Debian GNU/Linux
Debian Security Advisory DSA 781-1 security@debian.org
http://www.debian.org/security/
Martin Schulze
August 23rd, 2005 http://www.debian.org/security/faq
Package : mozilla-thunderbird
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0989 CAN-2005-1159 CAN-2005-1160 CAN-2005-1532
CAN-2005-2261 CAN-2005-2265 CAN-2005-2266 CAN-2005-2269
CAN-2005-2270
BugTraq ID : 14242 14242
Debian Bug : 318728
Several problems have been discovered in Mozilla Thunderbird,
the standalone mail client of the Mozilla suite. The Common
Vulnerabilities and Exposures project identifies the following
problems:
CAN-2005-0989
Remote attackers could read portions of heap memory into a
Javascript string via the lambda replace method.
CAN-2005-1159
The Javascript interpreter could be tricked to continue
execution at the wrong memory address, which may allow attackers to
cause a denial of service (application crash) and possibly execute
arbitrary code.
CAN-2005-1160
Remote attackers could override certain properties or methods of
DOM nodes and gain privileges.
CAN-2005-1532
Remote attackers could override certain properties or methods
due to missing proper limitation of Javascript eval and Script
objects and gain privileges.
CAN-2005-2261
XML scripts ran even when Javascript disabled.
CAN-2005-2265
Missing input sanitising of InstallVersion.compareTo() can cause
the application to crash.
CAN-2005-2266
Remote attackers could steal sensitive information such as
cookies and passwords from web sites by accessing data in alien
frames.
CAN-2005-2269
Remote attackers could modify certain tag properties of DOM
nodes that could lead to the execution of arbitrary script or
code.
CAN-2005-2270
The Mozilla browser familie does not properly clone base
objects, which allows remote attackers to execute arbitrary
code.
The old stable distribution (woody) is not affected by these
problems since it does not contain Mozilla Thunderbird
packages.
For the stable distribution (sarge) these problems have been
fixed in version 1.0.2-2.sarge1.0.6.
For the unstable distribution (sid) these problems have been
fixed in version 1.0.6-1.
We recommend that you upgrade your Mozilla Thunderbird
package.
Upgrade Instructions
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Source archives:
Size/MD5 checksum: 997
53157e26cb9b032a3fdd375adcbac2bb
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.6.diff.gz
Size/MD5 checksum: 187279
35ff6f4f69563681c282d818f9e08f23
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2.orig.tar.gz
Size/MD5 checksum: 33288906
806175393a226670aa66060452d31df4
Alpha architecture:
Size/MD5 checksum: 12828558
258ee4d7ccd16193ef73a1e7f76b5e8e
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_alpha.deb
Size/MD5 checksum: 3268880
e22ea42c42b9d9194c071b67372e1ed2
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_alpha.deb
Size/MD5 checksum: 144960
78f53d39b9e4cf6897d29896a09f1fa9
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_alpha.deb
Size/MD5 checksum: 26498
342c404ee93371fc0897059f549a7a9d
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_alpha.deb
Size/MD5 checksum: 82278
48ad0c63a3da09affde9bbe934aff4e7
AMD64 architecture:
Size/MD5 checksum: 12239002
886db98a0472273676651b622fb6db78
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_amd64.deb
Size/MD5 checksum: 3269560
403f483ecb3adff814c78e3b8a44267f
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_amd64.deb
Size/MD5 checksum: 144004
a7a1bafd0ead6f05ec2c7513431e2761
