Advisories, November 20, 2006


Debian Security Advisory DSA 1214-1 security@debian.org
http://www.debian.org/security/
Moritz Muehlenhoff
November 20th, 2006 http://www.debian.org/security/faq


Package : gv
Vulnerability : buffer overflow
Problem-Type : local(remote)
Debian-specific: no
CVE ID : CVE-2006-5864
Debian Bug : 398292

Renaud Lifchitz discovered that gv, the PostScript and PDF
viewer for X, performs insufficient boundary checks in the
PostScript parsing code, which allows the execution of arbitrary
code through a buffer overflow.

For the stable distribution (sarge) this problem has been fixed
in version 3.6.1-10sarge1.

For the upcoming stable distribution (etch) this problem has
been fixed in version 3.6.2-2.

For the unstable distribution (sid) this problem has been fixed
in version 3.6.2-2.

We recommend that you upgrade your gv package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution
on its next update.



Debian Security Advisory DSA 1215-1 security@debian.org
http://www.debian.org/security/
Moritz Muehlenhoff
November 20th, 2006 http://www.debian.org/security/faq


Package : xine-lib
Vulnerability : several
Problem-Type : local(remote)
Debian-specific: no
CVE ID : CVE-2006-4799 CVE-2006-4800
Debian Bug : 369876

Several remote vulnerabilities have been discovered in the Xine
multimedia library, which may lead to the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2006-4799

The XFocus Security Team discovered that insufficient
validation of AVI headers may lead to the execution of arbitrary
code.

CVE-2006-4800

Michael Niedermayer discovered that a buffer overflow in the 4XM
codec may lead to the execution of arbitrary code.
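The two code-execution bugs in DSA 1214 (the gv PostScript parser) and DSA 1215 (the xine AVI header and 4XM codec paths) share one root cause: a length taken from the file is used before it is compared with the bytes actually present. The following is an added example, not gv or xine code, of a RIFF/AVI chunk walker that checks every declared size against the remaining buffer before advancing; the byte arrays are constructed for the example and are not real files.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian 32-bit read that does not assume alignment. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the top-level chunks of a RIFF/AVI buffer. Every size field is
 * untrusted: it is compared with the bytes actually present before it is
 * used to advance, so a forged size cannot push the parser past the buffer.
 * Returns the chunk count, or -1 if the header or any chunk overruns. */
int avi_count_chunks(const uint8_t *buf, size_t len)
{
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "AVI ", 4) != 0)
        return -1;
    uint32_t riff_size = rd_le32(buf + 4);      /* bytes that follow this field */
    if (riff_size < 4 || riff_size > len - 8)   /* must cover "AVI " and fit in len */
        return -1;
    size_t pos = 12, end = 8 + (size_t)riff_size;
    int count = 0;
    while (pos < end) {
        if (end - pos < 8)                      /* truncated chunk header */
            return -1;
        size_t payload = rd_le32(buf + pos + 4);
        if (payload > end - pos - 8)            /* declared size overruns the data */
            return -1;
        pos += 8 + payload + (payload & 1);     /* chunks are padded to even length */
        if (pos > end)                          /* padding byte missing at the end */
            return -1;
        count++;
    }
    return count;
}

/* Constructed samples: a well-formed two-chunk file, the same file with the
 * first chunk size forged to 0xFFFFFFFF, and a header claiming absent data. */
const uint8_t AVI_OK[] = {
    'R','I','F','F', 28,0,0,0, 'A','V','I',' ',
    'J','U','N','K', 4,0,0,0, 'a','b','c','d',
    'L','I','S','T', 3,0,0,0, 'x','y','z',0 };
const uint8_t AVI_FORGED_SIZE[] = {
    'R','I','F','F', 28,0,0,0, 'A','V','I',' ',
    'J','U','N','K', 0xff,0xff,0xff,0xff, 'a','b','c','d',
    'L','I','S','T', 3,0,0,0, 'x','y','z',0 };
const uint8_t AVI_TRUNCATED[] = { 'R','I','F','F', 100,0,0,0, 'A','V','I',' ' };
```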

For the stable distribution (sarge) these problems have been
fixed in version 1.0.1-1sarge4.

For the upcoming stable distribution (etch) these problems have
been fixed in version 1.1.2-1.

For the unstable distribution (sid) these problems have been
fixed in version 1.1.2-1.

We recommend that you upgrade your xine-lib packages.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution
on its next update.



Debian Security Advisory DSA 1216-1 security@debian.org
http://www.debian.org/security/
Moritz Muehlenhoff
November 20th, 2006 http://www.debian.org/security/faq


Package : flexbackup
Vulnerability : insecure temporary file
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2006-4802
Debian Bug : 334350

Eric Romang discovered that the flexbackup backup tool creates
temporary files in an insecure manner, which allows denial of
service through a symlink attack.
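The insecure temporary file pattern named above, beside its hardened form, as an added example that is not flexbackup code (flexbackup itself is a Perl script; the file name and the TMPDIR fallback here are constructed for the example). The point is the open flags: without O_EXCL a pre-existing symlink at a predictable path is silently followed, whereas mkstemp() creates the file with O_CREAT|O_EXCL and mode 0600, so the open fails instead.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* The pattern the advisory describes: a fixed, predictable name in a shared
 * directory, opened without O_EXCL, so an existing symlink there is followed. */
int open_tmp_insecure(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/flexbackup.tmp", dir);   /* constructed name */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: mkstemp() picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL, mode 0600. fstat() then confirms we really hold a regular
 * file of our own. Writes the chosen path to path_out; returns fd or -1. */
int open_tmp_secure(const char *dir, char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/flexbackup.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* Self-check: create, verify and remove a secure temp file in TMPDIR or /tmp. */
int demo_tmp_secure(void)
{
    const char *dir = getenv("TMPDIR");
    char path[4096];
    int fd = open_tmp_secure(dir ? dir : "/tmp", path, sizeof path);
    if (fd < 0)
        return 0;
    close(fd);
    return unlink(path) == 0;
}
```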

For the stable distribution (sarge) this problem has been fixed
in version 1.2.1-2sarge1.

For the upcoming stable distribution (etch) this problem has
been fixed in version 1.2.1-3.

For the unstable distribution (sid) this problem has been fixed
in version 1.2.1-3.

We recommend that you upgrade your flexbackup package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution
on its next update.



Debian Security Advisory DSA 1217-1 security@debian.org
http://www.debian.org/security/
Moritz Muehlenhoff
November 20th, 2006 http://www.debian.org/security/faq


Package : linux-ftpd
Vulnerability : programming error
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-5778
Debian Bug : 384454

Paul Szabo discovered that the netkit ftp server switches the
user id too late, which may lead to the bypass of access
restrictions when running on NFS. This update also adds return
value checks to setuid() calls, which may fail in some PAM
configurations.
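The discipline this update enforces, as an added example that is not netkit ftpd code: drop privileges in the right order and treat a failed setuid() as fatal rather than carrying on as root. The user name passed in is an assumption of the caller; the function refuses to "drop" to uid 0 and verifies afterwards that root cannot be regained.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>

/* Drop from root to `user`, checking every step. The order matters:
 * supplementary groups and the gid must be set while still root, because
 * once setuid() has succeeded they can no longer be changed. A setuid()
 * failure that goes unnoticed (the advisory notes some PAM configurations
 * make it fail) leaves the process running as root while it believes it
 * is the user. Returns 0 on success, -1 on any failure; on -1 the caller
 * must exit, not continue serving the client. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)     /* unknown user, or "dropping" to root */
        return -1;
    if (geteuid() != 0)                    /* nothing to drop from */
        return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)           /* the return-value check the advisory adds */
        return -1;
    /* Confirm the change took effect and cannot be undone. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
        return -1;
    if (setuid(0) == 0)                    /* must fail with EPERM now */
        return -1;
    return 0;
}
```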

For the stable distribution (sarge) this problem has been fixed
in version 0.17-20sarge2.

For the upcoming stable distribution (etch) this problem has
been fixed in version 0.17-22.

For the unstable distribution (sid) this problem has been fixed
in version 0.17-22.

We recommend that you upgrade your ftpd package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution
on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
