Linux Today: Linux News On Internet Time.






Advisories, October 4, 2006

Oct 05, 2006, 03:45

Debian GNU/Linux


Debian Security Advisory DSA 1188-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
October 4th, 2006 http://www.debian.org/security/faq


Package : mailman
Vulnerability : format string
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2006-3636 CVE-2006-4624
BugTraq ID : 19831

Several security-related problems have been discovered in mailman, the web-based GNU mailing list manager. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-3636

Moritz Naumann discovered several cross-site scripting problems that could allow remote attackers to inject arbitrary web script or HTML.

CVE-2006-4624

Moritz Naumann discovered that a remote attacker can inject arbitrary strings into the logfile.

For the stable distribution (sarge) this problem has been fixed in version 2.1.5-8sarge5.

For the unstable distribution (sid) this problem has been fixed in version 2.1.8-3.

We recommend that you upgrade your mailman package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
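The manual fetch-and-install sequence above, as a shell function added here as an example and not taken from the Debian advisory: it checks a downloaded package's byte size and MD5 against the values an advisory lists before dpkg -i runs. It assumes a POSIX shell with md5sum (GNU/BusyBox) or md5 (BSD) on the PATH, and the sample file and its checksum are constructed for the demo.

```sh
# Added example, not part of the Debian advisory: gate "dpkg -i file.deb" on the
# size and MD5 checksum that the advisory lists for that file.
# Assumes a POSIX shell with md5sum (GNU/BusyBox) or md5 (BSD) on the PATH.

# md5_of FILE: print the hex MD5 digest of FILE, whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d ' ' -f 1
    else
        md5 -q "$1"
    fi
}

# verify_pkg FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only when FILE exists and both its byte size and MD5 match the
# advisory's values; reports the mismatch on stderr otherwise.
verify_pkg() {
    file=$1
    want_size=$2
    want_md5=$3
    if [ ! -f "$file" ]; then
        echo "verify_pkg: $file: no such file" >&2
        return 1
    fi
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "verify_pkg: $file: size $have_size, advisory lists $want_size" >&2
        return 1
    fi
    have_md5=$(md5_of "$file")
    if [ "$have_md5" != "$want_md5" ]; then
        echo "verify_pkg: $file: md5 $have_md5, advisory lists $want_md5" >&2
        return 1
    fi
    return 0
}

# install_pkg FILE EXPECTED_SIZE EXPECTED_MD5: the advisory's "dpkg -i file.deb"
# step, run only after verify_pkg has accepted the file.
install_pkg() {
    verify_pkg "$1" "$2" "$3" || return 1
    dpkg -i "$1"
}

# Demo on a constructed file, not a real package: "hello\n" is 6 bytes with
# MD5 b1946ac92492d2347c6235b4d2611184.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/sample.deb"
if verify_pkg "$demo_dir/sample.deb" 6 b1946ac92492d2347c6235b4d2611184; then
    echo "sample.deb matches the listed size and MD5"
fi
if ! verify_pkg "$demo_dir/sample.deb" 6 00000000000000000000000000000000 2>/dev/null; then
    echo "sample.deb with a wrong MD5 is rejected before dpkg would run"
fi
rm -rf "$demo_dir"
```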

Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 1189-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
October 4th, 2006 http://www.debian.org/security/faq


Package : openssh-krb5
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-4924 CVE-2006-5051

Several remote vulnerabilities have been discovered in OpenSSH, a free implementation of the Secure Shell protocol, which may lead to denial of service and potentially the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-4924

Tavis Ormandy of the Google Security Team discovered a denial of service vulnerability in the mitigation code against complexity attacks, which might lead to increased CPU consumption until a timeout is triggered. This is only exploitable if support for SSH protocol version 1 is enabled.

CVE-2006-5051

Mark Dowd discovered that insecure signal handler usage could potentially lead to execution of arbitrary code through a double free. The Debian Security Team doesn't believe the general openssh package without Kerberos support to be exploitable by this issue. However, due to the complexity of the underlying code we will issue an update to rule out all eventualities.

For the stable distribution (sarge) these problems have been fixed in version 3.8.1p1-7sarge1.

For the unstable distribution (sid) these problems have been fixed in version 4.3p2-4 of openssh. openssh-krb5 will soon be converted into a transitional package that depends on openssh.

We recommend that you upgrade your openssh-krb5 packages.


Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution on its next update.



Debian Security Advisory DSA 1XXX-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
October 4th, 2006 http://www.debian.org/security/faq


Package : maxdb-7.5.00
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-4305
Debian Bug : 386182

Oliver Karow discovered that the WebDBM frontend of the MaxDB database performs insufficient sanitising of requests passed to it, which might lead to the execution of arbitrary code.

For the stable distribution (sarge) this problem has been fixed in version 7.5.00.24-4.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your maxdb-7.5.00 package.


Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200610-01

http://security.gentoo.org/


Severity: Normal
Title: Mozilla Thunderbird: Multiple vulnerabilities
Date: October 04, 2006
Bugs: #147653
ID: 200610-01


Synopsis

The Mozilla Foundation has reported multiple security vulnerabilities related to Mozilla Thunderbird.

Background

The Mozilla Thunderbird mail client is a redesign of the Mozilla Mail component.

Affected packages


     Package                  /  Vulnerable  /              Unaffected

  1  mozilla-thunderbird          < 1.5.0.7                  >= 1.5.0.7
  2  mozilla-thunderbird-bin      < 1.5.0.7                  >= 1.5.0.7

2 affected packages on all of their supported architectures.

Description

A number of vulnerabilities have been found and fixed in Mozilla Thunderbird. For details please consult the references below.

Impact

The most severe vulnerabilities might lead to the execution of arbitrary code with the rights of the user running the application. Other vulnerabilities include program crashes and the acceptance of forged certificates.

Workaround

There is no known workaround at this time.

Resolution

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.5.0.7"

All Mozilla Thunderbird binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.5.0.7"

References

[ 1 ] CVE-2006-4253

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4253

[ 2 ] CVE-2006-4340

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4340

[ 3 ] CVE-2006-4565

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4565

[ 4 ] CVE-2006-4566

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4566

[ 5 ] CVE-2006-4567

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4567

[ 6 ] CVE-2006-4570

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4570

[ 7 ] CVE-2006-4571

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4571

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200610-01.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Gentoo Linux Security Advisory GLSA 200610-02

http://security.gentoo.org/


Severity: Normal
Title: Adobe Flash Player: Arbitrary code execution
Date: October 04, 2006
Bugs: #147421
ID: 200610-02


Synopsis

Multiple input validation errors have been identified that allow arbitrary code execution on a user's system via the handling of malicious Flash files.

Background

The Adobe Flash Player is a renderer for Flash files - commonly used to provide interactive websites, digital experiences and mobile content.

Affected packages


     Package                 /  Vulnerable  /               Unaffected

  1  net-www/netscape-flash      < 7.0.68                    >= 7.0.68

Description

The Adobe Flash Player contains multiple unspecified vulnerabilities.

Impact

An attacker could entice a user to view a malicious Flash file and execute arbitrary code with the rights of the user running the player.

Workaround

There is no known workaround at this time.

Resolution

All Adobe Flash Player users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-www/netscape-flash-7.0.68"

References

[ 1 ] Adobe Security Bulletin

http://www.adobe.com/support/security/bulletins/apsb06-11.html

[ 2 ] CVE-2006-3311

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3311

[ 3 ] CVE-2006-3587

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3587

[ 4 ] CVE-2006-3588

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3588

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200610-02.xml


Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2006:179
http://www.mandriva.com/security/


Package : openssh
Date : October 3, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0


Problem Description:

Tavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector. This could allow a remote unauthenticated attacker to trigger excessive CPU utilization by sending a specially crafted SSH message, which would then deny ssh services to other users or processes (CVE-2006-4924, CVE-2006-4925). Please note that Mandriva ships with only SSH protocol version 2 enabled by default.

Next, an unsafe signal handler was found by Mark Dowd. This signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication DoS, and theoretically a pre-authentication remote code execution in the case where some authentication methods like GSSAPI are enabled (CVE-2006-5051).

Updated packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4925
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051


Updated Packages:



To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

Ubuntu


Ubuntu Security Notice USN-353-2 October 04, 2006
openssl vulnerability
CVE-2006-2940

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:
libssl0.9.7 0.9.7e-3ubuntu0.6

Ubuntu 5.10:
libssl0.9.7 0.9.7g-1ubuntu1.5

Ubuntu 6.06 LTS:
libssl0.9.8 0.9.8a-7ubuntu0.3

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

Details follow:

USN-353-1 fixed several vulnerabilities in OpenSSL. However, Mark J Cox noticed that the applied patch for CVE-2006-2940 was flawed. This update corrects that patch.

For reference, this is the relevant part of the original advisory:

Certain types of public key could take disproportionate amounts of time to process. The library now limits the maximum key exponent size to avoid Denial of Service attacks. (CVE-2006-2940)

Updated packages for Ubuntu 5.04:
