Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


Advisories, May 15, 2006

May 16, 2006, 04:45 (0 Talkback[s])

Debian GNU/Linux


Debian Security Advisory DSA 1056-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 15th, 2006 http://www.debian.org/security/faq


Package : webcalendar
Vulnerability : verbose error message
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-2247
Debian Bug : 366927

David Maciejak noticed that webcalendar, a PHP-Based multi-user calendar, returns different error messages on login attempts for an invalid password and a non-existing user, allowing remote attackers to gain information about valid usernames.

The old stable distribution (woody) does not contain a webcalendar package

For the stable distribution (sarge) this problem has been fixed in version 0.9.45-4sarge4.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your webcalendar package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge4.dsc
      Size/MD5 checksum: 610 1a88e45355b0ca1a474eba42ac6c8eb4
    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge4.diff.gz
      Size/MD5 checksum: 12135 a518268d52b8a4744dd31ae9a7b60d0c
    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45.orig.tar.gz
      Size/MD5 checksum: 612360 a6a66dc54cd293429b604fe6da7633a6

Architecture independent components:

    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge4_all.deb
      Size/MD5 checksum: 629232 c83c6d64bf495a79cc6fad26b68708e0

These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 1057-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 15th, 2006 http://www.debian.org/security/faq


Package : phpldapadmin
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-2016
BugTraq ID : 17643
Debian Bug : 365313

Several cross-site scripting vulnerabilities have been discovered in phpLDAPadmin, a web based interface for administering LDAP servers, tha allows remote attackers to inject arbitrary web script or HTML.

The old stable distribution (woody) does not contain phpldapadmin packages.

For the stable distribution (sarge) these problems have been fixed in version 0.9.5-3sarge3.

For the unstable distribution (sid) these problems have been fixed in version 0.9.8.3-1.

We recommend that you upgrade your phpldapadmin package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5-3sarge3.dsc
      Size/MD5 checksum: 619 0889400f9f965c338dff4c547ea046cd
    http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5-3sarge3.diff.gz
      Size/MD5 checksum: 12460 212a8a58288ba85121a0cd3ec86dc284
    http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5.orig.tar.gz
      Size/MD5 checksum: 617707 fb0669d4c4b88573875555aef2630de8

Architecture independent components:

    http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5-3sarge3_all.deb
      Size/MD5 checksum: 617970 3bb8628eb5ba813c653fe74d56520273

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Ubuntu Linux


Ubuntu Security Notice USN-274-2 May 15, 2006
mysql-dfsg vulnerability
CVE-2006-0903

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

mysql-server

The problem can be corrected by upgrading the affected package to version 4.0.23-3ubuntu2.4 (for Ubuntu 5.04), or 4.0.24-10ubuntu2.3 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-274-1 fixed a logging bypass in the MySQL server. Unfortunately it was determined that the original update was not sufficient to completely fix the vulnerability, thus another update is necessary. We apologize for the inconvenience.

For reference, these are the details of the original USN:

A logging bypass was discovered in the MySQL query parser. A local attacker could exploit this by inserting NUL characters into query strings (even into comments), which would cause the query to be logged incompletely.

This only affects you if you enabled the 'log' parameter in the MySQL configuration.

Updated packages for Ubuntu 5.04:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.23-3ubuntu2.4.diff.gz
      Size/MD5: 347218 5bf62963f2439449d17429b974dc954e
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.23-3ubuntu2.4.dsc
      Size/MD5: 891 cf807937ea7cb09d1717c562c355e2cd
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.23.orig.tar.gz
      Size/MD5: 9814467 5eec8f66ed48c6ff92e73161651a492b

Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-common_4.0.23-3ubuntu2.4_all.deb
      Size/MD5: 32366 1a3bd9d864cae3bfa1987f859b5624aa

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.23-3ubuntu2.4_amd64.deb
      Size/MD5: 2867226 cee7c90e2a0fd2ab3d17ba1b25b74f0d
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.23-3ubuntu2.4_amd64.deb
      Size/MD5: 307670 e7fea674e9dcad07d491e70f80aefa77
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.23-3ubuntu2.4_amd64.deb
      Size/MD5: 431800 6b87ceedfa25337da77b1cb0f461526e
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.23-3ubuntu2.4_amd64.deb
      Size/MD5: 3629366 3ae34465083080e3bf9d620f8cb8cb02

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.23-3ubuntu2.4_i386.deb
      Size/MD5: 2827210 8efa7c02567c9728cd915d3c40e5a197
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.23-3ubuntu2.4_i386.deb
      Size/MD5: 290266 d922e809d77b6b5dc3b4ed0b60aab4ca
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.23-3ubuntu2.4_i386.deb
      Size/MD5: 405024 b44e2e31c97d7e53fe0c165c8857dae2
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.23-3ubuntu2.4_i386.deb
      Size/MD5: 3538020 3b77c2725479cf9167f0015ab6c84217

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.23-3ubuntu2.4_powerpc.deb
      Size/MD5: 3181320 b9a3a84b59e90cebc93f0a19cc63c9ef
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.23-3ubuntu2.4_powerpc.deb
      Size/MD5: 313258 cbcdd0d05906c05ff730b1b75d04c860
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.23-3ubuntu2.4_powerpc.deb
      Size/MD5: 462556 3b7b56ceb6c3698ab404080a0692f5ec
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.23-3ubuntu2.4_powerpc.deb
      Size/MD5: 3840116 63049c52217853f785162ba6d54f133d

