@@
+libapache2-mod-authnz-external (3.2.4-2.1) unstable; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Fix SQL injection via the $user paramter (Closes: #633637)
+Fixes: CVE-2011-2688
+
+ -- Steffen Joeris Mon, 18 Jul 2011 10:26:11 +1000
+
libapache2-mod-authnz-external
Hi Amaya,
> Steffen Joeris wrote:
> > I had a quick look and didn't see that code included in debian as far
> > as I can see the package has the same version in all suites or am I
> > missing anything?
>
> Oh, $DEITY, you are absolutely right, I looked at a locall
Package: erlang
Severity: grave
Tags: security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
Please see http://www.kb.cert.org/vuls/id/178990 for all the information.
The upstream patch can be reviewed here:
https://github.com/erlang/otp/commit/f228601de45c5
Cheers,
Steffen
-BEGIN PGP
Package: python2.6
Version: 2.6.6-10
Severity: grave
Tags: security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python2.6.
CVE-2011-1521[0]:
| The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x
| bef
Package: python3.1
Severity: grave
Tags: security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python3.1.
CVE-2011-1521[0]:
| The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x
| before 3.2.1 process
Package: ruby1.8
Version: 1.8.7.334-5
Severity: grave
Tags: security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ru
Package: ruby1.9
Severity: grave
Tags: security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136 and ear
Package: libruby1.9.1
Severity: grave
Tags: security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136 an
Package: openswan
Severity: grave
Tags: security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-2147[0]:
| Openswan 2.2.x does not properly restrict permissions for (1)
| /var/run/starter.pid, relat
Package: libav
Severity: grave
Tags: security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libav.
CVE-2011-2162[0]:
| Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
| used in MPlayer 1.0 an
-maintainer upload by the security team
+ * Fix cross-site scripting via the fm parameters (Closes: #598584)
+Fixes: CVE-2010-3695
+
+ -- Steffen Joeris Sun, 27 Mar 2011 20:42:56 +1100
+
imp4 (4.2-4lenny2) stable; urgency=low
* Backport patches from Horde CVS (http://bugs.horde.org/ticket/883
Hi,
> On Wed, Dec 08, 2010 at 09:03:17PM +, Adam D. Barratt wrote:
> > On Wed, 2010-12-08 at 21:10 +0100, Moritz Muehlenhoff wrote:
> > > Please unblock package collectd. Judging by the changelog
> > > 4.10.1-1+squeeze1 and 4.10.1-2 look alike, but for some reason Steffen
> > > NMUd the unstab
gency=high
+
+ * Non-maintainer upload by the security team
+ * Fix DoS in RRD file creation (Closes: #605092)
+Fixes: CVE-2010-4336
+Thanks to Florian Forster
+
+ -- Steffen Joeris Wed, 08 Dec 2010 17:45:50 +1100
+
collectd (4.10.1-2) unstable; urgency=medium
* debian/rules:
di
severity 603749 normal
thx
It seems that the vulnerable file was introduced after 1.2.6, which is
currently in sid. So as long as a fixed version is uploaded next, everything
should be fine.
Cheers,
Steffen
signature.asc
Description: This is a digitally signed message part.
team
+ * Fix DoS due to wrong string handling (Closes: #596086)
+Fixes: CVE-2010-3072
+
+ -- Steffen Joeris Mon, 13 Sep 2010 17:07:51 +1000
+
squid3 (3.1.6-1) unstable; urgency=low
* New upstream release
diff -u squid3-3.1.6/debian/patches/00list squid3-3.1.6/debian/patches/00list
Hi Sam
Could you prepare updated packages for lenny and send a debdiff? We'll need to
release a DSA for this issue.
Cheers
Steffen
signature.asc
Description: This is a digitally signed message part.
On Mon, 8 Mar 2010 03:01:39 am Hideki Yamane wrote:
> Hi Steffen,
>
> On Sun, 7 Mar 2010 21:47:53 +1100
>
> Steffen Joeris wrote:
> > Thanks for the information. Have you been able to reproduce the problem
> > with IE and checked the patch?
>
> with IE6 and IE
Hi Hideki
Thanks for the information. Have you been able to reproduce the problem with
IE and checked the patch?
Cheers
Steffen
> On Sun, 7 Mar 2010 19:10:12 +1100
>
> Steffen Joeris wrote:
> > Apparently, to_native() is converting it to another encoding, but
> >
Hi Hideki
Indeed this should be fixed via a DSA and for unstable as well.
