-1.1.22-0.rc1.8.9.i386.rpm
bb9815d2bc773c35dc61c429b77454c8 i386/cups-libs-1.1.22-0.rc1.8.9.i386.rpm
3f5ca45efebf5218f43faaaebb42f39e i386/debug/cups-debuginfo-1.1.22-0.rc1.8.9.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.

Fedora Update Notification
FEDORA-2005-013
2006-01-06

Product : Fedora Core 4
Name : kernel
Version : 2.6.14
Release : 1.1656_FC4
Summary : The Linux kernel (the core of the Linux operating system)

Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

Update Information:

This update fixes several low-priority security problems that were discovered during the development of 2.6.15, and backported.

Notably, CVE-2005-4605.

Thu Jan 5 2006 Dave Jones <davej@redhat.com> [2.6.14-1.1656_FC4]
- Rebuild.
Tue Jan 3 2006 Dave Jones <davej@redhat.com> [2.6.14-1.1655_FC4]
- Small fixes from 2.6.15
- sysctl: don't overflow the user-supplied buffer with '0'
- sysctl: make sure to terminate strings with a NUL
- Insanity avoidance in /proc
Sun Jan 1 2006 Dave Jones <davej@redhat.com>
- Fix the ACPI whitelist date again.
Wed Dec 28 2005 Dave Jones <davej@redhat.com>
- Tighten permissions on /proc/pid/smaps. (#176687)
Wed Dec 28 2005 Dave Jones <davej@redhat.com> [2.6.14-1.1654_FC4]
- Fix usb storage oops. (#176576)
- Fix ACPI owner_id limit.
- Decrease stack usage in block layer.
Tue Dec 27 2005 Dave Jones <davej@redhat.com>
- 2.6.14.5
- usbhid incorrectly claimed wacom penpartner tablet. (#161241)
- Reinstate the y2k ACPI blacklist cutoff. It broke working suspend for apm users.
Fri Dec 16 2005 Dave Jones <davej@redhat.com>
- Rebase to final 2.6.14.4

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

0986f8f9b53aff89e38c3ac432455d13 SRPMS/kernel-2.6.14-1.1656_FC4.src.rpm
2713f20165811439c3230da4211b23f4 ppc/kernel-2.6.14-1.1656_FC4.ppc.rpm
86884ffa980bb5b799f5b7ee905f5b4d ppc/kernel-devel-2.6.14-1.1656_FC4.ppc.rpm
4c795cdd720d46f9d31abc606c51299a ppc/kernel-smp-2.6.14-1.1656_FC4.ppc.rpm
065ac33d47bc2a11160bee854e8fec43 ppc/kernel-smp-devel-2.6.14-1.1656_FC4.ppc.rpm
bf84da79ec3d9d43e2c75eae522969dc ppc/debug/kernel-debuginfo-2.6.14-1.1656_FC4.ppc.rpm
cc10f57c8999e3e276ac719007824087 ppc/kernel-2.6.14-1.1656_FC4.ppc64.rpm
a68170aaef2c4192295d6855624b9925 ppc/kernel-devel-2.6.14-1.1656_FC4.ppc64.rpm
260132f52671b5141bac5fcb05dcc57e x86_64/kernel-2.6.14-1.1656_FC4.x86_64.rpm
a643d88decc67e58dee08d6b4dc18464 x86_64/kernel-devel-2.6.14-1.1656_FC4.x86_64.rpm
86363061f3f32695afa7d649f53cfe83 x86_64/kernel-smp-2.6.14-1.1656_FC4.x86_64.rpm
aa6ec4216105399c8728227b1ee0af06 x86_64/kernel-smp-devel-2.6.14-1.1656_FC4.x86_64.rpm
48c87979a0e88a03c0434c84ed8d805a x86_64/debug/kernel-debuginfo-2.6.14-1.1656_FC4.x86_64.rpm
ddedbf5bbad3cf9c1372aeb443a3af79 x86_64/kernel-doc-2.6.14-1.1656_FC4.noarch.rpm
8429eea3c447c93407d7ace4226edec5 i386/kernel-2.6.14-1.1656_FC4.i586.rpm
13bc09d73c8c64c20b0e6a8074a022b0 i386/kernel-devel-2.6.14-1.1656_FC4.i586.rpm
4ae77938bec18857eec961af30a8cfc1 i386/debug/kernel-debuginfo-2.6.14-1.1656_FC4.i586.rpm
58281f46cef7bc8617e7c10236429ea5 i386/kernel-2.6.14-1.1656_FC4.i686.rpm
f03110252518776bc6baf106f7381292 i386/kernel-devel-2.6.14-1.1656_FC4.i686.rpm
c008e26f80b86bff71cd0bd396a537e1 i386/kernel-smp-2.6.14-1.1656_FC4.i686.rpm
7ad41e47ad57b279619dedd308f1eeef i386/kernel-smp-devel-2.6.14-1.1656_FC4.i686.rpm
0cac7a02ccb6648427f80392c25ef552 i386/debug/kernel-debuginfo-2.6.14-1.1656_FC4.i686.rpm
ddedbf5bbad3cf9c1372aeb443a3af79 i386/kernel-doc-2.6.14-1.1656_FC4.noarch.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.

