:Advisories, June 8, 2006
Advisories, June 8, 2006 0 Talkback[s]
Debian GNU/Linux
Debian Security Advisory DSA 1091-1 security@debian.org http://www.debian.org/security/ Martin Schulzehttp://www.debian.org/security/faq
Package : tiff
Several problems have been discovered in the TIFF library. The Common
Vulnerabilities and Exposures project identifies the following issues:
CVE-2006-2193
SuSE discovered a buffer overflow in the conversion of TIFF files
into PDF documents which could be exploited when tiff2pdf is used
e.g. in a printer filter.
CVE-2006-2656
The tiffsplit command from the TIFF library contains a buffer
overflow in the commandline handling which could be exploited when
the program is executed automatically on unknown filenames.
For the old stable distribution (woody) this problem has been fixed in
version 3.5.5-7woody2.
For the stable distribution (sarge) this problem has been fixed in
version 3.7.2-5.
For the unstable distribution (sid) this problem has been fixed in
version 3.8.2-4.
We recommend that you upgrade your tiff packages.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
Source archives:
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-7woody2.dsc http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-7woody2.diff.gz http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5.orig.tar.gz
Alpha architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_alpha.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_alpha.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_alpha.deb
ARM architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_arm.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_arm.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_i386.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_i386.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_ia64.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_ia64.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_hppa.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_hppa.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_m68k.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_m68k.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_mips.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_mips.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_mipsel.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_mipsel.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_powerpc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_powerpc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_s390.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_s390.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_sparc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_sparc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_sparc.deb
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-5.dsc http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-5.diff.gz http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz
Alpha architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_alpha.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_alpha.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_alpha.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_alpha.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_alpha.deb
AMD64 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_amd64.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_amd64.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_amd64.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_amd64.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_amd64.deb
ARM architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_arm.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_arm.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_arm.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_arm.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_i386.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_i386.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_i386.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_i386.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_ia64.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_ia64.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_ia64.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_ia64.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_hppa.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_hppa.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_hppa.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_hppa.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_m68k.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_m68k.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_m68k.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_m68k.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_mips.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_mips.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_mips.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_mips.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_mipsel.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_mipsel.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_mipsel.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_mipsel.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_powerpc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_powerpc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_powerpc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_powerpc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_s390.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_s390.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_s390.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_s390.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_sparc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_sparc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_sparc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_sparc.deb http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
Debian Security Advisory DSA 1092-1 security@debian.org http://www.debian.org/security/ Martin Schulzehttp://www.debian.org/security/faq
Package : mysql-dfsg-4.1
Josh Berkus and Tom Lane discovered that MySQL 4.1, a popular SQL
database, incorrectly parses astring escaped with mysql_real_escape()
which could lead to SQL injection. This problem does only exist in
versions 4.1 and 5.0.
The old stable distribution (woody) is not affected by this problem.
For the stable distribution (sarge) this problem has been fixed in
version 4.1.11a-4sarge4.
For the unstable distribution (sid) this problem has been fixed in
version 5.0.21-4.
Version 4.0 in the stable distribution (sarge) is also not affected by
this problem.
We recommend that you upgrade your mysql packages.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge4.dsc http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge4.diff.gz http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz
Architecture independent components:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.11a-4sarge4_all.deb
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_alpha.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_alpha.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_alpha.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_alpha.deb
AMD64 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_amd64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_amd64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_amd64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_amd64.deb
ARM architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_arm.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_arm.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_arm.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_i386.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_i386.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_i386.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_ia64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_ia64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_ia64.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_hppa.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_hppa.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_hppa.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_m68k.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_m68k.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_m68k.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_mips.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_mips.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_mips.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_mipsel.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_mipsel.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_mipsel.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_powerpc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_powerpc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_powerpc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_s390.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_s390.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_s390.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.11a-4sarge4_sparc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge4_sparc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge4_sparc.deb http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge4_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
Debian Security Advisory DSA 1093-1 security@debian.org http://www.debian.org/security/ Martin Schulzehttp://www.debian.org/security/faq
Package : xine-ui
Several format string vulnerabilities have been discovered in xine-ui,
the user interface of the xine video player, which may cause a denial
of service.
