Linux Today: Linux News On Internet Time.
Advisories, May 29, 2006

May 30, 2006, 04:45

This holiday weekend's security advisories: awstats, lynx, lynx-ssl, tiff, mysql-dfsg, dovecot, libextractor, kernel-image-2.4.17-hppa, kernel-image-2.4.17-ia64, kernel-image-2.4.17-s390, kernel-patch-2.4.17-apus, kernel-patch-2.4.17-mips, kernel-patch-2.4.17-s390, and kernel-source-2.4.17 (Debian GNU/Linux); mpg123 (Mandriva Linux); kernel and quagga (Trustix Secure Linux); and nagios, postgresql-7.4/-8.0, postgresql, psycopg, and python-pgsql (Ubuntu Linux).

Debian GNU/Linux


Debian Security Advisory DSA 1075-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 26th, 2006 http://www.debian.org/security/faq


Package : awstats
Vulnerability : programming error
Problem type : remote
Debian-specific: no
Debian Bug : 365910

Hendrik Weimer discovered that awstats can execute arbitrary commands under the user id the web-server runs when users are allowed to supply arbitrary configuration files. Even though this bug was referenced in DSA 1058 accidentally, it was not fixed yet.

The new default behaviour is not to accept arbitrary configuration directories from the user. This can be overwritten by the AWSTATS_ENABLE_CONFIG_DIR environment variable when users are to be trusted.

The old stable distribution (woody) does not seem to be affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 6.4-1sarge3.

For the unstable distribution (sid) this problem has been fixed in version 6.5-2.

We recommend that you upgrade your awstats package.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge3.dsc
      Size/MD5 checksum: 589 c89ec8be4c06c290950e1da615b4e215
    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge3.diff.gz
      Size/MD5 checksum: 19145 fb59598c0a1ddd970c48bed857c0b364
    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4.orig.tar.gz
      Size/MD5 checksum: 918435 056e6fb0c7351b17fe5bbbe0aa1297b1

Architecture independent components:

    http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge3_all.deb
      Size/MD5 checksum: 728706 395a9e5acb69dcc50da9cf88ed9a89da

These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 1076-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 26th, 2006 http://www.debian.org/security/faq


Package : lynx
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2004-1617
BugTraq ID : 11443
Debian Bug : 296340

Michal Zalewski discovered that lynx, the popular text-mode WWW Browser, is not able to grok invalid HTML including a TEXTAREA tag with a large COLS value and a large tag name in an element that is not terminated, and loops forever trying to render the broken HTML.

For the old stable distribution (woody) this problem has been fixed in version 2.8.4.1b-3.4.

For the stable distribution (sarge) this problem has been fixed in version 2.8.5-2sarge2.

For the unstable distribution (sid) this problem has been fixed in version 2.8.5-2sarge2.

We recommend that you upgrade your lynx package.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody



Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 1077-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 26th, 2006 http://www.debian.org/security/faq


Package : lynx-ssl
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2004-1617
BugTraq ID : 11443
Debian Bug : 296340

Michal Zalewski discovered that lynx, the popular text-mode WWW Browser, is not able to grok invalid HTML including a TEXTAREA tag with a large COLS value and a large tag name in an element that is not terminated, and loops forever trying to render the broken HTML. The same code is present in lynx-ssl.

For the old stable distribution (woody) this problem has been fixed in version 2.8.4.1b-3.3.

The stable distribution (sarge) does not contain lynx-ssl packages anymore.

The unstable distribution (sid) does not contain lynx-ssl packages anymore.

We recommend that you upgrade your lynx-ssl package.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody



These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 1078-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 27th, 2006 http://www.debian.org/security/faq


Package : tiff
Vulnerability : out-of-bounds read
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2006-2120
BugTraq ID : 17809
Debian Bug : 366588

Andrey Kiselev discovered a problem in the TIFF library that may allow an attacker with a specially crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values to crash the library and hence the surrounding application.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 3.7.2-4.

The unstable distribution (sid) is not affected by this problem.

We recommend that you upgrade your tiff packages and restart the programs using it.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 1079-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 29th, 2006 http://www.debian.org/security/faq


Package : mysql-dfsg
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518
CERT advisory : VU#602457
BugTraq IDs : 16850 17780
Debian Bugs : 366044 366049 366163

Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems:

CVE-2006-0903

Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms.

CVE-2006-1516

Usernames without a trailing null byte allow remote attackers to read portions of memory.

CVE-2006-1517

A request with an incorrect packet length allows remote attackers to obtain sensitive information.

CVE-2006-1518

Specially crafted request packets with invalid length values allow the execution of arbitrary code.

The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed:

                   woody          sarge              sid
mysql              3.23.49-8.15   n/a                n/a
mysql-dfsg         n/a            4.0.24-10sarge2    n/a
mysql-dfsg-4.1     n/a            4.1.11a-4sarge3    n/a
mysql-dfsg-5.0     n/a            n/a                5.0.21-3

We recommend that you upgrade your mysql packages.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