Fedora Update Notification
FEDORA-2005-014
2006-01-06

Product : Fedora Core 3
Name : mod_auth_pgsql
Version : 2.0.1
Release : 6.2
Summary : Basic authentication for the Apache web server using a PostgreSQL database.

Description :
mod_auth_pgsql can be used to limit access to documents served by a web server by checking fields in a table in a PostgresQL database.

Update Information:

Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue.

Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database.

Red Hat would like to thank iDefense for reporting this issue.

Fri Jan 6 2006 Joe Orton <jorton@redhat.com> 2.0.1-6.2
- add security fix for CVE-2005-3656
- don't strip .so file so debuginfo works
- fix r->user handling (Mirko Streckenbach, #150087)

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

f4de3874523d13558b62a7b616a9924b SRPMS/mod_auth_pgsql-2.0.1-6.2.src.rpm
710fe9e31a155fca650aa2e948caf3e0 x86_64/mod_auth_pgsql-2.0.1-6.2.x86_64.rpm
a98acc532d16f6824643f84681a925ba x86_64/debug/mod_auth_pgsql-debuginfo-2.0.1-6.2.x86_64.rpm
2b1130b5b5be47de09f927b2dd87bd94 i386/mod_auth_pgsql-2.0.1-6.2.i386.rpm
2d348cb3ca7f7525dce925a20fed88da i386/debug/mod_auth_pgsql-debuginfo-2.0.1-6.2.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.

Fedora Update Notification
FEDORA-2005-015
2006-01-06

Product : Fedora Core 4
Name : mod_auth_pgsql
Version : 2.0.1
Release : 8.1
Summary : Basic authentication for the Apache web server using a PostgreSQL database.

Description :
mod_auth_pgsql can be used to limit access to documents served by a web server by checking fields in a table in a PostgresQL database.

Update Information:

Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database.

Red Hat would like to thank iDefense for reporting this issue.

Fri Jan 6 2006 Joe Orton <jorton@redhat.com> 2.0.1-8.1
- add security fix for CVE-2005-3656
- don't strip .so file so debuginfo works