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_amd64.deb
Size/MD5 checksum: 26498
056144ff158bbaa3e95081fb207ca026
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_amd64.deb
Size/MD5 checksum: 82162
857d764cd365c7aecda22aadb794b2cf
ARM architecture:
Size/MD5 checksum: 10325602
afb900570718804d74b643b6fdcbe42a
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_arm.deb
Size/MD5 checksum: 3264246
3cf2f71afc85cfdce8c2e80ad8b183a8
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_arm.deb
Size/MD5 checksum: 136040
ef6d7998e45503c38565f53f1d240dd0
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_arm.deb
Size/MD5 checksum: 26514
06819b7ec681da9c0c30ea37526d3c70
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_arm.deb
Size/MD5 checksum: 74152
82e1e77ab75f6de61f6717af97e551c7
Intel IA-32 architecture:
Size/MD5 checksum: 11523292
0b3272e1f860da8d415a9d492718dab9
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_i386.deb
Size/MD5 checksum: 3267364
e1c3e4a8c865bc13d69d94c5774c6806
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_i386.deb
Size/MD5 checksum: 139484
43e24cd43ad7b87206866614dbe7f73c
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_i386.deb
Size/MD5 checksum: 26502
e10611304b82a03ff28646cbc4a3ef4c
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_i386.deb
Size/MD5 checksum: 80868
a017cf6698d4dc08d574083061876b18
Intel IA-64 architecture:
Size/MD5 checksum: 14600148
ed6a27da1a997f2259c095a2d0fcd116
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_ia64.deb
Size/MD5 checksum: 3283336
110376398b8b9ed932365de3f059f455
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_ia64.deb
Size/MD5 checksum: 148328
d1b4914d0ac468538289856fc9e2c397
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_ia64.deb
Size/MD5 checksum: 26500
36addd7bbce708f80f32a9ed7ec7307d
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_ia64.deb
Size/MD5 checksum: 99946
91de5051f92e86f47aacc6a9909e1223
HP Precision architecture:
Size/MD5 checksum: 13547772
1c53fd2a25d264244cb6d192cec34efd
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_hppa.deb
Size/MD5 checksum: 3273922
fcfe3f416265b9315e1997959aa22dd1
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_hppa.deb
Size/MD5 checksum: 146188
539321f5b43e18f58733c4105efec4cf
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_hppa.deb
Size/MD5 checksum: 26512
5d91015a025bea70b15d65034233fdd0
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_hppa.deb
Size/MD5 checksum: 90102
5947cd276b59a4637903a55af3a02303
Motorola 680×0 architecture:
Size/MD5 checksum: 10773214
e5fd6d229f37532ad9d0333b96cee1c2
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_m68k.deb
Size/MD5 checksum: 3262424
f75ea663061af141c1c6e08a73defb27
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_m68k.deb
Size/MD5 checksum: 137868
4ef977ad2552ddf5e6fe7d13479bb1e5
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_m68k.deb
Size/MD5 checksum: 26516
84fe211d15cbd087124ee92e2fda0261
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_m68k.deb
Size/MD5 checksum: 75366
f43e5ab28d62618be3e62e37c1b76002
Big endian MIPS architecture:
Size/MD5 checksum: 11932052
1935ec7c91cdb9b5e468d46d7d9157bf
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_mips.deb
Size/MD5 checksum: 3269080
5582d0a2a1a1eceb4cc69eae7c9267ac
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_mips.deb
Size/MD5 checksum: 140938
3578a4a679ffce4b60876f94de99c8d3
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_mips.deb