I am still having slight problems understanding the XSS issue here.
Apparently, to_native() is converting it to another encoding, but shouldn't it
do some escaping of certain characters to avoid having the usual html
chara
Hi Andres
I've read your previous comments to the bugreport, but wanted to stress the
point that it will not be acceptable for mediabomb to use an internal copy of
prototypejs. We do not want a version of the package in squeeze that does not
use the system wide protoypejs. I understand that thi
Hi Mirco
> > Hi
> >
> > GMime upstream has released latest 2.4.15 [1] version of the
> > library fixing one security issue. From 2.4.15-changes [2] file:
> >
> > 2010-01-31 Jeffrey Stedfast
> >
> > * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to
> > prevent possible buffer over
Package: libgmime-2.0-2a
Severity: grave
Tags: security patch
Hi
GMime upstream has released latest 2.4.15 [1] version of the
library fixing one security issue. From 2.4.15-changes [2] file:
2010-01-31 Jeffrey Stedfast
* gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent
reopen 559531
severity 559531 important
thanks
Hi
MSA-09-0025 and MSA-09-0029 don't seem to be fixed. Both issues are minor
security issues, so I am lowering the severity.
Cheers
Steffen
signature.asc
Description: This is a digitally signed message part.
diere-1.9.4/debian/changelog
--- audiere-1.9.4/debian/changelog
+++ audiere-1.9.4/debian/changelog
@@ -1,3 +1,11 @@
+audiere (1.9.4-3.1) unstable; urgency=low
+
+ * Non-maintainer upload
+ * Fix FTBFS with GCC 4.4 (Closes: #505122)
+Thanks to Martin Michlmayr
+
+ -- Steffen Joeris Sat, 3
Hi
For the record, this issue got CVE-2010-0303 assigned.
Cheers
Steffen
signature.asc
Description: This is a digitally signed message part.
descriptors
+Thanks to Julien Cristau
+
+ -- Steffen Joeris Fri, 29 Jan 2010 14:30:27 +0100
+
hybserv (1.9.2-4) unstable; urgency=low
* Update 01_fhs+mkdirfix.dpatch:
diff -u hybserv-1.9.2/debian/hybserv.postinst hybserv-1.9.2/debian/hybserv.postinst
--- hybserv-1.9.2/debian
Hi
FYI, This issue has been assigned CVE-2010-0301.
Cheers
Steffen
signature.asc
Description: This is a digitally signed message part.
Package: courier-maildrop
Severity: important
Hi
During the last DSA I realised that we have a maildrop and a
courier-maildrop package in debian. Both have the same code and the only
difference afaik are some configure options and maybe a different build
system. However, I don't see a reason for
severity 554788 serious
thanks
Hi
This bug caused the regression on the last DSA and dpkg-shlibdeps is still not
able to set a proper dependency on courier-authlib. This might be fixed for
maildrop by a hard dependency, but this is not the way to go. Please fix this
issue for squeeze and IMHO
Package: ircd-hybrid
Version: 1:7.2.2.dfsg.2-6.1
Severity: grave
Tags: security patch
Hi
DSA-1980-1 has fixed an issue in ircd-hybrid, patch attached. Please
include this patch in your next upload.
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++ ircd-hybrid-7.2.2.dfsg.2/src
Package: ircd-ratbox
Severity: grave
Tags: security patch
Hi
DSA-1980-1 has fixed two issues in ircd-ratbox, patches attached. Please
include them in the next upload.
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c
@@ -103,7 +103,9
Package: oftc-hybrid
Severity: grave
Tags: security patch
Hi
Please include the patch from DSA-1980-1, which fixes an integer
underflow (patch attached).
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c
@@ -103,7 +103,9 @@
}
Hi
Unfortunately, the package still doesn't work, but please find the patch for
the initialising error from the newer compiler below.
