|
 |
Debian GNU/Linux
Debian Security Advisory DSA 1052-1 security@debian.org
Package : cgiirc Several buffer overflows have been discovered in cgiirc, a web-based IRC client, which could be exploited to execute arbitrary code. The old stable distribution (woody) does not contain cgiirc packages. For the stable distribution (sarge) these problems have been fixed in version 0.5.4-6sarge1. For the unstable distribution (sid) these problems have been fixed in version 0.5.4-6sarge1. We recommend that you upgrade your cgiirc package. Upgrade Instructions wget url
will fetch the file for you will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge Source archives:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1.dsc Alpha architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_alpha.deb AMD64 architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_amd64.deb ARM architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_arm.deb Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_i386.deb Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_ia64.deb HP Precision architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_hppa.deb Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_m68k.deb Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_mips.deb Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_mipsel.deb PowerPC architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_powerpc.deb IBM S/390 architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_s390.deb Sun Sparc architecture:
http://security.debian.org/pool/updates/main/c/cgiirc/cgiirc_0.5.4-6sarge1_sparc.deb These files will probably be moved into the stable distribution on its next update. For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> Gentoo LinuxGentoo Linux Security Advisory GLSA 200605-07
Severity: High SynopsisNagios is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code. BackgroundNagios is an open source host, service and network monitoring program. Affected packages
DescriptionSebastian Krahmer of the SuSE security team discovered a buffer overflow vulnerability in the handling of a negative HTTP Content-Length header. ImpactA buffer overflow in Nagios CGI scripts under certain web servers allows remote attackers to execute arbitrary code via a negative content length HTTP header. WorkaroundThere is no known workaround at this time. ResolutionAll Nagios users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-1.4"
References[ 1 ] CVE-2006-2162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2162 AvailabilityThis GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200605-07.xml Concerns?Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. LicenseCopyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 Gentoo Linux Security Advisory GLSA 200605-08
Severity: High SynopsisPHP is affected by multiple issues, including a buffer overflow in wordwrap() which may lead to execution of arbitrary code. BackgroundPHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Affected packages
DescriptionSeveral vulnerabilities were discovered on PHP4 and PHP5 by Infigo, Tonu Samuel and Maksymilian Arciemowicz. These included a buffer overflow in the wordwrap() function, restriction bypasses in the copy() and tempname() functions, a cross-site scripting issue in the phpinfo() function, a potential crash in the substr_compare() function and a memory leak in the non-binary-safe html_entity_decode() function. ImpactRemote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak. WorkaroundThere is no known workaround at this point. ResolutionAll PHP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.1.4"
PHP4 users that wish to keep that version line should upgrade to the latest 4.x version:
# emerge --sync
# emerge --ask --oneshot --verbose =dev-lang/php-4.4.2-r2
References[ 1 ] CVE-2006-0996 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0996 [ 2 ] CVE-2006-1490 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1490 [ 3 ] CVE-2006-1990 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1990 [ 4 ] CVE-2006-1991 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1991 AvailabilityThis GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200605-08.xml Concerns?Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. LicenseCopyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 Gentoo Linux Security Advisory GLSA 200605-09
Severity: Normal SynopsisSeveral vulnerabilities in Mozilla Thunderbird allow attacks ranging from script execution with elevated privileges to information leaks. BackgroundMozilla Thunderbird is the next-generation mail client from the Mozilla project. Affected packages
DescriptionSeveral vulnerabilities were found and fixed in Mozilla Thunderbird. ImpactA remote attacker could craft malicious emails that would leverage these issues to inject and execute arbitrary script code with elevated privileges, steal local files or other information from emails, and spoof content. Some of these vulnerabilities might even be exploited to execute arbitrary code with the rights of the user running Thunderbird. WorkaroundThere are no known workarounds for all the issues at this time. ResolutionAll Mozilla Thunderbird users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.0.8"
All Mozilla Thunderbird binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.0.8"