Size/MD5 checksum: 26504
9e9a2e7cf4d2250377f24b7d7057b198
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_mips.deb
Size/MD5 checksum: 77706
5abd79f4f7377cb3f1abaedb83f1bb99
Little endian MIPS architecture:
Size/MD5 checksum: 11792168
776ae7ac955ed7752f7ef68b8793a8a4
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_mipsel.deb
Size/MD5 checksum: 3269258
a347fe9187b6da7236529d34e5e511b5
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_mipsel.deb
Size/MD5 checksum: 140496
17e19ca8b6b544e15a179d20d8e8c486
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_mipsel.deb
Size/MD5 checksum: 26502
6660fd9aa6bb0c1e334df72af0070386
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_mipsel.deb
Size/MD5 checksum: 77556
5a3137f17694cfbd1579aba9b3272e18
PowerPC architecture:
Size/MD5 checksum: 10891054
a18795385ebbc6ed25eaf90387d54eea
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_powerpc.deb
Size/MD5 checksum: 3262070
ec3bf4e8c959dac7dbbca1de8dbe8c11
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_powerpc.deb
Size/MD5 checksum: 137876
194bf4676b6294708344f572b5495786
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_powerpc.deb
Size/MD5 checksum: 26502
e0a5e3b166e1fbff1680c3d397e61aeb
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_powerpc.deb
Size/MD5 checksum: 74240
35dcda6db87be485de2cc1a5581c5379
IBM S/390 architecture:
Size/MD5 checksum: 12683578
d218dfa4a370a6b698e87481a7bc23c8
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_s390.deb
Size/MD5 checksum: 3269612
e53f9324d774d130c0a319467690e551
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_s390.deb
Size/MD5 checksum: 144314
91369b2da923d03324cb7bc5507c2ac3
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_s390.deb
Size/MD5 checksum: 26510
7fc5828a1d89c0142f65896b35577382
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_s390.deb
Size/MD5 checksum: 82196
af4fc5e81876b142f84e6ef40b98c135
Sun Sparc architecture:
Size/MD5 checksum: 11155834
d6e7eee2c9ccd2f050672bb759fa4866
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.6_sparc.deb
Size/MD5 checksum: 3266376
eb63387994b5d108ed735cd70ccfe0f3
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.6_sparc.deb
Size/MD5 checksum: 137498
37e5452c55fbe883021466f0a9289abf
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.6_sparc.deb
Size/MD5 checksum: 26508
d45278e5302d461392b9ef8b376071bb
http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.6_sparc.deb
Size/MD5 checksum: 75996
409d7ea53302393fbfe387910562edab
These files will probably be moved into the stable distribution
on its next update.
Debian Security Advisory DSA 783-1 security@debian.org
http://www.debian.org/security/
Martin Schulze
August 24th, 2005 http://www.debian.org/security/faq
Package : mysql-dfsg-4.1
Vulnerability : insecure temporary file
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-1636
BugTraq ID : 13660
Debian Bug : 319526
Eric Romang discovered a temporary file vulnerability in a
script accompanied with MySQL, a popular database, that allows an
attacker to execute arbitrary SQL commands when the server is
installed or updated.
The old stable distribution (woody) as well as mysql-dfsg are
not affected by this problem.
For the stable distribution (sarge) this problem has been fixed
in version 4.1_4.1.11a-4sarge1.
For the unstable distribution (sid) this problem has been fixed
in version 4.1.12 for mysql-dfsg-4.1 and 5.0.11beta-3 of
mysql-dfsg-5.0.
We recommend that you upgrade your mysql packages.
