- -------------------------------------------------------------------------- Debian Security Advisory DSA 191-2 security@debian.org http://www.debian.org/security/ Martin Schulze November 7th, 2002 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : squirrelmail Vulnerability : cross site scripting Problem-Type : remote Debian-specific: no BugTraq ID : 5949 CVE ID : CAN-2002-1131 CAN-2002-1132 The security update for Squirrelmail (DSA 191-1) unfortunately introduced a bug in the options page. This problem is fixed in version 1.2.6-1.2 the current stable distribution (woody). The unstable distribution (sid) and the old stable distribution (potato) were not affected by this. For completeness please find below the original security advisory: Several cross site scripting vulnerabilities have been found in squirrelmail, a feature-rich webmail package written in PHP4. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities: 1. CAN-2002-1131: User input is not always sanitized so execution of arbitrary code on a client computer is possible. This can happen after following a malicious URL or by viewing a malicious addressbook entry. 2. CAN-2002-1132: Another problem could make it possible for an attacker to gain sensitive information under some conditions. When a malformed argument is appended to a link, an error page will be generated which contains the absolute pathname of the script. However, this information is available through the Contents file of the distribution anyway. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.2.dsc Size/MD5 checksum: 586 6d692e30af267ebc530da83e0affe56c http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.2.diff.gz Size/MD5 checksum: 15260 b5a119c93fba2b3e8a4687c0f572b592 http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz Size/MD5 checksum: 1856087 be9e6be1de8d3dd818185d596b41a7f1 Architecture independent components: http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-1.2_all.deb Size/MD5 checksum: 1839570 f4b77b5d0c95c336a8b882e917c53f50 These files will probably be moved into the stable distribution on its next revision. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>; - -------------------------------------------------------------------------- Debian Security Advisory DSA 193-1 security@debian.org http://www.debian.org/security/ Martin Schulze November 11th, 2002 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : kdenetwork Vulnerability : buffer overflow Problem-Type : local Debian-specific: no CVE Id : CAN-2002-1247 iDEFENSE reports a security vulnerability in the klisa package, that provides a LAN information service similar to "Network Neighbourhood", which was discovered by Texonet. It is possible for a local attacker to exploit a buffer overflow condition in resLISa, a restricted version of KLISa. The vulnerability exists in the parsing of the LOGNAME environment variable, an overly long value will overwrite the instruction pointer thereby allowing an attacker to seize control of the executable. This problem has been fixed in version 2.2.2-14.2 the current stable distribution (woody) and in version 2.2.2-14.3 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain a kdenetwork package We recommend that you upgrade your klisa package immediately. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/k/kdenetwork/kdenetwork_2.2.2-14.2.dsc Size/MD5 checksum: 902 30ea9de901850dd86078a4579a15a828 http://security.debian.org/pool/updates/main/k/kdenetwork/kdenetwork_2.2.2-14.2.diff.gz Size/MD5 checksum: 27235 e78c14ecc95942e66a53a3d09e6282be http://security.debian.org/pool/updates/main/k/kdenetwork/kdenetwork_2.2.2.orig.tar.gz Size/MD5 checksum: 3319181 25fbfc5d2592937480c0d3796a2416e0 Alpha architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_alpha.deb Size/MD5 checksum: 188864 b1693a71418d3175b7a60594a6462ed8 ARM architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_arm.deb Size/MD5 checksum: 155726 333a771bfdbf7b4bc4bb7f16370d5092 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_i386.deb Size/MD5 checksum: 150248 447ca978df2eabe8971f0106d75dd5df Intel IA-64 architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_ia64.deb Size/MD5 checksum: 210980 b17bb3613cf9fc2aead59062f9a1451e HP Precision architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_hppa.deb Size/MD5 checksum: 217942 65650fd70d68aadd52ade4e9f2cdda12 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_m68k.deb Size/MD5 checksum: 141476 1ae9ae0e344b160b1c1291fef6f053af Big endian MIPS architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_mips.deb Size/MD5 checksum: 143114 71aed55cd0d402bcd560b2f26b9a228b Little endian MIPS architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_mipsel.deb Size/MD5 checksum: 142900 a0396da967699113e88c6494fd3404e3 PowerPC architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_powerpc.deb Size/MD5 checksum: 151782 fd2a725326925326882e98cc9116e91a IBM S/390 architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_s390.deb Size/MD5 checksum: 143358 f20e164fd56ac9d94c8298f07fb3d9a3 Sun Sparc architecture: http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_sparc.deb Size/MD5 checksum: 151462 2fca224f1668dfa48e46261c047b5d80 Please note that the source packages mentioned above produce more binary packages than the ones listed above. They are not relevant for the fixed problems, though. These files will probably be moved into the stable distribution on its next revision. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>;
Debian GNU/Linux Advisories: squirrelmail, kdenetwork
By
Get the Free Newsletter!
Subscribe to Developer Insider for top news, trends, & analysis