Note: There is no stable fixed version for the ALPHA architecture yet. Users of Mozilla Thunderbird on ALPHA should consider unmerging it until such a version is available. References[ 1 ] CVE-2006-0292 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292 [ 2 ] CVE-2006-0296 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296 [ 3 ] CVE-2006-0748 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0748 [ 4 ] CVE-2006-0749 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749 [ 5 ] CVE-2006-0884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0884 [ 6 ] CVE-2006-1045 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1045 [ 7 ] CVE-2006-1727 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1727 [ 8 ] CVE-2006-1728 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1728 [ 9 ] CVE-2006-1730 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1730 [ 10 ] CVE-2006-1731 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1731 [ 11 ] CVE-2006-1732 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1732 [ 12 ] CVE-2006-1733 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1733 [ 13 ] CVE-2006-1734 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1734 [ 14 ] CVE-2006-1735 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1735 [ 15 ] CVE-2006-1737 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1737 [ 16 ] CVE-2006-1738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1738 [ 17 ] CVE-2006-1739 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1739 [ 18 ] CVE-2006-1741 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741 [ 19 ] CVE-2006-1742 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1742 [ 20 ] CVE-2006-1790 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1790 [ 21 ] Mozilla Foundation Security Advisories http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird AvailabilityThis GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200605-09.xml Concerns?Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. LicenseCopyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 Ubuntu LinuxUbuntu Security Notice USN-282-1 May 08, 2006 nagios vulnerability CVE-2006-2162 A security issue affects the following Ubuntu releases:
Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: nagios-common The problem can be corrected by upgrading the affected package to version 2:1.3-0+pre6ubuntu0.1 (for Ubuntu 5.04), or 2:1.3-cvs.20050402-4ubuntu3.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: The nagios CGI scripts did not sufficiently check the validity of the HTTP Content-Length attribute. By sending a specially crafted HTTP request with a negative Content-Length value to the Nagios server, a remote attacker could exploit this to execute arbitrary code with web server privileges. Please note that the Apache 2 web server already checks for valid Content-Length values, so installations using Apache 2 (the only web server officially supported in Ubuntu) are not vulnerable to this flaw. Updated packages for Ubuntu 5.04: Source archives:
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-0+pre6ubuntu0.1.diff.gz Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-common_1.3-0+pre6ubuntu0.1_all.deb amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-0+pre6ubuntu0.1_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-0+pre6ubuntu0.1_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-0+pre6ubuntu0.1_powerpc.deb Updated packages for Ubuntu 5.10: Source archives:
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios_1.3-cvs.20050402-4ubuntu3.1.diff.gz Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-common_1.3-cvs.20050402-4ubuntu3.1_all.deb amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-4ubuntu3.1_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-4ubuntu3.1_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/n/nagios/nagios-mysql_1.3-cvs.20050402-4ubuntu3.1_powerpc.deb Ubuntu Security Notice USN-283-1 May 08, 2006 mysql-dfsg-4.1, mysql-dfsg vulnerabilities CVE-2006-1516, CVE-2006-1517 A security issue affects the following Ubuntu releases:
Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected:
mysql-server The problem can be corrected by upgrading the affected package to version 4.0.23-3ubuntu2.3 (for Ubuntu 5.04), 4.0.24-10ubuntu2.2 (mysql-server for Ubuntu 5.10), or 4.1.12-1ubuntu3.3 (mysql-server-4.1 for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Stefano Di Paola discovered an information leak in the login packet parser. By sending a specially crafted malformed login packet, a remote attacker could exploit this to read a random piece of memory, which could potentially reveal sensitive data. (CVE-2006-1516) Stefano Di Paola also found a similar information leak in the parser for the COM_TABLE_DUMP request. (CVE-2006-1517) Updated packages for Ubuntu 5.04: Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.23-3ubuntu2.3.diff.gz Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-common_4.0.23-3ubuntu2.3_all.deb amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.23-3ubuntu2.3_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.23-3ubuntu2.3_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.23-3ubuntu2.3_powerpc.deb Updated packages for Ubuntu 5.10: Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.12-1ubuntu3.3.diff.gz Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.12-1ubuntu3.3_all.deb amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10ubuntu2.2_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10ubuntu2.2_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10ubuntu2.2_powerpc.deb  
|
 |
|
|
|
|
| All times are recorded in UTC. Linux is a trademark of Linus Torvalds. Powered by Linux, Apache and PHP |
