
Advisories: September 5, 2005


Debian Security Advisory DSA 795-1 security@debian.org
http://www.debian.org/security/
Michael Stone
September 1st, 2005 http://www.debian.org/security/faq


Package : proftpd
Vulnerability : potential code execution
Problem-Type : format string error
Debian-specific: no
CVE ID : CAN-2005-2390

infamous42md reported that proftpd suffers from two format
string vulnerabilities. In the first, a user with the ability to
create a directory could trigger the format string error if there
is a proftpd shutdown message configured to use the “%C”, “%R”, or
“%U” variables. In the second, the error is triggered if mod_sql is
used to retrieve messages from a database and if format strings
have been inserted into the database by a user with permission to
do so.
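The first bug class described above, as an added illustration in C (this is not ProFTPD's code): a configured message template has %C, %R and %U expanded, and the result is then handed to a printf-style function. The struct, the function names and the sample values are constructed; the variable meanings (%C current directory, %R remote host, %U login name) follow ProFTPD's documentation.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed session data; field names are hypothetical, not ProFTPD's. */
struct session {
    const char *cwd;         /* %C: current working directory (user-created) */
    const char *remote_host; /* %R: remote host name */
    const char *login_user;  /* %U: user name given at login */
};

/* Expand %C, %R and %U in a configured template; every other character is
 * copied unchanged. Output is truncated to outsz - 1 bytes and NUL-terminated. */
size_t expand_vars(char *out, size_t outsz, const char *tmpl,
                   const struct session *s)
{
    size_t n = 0;
    if (outsz == 0)
        return 0;
    for (const char *p = tmpl; *p && n + 1 < outsz; p++) {
        const char *sub = NULL;
        if (p[0] == '%') {
            switch (p[1]) {
            case 'C': sub = s->cwd; break;
            case 'R': sub = s->remote_host; break;
            case 'U': sub = s->login_user; break;
            default: break;
            }
        }
        if (sub != NULL) {
            while (*sub && n + 1 < outsz)
                out[n++] = *sub++;
            p++; /* skip the variable letter */
        } else {
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return n;
}

/* printf-style reply writer, standing in for a server's response function.
 * Declaring such a function with the GCC/Clang format(printf, ...) attribute
 * lets -Wformat-security flag the unsafe call below at compile time. */
int reply(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE pattern (shown for contrast, never called here): after expansion
 * the message contains user-influenced text, and it is used as the format
 * string, so any conversion specifier inside a directory name is interpreted. */
int shutdown_reply_unsafe(char *dst, size_t dstsz, const char *tmpl,
                          const struct session *s)
{
    char msg[256];
    expand_vars(msg, sizeof msg, tmpl, s);
    return reply(dst, dstsz, msg);
}

/* FIXED pattern: the format string is a constant; the expanded message is
 * passed only as data for %s. */
int shutdown_reply_safe(char *dst, size_t dstsz, const char *tmpl,
                        const struct session *s)
{
    char msg[256];
    expand_vars(msg, sizeof msg, tmpl, s);
    return reply(dst, dstsz, "%s", msg);
}

int main(void)
{
    /* Constructed sample: a directory name that contains conversion specifiers. */
    struct session s = { "/incoming/%x%x", "host.example", "anonymous" };
    char out[256];
    shutdown_reply_safe(out, sizeof out, "Going down; %U@%R is in %C", &s);
    puts(out); /* the directory name is printed literally */
    return 0;
}
```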

The old stable distribution (woody) is not affected by these
vulnerabilities.

For the stable distribution (sarge) this problem has been fixed
in version 1.2.10-15sarge1.

For the unstable distribution (sid) this problem has been fixed
in version 1.2.10-20.

We recommend that you upgrade your proftpd package.

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution
on its next update.



Debian Security Advisory DSA 795-2 security@debian.org
http://www.debian.org/security/
Michael Stone
September 2, 2005 http://www.debian.org/security/faq


Package : proftpd
Vulnerability : potential code execution
Problem-Type : format string error
Debian-specific: no
CVE ID : CAN-2005-2390

infamous42md reported that proftpd suffers from two format
string vulnerabilities. In the first, a user with the ability to
create a directory could trigger the format string error if there
is a proftpd shutdown message configured to use the “%C”, “%R”, or
“%U” variables. In the second, the error is triggered if mod_sql is
used to retrieve messages from a database and if format strings
have been inserted into the database by a user with permission to
do so.

There was a build error for the sarge i386 proftpd packages
released in DSA 795-1. A new build, 1.2.10-15sarge1.0.1, has been
prepared to correct this error. The packages for other
architectures are unaffected.


Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution
on its next update.



Debian Security Advisory DSA 796-1 security@debian.org
http://www.debian.org/security/
Michael Stone
September 1st, 2005 http://www.debian.org/security/faq


Package : affix
Vulnerability : remote command execution
Problem-Type : unsafe use of popen
Debian-specific: no
CVE ID : CAN-2005-2716

Kevin Finisterre reports that affix, a package used to manage
bluetooth sessions under Linux, uses the popen call in an unsafe
fashion. A remote attacker can exploit this vulnerability to
execute arbitrary commands on a vulnerable system.
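An added illustration in C of the unsafe-popen pattern and its usual fix (this is not code from affix): the advisory does not say which input reaches popen, so peer_text, the helper path and the sample string below are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE pattern (shown for contrast, never called here): text received
 * from a remote peer is pasted into a command line, and popen() hands that
 * line to /bin/sh, which interprets any shell metacharacters it contains. */
FILE *notify_unsafe(const char *helper, const char *peer_text)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", helper, peer_text);
    return popen(cmd, "r");
}

/* FIXED pattern: run the helper directly with an argument vector. No shell
 * is involved, so peer_text reaches the helper as exactly one argument.
 * Captures the helper's stdout into out and returns its exit status, or -1.
 * The helper must still treat the argument as data (for example, a leading
 * '-' could be read as an option by some programs). */
int run_helper(const char *helper, const char *peer_text,
               char *out, size_t outsz)
{
    int fds[2];
    if (outsz == 0 || pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: stdout goes to the pipe, then exec the helper. */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);
        char *const argv[] = { (char *)helper, (char *)peer_text, NULL };
        execv(helper, argv);
        _exit(127); /* exec failed */
    }

    /* Parent: read until EOF or until the buffer is full. */
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outsz && (r = read(fds[0], out + n, outsz - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]); /* closed before waiting so a chatty child cannot block */

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input containing a shell metacharacter. */
    char out[128];
    int rc = run_helper("/bin/echo", "My Phone; echo INJECTED", out, sizeof out);
    printf("exit=%d output=%s", rc, out); /* the ';' is printed, not executed */
    return 0;
}
```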

The old stable distribution (woody) does not contain the affix
package.

For the stable distribution (sarge) this problem has been fixed
in version 2.1.1-3.

For the unstable distribution (sid) this problem has been fixed
in version 2.1.2-3.

We recommend that you upgrade your affix package.


Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution
on its next update.



Debian Security Advisory DSA 797-1 security@debian.org
http://www.debian.org/security/
Michael Stone
September 1st, 2005 http://www.debian.org/security/faq


Package : zsync
Vulnerability : DOS
Problem-Type : buffer overflow
Debian-specific: no
CVE ID : CAN-2005-1849, CAN-2005-2096

zsync, a file transfer program, includes a modified local copy
of the zlib library, and is vulnerable to certain bugs fixed
previously in the zlib package.

The old stable distribution (woody) does not contain the zsync
package.

For the stable distribution (sarge) this problem has been fixed
in version 0.3.3-1.sarge.1.

For the unstable distribution (sid) this problem has been fixed
in version 0.4.0-2.

We recommend that you upgrade your zsync package.


Debian GNU/Linux 3.1 alias sarge



These files will probably be moved into the stable distribution
on its next update.



Debian Security Advisory DSA 798-1 security@debian.org
http://www.debian.org/security/
Martin Schulze
September 2nd, 2005 http://www.debian.org/security/faq


Package : phpgroupware
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2498 CAN-2005-2600 CAN-2005-2761

Several vulnerabilities have been discovered in phpgroupware, a
web based groupware system written in PHP. The Common
Vulnerabilities and Exposures project identifies the following
problems:

CAN-2005-2498

Stefan Esser discovered another vulnerability in the XML-RPC
libraries that allows injection of arbitrary PHP code into eval()
statements. The XMLRPC component has been disabled.

CAN-2005-2600

Alexander Heidenreich discovered a cross-site scripting problem
in the tree view of FUD Forum Bulletin Board Software, which is
also present in phpgroupware.

CAN-2005-2761

A global cross-site scripting fix has also been included that
protects against potential malicious scripts embedded in CSS and
xmlns in various parts of the application and modules.

This update also contains a postinst bugfix that has been
approved for the next update to the stable release.

For the old stable distribution (woody) these problems don’t
apply.

For the stable distribution (sarge) these problems have been
fixed in version 0.9.16.005-3.sarge2.

For the unstable distribution (sid) these problems have been
fixed in version 0.9.16.008.

We recommend that you upgrade your phpgroupware packages.


Debian GNU/Linux 3.1 alias sarge