Cheers
Steffen
--- insight-6.7.1.dfsg.1.orig/gdb/eval.c
+++ insight-6.7.1.dfsg.1/gdb/eval.c
@@ -1627,6 +1627,8 @@
if (nargs != ndimensions)
err
hange dependency in init LSB header to use $network rather than
+$local_fs to make sure networking is available during boot and to
+make the package installation work again (Closes: #563784)
+Thanks to Petter Reinholdtsen
+
+ -- Steffen Joeris Sat, 23 Jan 2010 13:08:40 +0100
+
bastil
GCC compiler (Closes: #505626)
+Thanks to Martin Michlmayr
+
+ -- Steffen Joeris Fri, 22 Jan 2010 23:08:35 +0100
+
mm3d (1.3.7-1.1) unstable; urgency=low
* Non-maintainer upload.
only in patch2:
unchanged:
--- mm3d-1.3.7.orig/src/mm3dcore/tool.h
+++ mm3d-1.3.7/src/mm3dcore/tool.h
by adjusting configure.ac and debian/rules
+(Closes: #565287) Thanks to Peter Green
+
+ -- Steffen Joeris Fri, 22 Jan 2010 21:39:05 +0100
+
gwget2 (1.0.4-1) unstable; urgency=low
* New upstream release. Closes: #533658, #552715.
diff -u gwget2-1.0.4/debian/rules gwget2-1.0.4/debian
xes.1-16.1) unstable; urgency=low
+
+ * Non-maintainer upload
+ * Use pcap_dispatch() rather than the private functions
+pcap_offline_read()/pcap_read() and fix a few compilation errors
+(Closes: #557807)
+
+ -- Steffen Joeris Fri, 22 Jan 2010 15:16:59 +0100
+
argus (1:2.0.6.fixes
Hi Andrew
Following up on this bugreport, if I take the current argus-server package
from unstable and try to rebuild it, I'll end up without the argus (or
argus_linux) binary in the package[0]. There seems to be a change in the
libpcap package's API. Also, you've used the pcap_read() and
pcap
Package: gzip
Version: 1.3.12-8
Severity: grave
Tags: security patch
Hi Bdale, Carl
Carl, I saw too late that you're a new co-maintainer so I only
forwarded the pre-notification to Bdale (who is probably busy at LCA).
i
the following CVE (Common Vulnerabilities & Exposures) id was
published for g
Hi Christoph
> I've prepared an NMU for dc-qt (versioned as 0.2.0.alpha-4.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.
Thanks for your work.
I am not really maintaining the package anymore. I guess I should check
whether the alternatives are good
Hi Adam
These issues have been assigned CVE ids, see below:
CVE-2009-4214[0]:
| Cross-site scripting (XSS) vulnerability in the strip_tags function in
| Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
| attackers to inject arbitrary web script or HTML via vectors involving
| non
=low
+
+ * Non-maintainer upload
+ * Add libmagickcore2-extra as build-depends since imagemagick has
+reorganised the plugin packages (thanks to Stuart Prescott)
+(Closes: #560604)
+
+ -- Steffen Joeris Wed, 23 Dec 2009 22:19:35 +0100
+
qemulator (0.5-3) unstable; urgency=low
*
Hi Luigi
By the way, drupal5 is also affected by at least one of these issues. Can we
remove drupal5 from debian or is there a reason for keeping it? It would be
easier foaev it gone, then we'd only have to track one package.
Cheers
Steffen
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ.
Package: drupal6
Severity: grave
Tags: security patch
Hi Luigi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for drupal6.
CVE-2009-4371[0]:
| Cross-site scripting (XSS) vulnerability in the Locale module
| (modules/locale/locale.module) in Drupal Core 6.14, and possib
Package: cacti
Severity: grave
Tags: security
Hi Sean
the following CVE (Common Vulnerabilities & Exposures) id was
published for cacti.
CVE-2009-4112[0]:
| Cacti 0.8.7e and earlier allows remote authenticated administrators to
| gain privileges by modifying the "Data Input Method" for the "Linu
d by the security team
+ * Fix several cross-site scriptings via different vectors
+Fixes: CVE-2009-4032
+
+ -- Steffen Joeris Wed, 16 Dec 2009 12:06:20 +0100
+
cacti (0.8.7e-1) unstable; urgency=low
* New upstream release (Closes: #541490).
diff -u cacti-0.8.7e/debian/patches/series c
Package: dstat
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dstat.
CVE-2009-4081[0]:
| Untrusted search path vulnerability in dstat before r3199 allows local
| users to gain privileges via a Trojan horse Python module in
Package: release-notes
Severity: important
Hi
Please indicate that the packages ocsinventory-server and sql-ledger
only receive limited security support, because they should only be used
behind authenticated HTTP zones. For sql-ledger, this is true for etch,
lenny and squeeze and for ocsinventory
Package: cups
Version: 1.4.1-5
Severity: grave
Tags: security patch
Hi Martin
The recent DSA (DSA-1933-1) fixed a few cross-site scripting issues.