The old stable distribution (woody) is not affected by these problems.
For the stable distribution (sarge) these problems have been fixed in
version 0.99.3-1sarge1.
For the unstable distribution (sid) these problems will be fixed soon.
We recommend that you upgrade your xine-ui package.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1.dsc http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1.diff.gz http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3.orig.tar.gz
Alpha architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_alpha.deb
AMD64 architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_amd64.deb
ARM architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_arm.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_ia64.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_hppa.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
http://security.debian.org/ stable/updates mainftp://security.debian.org/debian-security dists/stable/updates/maindebian-security-announce@lists.debian.org http://packages.debian.org/<pkg>
Fedora Legacy
Fedora Legacy Update Advisory
Synopsis: Updated mozilla packages fix security issues
Updated mozilla packages that fix several security bugs are now
available.
Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
3. Problem description:
Several bugs were found in the way Mozilla processes malformed
javascript. A malicious web page could modify the content of a different
open web page, possibly stealing sensitive information or conducting a
cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732,
CVE-2006-1741)
Several bugs were found in the way Mozilla processes certain javascript
actions. A malicious web page could execute arbitrary javascript
instructions with the permissions of "chrome", allowing the page to
steal sensitive information or install browser malware. (CVE-2006-1727,
CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735,
CVE-2006-1742)
Several bugs were found in the way Mozilla processes malformed web
pages. A carefully crafted malicious web page could cause the execution
of arbitrary code as the user running Mozilla. (CVE-2006-0748,
CVE-2006-0749, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738,
CVE-2006-1739, CVE-2006-1790)
A bug was found in the way Mozilla displays the secure site icon. If a
browser is configured to display the non-default secure site modal
warning dialog, it may be possible to trick a user into believing they
are viewing a secure site. (CVE-2006-1740)
A bug was found in the way Mozilla allows javascript mutation events on
"input" form elements. A malicious web page could be created in such a
way that when a user submits a form, an arbitrary file could be uploaded
to the attacker. (CVE-2006-1729)
A bug was found in the way Mozilla executes in-line mail forwarding. If
a user can be tricked into forwarding a maliciously crafted mail message
as in-line content, it is possible for the message to execute javascript
with the permissions of "chrome". (CVE-2006-0884)
Users of Mozilla are advised to upgrade to these updated packages
containing Mozilla version 1.7.13 which corrects these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory only
contains the desired RPMs.
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137
6. RPMs required:
Red Hat Linux 7.3:
SRPM:http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.13-0.73.1.legacy.src.rpm http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.6.legacy.src.rpm
i386:http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.13-0.73.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.13-0.73.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.13-0.73.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.13-0.73.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.13-0.73.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.13-0.73.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.7.13-0.73.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.13-0.73.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.7.13-0.73.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.7.13-0.73.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.14-0.73.6.legacy.i386.rpm
Red Hat Linux 9:
SRPM:http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.7.13-0.90.1.legacy.src.rpm http://download.fedoralegacy.org/redhat/9/updates/SRPMS/galeon-1.2.14-0.90.6.legacy.src.rpM
i386:http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.7.13-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.7.13-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.7.13-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.7.13-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.7.13-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.7.13-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.7.13-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-devel-1.7.13-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-1.7.13-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-devel-1.7.13-0.90.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.14-0.90.6.legacy.i386.rpm
Fedora Core 1:
SRPM:http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mozilla-1.7.13-1.1.1.legacy.src.rpm http://download.fedoralegacy.org/fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.6.legacy.src.rpm
i386:http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-1.7.13-1.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-chat-1.7.13-1.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-devel-1.7.13-1.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-dom-inspector-1.7.13-1.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-js-debugger-1.7.13-1.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-mail-1.7.13-1.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-1.7.13-1.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-devel-1.7.13-1.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-1.7.13-1.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-devel-1.7.13-1.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/epiphany-1.0.8-1.fc1.6.legacy.i386.rpm
Fedora Core 2:
SRPM:http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mozilla-1.7.13-1.2.1.legacy.src.rpm http://download.fedoralegacy.org/fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.7.legacy.src.rpm http://download.fedoralegacy.org/fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.10.legacy.src.rpm
