---

Home Security

Advisories, November 13, 2006

By

Debian Security Advisory DSA 1208-1 security@debian.org
http://www.debian.org/security/
Moritz Muehlenhoff
November 11th, 2006 http://www.debian.org/security/faq

Package : bugzilla
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2005-4534 CVE-2006-5453
Debian Bug : 395094 329387

Several remote vulnerabilities have been discovered in the
Bugzilla bug tracking system, which may lead to the execution of
arbitrary code. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2005-4534

Javier Fernandez-Sanguino Peña discovered that insecure
temporary file usage may lead to denial of service through a
symlink attack.

CVE-2006-5453

Several cross-site scripting vulnerabilities may lead to
injection of arbitrary web script code.

For the stable distribution (sarge) these problems have been
fixed in version 2.16.7-7sarge2.

For the upcoming stable distribution (etch) these problems have
been fixed in version 2.22.1-1.

For the unstable distribution (sid) these problems have been
fixed in version 2.22.1-1.

We recommend that you upgrade your bugzilla packages.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:

    http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.16.7-7sarge2.dsc

      Size/MD5 checksum: 672
94d9f5a0686916545b0a2331cf701e9b
    http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.16.7-7sarge2.diff.gz

      Size/MD5 checksum: 58117
4b7c3e3f2dd3a25c85cc422431915355
    http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.16.7.orig.tar.gz

      Size/MD5 checksum: 1378708
b3f3fcac3103c139a218e7316a9bbcc7

Architecture independent components:

    http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla-doc_2.16.7-7sarge2_all.deb

      Size/MD5 checksum: 572342
353444279ff5ea591fdc70aaf18fa690
    http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.16.7-7sarge2_all.deb

      Size/MD5 checksum: 368594
93e7597ee670fe72b8a68f796a5f4b4d

These files will probably be moved into the stable distribution
on its next update.

Debian Security Advisory DSA 1209-1 security@debian.org
http://www.debian.org/security/
Moritz Muehlenhoff
November 12th, 2006 http://www.debian.org/security/faq

Package : trac
Vulnerability : cross-site request forgery
Problem-Type : remote
Debian-specific: no

It was discovered that Trac, a wiki and issue tracking system
for software development projects, performs insufficient validation
against cross-site request forgery, which might lead to an attacker
being able to perform manipulation of a Trac site with the
privileges of the attacked Trac user.

For the stable distribution (sarge) this problem has been fixed
in version 0.8.1-3sarge6.

For the unstable distribution (sid) this problem has been fixed
in version 0.10.1-1.

We recommend that you upgrade your trac package.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:

    http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge6.dsc

      Size/MD5 checksum: 656
9aee65c62e905729214dc065e0dd85a5
    http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge6.diff.gz

      Size/MD5 checksum: 14618
7de0360d7a6cd04c7cb535b69b6d296b
    http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1.orig.tar.gz

      Size/MD5 checksum: 236791
1b6c44fae90c760074762b73cdc88c8d

Architecture independent components:

    http://security.debian.org/pool/updates/main/t/trac/trac_0.8.1-3sarge6_all.deb

      Size/MD5 checksum: 199920
dd5e78a6212c457d72729a17e5810b25

These files will probably be moved into the stable distribution
on its next update.

For apt-get: deb http://security.debian.org/
stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Package info: `apt-cache show <pkg>’ and http://packages.debian.org/<pkg>

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.