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

d92214578ca55f9fe41d1ae02bf6d43e SRPMS/mod_auth_pgsql-2.0.1-8.1.src.rpm
747cb8b5486624f9df1057fca3ee7e86 ppc/mod_auth_pgsql-2.0.1-8.1.ppc.rpm
7039f4f23f6a28fc27faa06ef83ea3a0 ppc/debug/mod_auth_pgsql-debuginfo-2.0.1-8.1.ppc.rpm
d5815a490b1ec2c2f59f9715253d5665 x86_64/mod_auth_pgsql-2.0.1-8.1.x86_64.rpm
4a1db6971295f3cc99b8641485577123 x86_64/debug/mod_auth_pgsql-debuginfo-2.0.1-8.1.x86_64.rpm
6ce00956921bda6ae3f5f6ed19bdde75 i386/mod_auth_pgsql-2.0.1-8.1.i386.rpm
4b265b8401bc3c5b56140b0bb65ce159 i386/debug/mod_auth_pgsql-debuginfo-2.0.1-8.1.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.

Fedora Update Notification
FEDORA-2005-025
2006-01-10

Product : Fedora Core 3
Name : gpdf
Version : 2.8.2
Release : 7.2
Summary : viewer for Portable Document Format (PDF) files for GNOME

Description :
This is GPdf, a viewer for Portable Document Format (PDF) files for GNOME. GPdf is based on the Xpdf program and uses additional GNOME libraries for better desktop integration.

GPdf includes the gpdf application, a Bonobo control for PDF display which can be embedded in Nautilus, and a Nautilus property page for PDF files.

Update Information:

Chris Evans discovered several flaws in the way CUPS processes PDF files. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues.

Tue Jan 10 2006 Ray Strode <rstrode@redhat.com> 2.8.2-7.2
- Apply fix for CVE-2005-3624 (also covers CVE-2005-3193) (bug 176866)

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

3f7a8f70d4f2a8f18d823c572ad99755361adf23 SRPMS/gpdf-2.8.2-7.2.src.rpm
e0b1860bc92e3b69c60dbe53548ca709223d1822 x86_64/gpdf-2.8.2-7.2.x86_64.rpm
42a7a344a3d3e040bf37e002c788f8ca5fde8dba x86_64/debug/gpdf-debuginfo-2.8.2-7.2.x86_64.rpm
cada2bbc6925dbb27ea17317f9f8c31488d33cd0 i386/gpdf-2.8.2-7.2.i386.rpm
9280b56de65f4acedd3c13b5ff455fdc610463ae i386/debug/gpdf-debuginfo-2.8.2-7.2.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.

Fedora Legacy

Fedora Legacy Update Advisory

Synopsis: Updated gettext package fixes security issues
Advisory ID: FLSA:136323
Issue date: 2006-01-09
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-0966

1. Topic:

An updated gettext package that fixes security bugs is now available.

The GNU gettext package provides a set of tools and documentation for producing multi-lingual messages in programs.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Temporary file vulnerabilities were discovered in the gettext package. A malicious user could use the "autopoint" and "gettextize" scripts to create or overwrite another user's files. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CVE-2004-0966 to this issue.

All users of gettext should upgrade to this updated package, which includes a patch to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gettext-0.11.4-7.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gettext-0.11.4-7.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gettext-0.12.1-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gettext-0.12.1-1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gettext-0.14.1-2.1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/gettext-0.14.1-2.1.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name

7b6dee52052cf366ae9d78f42d2266045992e8b2 redhat/9/updates/i386/gettext-0.11.4-7.2.legacy.i386.rpm
ccb4260c2f1d4778bf1190bd6d96950c361b8131 redhat/9/updates/SRPMS/gettext-0.11.4-7.2.legacy.src.rpm

7b29432779dcbbb183b98fb5c60208366346ea93 fedora/1/updates/i386/gettext-0.12.1-1.2.legacy.i386.rpm
22bc34eef7d35bad85cf013381187660a4a68c8d fedora/1/updates/SRPMS/gettext-0.12.1-1.2.legacy.src.rpm

7851e6bb612ae72e3fae9870ca160d2a96e7123b fedora/2/updates/i386/gettext-0.14.1-2.1.2.legacy.i386.rpm
6c972dcef9866f7e53ba6855478078f8f24684d0 fedora/2/updates/SRPMS/gettext-0.14.1-2.1.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

Fedora Legacy Update Advisory

Synopsis: Updated htdig packages fix security issues
Advisory ID: FLSA:152907
Issue date: 2006-01-09
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-0085

1. Topic:

Updated htdig packages that fix a security bug are now available.