i386:http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-1.7.13-1.2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-chat-1.7.13-1.2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-devel-1.7.13-1.2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-dom-inspector-1.7.13-1.2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-js-debugger-1.7.13-1.2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-mail-1.7.13-1.2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-1.7.13-1.2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-devel-1.7.13-1.2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-1.7.13-1.2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-devel-1.7.13-1.2.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/epiphany-1.2.10-0.2.7.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-0.9.1-0.2.10.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.10.legacy.i386.rpm
Fedora Core 3:
SRPM:http://download.fedoralegacy.org/fedora/3/updates/SRPMS/mozilla-1.7.13-1.3.1.legacy.src.rpm http://download.fedoralegacy.org/fedora/3/updates/SRPMS/epiphany-1.4.9-1.1.legacy.src.rpm http://download.fedoralegacy.org/fedora/3/updates/SRPMS/devhelp-0.9.2-2.3.7.legacy.src.rpm
i386:http://download.fedoralegacy.org/fedora/3/updates/i386/mozilla-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/mozilla-chat-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/mozilla-devel-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/mozilla-dom-inspector-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/mozilla-js-debugger-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/mozilla-mail-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/mozilla-nspr-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/mozilla-nspr-devel-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/mozilla-nss-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/mozilla-nss-devel-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/epiphany-1.4.9-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/epiphany-devel-1.4.9-1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/devhelp-0.9.2-2.3.7.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/devhelp-devel-0.9.2-2.3.7.legacy.i386.rpm
x86_64:http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-1.7.13-1.3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-chat-1.7.13-1.3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-devel-1.7.13-1.3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-dom-inspector-1.7.13-1.3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-js-debugger-1.7.13-1.3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-mail-1.7.13-1.3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-nspr-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-nspr-1.7.13-1.3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-nspr-devel-1.7.13-1.3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-nss-1.7.13-1.3.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-nss-1.7.13-1.3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/mozilla-nss-devel-1.7.13-1.3.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/epiphany-1.4.9-1.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/epiphany-devel-1.4.9-1.1.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/devhelp-0.9.2-2.3.7.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/devhelp-devel-0.9.2-2.3.7.legacy.x86_64.rpm
7. Verification:
SHA1 sum Package Name
rh7.3:
rh9:
fc1:
fc2:
fc3:
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0748 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1727 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1728 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1729 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1730 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1731 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1732 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1733 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1734 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1735 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1737 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1739 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1740 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1742 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1790
9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org >. More
project details at http://www.fedoralegacy.org
Fedora Legacy Update Advisory
Synopsis: Updated firefox package fixes security issues
An updated firefox package that fixes several security bugs is now
available.
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.
2. Relevant releases/architectures:
Fedora Core 3 - i386, x86_64
3. Problem description:
Several bugs were found in the way Firefox processes malformed
javascript. A malicious web page could modify the content of a different
open web page, possibly stealing sensitive information or conducting a
cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732,
CVE-2006-1741)
Several bugs were found in the way Firefox processes certain javascript
actions. A malicious web page could execute arbitrary javascript
instructions with the permissions of "chrome", allowing the page to
steal sensitive information or install browser malware. (CVE-2006-1727,
CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735,
CVE-2006-1742)
Several bugs were found in the way Firefox processes malformed web
pages. A carefully crafted malicious web page could cause the execution
of arbitrary code as the user running Firefox. (CVE-2006-0748,
CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737,
CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)
A bug was found in the way Firefox displays the secure site icon. If a
browser is configured to display the non-default secure site modal
warning dialog, it may be possible to trick a user into believing they
are viewing a secure site. (CVE-2006-1740)
A bug was found in the way Firefox allows javascript mutation events on
"input" form elements. A malicious web page could be created in such a
way that when a user submits a form, an arbitrary file could be uploaded
to the attacker. (CVE-2006-1729)
Users of Firefox are advised to upgrade to these updated packages
containing Firefox version 1.0.8 which corrects these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory only
contains the desired RPMs.