Please include the patch in the unstable/testing distribution.
Cheers
Steffen
diff -u cupsys-1.2.2/debian/changelog cupsys-1.2.2/debian/changelog
---
On Sun, 11 Oct 2009 07:38:01 am Mehdi Dogguy wrote:
> Michael S Gilbert a écrit :
> > Package: advi
> > Version: 1.6.0-12
> > Severity: serious
> > Tags: security
> >
> > Hi,
> >
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for camlimages. advi statically links t
Hi
I am using version 0.7.1-2.
I do switch between several LAN connections and in the past nm used to update
the /etc/resolv.conf file correctly and only added the used name server. Now it
adds the other nameserver, but keeps the one from a previous connection as
well, which causes DNS resolut
Package: newt
Severity: grave
Tags: security patch
Hi
There is a buffer overflow in textbox.c. This issue is CVE-2009-2905.
In textbox.c the following patch has been applied.
- result = malloc(strlen(text) + (strlen(text) / width) + 2);
+ result = malloc(strlen(text) + (strlen(text)
Package: release.debian.org
Severity: normal
Hi
destar is security buggy and we have assessed the situation and decided
that it is best to remove the package from (old)stable. Please schedule
its removal with the next point release.
Cheers
Steffen
--
To UNSUBSCRIBE, email to debian-bugs-dist
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
On Wed, 16 Sep 2009 02:47:38 am Steffen Joeris wrote:
>
> Debian Security Advisory DSA-1887-1
Package: viewvc
Severity: grave
Tags: security patch
Hi
According to upstream:
Version 1.1.2 (released 11-Aug-2009)
* security fix: validate the 'view' parameter to avoid XSS attack
* security fix: avoid printing illegal parameter names and values
http://viewvc.tigris.org/source/browse/*ch
Hi
> >> You can base security uploads on NMUs, so I think you could get
> >> +deb50.1
> >> +deb50.1+nmu1
> >> +deb50.2
> >> +deb50.2+nmu1
> >
> > Hum I understand +nmu1+deb50.1 for a security upload of a package whose
> > last upload was an NMU, but I don't see in what occasions you would
Hi
On Mon, 10 Aug 2009 08:58:12 pm Teste Teste wrote:
> The script should check if it can send emails and not make it a mandatory
> dependency.
>
> I think mpt-status users mostly want to check the raid status as part of
> existing health check systems which send notifications themselves. Trying
>
Because the init script sends out emails?
> Why should we need to install a mail server in order to check the
> consistency of our raid arrays? Please remove the bsd-mailx dependency.
>
>
> -- System Information:
> Debian Release: 5.0.2
> APT prefers stable
> APT policy: (500, 'stable')
> Archi
* Expand security patch for integer overflows to also cover other
+image types (Closes: #540146)
+Fixes: CVE-2009-2660
+
+ -- Steffen Joeris Sat, 08 Aug 2009 07:05:38 +
+
camlimages (1:3.0.1-2) unstable; urgency=low
[ Mehdi Dogguy ]
diff -u camlimages-3.0.1/debian/patches/fix_integ
Package: dhcp3-server
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dhcp3.
CVE-2009-1892[0]:
| dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier and
| hardware ethernet configuration settings are both used, al
Hi Yaroslav
Thanks for investing the time into xoscope.
On Wed, 22 Jul 2009 02:48:03 pm Yaroslav Halchenko wrote:
> my ignorant take to prepare NMU: patch seems to be obsolete,
> not sure what to do about those magic ranames in debian/rules,
> also some issues with menu/desktop are pointed out wit
Hi
So I had another look at the issue. Indeed, set_nss_error was undefined, so I
used a different function. Also, I think there was another regression with
displaying signed and encrypted S/MIME messages. Could you please test these
updated packages[0] in your environments and tell me, whether
-maintainer upload by the security team
+ * Fix XSS via the backend parameter (Closes: #536554)
+Fixes: CVE-2009-2360
+
+ -- Steffen Joeris Sat, 11 Jul 2009 06:02:56 +
+
sork-passwd-h3 (3.1-1) unstable; urgency=low
* New upstream release.
only in patch2:
unchanged:
--- sork-passwd-h3-3.1
Package: sork-passwd-h3
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sork-passwd-h3.
