Bug#508419: [nfs-utils] [CVE-2008-4552] TCP wrappers vulnerability
Package: nfs-kernel-server
Version: 1:1.0.10-6+etch.1
Severity: grave
Tags: security

Quoting from CVE-2008-4552:

»nfs-utils 1.0.9, and possibly other versions before 1.1.3, invokes the hosts_ctl function with the wrong order of arguments, which causes TCP Wrappers to ignore netgroups and allows remote attackers to bypass intended access restrictions.«
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4552)

This has already been fixed in Ubuntu: http://www.ubuntu.com/usn/USN-687-1
Bug#509419: Deprecated VeriSign CA
Package: ca-certificates
Version: 20070303
Severity: grave
Tags: security

It seems that ca-certificates isn't up-to-date anymore; yesterday, when checking an online banking site[1][2], I stumbled upon a Firefox warning about an unknown CA for the site's certificate (WTF...?). Same with Konqueror, both on Debian Etch and Ubuntu Dapper Drake (6.06 LTS).

This morning I got the chance to check with Firefox 3 and IE6 on Win XP and also Opera 9.63 on Debian Etch, which all worked fine and showed the site as "green".

So it seems obvious that ca-certificates is outdated for the site's VeriSign CA certificate (the site's certificate has been renewed recently: 15.12.2008). I consider this quite grave since VeriSign is a major CA.

CC to debian-volatile.

[1] direct link, may be too long (line wrapping): https://www.mercedes-benz-bank.de/intrade/disp?$part=portal.main.applications.Login.app&_docId_=6350&linkArea=login
[2] indirect, click on "Login Online Banking": http://www.mercedes-benz-bank.de/intrade/cms/PK_Startseite.html
Bug#510902: Missing security updates - version 2.0.0.20 available from upstream
Package: iceweasel
Version: 2.0.0.18-0etch1
Severity: critical
Tags: security

Security updates from Firefox 2.0.0.19 and 2.0.0.20 are still missing for Debian's Iceweasel in Etch; some of them are considered critical.

http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
Bug#510902: Missing security updates - version 2.0.0.20 available from upstream
Hi,

any news on this one? I consider Iceweasel to be a major desktop application, but the current version has now lacked a security update for about a month.

Or is Debian dropping support for the 2.0 branch of Iceweasel, like Mozilla recently did with the release of 2.0.0.20[1]? If so, I think there should be some official announcement.

Have a nice day.

hk47

[1] no official announcement at hand, so Wikipedia must be enough:
http://en.wikipedia.org/wiki/Mozilla_Firefox#Release_history
http://en.wikipedia.org/wiki/Mozilla_Firefox#cite_note-43