---

Advisories, May 11, 2006

Debian GNU/Linux


Debian Security Advisory DSA 1055-1 [email protected]
http://www.debian.org/security/
Martin Schulze
May 11th, 2006 http://www.debian.org/security/faq


Package : mozilla-firefox
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-1993
CERT advisory : VU#866300
BugTraq ID : 17671

Martijn Wargers and Nick Mott described crashes of Mozilla due
to the use of a deleted controller context. In theory this could be
abused to execute malicious code. Since Mozilla and Firefox share
the same codebase, Firefox may be vulnerable as well.

For the stable distribution (sarge) this problem has been fixed
in version 1.7.8-1sarge7.

For the unstable distribution (sid) this problem has been fixed
in version 1.5.dfsg+1.5.0.3-1.

We recommend that you upgrade your Mozilla Firefox packages.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7.dsc

      Size/MD5 checksum: 1001
b182197490af4a8c07faa21ec3178291
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7.diff.gz

      Size/MD5 checksum: 382272
eae0832fc7a4d408c33ff598859b95c3
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz

      Size/MD5 checksum: 40212297
8e4ba81ad02c7986446d4e54e978409d

Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_alpha.deb

      Size/MD5 checksum: 11170108
35d0f530d00b9760f9b37b6d59a7b98c
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_alpha.deb

      Size/MD5 checksum: 168254
27b2e718d091dcff900a878dd352e2eb
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_alpha.deb

      Size/MD5 checksum: 60066
c8f22cf9f8971e69e6cc69d52ceb033a

AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_amd64.deb

      Size/MD5 checksum: 9401164
9b9f42d600ca975265e57c51e0fe420b
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_amd64.deb

      Size/MD5 checksum: 162980
ae57927c8905ca478c9aaac05fd77679
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_amd64.deb

      Size/MD5 checksum: 58588
bbe086cded328a79afc3a5b5e04f1447

ARM architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_arm.deb

      Size/MD5 checksum: 8220434
d63fdf2bc771e7903e18fc95c03d21b4
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_arm.deb

      Size/MD5 checksum: 154458
10bee95fe87228a9107215d643b68cf7
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_arm.deb

      Size/MD5 checksum: 53918
3a1ffa2d6a7e115bc1e778dd0077044a

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_i386.deb

      Size/MD5 checksum: 8896786
b4905b847321b7731c1288c9d0122789
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_i386.deb

      Size/MD5 checksum: 158256
476a15b546d7b1254cc008cb1a844ef3
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_i386.deb

      Size/MD5 checksum: 55464
fb9c72d1b12b5aa5d2dc361b77726cd7

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_ia64.deb

      Size/MD5 checksum: 11629186
3e1248f0329f167f5bc8eed406b06420
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_ia64.deb

      Size/MD5 checksum: 168566
330d75c658d1223910417aee513d5a23
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_ia64.deb

      Size/MD5 checksum: 63240
4e346f99587fa558c5ad4d85289ba370

HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_hppa.deb

      Size/MD5 checksum: 10273196
ffe9299d71a54b492ef877bd257dc03e
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_hppa.deb

      Size/MD5 checksum: 165962
bae1954b7d4890212b6b2b9a3d19b0f1
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_hppa.deb

      Size/MD5 checksum: 59044
099a56aea5ac814d73c64ebb9908212c

Motorola 680×0 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_m68k.deb

      Size/MD5 checksum: 8171346
b9757d714b8fb34a7e97932bf0051ea6
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_m68k.deb

      Size/MD5 checksum: 157066
6726876e93ddec7b9769cd8c61bc16b4
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_m68k.deb

      Size/MD5 checksum: 54714
a33fecb05d28dda42c769cecec91565b

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_mips.deb

      Size/MD5 checksum: 9927864
4c70937659ebe4d7fc7ae13a5309007c
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_mips.deb

      Size/MD5 checksum: 155976
78d61083b2c02dbd379b6636ebbc2cbb
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_mips.deb

      Size/MD5 checksum: 55732
edfba6b5447f47d96c98c3db4f0cf52e

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_mipsel.deb

      Size/MD5 checksum: 9807630
a0c05595aa8e1468750bd3ff0ae670fb
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_mipsel.deb

      Size/MD5 checksum: 155546
ff7579d18436e60494704248cc5b1903
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_mipsel.deb

      Size/MD5 checksum: 55542
9e5b366836347ea73ffc69bd73426950

PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_powerpc.deb

      Size/MD5 checksum: 8567490
c978e68620c8723ab1ec2362a2da55db
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_powerpc.deb

      Size/MD5 checksum: 156650
36577e400def2520244ed10477e835ac
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_powerpc.deb

      Size/MD5 checksum: 57838
71d25d8679a89959f2a3940b506d132b

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_s390.deb

      Size/MD5 checksum: 9639082
74a78e821f228e9e1e666989a20cb3c2
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_s390.deb

      Size/MD5 checksum: 163604
bd61659892deb545cd5f8d951f76cc9d
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_s390.deb

      Size/MD5 checksum: 58020
da2faef8dedb60e007645f3e337c66ca

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge7_sparc.deb

      Size/MD5 checksum: 8659776
381305a5710ff4246c38548cfa0716cc
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge7_sparc.deb

      Size/MD5 checksum: 156856
d648cb8107adf03e2754db2cb2f6a55d
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge7_sparc.deb

      Size/MD5 checksum: 54282
ab2a47c10e3c6fab92d7e1c1bd94f4f6

These files will probably be moved into the stable distribution
on its next update.


For apt-get: deb http://security.debian.org/
stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates/main
Mailing list: [email protected]

Package info: `apt-cache show <pkg>’ and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200605-13


http://security.gentoo.org/


Severity: Low
Title: MySQL: Information leakage
Date: May 11, 2006
Bugs: #132146
ID: 200605-13


Synopsis

A MySQL server may leak information to unauthorized users.

Background

MySQL is a popular multi-threaded, multi-user SQL database
server.

Affected packages


     Package       /  Vulnerable  /                         Unaffected

  1  dev-db/mysql      < 4.1.19                              >= 4.1.19

Description

The processing of the COM_TABLE_DUMP command by a MySQL server
fails to properly validate packets that arrive from the client via
a network socket.

Impact

By crafting specific malicious packets an attacker could gather
confidential information from the memory of a MySQL server process,
for example results of queries by other users or applications. By
using PHP code injection or similar techniques it would be possible
to exploit this flaw through web applications that use MySQL as a
database backend.

Note that on 5.x versions it is possible to overwrite the stack
and execute arbitrary code with this technique. Users of MySQL 5.x
are urged to upgrade to the latest available version.

Workaround

There is no known workaround at this time.

Resolution

All MySQL users should upgrade to the latest version.

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-db/mysql-4.1.19"

References

[ 1 ] Original advisory


http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2006-05/msg00041.html

[ 2 ] CVE-2006-1516

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1516

[ 3 ] CVE-2006-1517

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1517

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200605-13.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5