Advisories, February 21, 2005Feb 22, 2005, 04:45 (0 Talkback[s])
Package : mailman
Due to an incompatibility between Python 1.5 and 2.1 the last mailman update did not run with Python 1.5 anymore. This problem is corrected with this update. This advisory only updates the packages updated with DSA 674-2. The version in unstable is not affected since it is not supposed to work with Python 1.5 anymore. For completeness below is the original advisory text:
Two security related problems have been discovered in mailman, web-based GNU mailing list manager. The Common Vulnerabilities and Exposures project identifies the following problems:
Several listmasters have noticed unauthorised access to archives of private lists and the list configuration itself, including the users passwords. Administrators are advised to check the webserver logfiles for requests that contain "/...../" and the path to the archives or cofiguration. This does only seem to affect installations running on web servers that do not strip slashes, such as Apache 1.3.
For the stable distribution (woody) these problems have been fixed in version 2.0.11-1woody11.
We recommend that you upgrade your mailman package.
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
will update the internal database apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
Intel IA-32 architecture:
Intel IA-64 architecture:
HP Precision architecture:
Motorola 680x0 architecture:
Big endian MIPS architecture:
Little endian MIPS architecture:
IBM S/390 architecture:
Sun Sparc architecture:
These files will probably be moved into the stable distribution on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: firstname.lastname@example.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Gentoo Linux Security Advisory GLSA 200502-28
PuTTY was found to contain vulnerabilities that can allow a malicious SFTP server to execute arbitrary code on unsuspecting PSCP and PSFTP clients.
PuTTY is a popular SSH client, PSCP is a secure copy implementation, and PSFTP is a SSH File Transfer Protocol client.
Package / Vulnerable / Unaffected
1 net-misc/putty < 0.57 >= 0.57
Two vulnerabilities have been discovered in the PSCP and PSFTP clients, which can be triggered by the SFTP server itself. These issues are caused by the improper handling of the FXP_READDIR response, along with other string fields.
An attacker can setup a malicious SFTP server that would send these malformed responses to a client, potentially allowing the execution of arbitrary code on their system.
There is no known workaround at this time.
All PuTTY users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/putty-0.57"
[ 1 ] PuTTY vulnerability vuln-sftp-readdir
[ 2 ] PuTTY vulnerability vuln-sftp-string
[ 3 ] CAN-2005-0467
[ 4 ] iDEFENSE Advisory
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to email@example.com or alternatively, you may file a bug at http://bugs.gentoo.org.
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
Ubuntu Security Notice USN-84-1 February 21, 2005
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
The problem can be corrected by upgrading the affected package to version 2.5.5-6ubuntu0.5. In general, a standard system upgrade is sufficient to effect the necessary changes.
When parsing the configuration file, squid interpreted empty Access Control Lists (ACLs) without defined authentication schemes in a non-obvious way. This could allow remote attackers to bypass intended ACLs. (CAN-2005-0194)
A remote Denial of Service vulnerability was discovered in the domain name resolution code. A faulty or malicious DNS server could stop the Squid server immediately by sending a malformed IP address. (CAN-2005-0446)
Architecture independent packages:
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
i386 architecture (x86 compatible Intel/AMD)
powerpc architecture (Apple Macintosh G3/G4/G5)
0 Talkback[s] (click to add your comment)