CVE-2009-2360[0]:
| Cross-site scripting (XSS) vulnerability in passwd/main.php in the
| Passwd module before 3.1.1 for Horde allows remote
team
+ * Fix cross-site scripting vulnerability, which can be exploited via
+the userid, userdescrip, useremail, grp and grpdescrip parameters
+(Closes: #530271)
+Fixes: CVE-2009-1732
+
+ -- Steffen Joeris Mon, 06 Jul 2009 08:09:24 +
+
ipplan (4.91a-1) unstable; urgency=low
On Wed, 24 Jun 2009 07:46:01 am Richard Ellerbrock wrote:
> The existing patch is correct - using htmlspecialchars will have the
> effect of placing escaped stings in the database. It will also have
> the effect of double escaping each time you edit a field.
>
> My patch replaces the display templa
Package: wnpp
Severity: normal
ckage: mpt-status
Priority: extra
Section: admin
Installed-Size: 84
Maintainer: Steffen Joeris
Architecture: i386
Version: 1.2.0-4.2
Depends: libc6 (>= 2.7-1), lsb-base, daemon, mailx
Filename: pool/main/m/mpt-status/mpt-status_1.2.0-4.2_i386.deb
Size: 26502
MD5
Hi Richard
I am not sure about your patch.
Setting a maximum length does not fix a potential xss issue. Why not using
htmlspecialchars() to take care of escaping? I have attached a potential patch
for that. Of course, it would be good to check the rest of the code as well
and see whether it is
sure that the single tick is handled properly in order to avoid
+code execution (Closes: #525078)
+Fixes: CVE-2009-1440
+
+ -- Steffen Joeris Thu, 18 Jun 2009 14:10:54 +
+
amule (2.2.5-1) unstable; urgency=low
+++ The "Fido, Your Leash Is Too Long" release.
diff -u a
Hi
> On 2009 m. June 15 d., Monday 16:17:23 Steffen Joeris wrote:
> > Sometimes I just lose my keyboard and it won't respond anymore under
> > kde. I can help myself by changing to a system console and restart kdm.
> > Not sure what debugging information you'd
Package: kdm
Version: 4:4.2.4-1
Severity: normal
Hi
Sometimes I just lose my keyboard and it won't respond anymore under
kde. I can help myself by changing to a system console and restart kdm.
Not sure what debugging information you'd want me to include. I am happy
to collect some files next time
Hi Sam
How about the lines below (2300-2302)?
#ifndef __WXMSW__
rawFileName.Replace(QUOTE, wxT("'\"'\"'"));
#endif
Wouldn't it be sufficient to just run this over rawFileName at any time and
escape the single tick or am I missing something?
Cheers
Steffen
signature.asc
Descrip
Hi Jonas
Could you please upload a fixed moin version to unstable, so it can migrate to
testing? I can't test it here right now.
Cheers
Steffen
signature.asc
Description: This is a digitally signed message part.
Package: libstruts1.2-java
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libstruts1.2-java.
CVE-2008-2025[0]:
| Cross-site scripting (XSS) vulnerability in Apache Struts before
| 1.2.9-162.31.1 on SUSE Linux Enterprise (S
On Tue, 5 May 2009 09:28:08 pm Jonas Smedegaard wrote:
> On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote:
> >P.S. can "you" upload moin 1.7, I can't since I am not DD/DM.
>
> I'll do it now!
>
>
> - Jonas
Also, please upload fixed packages for unstable with urgency high. :)
Cheer
Package: moin
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for moin.
CVE-2009-1482[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in
| action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote
| attackers to
Hi John
> Steffen,
>
> I went to the URLs in this bug report, and nothing even indicated
> where in the source the problem was. I see no indication that
> upstream is even aware of this problem. The CVE status, in fact, is
> "under review" and I'm not certain that this is really an issue.
>
> Ca
Package: plone3
Severity: grave
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for plone3.
CVE-2009-0662[0]:
| The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product
| for Plone, does not properly handle the login form, which allow
Package: ntp
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ntp.
CVE-2009-0159[0]:
| Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c
| in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to e
Hi Rene
> Unfortunately, this doesn't apply as dpd code seems to have moved out of
> demux.c (I didn't find any of the patch context). Have you had contact with
> openswan upstream concerning this bug?
Isn't the vulnerable code in programs/pluto/ikev1.c?