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137
6. RPMs required:
Fedora Core 3:
SRPM:http://download.fedoralegacy.org/fedora/3/updates/SRPMS/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm
i386:http://download.fedoralegacy.org/fedora/3/updates/i386/firefox-1.0.8-1.1.fc3.1.legacy.i386.rpm
x86_64:http://download.fedoralegacy.org/fedora/3/updates/x86_64/firefox-1.0.8-1.1.fc3.1.legacy.x86_64.rpm
7. Verification:
SHA1 sum Package Name
8b719bb18c6dfe14b472c684ac5133d82d1b96d0
fedora/3/updates/i386/firefox-1.0.8-1.1.fc3.1.legacy.i386.rpm
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0748 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1724 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1727 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1728 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1729 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1730 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1731 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1732 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1733 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1734 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1735 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1737 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1739 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1740 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1742 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1790
9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org >. More
project details at http://www.fedoralegacy.org
Fedora Legacy Update Advisory
Synopsis: Updated X.org packages fix security issue
Updated X.org packages that fix a security issue are now available.
X.org is an open source implementation of the X Window System. It
provides the basic low-level functionality that full-fledged graphical
user interfaces (GUIs) such as GNOME and KDE are designed upon.
2. Relevant releases/architectures:
Fedora Core 3 - i386, x86_64
3. Problem description:
A buffer overflow flaw in the X.org server RENDER extension was
discovered. A malicious authorized client could exploit this issue to
cause a denial of service (crash) or potentially execute arbitrary code
with root privileges on the X.org server. (CVE-2006-1526)
Users of X.org should upgrade to these updated packages, which contain a
backported patch and is not vulnerable to this issue.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory only
contains the desired RPMs.
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190777
6. RPMs required:
Fedora Core 3:
SRPM:http://download.fedoralegacy.org/fedora/3/updates/SRPMS/xorg-x11-6.8.2-1.FC3.45.3.legacy.src.rpm
i386:http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-deprecated-libs-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-deprecated-libs-devel-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-devel-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-doc-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-font-utils-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-libs-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Mesa-libGL-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Mesa-libGLU-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-sdk-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-tools-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-twm-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-xauth-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-xdm-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Xdmx-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-xfs-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Xnest-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Xvfb-6.8.2-1.FC3.45.3.legacy.i386.rpm
x86_64:http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-deprecated-libs-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-deprecated-libs-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-deprecated-libs-devel-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-devel-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-devel-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-doc-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-font-utils-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-libs-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-libs-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-Mesa-libGL-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-Mesa-libGL-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-Mesa-libGLU-6.8.2-1.FC3.45.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-Mesa-libGLU-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-sdk-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-tools-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-twm-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-xauth-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-xdm-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-Xdmx-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-xfs-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-Xnest-6.8.2-1.FC3.45.3.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-Xvfb-6.8.2-1.FC3.45.3.legacy.x86_64.rpm
7. Verification:
SHA1 sum Package Name
6c4f8cc2a12da27bc7eba148b139bbbc0c16c877
fedora/3/updates/i386/xorg-x11-6.8.2-1.FC3.45.3.legacy.i386.rpm
9ac2f2b492165554bb358c39d8e4d031e1a4ee1b
fedora/3/updates/x86_64/xorg-x11-6.8.2-1.FC3.45.3.legacy.x86_64.rpm
699a18fb173a9e3a23e9fd653e152d73e7aae737
fedora/3/updates/SRPMS/xorg-x11-6.8.2-1.FC3.45.3.legacy.src.rpm
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526
9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org >. More
project details at http://www.fedoralegacy.org
Fedora Legacy Update Advisory
Synopsis: Updated squirrelmail package fixes security issues
An updated squirrelmail package that fixes three security issues is now
available.
SquirrelMail is a standards-based webmail package written in PHP4.