The ht://Dig system is a Web search and indexing system for a small domain or intranet.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A cross-site scripting bug has been found in htdig. This issue could allow an attacker to send a carefully crafted message, which could result in causing the victim's machine to execute a malicious script. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0085 to this issue.

All users of htdig should upgrade to these updated packages, which include a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152907

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/htdig-3.2.0-2.011302.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/htdig-3.2.0-2.011302.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/htdig-web-3.2.0-2.011302.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/htdig-3.2.0-16.20021103.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/htdig-3.2.0-16.20021103.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/htdig-web-3.2.0-16.20021103.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/htdig-3.2.0-19.20030601.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/htdig-3.2.0-19.20030601.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/htdig-web-3.2.0-19.20030601.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/htdig-3.2.0b5-7.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/htdig-3.2.0b5-7.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/htdig-web-3.2.0b5-7.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name

9f2c2108c62a38698946a3d054a02318115575db redhat/7.3/updates/i386/htdig-3.2.0-2.011302.3.legacy.i386.rpm
2f7355e1dac9e1f0af4de0ba4c57707afe253ef0 redhat/7.3/updates/i386/htdig-web-3.2.0-2.011302.3.legacy.i386.rpm
e76b1a954834c707a05d323e1910165c204edc21 redhat/7.3/updates/SRPMS/htdig-3.2.0-2.011302.3.legacy.src.rpm

a660dbbc2839b32b186bb121e972a553586286fa redhat/9/updates/i386/htdig-3.2.0-16.20021103.3.legacy.i386.rpm
f6904537f1da733bf209d20d28b295dcc7d69b99 redhat/9/updates/i386/htdig-web-3.2.0-16.20021103.3.legacy.i386.rpm
37c36aefd9331dc327e24e2fa040399be0b80601 redhat/9/updates/SRPMS/htdig-3.2.0-16.20021103.3.legacy.src.rpm

7478d40f0bae9370d5ab262fe916c41944776adf fedora/1/updates/i386/htdig-3.2.0-19.20030601.2.legacy.i386.rpm
8df233b896f4a139ad123a5465c3d3816da27623 fedora/1/updates/i386/htdig-web-3.2.0-19.20030601.2.legacy.i386.rpm
908e27f80a740632f88bfba330c356b68c76c429 fedora/1/updates/SRPMS/htdig-3.2.0-19.20030601.2.legacy.src.rpm

7b03742a875fb2964b294a1e35d690539a097204 fedora/2/updates/i386/htdig-3.2.0b5-7.2.legacy.i386.rpm
5f590cad676cc7dae81a24d5b02c55cae3ebe603 fedora/2/updates/i386/htdig-web-3.2.0b5-7.2.legacy.i386.rpm
31ab214325ff0fadfa3a2f0d385e16b8de24aed9 fedora/2/updates/SRPMS/htdig-3.2.0b5-7.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0085

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200601-02

http://security.gentoo.org/

Severity: Normal
Title: KPdf, KWord: Multiple overflows in included Xpdf code
Date: January 04, 2006
Bugs: #114429, #115851
ID: 200601-02

Synopsis

KPdf and KWord both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code.

Background

KPdf is a KDE-based PDF viewer included in the kdegraphics package. KWord is a KDE-based word processor also included in the koffice package.

Affected packages

Package / Vulnerable / Unaffected

1 kde-base/kdegraphics < 3.4.3-r3 >= 3.4.3-r3 2 kde-base/kpdf < 3.4.3-r3 >= 3.4.3-r3 3 app-office/koffice < 1.4.2-r6 >= 1.4.2-r6 4 app-office/kword < 1.4.2-r6 >= 1.4.2-r6 ------------------------------------------------------------------- 4 affected packages on all of their supported architectures.

