Debian GNU/Linux
Debian Security Advisory DSA 983-1 security@debian.org
Package : pdftohtml

Derek Noonburg has fixed several potential vulnerabilities in xpdf, which are also present in pdftohtml, a utility that translates PDF documents into HTML format.

The old stable distribution (woody) does not contain pdftohtml packages.

For the stable distribution (sarge) these problems have been fixed in version 0.36-11sarge2.

For the unstable distribution (sid) these problems have been fixed in version 0.36-12.

We recommend that you upgrade your gpdf package.

Upgrade Instructions

wget url
        will fetch the file for you

        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2.dsc

Alpha architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_alpha.deb

AMD64 architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_amd64.deb

ARM architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_arm.deb

Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_i386.deb

Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_ia64.deb

HP Precision architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_hppa.deb

Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_m68k.deb

Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_mips.deb

Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_mipsel.deb

PowerPC architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_powerpc.deb

IBM S/390 architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_s390.deb

Sun Sparc architecture:
http://security.debian.org/pool/updates/main/p/pdftohtml/pdftohtml_0.36-11sarge2_sparc.deb

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Legacy Update Advisory
Synopsis: Updated PostgreSQL packages fix security issues

1. Topic:

Updated postgresql packages that fix several security vulnerabilities and risks of data loss are now available.

PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions).

2. Relevant releases/architectures:

Red Hat Linux 9 - i386

3. Problem description:

The PostgreSQL community discovered two distinct errors in initial system catalog entries that could allow authorized database users to crash the database and possibly escalate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the names CVE-2005-1409 and CVE-2005-1410 to these issues.

Although installing this update will protect new (freshly initdb'd) database installations from these errors, administrators MUST TAKE MANUAL ACTION to repair the errors in pre-existing databases. The appropriate procedures are explained at http://www.postgresql.org/docs/8.0/static/release-7-4-8.html for Fedora Core 2 users, or

This update also includes fixes for several other errors, including two race conditions that could result in apparent data inconsistency or actual data loss.

All users of PostgreSQL are advised to upgrade to these updated packages and to apply the recommended manual corrections to existing databases.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157366

6. RPMs required:

Red Hat Linux 9:
SRPM:
i386:

Fedora Core 1:
SRPM:
i386:

Fedora Core 2:
SRPM:
i386:

7. Verification:

SHA1 sum                                  Package Name
88bf97be3530effdf1c7c3a779bfe7f80e7ea6be  redhat/9/updates/i386/postgresql-7.3.10-0.90.1.legacy.i386.rpm
de59e42459e24cd8846fbd6d765bc892d621a0dc  fedora/1/updates/i386/postgresql-7.3.10-1.1.legacy.i386.rpm
0046d088278b0c08740222a41ca511d0c0fa3d99  fedora/2/updates/i386/postgresql-7.4.8-1.FC2.1.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1409

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

Fedora Legacy Update Advisory
Synopsis: Updated udev packages fix a security issue

1. Topic:

Updated udev packages that fix a security issue are now available.

The udev package contains an implementation of devfs in userspace using sysfs and /sbin/hotplug.

2. Relevant releases/architectures:

Fedora Core 2 - i386

3. Problem description:

Richard Cunningham discovered a flaw in the way udev sets permissions on various files in /dev/input. It may be possible for an authenticated attacker to gather sensitive data entered by a user at the console, such as passwords. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3631 to this issue.

All users of udev should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175818

6. RPMs required:

Fedora Core 2:
SRPM:
i386:

Fedora Core 3:
SRPM:
i386:
x86_64:

7. Verification:

SHA1 sum                                  Package Name
d2b2850b4066a595a4d3c162e151dc27c5b43198  fedora/2/updates/i386/udev-024-6.2.legacy.i386.rpm
a2682a89f6fe03c2f2c2401caa511c299c1ae1cc  fedora/3/updates/i386/udev-039-10.FC3.9.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3631

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

Fedora Legacy Update Advisory
Synopsis: Updated mod_auth_pgsql package fixes security issue

1. Topic:

An updated mod_auth_pgsql package that fixes a format string flaw is now available.

The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database.

2. Relevant releases/architectures:

Fedora Core 1 - i386

3. Problem description:

Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue.

Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database.

All users of mod_auth_pgsql should upgrade to these updated packages, which contain a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177326

6. RPMs required:

Fedora Core 1:
SRPM:
i386:

Fedora Core 2:
SRPM:
i386:

7. Verification:

SHA1 sum                                  Package Name
e6ce19c8be5f4638e2050437c4529b0d4a0f5e1f  fedora/1/updates/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm
8f9c2503b417db84b73483e6daca445c4789e4e4  fedora/2/updates/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3656

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

Fedora Legacy Update Advisory
Synopsis: Updated auth_ldap package fixes security issue

1. Topic:

An updated auth_ldap package that fixes a format string security issue is now available for Red Hat Linux 7.3.

The auth_ldap package is an httpd module that allows user authentication against information stored in an LDAP database.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A format string flaw was found in the way auth_ldap logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if auth_ldap is used for user authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org/) assigned the name CVE-2006-0150 to this issue.

Note that this issue only affects servers that have auth_ldap installed and configured to perform user authentication against an LDAP database.

All users of auth_ldap should upgrade to this updated package, which contains a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177694

6. RPMs required:

Red Hat Linux 7.3:
i386:

7. Verification:

SHA1 sum                                  Package Name
38f70135bc17c313fecdb81f61e776ac032b796e  redhat/7.3/updates/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

Fedora Legacy Update Advisory
Synopsis: Updated gnutls packages fix a security issue

1. Topic:

Updated gnutls packages that fix a security issue are now available.

The GNU TLS Library provides support for cryptographic algorithms and protocols such as TLS. GNU TLS includes Libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

Several flaws were found in the way libtasn1 decodes DER. An attacker could create a carefully crafted invalid X.509 certificate in such a way that could trigger this flaw if parsed by an application that uses GNU TLS. This could lead to a denial of service (application crash). It is not certain if this issue could be escalated to allow arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0645 to this issue.

Users are advised to upgrade to these updated packages, which contain a backported patch from the GNU TLS maintainers to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181014

6. RPMs required:

Fedora Core 3:
SRPM:
i386:
x86_64:

7. Verification:

SHA1 sum                                  Package Name
87b93af583ea3abaa48337b0a8c71cba97a45410  fedora/3/updates/i386/gnutls-1.0.20-3.1.3.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0645

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org
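Each of the five Fedora Legacy advisories above closes with the same section 7 ("Verification"): a list of SHA1 sums and package names, the instruction to run sha1sum on each downloaded file, and rpm --checksig -v for the signature. The shell script below is an added example, not code from the advisories or from Fedora Legacy, that automates the hash comparison: it reads a manifest in the advisory's "hash  path" layout, checks every entry against a download directory and reports OK, FAILED or MISSING per file, returning non-zero if anything is off. The package files, their paths and their hashes in the demonstration part are constructed; in real use the advisory's own hash lines are pasted into the manifest. A matching SHA1 shows the downloaded file is the one the advisory lists, provided the advisory text itself arrived unaltered; the signature check with rpm --checksig is what ties a package to the Fedora Legacy signing key, so it is not a substitute for that step.

```shell
#!/bin/sh
# Added example (not from the Fedora Legacy advisories): check downloaded
# packages against the "SHA1 sum / Package Name" list of an advisory's
# Verification section.  Sample files, paths and hashes below are constructed.

set -u

# Print the SHA-1 of a file.  GNU coreutils ships sha1sum; BSD/macOS ship shasum.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST BASEDIR
#   MANIFEST holds one "<sha1>  <relative path>" entry per line, the layout the
#   advisories use.  Each entry is checked against BASEDIR/<path>.
#   Prints one status line per entry; returns 0 only if every file is present
#   and matches.
verify_manifest() {
    manifest=$1; base=$2; bad=0
    while read -r expected path; do
        # Skip blank lines and comments so a pasted advisory section is usable.
        case $expected in ''|'#'*) continue ;; esac
        if [ ! -f "$base/$path" ]; then
            printf 'MISSING  %s\n' "$path"; bad=1; continue
        fi
        actual=$(sha1_of "$base/$path")
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'FAILED   %s (expected %s, got %s)\n' "$path" "$expected" "$actual"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# --- Constructed demonstration data ------------------------------------------
# Stand-ins for downloaded RPMs: arbitrary bytes under advisory-style paths.
DEMO=$(mktemp -d) || exit 1
trap 'rm -rf "$DEMO"' EXIT
PKGDIR="$DEMO/fedora/3/updates/i386"
mkdir -p "$PKGDIR"
printf 'good package bytes\n'  > "$PKGDIR/gnutls-demo.i386.rpm"
printf 'other package bytes\n' > "$PKGDIR/udev-demo.i386.rpm"

# Build the manifest from the files as downloaded, add an entry for a file
# that was never fetched, then tamper with one file so all three outcomes
# (OK, FAILED, MISSING) appear.
MANIFEST="$DEMO/manifest.txt"
{
    printf '%s  fedora/3/updates/i386/gnutls-demo.i386.rpm\n' "$(sha1_of "$PKGDIR/gnutls-demo.i386.rpm")"
    printf '%s  fedora/3/updates/i386/udev-demo.i386.rpm\n'   "$(sha1_of "$PKGDIR/udev-demo.i386.rpm")"
    # Placeholder hash; the file is absent, so this value is never compared.
    printf '%s  fedora/3/updates/i386/never-downloaded.i386.rpm\n' "da39a3ee5e6b4b0d3255bfef95601890afd80709"
} > "$MANIFEST"
printf 'tampered bytes\n' > "$PKGDIR/udev-demo.i386.rpm"

verify_manifest "$MANIFEST" "$DEMO" || echo "verification FAILED: do not install these packages"
```

Run as written, the demonstration prints one OK line, one FAILED line with both hashes, one MISSING line and the final warning; with a manifest pasted from a real advisory and BASEDIR pointing at the download directory, a clean run prints only OK lines and exits 0.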
Mandriva Linux Security Advisory MDKSA-2006:049
Package : squirrelmail

Problem Description:

Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. (CVE-2006-0188)

Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. (CVE-2006-0195)

CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." (CVE-2006-0377)

Updated packages are patched to address these issues.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188

Updated Packages:

Corporate 3.0:
Corporate 3.0/X86_64:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
Mandriva Linux Security Advisory MDKSA-2005:050
Package : unzip

Problem Description:

A buffer overflow was found in how unzip handles file name arguments. If a user could be tricked into processing a specially crafted, excessively long file name with unzip, an attacker could execute arbitrary code with the user's privileges.

The updated packages have been patched to address this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4667

Updated Packages:

Mandriva Linux 10.2:
Mandriva Linux 10.2/X86_64:
Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
Corporate 3.0:
Corporate 3.0/X86_64:
Multi Network Firewall 2.0:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
Mandriva Linux Security Advisory MDKSA-2006:051
Package : gettext

Problem Description:

The Trustix developers discovered temporary file vulnerabilities in the autopoint and gettextize scripts, part of GNU gettext. These scripts insecurely created temporary files which could allow a malicious user to overwrite another user's files via a symlink attack.

The updated packages have been patched to address this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966

Updated Packages:

Corporate 3.0:
Corporate 3.0/X86_64:
Multi Network Firewall 2.0:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
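The gettext advisory above describes the classic temporary-file weakness in shell scripts: a scratch file is opened under a predictable name in a directory other users can write to, and a symlink already sitting at that name redirects the write onto a file the script's owner never intended to touch. The script below is an added example, not code from the advisory or from GNU gettext's autopoint or gettextize scripts; it places the weak pattern and the mktemp(1)-based fix side by side inside a private scratch directory that it creates itself, so nothing outside that directory is affected. All file names in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Mandriva advisory or from GNU gettext): the
# predictable-temporary-file pattern behind MDKSA-2006:051 next to the
# mktemp-based fix.  Everything lives in a private scratch directory created
# below, so a real /tmp is never touched.  All names are constructed.

set -u

# Private directory standing in for a shared /tmp (constructed, owned by us).
SCRATCH=$(mktemp -d) || exit 1
trap 'rm -rf "$SCRATCH"' EXIT

# Stand-in for a file belonging to another user that must not be overwritten.
VICTIM="$SCRATCH/victim.cfg"
ORIGINAL='important setting=1'
printf '%s\n' "$ORIGINAL" > "$VICTIM"

# The name the weak pattern picks: script name plus PID, trivially guessable.
PREDICTABLE="$SCRATCH/gettextize.$$"

# Weak pattern: open-for-write by name with no exclusive-create check.  If a
# symlink already sits at $PREDICTABLE, the redirection follows it and the
# write lands on the link's target with this script's privileges.
weak_tmpfile_write() {
    printf 'scratch data\n' > "$PREDICTABLE"
    printf '%s\n' "$PREDICTABLE"
}

# Fixed pattern: mktemp(1) creates the file itself with O_CREAT|O_EXCL and
# mode 0600 from an unpredictable template.  A pre-existing link or file at a
# candidate name is never opened; mktemp simply picks another name.
safe_tmpfile_write() {
    tmp=$(mktemp "$SCRATCH/gettextize.XXXXXX") || return 1
    printf 'scratch data\n' > "$tmp"
    printf '%s\n' "$tmp"
}

# Models the precondition of the problem: a symlink already present at the
# predictable name, pointing at the victim's file.
plant_symlink() {
    rm -f "$PREDICTABLE"
    ln -s "$VICTIM" "$PREDICTABLE"
}

# Returns 0 if the victim file still holds its original content.
victim_intact() {
    [ "$(cat "$VICTIM")" = "$ORIGINAL" ]
}

# Demonstration when run directly: the weak pattern clobbers the victim
# through the link, the mktemp pattern leaves it alone.
plant_symlink
weak_tmpfile_write >/dev/null
if victim_intact; then echo "weak pattern:   victim intact"
else                   echo "weak pattern:   victim overwritten through symlink"; fi
printf '%s\n' "$ORIGINAL" > "$VICTIM"        # restore before the second run
safe_tmpfile_write >/dev/null
if victim_intact; then echo "mktemp pattern: victim intact"
else                   echo "mktemp pattern: victim overwritten"; fi
```

The fix matters even when the script itself looks harmless: autopoint and gettextize are run by developers in their own accounts, and the overwritten file is whatever the planted link points at, so the damage is bounded only by the privileges of whoever runs the script. A template passed to mktemp should also live in a directory the script controls where possible; the unpredictable name is what defeats the link, the private directory is what removes the shared-directory exposure altogether.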