Upgrade Instructions
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge1.dsc
Size/MD5 checksum: 1021
13739557cb2a080e28e4d8b8d3c74b3c
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a-4sarge1.diff.gz
Size/MD5 checksum: 162785
ebabe63abfbe2c9cf4a56fb9515d99dd
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.11a.orig.tar.gz
Size/MD5 checksum: 15771855
3c0582606a8903e758c2014c2481c7c3
Architecture independent components:
Size/MD5 checksum: 35642
abfc7caa37c13c6861ec88cf196ef1be
Alpha architecture:
Size/MD5 checksum: 1589514
7ef6a2aaa7323251d2367fed743356a9
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_alpha.deb
Size/MD5 checksum: 7963364
4bb4ee99603b3c0918f9ef4ae8284ae1
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_alpha.deb
Size/MD5 checksum: 999878
77f29c811d6515c8affffeec74c4bb7f
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_alpha.deb
Size/MD5 checksum: 17484624
1149856989da8e133f38c3d59d96b30c
AMD64 architecture:
Size/MD5 checksum: 1450326
9f45715323978f3f7c7e40267aec2ea4
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_amd64.deb
Size/MD5 checksum: 5548998
c6365b2f962fc2092e6466c7e2c4b125
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_amd64.deb
Size/MD5 checksum: 848544
b2584efe95149b344eb3c6205da2368e
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_amd64.deb
Size/MD5 checksum: 14709540
1b1ca0bae85285d5b385495728f06af2
ARM architecture:
Size/MD5 checksum: 1388076
0be4eec4f3929bf0b7964157fa76accc
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_arm.deb
Size/MD5 checksum: 5557616
265a5c7293a18ea7f268bbbb4660f0fe
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_arm.deb
Size/MD5 checksum: 835746
f8f6416e44435b01068176a1ac98de0f
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_arm.deb
Size/MD5 checksum: 14555588
f8922b999f0b2f620853f3239b049fc9
Intel IA-32 architecture:
Size/MD5 checksum: 1416468
a8d52b676ff4ff91d413ff9324450036
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_i386.deb
Size/MD5 checksum: 5641628
2d20f8b3174a6a9a19121a5e498bd5c9
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_i386.deb
Size/MD5 checksum: 829580
1a4df96b603f27f7c2b139c1dd055460
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_i386.deb
Size/MD5 checksum: 14556398
fe1c3f25184baab2bb0095b32c77a797
Intel IA-64 architecture:
Size/MD5 checksum: 1711768
fda64e2e04286a2fdd67d2e86a905fb0
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_ia64.deb
Size/MD5 checksum: 7780852
853e3a49046d46af94ceef13ebb51c29
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_ia64.deb
Size/MD5 checksum: 1049644
b00ce1514972089cf719b85604808bde
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_ia64.deb
Size/MD5 checksum: 18474664
85e75b5428af17ec8ef0629cf57c321e
HP Precision architecture:
Size/MD5 checksum: 1550180
c5dd256372cd9627eb4dbd9582dce728
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_hppa.deb
Size/MD5 checksum: 6249180
039c8b4f93c713e967d301fea234292e
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_hppa.deb
Size/MD5 checksum: 909078
94164738f1978a1eadedb4014c38097e
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_hppa.deb
Size/MD5 checksum: 15786540
bd9c9386dcacf37a1802160c21f87712
Motorola 680×0 architecture:
Size/MD5 checksum: 1396690
dfac1efd2c57ee8c1e5c8e3439e439bf
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_m68k.deb
Size/MD5 checksum: 5282688
ed08875a118d9237d00f3e3011b1dac1
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_m68k.deb
Size/MD5 checksum: 802834
e5ab7837ea28d267bfe698fee03cbba6
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_m68k.deb
Size/MD5 checksum: 14069986
f869a37931dfb86519458a9d48747f96
Big endian MIPS architecture:
Size/MD5 checksum: 1477766
fb7a8d1fb9d4607d7172c36032ebcbbb
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_mips.deb
Size/MD5 checksum: 6051760
6e97430bc9b02e866e04414e627f9f4c
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_mips.deb
Size/MD5 checksum: 903542
f99636d7c17d9b9647c34d3dd3379c2d