Description

KPdf and KWord both include Xpdf code to handle PDF files. This Xpdf code is vulnerable to several heap overflows (GLSA 200512-08) as well as several buffer and integer overflows discovered by Chris Evans.

Impact

An attacker could entice a user to open a specially crafted PDF file with Kpdf or KWord, potentially resulting in the execution of arbitrary code with the rights of the user running the affected application.

Workaround

There is no known workaround at this time.

Resolution

All kdegraphics users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.4.3-r3"

All Kpdf users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.4.3-r3"

All KOffice users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-office/koffice-1.4.2-r6"

All KWord users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-office/kword-1.4.2-r6"

References

[ 1 ] CAN-2005-3191

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3191

[ 2 ] CAN-2005-3192

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3192

[ 3 ] CAN-2005-3193

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3193

[ 4 ] CVE-2005-3624

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624

[ 5 ] CVE-2005-3625

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625

[ 6 ] CVE-2005-3626

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626

[ 7 ] CVE-2005-3627

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627

[ 8 ] GLSA 200512-08

http://www.gentoo.org/security/en/glsa/glsa-200512-08.xml

[ 9 ] KDE Security Advisory: kpdf/xpdf multiple integer overflows

http://www.kde.org/info/security/advisory-20051207-2.txt

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200601-02.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Linux Security Advisory GLSA 200601-03

http://security.gentoo.org/

Severity: High
Title: HylaFAX: Multiple vulnerabilities
Date: January 06, 2006
Bugs: #116389
ID: 200601-03

Synopsis

HylaFAX is vulnerable to arbitrary code execution and unauthorized access vulnerabilities.

Background

HylaFAX is an enterprise-class system for sending and receiving facsimile messages and for sending alpha-numeric pages.

Affected packages


     Package           /  Vulnerable  /                     Unaffected

  1  net-misc/hylafax     < 4.2.3-r1                       >= 4.2.3-r1

Description

Patrice Fournier discovered that HylaFAX runs the notify script on untrusted user input. Furthermore, users can log in without a password when HylaFAX is installed with the pam USE-flag disabled.

Impact

An attacker could exploit the input validation vulnerability to run arbitrary code as the user running HylaFAX, which is usually uucp. The password vulnerability could be exploited to log in without proper user credentials.

Workaround

There is no known workaround at this time.

Resolution

All HylaFAX users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/hylafax-4.2.3-r1"

References

[ 1 ] CVE-2005-3538

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3538

[ 2 ] CVE-2005-3539

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3539

[ 3 ] HylaFAX release announcement

http://www.hylafax.org/content/HylaFAX_4.2.4_release

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200601-03.xml

Concerns?

License

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Linux Security Advisory GLSA 200601-04

http://security.gentoo.org/

Severity: High
Title: VMware Workstation: Vulnerability in NAT networking
Date: January 07, 2006
Bugs: #116238
ID: 200601-04

Synopsis

VMware guest operating systems can execute arbitrary code with elevated privileges on the host operating system through a flaw in NAT networking.

Background

VMware Workstation is a powerful virtual machine for developers and system administrators.

Affected packages

Package / Vulnerable / Unaffected

1 vmware-workstation < 5.5.1.19175 >= 5.5.1.19175 *>= 4.5.3.19414

Description

Tim Shelton discovered that vmnet-natd, the host module providing NAT-style networking for VMware guest operating systems, is unable to process incorrect 'EPRT' and 'PORT' FTP requests.

Impact

Malicious guest operating systems using the NAT networking feature or local VMware Workstation users could exploit this vulnerability to execute arbitrary code on the host system with elevated privileges.

Workaround

Disable the NAT service by following the instructions at http://www.vmware.com/support/kb, Answer ID 2002.

