Advisories, March 27, 2006
Mar 28, 2006, 04:45

Debian GNU/Linux

Debian Security Advisory DSA 1020-1                    security@debian.org
Package        : flex

Chris Moore discovered that flex, a scanner generator, generates code that allocates insufficient memory if the grammar contains REJECT statements or trailing context rules. This may lead to a buffer overflow and the execution of arbitrary code.

If you use code derived from a vulnerable lex grammar in an untrusted environment, you need to regenerate your scanner with the fixed version of flex.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 2.5.31-31sarge1.

For the unstable distribution (sid) this problem has been fixed in version 2.5.33-1.

We recommend that you upgrade your flex package.

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge

  Source archives:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1.dsc

  Architecture independent components:
    http://security.debian.org/pool/updates/main/f/flex/flex-doc_2.5.31-31sarge1_all.deb

  Alpha architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_alpha.deb

  AMD64 architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_amd64.deb

  ARM architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_arm.deb

  Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_i386.deb

  Intel IA-64 architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_ia64.deb

  HP Precision architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_hppa.deb

  Motorola 680x0 architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_m68k.deb

  Big endian MIPS architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_mips.deb

  Little endian MIPS architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_mipsel.deb

  PowerPC architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_powerpc.deb

  IBM S/390 architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_s390.deb

  Sun Sparc architecture:
    http://security.debian.org/pool/updates/main/f/flex/flex_2.5.31-31sarge1_sparc.deb

These files will probably be moved into the stable distribution on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200603-24
Severity: Normal

Synopsis
RealPlayer is vulnerable to a buffer overflow that could lead to remote execution of arbitrary code.

Background
RealPlayer is a multimedia player capable of handling multiple multimedia file formats.

Affected packages
    -------------------------------------------------------------------
     Package                  /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  media-video/realplayer         < 10.0.7                  >= 10.0.7

Description
RealPlayer is vulnerable to a buffer overflow when processing malicious SWF files.

Impact
By enticing a user to open a specially crafted SWF file, an attacker could execute arbitrary code with the permissions of the user running the application.

Workaround
There is no known workaround at this time.

Resolution
All RealPlayer users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.7"
References
  [ 1 ] CVE-2006-0323
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0323
  [ 2 ] RealNetworks Advisory
        http://service.real.com/realplayer/security/03162006_player/en/

Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200603-24.xml

Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or, alternatively, you may file a bug at http://bugs.gentoo.org.

License
Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0

Gentoo Linux Security Advisory GLSA 200603-25
Severity: Normal

Synopsis
OpenOffice.org contains a vulnerable version of libcurl that may cause a heap overflow when parsing URLs.

Background
OpenOffice.org is an office productivity suite, including word processing, spreadsheet, presentation, data charting, formula editing and file conversion facilities. libcurl, which is included in OpenOffice.org, is a free and easy-to-use client-side library for transferring files with URL syntaxes, supporting numerous protocols.

Affected packages
    -------------------------------------------------------------------
     Package                   /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  app-office/openoffice-bin         < 2.0.2                >= 2.0.2
  2  app-office/openoffice          < 2.0.1-r1             >= 2.0.1-r1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
OpenOffice.org includes libcurl code. This libcurl code is vulnerable to a heap overflow when it tries to parse a URL that exceeds a 256-byte limit (GLSA 200512-09).

Impact
An attacker could entice a user to call a specially crafted URL with OpenOffice.org, potentially resulting in the execution of arbitrary code with the rights of the user running the application.

Workaround
There is no known workaround at this time.

Resolution
All OpenOffice.org binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.0.2"
All OpenOffice.org users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/openoffice-2.0.1-r1"
References
  [ 1 ] CVE-2005-4077
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4077
  [ 2 ] Hardened-PHP Advisory 24/2005
        http://www.hardened-php.net/advisory_242005.109.html
  [ 3 ] GLSA 200512-09
        http://www.gentoo.org/security/en/glsa/glsa-200512-09.xml

Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200603-25.xml

Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or, alternatively, you may file a bug at http://bugs.gentoo.org.

License
Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.