Debian GNU/Linux

Debian Security Advisory DSA 670-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
February 8th, 2005                      http://www.debian.org/security/faq

Package        : emacs20
Vulnerability  : format string
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-0100
Max Vozeler discovered several format string vulnerabilities in
the movemail utility of Emacs, the well-known editor. By
connecting to a malicious POP server, an attacker can execute
arbitrary code with the privileges of group mail.
For the stable distribution (woody) these problems have been
fixed in version 20.7-13.3.
The unstable distribution (sid) does not contain an Emacs20
package anymore.
We recommend that you upgrade your emacs packages.
Upgrade Instructions

    wget url
        will fetch the file for you
    dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

    apt-get update
        will update the internal database
    apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
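As an added example that is not part of the advisory, the following POSIX shell script ties the wget and dpkg steps together with the Size/MD5 values the advisory publishes for each package: it fetches the .deb, checks that the byte count and the MD5 digest match what the advisory lists, and only then hands the file to dpkg -i. The function names check_package and fetch_and_install are this example's own; the usage line at the bottom uses the advisory's i386 emacs20 entry, and the same check_package function applies unchanged to the md5sum lists in the Fedora notifications further down this digest.

```shell
#!/bin/sh
# Added example, not part of DSA 670-1: verify a downloaded package
# against the Size/MD5 values published in the advisory before it is
# handed to dpkg -i. Function names are this example's own.

# check_package FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only if both the byte count and the MD5 digest match the
# values from the advisory; any mismatch is reported on stderr.
check_package() {
    file=$1
    expected_size=$2
    expected_md5=$3

    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # wc -c pads with spaces on some systems, so strip them.
    actual_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$actual_size" != "$expected_size" ]; then
        echo "size mismatch for $file: got $actual_size, expected $expected_size" >&2
        return 1
    fi

    # md5sum prints "<digest>  <name>"; keep only the digest.
    actual_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "MD5 mismatch for $file: got $actual_md5, expected $expected_md5" >&2
        return 1
    fi
    return 0
}

# fetch_and_install URL EXPECTED_SIZE EXPECTED_MD5
# Downloads the file named by URL into the current directory, verifies
# it with check_package, and installs it only if verification passed.
fetch_and_install() {
    url=$1
    file=$(basename "$url")
    wget -q "$url" || { echo "download failed: $url" >&2; return 1; }
    check_package "$file" "$2" "$3" || return 1
    dpkg -i "$file"
}

# Usage (run as root); size and digest are the advisory's i386 entry:
# fetch_and_install \
#   http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_i386.deb \
#   8983948 5da8b74b0bbffd9d7ae04e9d3d7ad44b
```

The check is only as strong as the source of the expected values: take the size and digest from the signed advisory mail, not from a file hosted on the same mirror as the package, or a tampered mirror could serve matching checksums along with a tampered package.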
Debian GNU/Linux 3.0 alias woody
Source archives:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3.dsc
Size/MD5 checksum: 623 a1747d7a2adc0269123d7b9430782f81
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3.diff.gz
Size/MD5 checksum: 63385 e3762c400bee11fbfdb7aaf520854fa6
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7.orig.tar.gz
Size/MD5 checksum: 18451553 879d5eaf52f0063a2948a0e1cfc3e886
Architecture independent components:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20-el_20.7-13.3_all.deb
Size/MD5 checksum: 5733996 bde64de09a9b2485b81aaaecd9318d97
Alpha architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_alpha.deb
Size/MD5 checksum: 9299902 3fd599dcf23a59d69aeb30cdfeb0bc1a
ARM architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_arm.deb
Size/MD5 checksum: 9053904 225b349728df97f1908966e663c2ce1c
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_i386.deb
Size/MD5 checksum: 8983948 5da8b74b0bbffd9d7ae04e9d3d7ad44b
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_ia64.deb
Size/MD5 checksum: 9563936 58ff45962cf2e7f5304b9f10e792c685
HP Precision architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_hppa.deb
Size/MD5 checksum: 9226312 94f642cf49a685de3f3ec7b6da9f6121
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_m68k.deb
Size/MD5 checksum: 8977188 b6248cb5843a342bd3a6bb0cd60f34dd
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_mips.deb
Size/MD5 checksum: 9218238 44ecc07fa53fabf4b1398e817722573d
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_mipsel.deb
Size/MD5 checksum: 9178056 68daa071410f9c64294878e04c48383d
PowerPC architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_powerpc.deb
Size/MD5 checksum: 9095196 e9c2599335c5b96bfd5d831925568d8d
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_s390.deb
Size/MD5 checksum: 9094704 25be346bd91d34abcfe7724e3602c45c
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_sparc.deb
Size/MD5 checksum: 9085792 1abfcd061af7cdb4e3cf8cd28b771865
These files will probably be moved into the stable distribution
on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Fedora Core
Fedora Update Notification
FEDORA-2005-124
2005-02-07
Product : Fedora Core 3
Name : postgresql
Version : 7.4.7
Release : 1.FC3.2
Summary : PostgreSQL client programs and libraries.
Description :
PostgreSQL is an advanced Object-Relational database management
system (DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions).
* Mon Feb 07 2005 Tom Lane <tgl@redhat.com> 7.4.7-1.FC3.2
- Put regression tests under /usr/lib64 on 64-bit archs, since
  .so files are not architecture-independent.
* Mon Feb 07 2005 Tom Lane <tgl@redhat.com> 7.4.7-1.FC3.1
- Update to PostgreSQL 7.4.7 (fixes CAN-2005-0227 and other
  issues).
- Update to PyGreSQL 3.6.1.
- Add versionless symlinks to jar files (bz#145744)
- Add restorecon to postgresql.init in order to restore database
  to correct SELinux context.
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
b09496c5894b3d952de83e49c2370e9b  SRPMS/postgresql-7.4.7-1.FC3.2.src.rpm
be06719f5a0541bfaead793b2f971506  x86_64/postgresql-7.4.7-1.FC3.2.x86_64.rpm
74a04a7eb5b46d9fb83d2cd3520bd3d1  x86_64/postgresql-libs-7.4.7-1.FC3.2.x86_64.rpm
1f3525b621a529d7f226cf98e57d909b  x86_64/postgresql-server-7.4.7-1.FC3.2.x86_64.rpm
2033ab7c66caf4da115af6102c5b840d  x86_64/postgresql-docs-7.4.7-1.FC3.2.x86_64.rpm
7319e25d0bb162fecbdeb832c7af1643  x86_64/postgresql-contrib-7.4.7-1.FC3.2.x86_64.rpm
8c46c3089168e2953b852c986ae0ba36  x86_64/postgresql-devel-7.4.7-1.FC3.2.x86_64.rpm
521d2b4fa6ad45fd2b62d395a4df1a70  x86_64/postgresql-pl-7.4.7-1.FC3.2.x86_64.rpm
96281e4ef08c923bd5a3b8e0d581710e  x86_64/postgresql-tcl-7.4.7-1.FC3.2.x86_64.rpm
d2c86c1ef11ef12a942a633549d51ad6  x86_64/postgresql-python-7.4.7-1.FC3.2.x86_64.rpm
1dfeb0d3c82083061680de6520d19b93  x86_64/postgresql-jdbc-7.4.7-1.FC3.2.x86_64.rpm
ff45098dc994314dd0233c3495cb7746  x86_64/postgresql-test-7.4.7-1.FC3.2.x86_64.rpm
e35c40754504068c0260bc62caf06920  x86_64/debug/postgresql-debuginfo-7.4.7-1.FC3.2.x86_64.rpm
e83623e1ad217043cd9058e5fe5bede8  x86_64/postgresql-libs-7.4.7-1.FC3.2.i386.rpm
306a7a2c7452aeee33508f7c952b2b65  i386/postgresql-7.4.7-1.FC3.2.i386.rpm
e83623e1ad217043cd9058e5fe5bede8  i386/postgresql-libs-7.4.7-1.FC3.2.i386.rpm
dfc33673b4766fba207aeaeec8d09906  i386/postgresql-server-7.4.7-1.FC3.2.i386.rpm
8a4cb19d095c295ad1250d114d89d375  i386/postgresql-docs-7.4.7-1.FC3.2.i386.rpm
68b59a0175dafcfd1bde52bba1ac3fe4  i386/postgresql-contrib-7.4.7-1.FC3.2.i386.rpm
e2774561c5b6d5f5580d7b02882cef15  i386/postgresql-devel-7.4.7-1.FC3.2.i386.rpm
767a3080a58eb626efbcb8d46c9f5c92  i386/postgresql-pl-7.4.7-1.FC3.2.i386.rpm
24b4a54297efec52646475fe52c1e09a  i386/postgresql-tcl-7.4.7-1.FC3.2.i386.rpm
c04e85aaa929ad314f8170601bf41bb3  i386/postgresql-python-7.4.7-1.FC3.2.i386.rpm
cc9a9b44cbade3f8b4f691efae59d3bb  i386/postgresql-jdbc-7.4.7-1.FC3.2.i386.rpm
17eb8dceaf683260200097ba569c2777  i386/postgresql-test-7.4.7-1.FC3.2.i386.rpm
656c2eb42195b601e7bedaea1878d914  i386/debug/postgresql-debuginfo-7.4.7-1.FC3.2.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the `up2date' command.
Fedora Update Notification
FEDORA-2005-125
2005-02-07
Product : Fedora Core 2
Name : postgresql
Version : 7.4.7
Release : 1.FC2.2
Summary : PostgreSQL client programs and libraries.
Description :
PostgreSQL is an advanced Object-Relational database management
system (DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions).
* Mon Feb 07 2005 Tom Lane <tgl@redhat.com> 7.4.7-1.FC2.2
- Put regression tests under /usr/lib64 on 64-bit archs, since
  .so files are not architecture-independent.
* Mon Feb 07 2005 Tom Lane <tgl@redhat.com> 7.4.7-1.FC2.1
- Update to PostgreSQL 7.4.7 (fixes CAN-2005-0227 and other
  issues).
- Update to PyGreSQL 3.6.1.
- Add versionless symlinks to jar files (bz#145744)
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
b541819df309debba1ae6572e6e02074  SRPMS/postgresql-7.4.7-1.FC2.2.src.rpm
0d9b2f8f5cd6426bdfafe37305a49bb0  x86_64/postgresql-7.4.7-1.FC2.2.x86_64.rpm
70b3ee59849507a8b283c7be2c065335  x86_64/postgresql-libs-7.4.7-1.FC2.2.x86_64.rpm
497ed33050a696af05ca2d6c7dea9276  x86_64/postgresql-server-7.4.7-1.FC2.2.x86_64.rpm
ddcea0737ddaa865e9cfa240a6c7e1c5  x86_64/postgresql-docs-7.4.7-1.FC2.2.x86_64.rpm
3d0cf71c771b038cf90ec8aadebc4577  x86_64/postgresql-contrib-7.4.7-1.FC2.2.x86_64.rpm
058eb7c6b6ca8f1c1bee67a4789d9e23  x86_64/postgresql-devel-7.4.7-1.FC2.2.x86_64.rpm
079a1438c27ec9678d5ac3aff9c2c172  x86_64/postgresql-pl-7.4.7-1.FC2.2.x86_64.rpm
29425003caebe2b96f8696b7c7181861  x86_64/postgresql-tcl-7.4.7-1.FC2.2.x86_64.rpm
164b32e7840a631c4d468e6b8ea53980  x86_64/postgresql-python-7.4.7-1.FC2.2.x86_64.rpm
19ee0854752dc627829f80bbd08412a3  x86_64/postgresql-jdbc-7.4.7-1.FC2.2.x86_64.rpm
d1f4e67359e07919641352d5db5a6a6a  x86_64/postgresql-test-7.4.7-1.FC2.2.x86_64.rpm
3506d7400612a81bc66aff83af084df5  x86_64/debug/postgresql-debuginfo-7.4.7-1.FC2.2.x86_64.rpm
f995ee27f2031fb6610adab7677b5276  i386/postgresql-7.4.7-1.FC2.2.i386.rpm
a46645f5afe9b3555668ce8ce5f96ed9  i386/postgresql-libs-7.4.7-1.FC2.2.i386.rpm
131a2bf8025fecb11fc22c58f3ebc486  i386/postgresql-server-7.4.7-1.FC2.2.i386.rpm
cf29e81a6295195ac536357d3c8e5f15  i386/postgresql-docs-7.4.7-1.FC2.2.i386.rpm
cec7a5323ae2f65ea16607a47c32579d  i386/postgresql-contrib-7.4.7-1.FC2.2.i386.rpm
b11a432477a5b8c94daab43b1a930578  i386/postgresql-devel-7.4.7-1.FC2.2.i386.rpm
a52ced1276bd953ce7657abb6e726c35  i386/postgresql-pl-7.4.7-1.FC2.2.i386.rpm
1c521287481d01c988865aa6d38001cd  i386/postgresql-tcl-7.4.7-1.FC2.2.i386.rpm
3c971a4cbb8335dea8fcf6e4d7bc601c  i386/postgresql-python-7.4.7-1.FC2.2.i386.rpm
8327e0f1ad3ed1c0f1c1592ce0052b72  i386/postgresql-jdbc-7.4.7-1.FC2.2.i386.rpm
5bf812a3a85e90b2d7e5bfb116f573dc  i386/postgresql-test-7.4.7-1.FC2.2.i386.rpm
108a719d8375ca81950fea08bf8a68de  i386/debug/postgresql-debuginfo-7.4.7-1.FC2.2.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the `up2date' command.
Fedora Update Notification
FEDORA-2005-122
2005-02-08
Product : Fedora Core 2
Name : cups
Version : 1.1.20
Release : 11.11
Summary : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer
for UNIX operating systems. It has been developed by Easy Software
Products to promote a standard printing solution for all UNIX
vendors and users. CUPS provides the System V and Berkeley
command-line interfaces.
Update Information:
A problem with PDF handling was discovered by Chris Evans, and
has been fixed. The Common Vulnerabilities and Exposures project
(www.mitre.org) has assigned the name CAN-2004-0888 to this issue.
FEDORA-2004-337 attempted to correct this but the patch was
incomplete.
* Mon Feb 07 2005 Tim Waugh <twaugh@redhat.com> 1:1.1.20-11.11
- Apply patch to fix remainder of CAN-2004-0888 (bug #135378).
* Thu Jan 20 2005 Tim Waugh <twaugh@redhat.com>
- Mark initscript noreplace (bug #145629).
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
42087a03ce930846c047eeee303d8285  SRPMS/cups-1.1.20-11.11.src.rpm
50eca45b9bff62d51a60d711fe2a4752  x86_64/cups-1.1.20-11.11.x86_64.rpm
08c54370500f08d3e5125762b7952af0  x86_64/cups-devel-1.1.20-11.11.x86_64.rpm
343ecbd93c7ad0b53d04b2e8c9c286f3  x86_64/cups-libs-1.1.20-11.11.x86_64.rpm
75c96e65876b4e0a6821a6c531495777  x86_64/debug/cups-debuginfo-1.1.20-11.11.x86_64.rpm
4a07e7750634b69273bd90e574749a33  x86_64/cups-libs-1.1.20-11.11.i386.rpm
0b3a6dd4ea8ea42c30c4280ec8aa32e8  i386/cups-1.1.20-11.11.i386.rpm
63faa06912fd06c4315e84794b9fd5bb  i386/cups-devel-1.1.20-11.11.i386.rpm
4a07e7750634b69273bd90e574749a33  i386/cups-libs-1.1.20-11.11.i386.rpm
1851a9b762fa22ae6ad41625b63578dd  i386/debug/cups-debuginfo-1.1.20-11.11.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the `up2date' command.
Fedora Update Notification
FEDORA-2005-123
2005-02-08
Product : Fedora Core 3
Name : cups
Version : 1.1.22
Release : 0.rc1.8.5
Summary : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer
for UNIX operating systems. It has been developed by Easy Software
Products to promote a standard printing solution for all UNIX
vendors and users. CUPS provides the System V and Berkeley
command-line interfaces.
Update Information:
A problem with PDF handling was discovered by Chris Evans, and
has been fixed. The Common Vulnerabilities and Exposures project
(www.mitre.org) has assigned the name CAN-2004-0888 to this issue.
FEDORA-2004-337 attempted to correct this but the patch was
incomplete.
* Mon Feb 07 2005 Tim Waugh <twaugh@redhat.com> 1:1.1.22-0.rc1.8.5
- Apply patch to fix remainder of CAN-2004-0888 (bug #135378).
* Thu Jan 20 2005 Tim Waugh <twaugh@redhat.com>
- Mark initscript noreplace (bug #145629).
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
f835d845966187b0df0b5ab6849d3a73  SRPMS/cups-1.1.22-0.rc1.8.5.src.rpm
1fbe53707843b1429558c6149be5c564  x86_64/cups-1.1.22-0.rc1.8.5.x86_64.rpm
bd17d51c40ea5ee8cf5e5a4234972b08  x86_64/cups-devel-1.1.22-0.rc1.8.5.x86_64.rpm
7ded03d83eeecf1667d7c74847ba3033  x86_64/cups-libs-1.1.22-0.rc1.8.5.x86_64.rpm
fb179dece42647c3d036ec05dcba0aee  x86_64/debug/cups-debuginfo-1.1.22-0.rc1.8.5.x86_64.rpm
6818aef8755b9c3b5030544cd42d535d  x86_64/cups-libs-1.1.22-0.rc1.8.5.i386.rpm
b08a96490a13cb1ff2995e0a4843aff1  i386/cups-1.1.22-0.rc1.8.5.i386.rpm
869b66d07e5b088a07b8d9dc89d42cbe  i386/cups-devel-1.1.22-0.rc1.8.5.i386.rpm
6818aef8755b9c3b5030544cd42d535d  i386/cups-libs-1.1.22-0.rc1.8.5.i386.rpm
e258d25d9b6d9d420601daaad95c8475  i386/debug/cups-debuginfo-1.1.22-0.rc1.8.5.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the `up2date' command.
Gentoo Linux
Gentoo Linux Security Advisory GLSA 200502-08
Severity: Normal
Title: PostgreSQL: Local privilege escalation
Date: February 07, 2005
Bugs: #80342
ID: 200502-08
Synopsis
The PostgreSQL server can be tricked by a local attacker into
executing arbitrary code.
Background
PostgreSQL is a SQL compliant, open source object-relational
database management system.
Affected packages
     Package              /  Vulnerable  /  Unaffected
    ---------------------------------------------------
  1  dev-db/postgresql        < 7.4.7        >= 7.4.7
Description
PostgreSQL’s LOAD extension is vulnerable to a local privilege
escalation discovered by John Heasman. A local user can load any
shared library, but the initialization function will then be
executed with the permissions of the PostgreSQL server.
Impact
A malicious local user could exploit this to execute arbitrary
code with the privileges of the PostgreSQL server.
Workaround
There is no known workaround at this time.
Resolution
All PostgreSQL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-7.4.7"
References
[ 1 ] PostgreSQL Announcement
http://archives.postgresql.org/pgsql-announce/2005-02/msg00000.php
Availability
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200502-08.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Gentoo Linux Security Advisory GLSA 200502-06
Severity: Normal
Title: LessTif: Multiple vulnerabilities in libXpm
Date: February 06, 2005
Bugs: #78483
ID: 200502-06
Synopsis
Multiple vulnerabilities have been discovered in libXpm, which
is included in LessTif, that can potentially lead to remote code
execution.
Background
LessTif is a clone of OSF/Motif, which is a standard user
interface toolkit available on Unix and Linux.
Affected packages
     Package              /  Vulnerable  /  Unaffected
    ---------------------------------------------------
  1  x11-libs/lesstif         < 0.94.0       >= 0.94.0
Description
Multiple vulnerabilities, including buffer overflows, out of
bounds memory access and directory traversals, have been discovered
in libXpm, which is shipped as a part of the X Window System.
LessTif, an application that includes libXpm, suffers from the same
issues.
Impact
A carefully-crafted XPM file could crash applications making use
of the LessTif toolkit, potentially allowing the execution of
arbitrary code with the privileges of the user running the
application.
Workaround
There is no known workaround at this time.
Resolution
All LessTif users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/lesstif-0.94.0"
References
[ 1 ] CAN-2004-0914
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0914
[ 2 ] LessTif Release Notes
http://www.lesstif.org/ReleaseNotes.html
Availability
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200502-06.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.