Resolution

All VMware Workstation users should upgrade to a fixed version:

    # emerge --sync
    # emerge --ask --oneshot --verbose app-emulation/vmware-workstation

References

[ 1 ] CVE-2005-4459

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4459

[ 2 ] VMware Security Response

http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2000

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200601-04.xml

Concerns?

License

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Mandriva Linux

Mandriva Linux Security Advisory MDKSA-2006:003
http://www.mandriva.com/security/

Package : poppler
Date : January 5, 2006
Affected: 2006.0

Problem Description:

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

Heap-based buffer overflow in the StreamPredictor function in Xpdf 3.01 allows remote attackers to execute arbitrary code via a PDF file with an out-of-range numComps (number of components) field. (CVE-2005-3192)

Heap-based buffer overflow in the JPXStream::readCodestream function in the JPX stream parsing code (JPXStream.c) for xpdf 3.01 and earlier allows user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with large size values that cause insufficient memory to be allocated. (CVE-2005-3193)

An additional patch re-addresses memory allocation routines in goo/gmem.c (Martin Pitt/Canonical, Dirk Mueller/KDE).

In addition, Chris Evans discovered several other vulnerbilities in the xpdf code base:

Out-of-bounds heap accesses with large or negative parameters to "FlateDecode" stream. (CVE-2005-3192)

Out-of-bounds heap accesses with large or negative parameters to "CCITTFaxDecode" stream. (CVE-2005-3624)

Infinite CPU spins in various places when stream ends unexpectedly. (CVE-2005-3625)

NULL pointer crash in the "FlateDecode" stream. (CVE-2005-3626)

Overflows of compInfo array in "DCTDecode" stream. (CVE-2005-3627)

Possible to use index past end of array in "DCTDecode" stream. (CVE-2005-3627)

Possible out-of-bounds indexing trouble in "DCTDecode" stream. (CVE-2005-3627)

Poppler uses an embedded copy of the xpdf code, with the same vulnerabilities.

The updated packages have been patched to correct these problems.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627

Updated Packages:

Mandriva Linux 2006.0:
eed45eed8ae99ca240c873c03a5cbf40 2006.0/RPMS/libpoppler0-0.4.1-3.1.20060mdk.i586.rpm
8af1cf9763672dd33d2211958a8171ba 2006.0/RPMS/libpoppler0-devel-0.4.1-3.1.20060mdk.i586.rpm
867596ef4e09751ed3d4e1e7a4e640da 2006.0/RPMS/libpoppler-qt0-0.4.1-3.1.20060mdk.i586.rpm
fd4736b863ce01d20bd6d2ae1228417a 2006.0/RPMS/libpoppler-qt0-devel-0.4.1-3.1.20060mdk.i586.rpm
c40f77c8b63d7af311801ab97ef8f72e 2006.0/SRPMS/poppler-0.4.1-3.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
d4dc20ee3d3cc10d39c3b9a05214ca7c x86_64/2006.0/RPMS/lib64poppler0-0.4.1-3.1.20060mdk.x86_64.rpm
0e577cbd784f733c54369cc153777978 x86_64/2006.0/RPMS/lib64poppler0-devel-0.4.1-3.1.20060mdk.x86_64.rpm
7145106c6988a8b99a0622265cc5b24a x86_64/2006.0/RPMS/lib64poppler-qt0-0.4.1-3.1.20060mdk.x86_64.rpm
913bb80df9cc19fe5948b23633915529 x86_64/2006.0/RPMS/lib64poppler-qt0-devel-0.4.1-3.1.20060mdk.x86_64.rpm
c40f77c8b63d7af311801ab97ef8f72e x86_64/2006.0/SRPMS/poppler-0.4.1-3.1.20060mdk.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

Mandriva Linux Security Advisory MDKSA-2006:004
http://www.mandriva.com/security/

Package : pdftohtml
Date : January 5, 2006
Affected: 2006.0