Updated packages for Ubuntu 5.10:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10ubuntu2.3.diff.gz
      Size/MD5: 99812 d274d44f9970d8b2489f2a70b033f77a
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10ubuntu2.3.dsc
      Size/MD5: 966 2f2a9b55283f1d634dce18e558d92ba3
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24.orig.tar.gz
      Size/MD5: 9923794 aed8f335795a359f32492159e3edfaa3

Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-common_4.0.24-10ubuntu2.3_all.deb
      Size/MD5: 35028 a2a4b01f8de78f0489b2fb1563cb5f7a

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10ubuntu2.3_amd64.deb
      Size/MD5: 3232638 40620811f457a1bc647683d69dabed50
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10ubuntu2.3_amd64.deb
      Size/MD5: 308672 f67209b5f82fe1db0a8aaf2089775249
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.24-10ubuntu2.3_amd64.deb
      Size/MD5: 439872 29286727ed489fca96b7357b31654472
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.24-10ubuntu2.3_amd64.deb
      Size/MD5: 3922314 78937781a11bf5746e8bf097f2779d2e

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10ubuntu2.3_i386.deb
      Size/MD5: 2869396 6e99c974cb0355a5e38d3ad5ac5efc07
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10ubuntu2.3_i386.deb
      Size/MD5: 292406 09616be33817ad7f18b9cf51fe113ff4
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.24-10ubuntu2.3_i386.deb
      Size/MD5: 413836 6e183f2233ce7ce06debad5c859ba0f5
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.24-10ubuntu2.3_i386.deb
      Size/MD5: 3556146 b3baed5ddbe9fb739dd99b7849016e5e

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10ubuntu2.3_powerpc.deb
      Size/MD5: 3091448 0396a05bb982ca252035a11c2c05bae7
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.24-10ubuntu2.3_powerpc.deb
      Size/MD5: 306534 0acfdb89ce0e89142f97ccf9a35ed37a
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.24-10ubuntu2.3_powerpc.deb
      Size/MD5: 453810 d5e519305ce715c0092e943331d0e6ce
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.24-10ubuntu2.3_powerpc.deb
      Size/MD5: 3665140 272c761ae9f0c232444c7701a65a98c9


Ubuntu Security Notice USN-284-1 May 15, 2006
quagga vulnerabilities
CVE-2006-2223, CVE-2006-2224, CVE-2006-2276

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

quagga

The problem can be corrected by upgrading the affected package to version 0.97.3-1ubuntu1.1 (for Ubuntu 5.04), or 0.99.1-1ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Paul Jakma discovered that Quagga's ripd daemon did not properly handle authentication of RIPv1 requests. If the RIPv1 protocol had been disabled, or authentication for RIPv2 had been enabled, ripd still replied to RIPv1 requests, which could lead to information disclosure. (CVE-2006-2223)

Paul Jakma also noticed that ripd accepted unauthenticated RIPv1 response packets if RIPv2 was configured to require authentication and both protocols were allowed. A remote attacker could exploit this to inject arbitrary routes. (CVE-2006-2224)

Fredrik Widell discovered that Quagga did not properly handle certain invalid 'sh ip bgp' commands. By sending special commands to Quagga, a remote attacker with telnet access to the Quagga server could exploit this to trigger an endless loop in the daemon (Denial of Service). (CVE-2006-2276)

Updated packages for Ubuntu 5.04:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1.diff.gz
      Size/MD5: 38413 eda4c03884896ba450f16ee70f8c082a
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1.dsc
      Size/MD5: 714 22a7196923c807617fcd995c01c340b1
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3.orig.tar.gz
      Size/MD5: 1964834 9015a5c61b22dc4e51b07fdc9bdadfd1

Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.97.3-1ubuntu1.1_all.deb
      Size/MD5: 477692 15527f6d3580a5327a31a6244cfc78f7

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1_amd64.deb
      Size/MD5: 1345612 75b7044e62475f2b4b6bf4a2c682f681

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1_i386.deb
      Size/MD5: 1124086 9ff534e9d6a717b340d448b486f5a8de

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1_powerpc.deb
      Size/MD5: 1245250 acaa9feaf12f20e42407d25103b698bd

Updated packages for Ubuntu 5.10:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.1-1ubuntu1.1.diff.gz
      Size/MD5: 27760 5577e4835dca7dce5d857ca843c43358
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.1-1ubuntu1.1.dsc
      Size/MD5: 722 f2690f9ed75e966362870c591e4e5a72
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.1.orig.tar.gz
      Size/MD5: 2107583 afd8c23a32050be76e55c28ec9dcff73

Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.1-1ubuntu1.1_all.deb
      Size/MD5: 580362 af8e02b1ef292dc9e883a24b644d3e3f

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.1-1ubuntu1.1_amd64.deb
      Size/MD5: 1418614 6d36f2bc13d16f87d8bed040dfdfcc0d

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.1-1ubuntu1.1_i386.deb
      Size/MD5: 1204568 39d90181e76908dabf23d4bee37c220e