2. Relevant releases/architectures:
Red Hat Linux 9 - i386
3. Problem description:
A bug was found in the way SquirrelMail presents the right frame to the
user. If a user can be tricked into opening a carefully crafted URL, it
is possible to present the user with arbitrary HTML data.
(CVE-2006-0188)
A bug was found in the way SquirrelMail filters incoming HTML email. It
is possible to cause a victim's web browser to request remote content by
opening a HTML email while running a web browser that processes certain
types of invalid style sheets. Only Internet Explorer is known to
process such malformed style sheets. (CVE-2006-0195)
A bug was found in the way SquirrelMail processes a request to select an
IMAP mailbox. If a user can be tricked into opening a carefully crafted
URL, it is possible to execute arbitrary IMAP commands as the user
viewing their mail with SquirrelMail. (CVE-2006-0377)
Users of SquirrelMail are advised to upgrade to this updated package,
which contains SquirrelMail version 1.4.6 and is not vulnerable to these
issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory only
contains the desired RPMs.
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190884
6. RPMs required:
Red Hat Linux 9:
SRPM:http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm
i386:http://download.fedoralegacy.org/redhat/9/updates/i386/squirrelmail-1.4.6-3.rh9.1.legacy.noarch.rpm
Fedora Core 1:
SRPM:http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm
i386:http://download.fedoralegacy.org/fedora/1/updates/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
Fedora Core 2:
SRPM:http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm
i386:http://download.fedoralegacy.org/fedora/2/updates/i386/squirrelmail-1.4.6-4.fc2.1.legacy.noarch.rpm
Fedora Core 3:
SRPM:http://download.fedoralegacy.org/fedora/3/updates/SRPMS/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm
i386:http://download.fedoralegacy.org/fedora/3/updates/i386/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
x86_64:http://download.fedoralegacy.org/fedora/3/updates/x86_64/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
7. Verification:
SHA1 sum Package Name
rh9:
fc1:
fc2:
fc3:
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377
9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org >. More
project details at http://www.fedoralegacy.org
Fedora Legacy Update Advisory
Synopsis: Updated ipsec-tools package fixes security issue
An updated ipsec-tools package that fixes a bug in racoon is now
available.
The ipsec-tools package is used in conjunction with the IPsec
functionality in the linux kernel and includes racoon, an IKEv1 keying
daemon.
2. Relevant releases/architectures:
Fedora Core 2 - i386
3. Problem description:
A denial of service flaw was found in the ipsec-tools racoon daemon. If
a victim's machine has racoon configured in a non-recommended insecure
manner, it is possible for a remote attacker to crash the racoon daemon.
(CVE-2005-3732)
Users of ipsec-tools should upgrade to this updated package, which
contains backported patches, and is not vulnerable to this issue.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory only
contains the desired RPMs.
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190941
6. RPMs required:
Fedora Core 2:
SRPM:http://download.fedoralegacy.org/fedora/2/updates/SRPMS/ipsec-tools-0.5-2.fc2.1.legacy.src.rpm
i386:http://download.fedoralegacy.org/fedora/2/updates/i386/ipsec-tools-0.5-2.fc2.1.legacy.i386.rpm
Fedora Core 3:
SRPM:http://download.fedoralegacy.org/fedora/3/updates/SRPMS/ipsec-tools-0.5-2.fc3.1.legacy.src.rpm
i386:http://download.fedoralegacy.org/fedora/3/updates/i386/ipsec-tools-0.5-2.fc3.1.legacy.i386.rpm
x86_64:http://download.fedoralegacy.org/fedora/3/updates/x86_64/ipsec-tools-0.5-2.fc3.1.legacy.x86_64.rpm
7. Verification:
SHA1 sum Package Name
fc2:
fc3:
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3732
9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org >. More
project details at http://www.fedoralegacy.org
Gentoo Linux
http://security.gentoo.org/
Severity: Normal
Opera contains an integer signedness error resulting in a buffer
overflow which may allow a remote attacker to execute arbitrary code.
Opera is a multi-platform web browser.