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_mips.deb
Size/MD5 checksum: 15407442
36eaf9d65e7c4dcaeff920389c6bd890
Little endian MIPS architecture:
Size/MD5 checksum: 1445230
a850a8ef0b9860fdea3530e9c20ca155
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_mipsel.deb
Size/MD5 checksum: 5969356
4f65edebdd67451ff9f98d350d8de26f
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_mipsel.deb
Size/MD5 checksum: 889146
f7f3a001055f08d94598a0829a76aaf2
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_mipsel.deb
Size/MD5 checksum: 15103070
c204dcfe3af004201336df429d02972f
PowerPC architecture:
Size/MD5 checksum: 1475306
a9a981440a13e4da0f3f1eb28df8e178
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_powerpc.deb
Size/MD5 checksum: 6024926
72553153e08c80d0d52a8abc5634c61b
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_powerpc.deb
Size/MD5 checksum: 906294
6952b08aabe467261f3501fe9863d2cf
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_powerpc.deb
Size/MD5 checksum: 15402300
a8052df1923122ec2fd18d5a3aa5c125
IBM S/390 architecture:
Size/MD5 checksum: 1537478
d53485497a6fc99eb0186857fc799963
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_s390.deb
Size/MD5 checksum: 5460684
2a11f9f50e74053a17679d59ffea44ad
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_s390.deb
Size/MD5 checksum: 883270
61d8ef6a6d11ca03c84bf359a004e2e8
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_s390.deb
Size/MD5 checksum: 15053878
1a9066f65b02545819ab1fddec62ba71
Sun Sparc architecture:
Size/MD5 checksum: 1459386
b801d56ac5282e4316a11c7e231bbac0
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.11a-4sarge1_sparc.deb
Size/MD5 checksum: 6205406
2cc5c4c174d61bf0f76b5fd9b75055f8
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.11a-4sarge1_sparc.deb
Size/MD5 checksum: 867260
b8d31122c0c678cd73c1ae2dba158fb0
http://security.debian.org/pool/updates/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.11a-4sarge1_sparc.deb
Size/MD5 checksum: 15390174
f2ddbee863e67a62792dec779c3a9c2e
These files will probably be moved into the stable distribution
on its next update.
For apt-get: deb http://security.debian.org/
stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>’ and http://packages.debian.org/<pkg>
Fedora Core
Fedora Update Notification
FEDORA-2005-802
2005-08-24
Product : Fedora Core 3
Name : pcre
Version : 4.5
Release : 3.1.1.fc3
Summary : Perl-compatible regular expression library.
Description :
Perl-compatible regular expression library. PCRE has its own native
API, but a set of “wrapper” functions that are based on the POSIX
API are also supplied in the library libpcreposix. Note that this
just provides a POSIX calling interface to PCRE; the regular
expressions themselves still follow Perl syntax and semantics. The
header file for the POSIX-style functions is called
pcreposix.h.
Update Information:
the new package includes a fix for a heap buffer overflow.
- Fri Aug 19 2005 Than Ngo <than@redhat.com> 4.5-3.1.1.fc3
- backport patch to fix heap overflow, CAN-2005-2491,
#166330
- backport patch to fix heap overflow, CAN-2005-2491,
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
cfca595b559afe8d33cbc39ab744d6db
SRPMS/pcre-4.5-3.1.1.fc3.src.rpm
9f498d84c73b744cd03b2b93aca582c6
x86_64/pcre-4.5-3.1.1.fc3.x86_64.rpm
344d94e5b5b64c6422c71fec331dd94c
x86_64/pcre-devel-4.5-3.1.1.fc3.x86_64.rpm
08efe09b0a59fcff8df2b42a1b64309a
x86_64/debug/pcre-debuginfo-4.5-3.1.1.fc3.x86_64.rpm
81729fbca4064dd687bab07ae6cf9fd1
x86_64/pcre-4.5-3.1.1.fc3.i386.rpm
81729fbca4064dd687bab07ae6cf9fd1
i386/pcre-4.5-3.1.1.fc3.i386.rpm
35b406ce33a16b67b73a600ab5cb5b3e
i386/pcre-devel-4.5-3.1.1.fc3.i386.rpm
14c8d8b5d8dec038bd54f9e16668d5da
i386/debug/pcre-debuginfo-4.5-3.1.1.fc3.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.
Fedora Update Notification
FEDORA-2005-803
2005-08-24
Product : Fedora Core 4
Name : pcre
Version : 5.0
Release : 4.1.fc4
Summary : Perl-compatible regular expression library.
