Linux Today: Linux News On Internet Time.



Advisories, August 20, 2006

Aug 21, 2006, 04:30

Debian GNU/Linux


Debian Security Advisory DSA 1152-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 18th, 2006 http://www.debian.org/security/faq


Package : trac
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-3695

Felix Wiemann discovered that trac, an enhanced Wiki and issue tracking system for software development projects, can be used to disclose arbitrary local files. To fix this problem, python-docutils needs to be updated as well.

For the stable distribution (sarge) this problem has been fixed in version 0.8.1-3sarge5 of trac and version 0.3.7-2sarge1 of python-docutils.

For the unstable distribution (sid) this problem has been fixed in version 0.9.6-1.

We recommend that you upgrade your trac and python-docutils packages.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 1153-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 18th, 2006 http://www.debian.org/security/faq


Package : clamav
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-4018
BugTraq ID : 19381

Damian Put discovered a heap overflow vulnerability in the UPX unpacker of the ClamAV anti-virus toolkit which could allow remote attackers to execute arbitrary code or cause denial of service.

For the stable distribution (sarge) this problem has been fixed in version 0.84-2.sarge.10.

For the stable distribution (sarge) this problem has been fixed in version 0.88.4-0volatile1 in the volatile archive.

For the unstable distribution (sid) this problem has been fixed in version 0.88.4-2.

We recommend that you upgrade your clamav packages.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 1154-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
August 20th, 2006 http://www.debian.org/security/faq


Package : squirrelmail
Vulnerability : variable overwriting
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-4019

James Bercegay of GulfTech Security Research discovered a vulnerability in SquirrelMail where an authenticated user could overwrite random variables in the compose script. This might be exploited to read or write the preferences or attachment files of other users.

For the stable distribution (sarge) this problem has been fixed in version 1.4.4-9.

For the unstable distribution (sid) this problem has been fixed in version 1.4.8-1.

We recommend that you upgrade your squirrelmail package.

Upgrade Instructions


wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-9.dsc
      Size/MD5 checksum: 678 de55f30e42570db82bec8aefe90093ac
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-9.diff.gz
      Size/MD5 checksum: 25409 b9e9854e2702f34a7d5bede75942a391
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4.orig.tar.gz
      Size/MD5 checksum: 575871 f50548b6f4f24d28afb5e6048977f4da

Architecture independent components:

    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-9_all.deb
      Size/MD5 checksum: 569078 1510859cc583447180b761ae38895191

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Slackware Linux

[slackware-security] libtiff (SSA:2006-230-01)

New libtiff packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues. These issues could be used to crash programs linked to libtiff or possibly to execute code as the program's user.

Thanks to Tavis Ormandy and the Google Security Team.

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465

Here are the details from the Slackware 10.2 ChangeLog:
+--------------------------+
patches/packages/libtiff-3.8.2-i486-1_slack10.2.tgz:
Patched vulnerabilities in libtiff which were found by Tavis Ormandy of the Google Security Team. These issues could be used to crash programs linked to libtiff or possibly to execute code as the program's user. A low risk command-line overflow in tiffsplit was also patched.
For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465
(* Security fix *)
+--------------------------+

Where to find the new packages:

HINT: Getting slow download speeds from ftp.slackware.com? Give slackware.osuosl.org a try. This is another primary FTP site for Slackware that can be considerably faster than downloading from ftp.slackware.com.

Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating additional FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/libtiff-3.8.2-i386-1_slack9.0.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/libtiff-3.8.2-i486-1_slack9.1.tgz

Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/libtiff-3.8.2-i486-1_slack10.0.tgz

Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/libtiff-3.8.2-i486-1_slack10.1.tgz

Updated package for Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/libtiff-3.8.2-i486-1_slack10.2.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libtiff-3.8.2-i486-2.tgz

MD5 signatures:

Slackware 9.0 package:
8b59a74e9a62bd5a6535658ff66b8d11 libtiff-3.8.2-i386-1_slack9.0.tgz

Slackware 9.1 package:
79406d875eaf03bd100bcf20b54f708c libtiff-3.8.2-i486-1_slack9.1.tgz

Slackware 10.0 package:
9238ef60318e9c31cbb831a42b0fafcb libtiff-3.8.2-i486-1_slack10.0.tgz

Slackware 10.1 package:
7f8ecbe32bb9a27ca360f77d49a5f897 libtiff-3.8.2-i486-1_slack10.1.tgz

Slackware 10.2 package:
e2755a744fab6a838a867db2c12035d2 libtiff-3.8.2-i486-1_slack10.2.tgz

Slackware -current package:
4820279ae6acb71298c21393c8cdd310 libtiff-3.8.2-i486-2.tgz

Installation instructions:

Upgrade the package as root:
# upgradepkg libtiff-3.8.2-i486-1_slack10.2.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] php (SSA:2006-230-02)

New php packages are available for Slackware 10.2 and -current to fix security and other issues.

More details about these issues may be found on the PHP website:

http://www.php.net

Here are the details from the Slackware 10.2 ChangeLog:
+--------------------------+
patches/packages/php-4.4.4-i486-1_slack10.2.tgz: Upgraded to php-4.4.4. Some of the security issues fixed in this release include:

  • Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions.
  • Fixed possible open_basedir/safe_mode bypass in cURL extension.
  • Fixed a buffer overflow inside sscanf() function.
(* Security fix *)
testing/packages/php-5.1.5/php-5.1.5-i486-1_slack10.2.tgz:
Usually packages in /testing aren't patched or upgraded after a release, but since quite a few people have probably deployed this one, and it is a network service, an upgraded package is being provided.
Upgraded to php-5.1.5.
Some of the security issues fixed in this release include:
  • Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions.
  • Fixed possible open_basedir/safe_mode bypass in cURL extension and on PHP 5 with realpath cache.
  • Fixed a buffer overflow inside sscanf() function.
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated packages for Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/php-4.4.4-i486-1_slack10.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/testing/packages/php-5.1.5/php-5.1.5-i486-1_slack10.2.tgz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.4.4-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/php-5.1.5/php-5.1.5-i486-1.tgz

MD5 signatures:

Slackware 10.2 packages:
c7e6c918828be69380a0b6cc86a311be php-4.4.4-i486-1_slack10.2.tgz
c8895a309e785de5234ece30600a6617 php-5.1.5-i486-1_slack10.2.tgz

Slackware -current packages:
cd87305b9576669ecb58df181acf316c php-4.4.4-i486-1.tgz
1b15cbd166f2be08c1adaad6a19409b9 php-5.1.5-i486-1.tgz

Installation instructions:

Upgrade the package as root:
# upgradepkg php-4.4.4-i486-1_slack10.2.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com