SEC Consult has discovered a buffer overflow in the code processing
style sheet attributes. It is caused by an integer signedness error in
a length check followed by a call to a string function. It seems to be
hard to exploit this buffer overflow to execute arbitrary code because
of the very large amount memory that has to be copied.
A remote attacker can entice a user to visit a web page containing a
specially crafted style sheet attribute that will crash the user's
browser and maybe lead to the execution of arbitrary code.
There is no known workaround at this time.
All Opera users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/opera-8.54"
[ 1 ] CVE-2006-1834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1834
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200606-01.xml
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org .
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
http://security.gentoo.org/
Severity: Normal
Tor is vulnerable to a possible buffer overflow, a Denial of Service,
information disclosure and information leak.
Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.
Some integer overflows exist when adding elements to the smartlists.
Non-printable characters received from the network are not properly
sanitised before being logged. There are additional unspecified bugs in
the directory server and in the internal circuits.
The possible buffer overflow may allow a remote attacker to execute
arbitrary code on the server by sending large inputs. The other
vulnerabilities can lead to a Denial of Service, a lack of logged
information, or some information disclosure.
There is no known workaround at this time.
All Tor users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/tor-0.1.1.20"
[ 1 ] CVE-2006-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0414
[ 2 ] Tor ChangeLog
http://tor.eff.org/cvs/tor/ChangeLog
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200606-04.xml
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org .
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
http://security.gentoo.org/
Severity: Low
Pound is vulnerable to HTTP request smuggling, which could be exploited
to bypass security restrictions or poison web caches.
Pound is a reverse proxy, load balancer and HTTPS front-end. It allows
to distribute the load on several web servers and offers a SSL wrapper
for web servers that do not support SSL directly.
Pound fails to handle HTTP requests with conflicting "Content-Length"
and "Transfer-Encoding" headers correctly.
An attacker could exploit this vulnerability by sending HTTP requests
with specially crafted "Content-Length" and "Transfer-Encoding" headers
to bypass certain security restrictions or to poison the web proxy
cache.
There is no known workaround at this time.
All Pound users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/pound-2.0.5"
[ 1 ] CVE-2005-3751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3751
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200606-05.xml
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org .
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
http://security.gentoo.org/
Severity: High
AWStats contains a bug in the sanitization of the input parameters
which can lead to the remote execution of arbitrary code.
AWStats is an advanced log file analyzer and statistics generator.
Hendrik Weimer has found that if updating the statistics via the web
frontend is enabled, it is possible to inject arbitrary code via a pipe
character in the "migrate" parameter. Additionally, r0t has discovered
that AWStats fails to properly sanitize user-supplied input in
awstats.pl.
A remote attacker can execute arbitrary code on the server in the
context of the application running the AWStats CGI script if updating
of the statistics via web frontend is allowed. Nonetheless, all
configurations are affected by a cross-site scripting vulnerability in
awstats.pl, allowing a remote attacker to execute arbitrary scripts
running in the context of the victim's browser.
Disable statistics updates using the web frontend to avoid code
injection. However, there is no known workaround at this time
concerning the cross-site scripting vulnerability.
All AWStats users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-www/awstats-6.5-r1"
[ 1 ] CVE-2006-1945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1945
[ 2 ] CVE-2006-2237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2237
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200606-06.xml
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org .
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Mandriva Linux
Mandriva Linux Security Advisory MDKSA-2006:096http://www.mandriva.com/security/
Package : openldap
Problem Description:
A stack-based buffer overflow in st.c in slurpd for OpenLDAP might allow
attackers to execute arbitrary code via a long hostname.
Packages have been patched to correct this issue.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2754
Updated Packages:
Mandriva Linux 10.2:
Mandriva Linux 10.2/X86_64:
Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
Corporate 3.0:
Corporate 3.0/X86_64:
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
Mandriva Linux Security Advisory MDKSA-2006:097http://www.mandriva.com/security/
Package : MySQL
Problem Description:
SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x
before 5.0.22 allows context-dependent attackers to execute arbitrary
SQL commands via crafted multibyte encodings in character sets such as
SJIS, BIG5, and GBK, which are not properly handled when the
mysql_real_escape function is used to escape the input.