Description :
Perl-compatible regular expression library. PCRE has its own native
API, but a set of “wrapper” functions that are based on the POSIX
API are also supplied in the library libpcreposix. Note that this
just provides a POSIX calling interface to PCRE; the regular
expressions themselves still follow Perl syntax and semantics. The
header file for the POSIX-style functions is called
pcreposix.h.
Update Information:
the new package includes a fix for a heap buffer overflow.
- Fri Aug 19 2005 Than Ngo <than@redhat.com> 5.0-4.1.fc4
- backport patch to fix heap overflow, CAN-2005-2491,
#166330
- backport patch to fix heap overflow, CAN-2005-2491,
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
ec1decec12e651d1d5bec690e3627a7d
SRPMS/pcre-5.0-4.1.fc4.src.rpm
1b891f92b05f283dfdb34b741d80cc56 ppc/pcre-5.0-4.1.fc4.ppc.rpm
6eaa9ffa13d1c54c2a77f3e38c09b243
ppc/pcre-devel-5.0-4.1.fc4.ppc.rpm
6cbe01b454cf34947086ac285f1b2434
ppc/debug/pcre-debuginfo-5.0-4.1.fc4.ppc.rpm
6f850622f337cc426174855d078080cf ppc/pcre-5.0-4.1.fc4.ppc64.rpm
f47bed04d3eeb5df7dd3eae206a4efc9
x86_64/pcre-5.0-4.1.fc4.x86_64.rpm
59d58d979da779954a975fd3b147c892
x86_64/pcre-devel-5.0-4.1.fc4.x86_64.rpm
c84a457fb0b05b28a32f4c225445091f
x86_64/debug/pcre-debuginfo-5.0-4.1.fc4.x86_64.rpm
31bcef8ff26efea03e2a2825364ab420
x86_64/pcre-5.0-4.1.fc4.i386.rpm
31bcef8ff26efea03e2a2825364ab420 i386/pcre-5.0-4.1.fc4.i386.rpm
f8ff870b071671a3a4757fc38460a95d
i386/pcre-devel-5.0-4.1.fc4.i386.rpm
198825cc873affdfe8dde48fb52b3556
i386/debug/pcre-debuginfo-5.0-4.1.fc4.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.
Fedora Update Notification
FEDORA-2005-804
2005-08-24
Product : Fedora Core 3
Name : epiphany
Version : 1.4.9
Release : 0
Summary : GNOME web browser based on the Mozilla rendering
engine
Description :
epiphany is a simple GNOME web browser based on the Mozilla
rendering engine
- Thu Aug 18 2005 Marco Pesenti Gritti <mpg@redhat.com>
1.4.9-0- Update to 1.4.9
- Remove download patch (integrated upstream)
- Add the manual to the package
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
215f0da5fecdb2dd5e3590b11b6d2a56
SRPMS/epiphany-1.4.9-0.src.rpm
3ffec6505656ee3f2bdffaa375187128
x86_64/epiphany-1.4.9-0.x86_64.rpm
95ceb629352e0221cf89530ae1906a83
x86_64/epiphany-devel-1.4.9-0.x86_64.rpm
b459864c4cf3558045fef0c844f9a94c
x86_64/debug/epiphany-debuginfo-1.4.9-0.x86_64.rpm
882cd7f444e2edd85fab9f0dfcb7b48a i386/epiphany-1.4.9-0.i386.rpm
e3e7927eaf8a7278fc4628294850d58a
i386/epiphany-devel-1.4.9-0.i386.rpm
72699feb4ede1670707bd9dfe4913939
i386/debug/epiphany-debuginfo-1.4.9-0.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.
Gentoo Linux
Gentoo Linux Security Advisory GLSA 200508-12
Severity: Normal
Title: Evolution: Format string vulnerabilities
Date: August 23, 2005
Bugs: #102051
ID: 200508-12
Synopsis
Evolution is vulnerable to format string vulnerabilities which
may result in remote execution of arbitrary code.
Background
Evolution is a GNOME groupware application.
Affected packages
Package / Vulnerable / Unaffected
1 mail-client/evolution < 2.2.3-r3 >= 2.2.3-r3
Description
Ulf Harnhammar discovered that Evolution is vulnerable to format
string bugs when viewing attached vCards and when displaying
contact information from remote LDAP servers or task list data from
remote servers (CAN-2005-2549). He also discovered that Evolution
fails to handle special calendar entries if the user switches to
the Calendars tab (CAN-2005-2550).
Impact
An attacker could attach specially crafted vCards to emails or
setup malicious LDAP servers or calendar entries which would
trigger the format string vulnerabilities when viewed or accessed
from Evolution. This could potentially result in the execution of
arbitrary code with the rights of the user running Evolution.
Workaround
There is no known workaround at this time.
Resolution
All Evolution users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/evolution-2.2.3-r3"
References
[ 1 ] CAN-2005-2549
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2549
[ 2 ] CAN-2005-2550
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2550
[ 3 ] SITIC Vulnerability Advisory SA05-001
http://www.sitic.se/eng/advisories_and_recommendations/sa05-001.html
Availability
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200508-12.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
License
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Mandriva Linux
Mandriva Linux Security Update Advisory
Package name: slocate
Advisory ID: MDKSA-2005:147
Date: August 22nd, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate
Server 2.1
Problem Description:
A bug was discovered in the way that slocate processes very long
paths. A local user could create a carefully crafted directory
structure that would prevent updatedb from completing its
filesystem scan, resulting in an incomplete database.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2499
Updated Packages:
Mandrakelinux 10.0:
8b492b8674dcd11652f28b267f314f89
10.0/RPMS/slocate-2.7-4.1.100mdk.i586.rpm
752863ae586d26b93bc4833967d4c5cd
10.0/SRPMS/slocate-2.7-4.1.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
abd885edd206419961702efee3b76f16
amd64/10.0/RPMS/slocate-2.7-4.1.100mdk.amd64.rpm
752863ae586d26b93bc4833967d4c5cd
amd64/10.0/SRPMS/slocate-2.7-4.1.100mdk.src.rpm
Mandrakelinux 10.1:
c5eb5da64a9500f2917467380ec2016b
10.1/RPMS/slocate-2.7-4.1.101mdk.i586.rpm
734eb05ad18bd9c4955a29574b2bebd0
10.1/SRPMS/slocate-2.7-4.1.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
2d7791f13424975932551dc9e83bfceb
x86_64/10.1/RPMS/slocate-2.7-4.1.101mdk.x86_64.rpm
734eb05ad18bd9c4955a29574b2bebd0
x86_64/10.1/SRPMS/slocate-2.7-4.1.101mdk.src.rpm
Mandrakelinux 10.2:
fd8bf38e59bb05eea611de5b2ae70255
10.2/RPMS/slocate-2.7-4.1.102mdk.i586.rpm
37c7654356b72327dd028e2ce3b1e9f0
10.2/SRPMS/slocate-2.7-4.1.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
8344b2bece3dca3cac1d3afbe5774936
x86_64/10.2/RPMS/slocate-2.7-4.1.102mdk.x86_64.rpm
37c7654356b72327dd028e2ce3b1e9f0
x86_64/10.2/SRPMS/slocate-2.7-4.1.102mdk.src.rpm
Corporate Server 2.1:
57e13aee8eb5547443b1d6df1897a5a4
corporate/2.1/RPMS/slocate-2.7-2.2.C21mdk.i586.rpm
e827615678546ce552ddea3784ea7651
corporate/2.1/SRPMS/slocate-2.7-2.2.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
be3dab7dac13c4a873296f9f81d8c893
x86_64/corporate/2.1/RPMS/slocate-2.7-2.2.C21mdk.x86_64.rpm
e827615678546ce552ddea3784ea7651
x86_64/corporate/2.1/SRPMS/slocate-2.7-2.2.C21mdk.src.rpm
Corporate 3.