MySQL 4.0.18 in Corporate 3.0 and MNF 2.0 is not affected by this issue.
Packages have been patched to correct this issue.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2753
Updated Packages:
Mandriva Linux 10.2:
Mandriva Linux 10.2/X86_64:
Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
Mandriva Linux Security Advisory MDKSA-2006:098http://www.mandriva.com/security/
Package : postgresql
Problem Description:
PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13,
7.3.x before 7.3.15, and earlier versions allows context-dependent
attackers to bypass SQL injection protection methods in applications
via invalid encodings of multibyte characters, aka one variant of
"Encoding-Based SQL Injection." (CVE-2006-2313)
PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13,
7.3.x before 7.3.15, and earlier versions allows context-dependent
attackers to bypass SQL injection protection methods in applications
that use multibyte encodings that allow the (backslash) byte 0x5c to
be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK,
GB18030, and UHC, which cannot be handled correctly by a client that does
not understand multibyte encodings, aka a second variant of "Encoding-Based
SQL Injection." NOTE: it could be argued that this is a class of issue
related to interaction errors between the client and PostgreSQL, but a
CVE has been assigned since PostgreSQL is treating this as a preventative
measure against this class of problem. (CVE-2006-2314)
Packages have been patched or updated to correct these issues.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2313 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2314
Updated Packages:
Mandriva Linux 10.2:
Mandriva Linux 10.2/X86_64:
Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
Corporate 3.0:
Corporate 3.0/X86_64:
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
Ubuntu Linux
A security issue affects the following Ubuntu releases:
Ubuntu 5.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.04:
Ubuntu 5.10:
Ubuntu 6.06 LTS:
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Details follow:
Several integer overflows have been discovered in the FreeType
library. By tricking a user into installing and/or opening a specially
crafted font file, these could be exploited to execute arbitrary code
with the privileges of that user.
Updated packages for Ubuntu 5.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.7-2.3ubuntu0.1.diff.gz http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.7-2.3ubuntu0.1.dsc http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.7.orig.tar.gz
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.7-2.3ubuntu0.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.7-2.3ubuntu0.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.7-2.3ubuntu0.1_amd64.udeb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.7-2.3ubuntu0.1_amd64.deb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.7-2.3ubuntu0.1_i386.deb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.7-2.3ubuntu0.1_i386.deb http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.7-2.3ubuntu0.1_i386.udeb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.7-2.3ubuntu0.1_i386.deb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.7-2.3ubuntu0.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.7-2.3ubuntu0.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.7-2.3ubuntu0.1_powerpc.udeb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.7-2.3ubuntu0.1_powerpc.deb
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.7-2.4ubuntu1.1.diff.gz http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.7-2.4ubuntu1.1.dsc http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.7.orig.tar.gz
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.7-2.4ubuntu1.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.7-2.4ubuntu1.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.7-2.4ubuntu1.1_amd64.udeb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.7-2.4ubuntu1.1_amd64.deb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.7-2.4ubuntu1.1_i386.deb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.7-2.4ubuntu1.1_i386.deb http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.7-2.4ubuntu1.1_i386.udeb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.7-2.4ubuntu1.1_i386.deb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.7-2.4ubuntu1.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.7-2.4ubuntu1.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.7-2.4ubuntu1.1_powerpc.udeb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.7-2.4ubuntu1.1_powerpc.deb
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.10-1ubuntu2.1.diff.gz http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.10-1ubuntu2.1.dsc http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.10.orig.tar.gz
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.10-1ubuntu2.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.10-1ubuntu2.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.10-1ubuntu2.1_amd64.udeb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.10-1ubuntu2.1_amd64.deb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.10-1ubuntu2.1_i386.deb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.10-1ubuntu2.1_i386.deb http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.10-1ubuntu2.1_i386.udeb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.10-1ubuntu2.1_i386.deb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.10-1ubuntu2.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.10-1ubuntu2.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.10-1ubuntu2.1_powerpc.udeb http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.10-1ubuntu2.1_powerpc.deb