Cheers
Steffen
--
To UNSUBSCRIBE, ema
d by the security team
+ * Fix DoS issue via malicious Dead Peer Detection packet
+Fixes: CVE-2009-0790
+
+ -- Steffen Joeris Tue, 24 Mar 2009 12:31:39 +
+
strongswan (4.2.4-5) unstable; urgency=high
Reason for urgency high: this is potentially security relevant.
diff -u strongsw
intainer upload by the security team
+ * Fix DoS issue via malicious Dead Peer Detection packet
+Fixes: CVE-2009-0790
+
+ -- Steffen Joeris Tue, 24 Mar 2009 13:20:43 +
+
openswan (1:2.4.12+dfsg-1.3) unstable; urgency=high
* Non-maintainer upload.
diff -u openswan-2.4.12+dfsg/debian
ction vulnerability when used with multibyte
+encodings by using mysql_real_escape_string()
+
+ -- Steffen Joeris Mon, 30 Mar 2009 11:21:06 +0200
+
auth2db (0.2.5-2+dfsg-1) unstable; urgency=medium
* New debian-specific+upstream release (Closes: #493132):
diff -u auth2db-0.2.5-2+dfsg/debian/pa
Package: squid
Severity: wishlist
Hi
I am running transparent squid in a setup with more than 1000 users. I
reached the limit of file descriptors and that slowed down the internet
for everyone. I've now increased the number of file descriptors in the
default configuration, which seemed to solve t
Package: yaws
Severity: important
Hi
The package seems to have an FTBFS, if I build it twice in a row.
The build log is below.
Cheers
Steffen
wh...@security:~/yaws/yaws-1.80$ debuild -us -uc
dpkg-buildpackage -rfakeroot -D -us -uc
dpkg-buildpackage: set CFLAGS to default value: -g -O2
dpkg-bui
Package: libpoppler3
Version: 0.8.7-1
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for poppler.
CVE-2009-0756[0]:
| The JBIG2Stream::readSymbolDictSeg function in Poppler before 0.10.4
| allows remote attackers to cause a
Package: movabletype-opensource
Severity: normal
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for movabletype-opensource.
CVE-2009-0752[0]:
| Unspecified vulnerability in Movable Type Pro and Community Solution
| 4.x before 4.24 has unknown impact and
Package: psi
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for psi.
CVE-2008-6393[0]:
| PSI Jabber client before 0.12.1 allows remote attackers to cause a
| denial of service (crash) and possibly execute arbitrary code via a
| file
Package: xine-lib
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2009-0698[0]:
| Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib
| 1.1.16.1 allows remote a
Package: openssl
Version: 0.9.8g-15
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssl.
CVE-2009-0653[0]:
| OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an
| intermediate CA-signed certificate, which all
Package: webkit
Severity: important
Tags: security
Hi Mike,
the following CVE (Common Vulnerabilities & Exposures) id was
published for webkit.
CVE-2008-6059[0]:
| xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not
| properly restrict access from web pages to the (1) Set-Cookie an
Package: proftpd
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for proftpd.
CVE-2009-0543[0]:
| ProFTPD Server 1.3.1, with NLS support enabled, allows remote
| attackers to bypass SQL injection protec
table; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Include upstream patch to fix DoS via error in request processing
+code (Closes: #514142)
+
+ -- Steffen Joeris Thu, 05 Feb 2009 18:28:57 +
+
squid (2.7.STABLE3-4) unstable; urgency=low
* debian/rules
diff -u squi
Package: release.debian.org
Severity: important
Tags: security
Hi
I was working on a security update for tmsnc, a textbased msn client. When I
tried to test the update, I found out that the program is not able to connect
to MSN servers anymore due to a protocol missmatch. I assume that the prog
Package: roundcube
Version: 0.2~alpha-4
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for roundcube.
CVE-2009-0413[0]:
| Cross-site scripting (XSS) vulnerability in RoundCube Webmail
| (roundcubemail) 0.2 stable allows remote attack
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for gst-plugins-good0.10.
CVE-2009-0386[0]:
| Heap-based buffer overflow in the qtdemux_parse_samp
fixed 514138 1.3.6-1
thanks
Hi Benjamin
On Wed, 4 Feb 2009 04:29:05 pm Benjamin Drung wrote:
> The upcoming audacity 1.3.7-1 does not crash if I open the generated
> file from [0]. According to the Gentoo bug tracker [1] audacity 1.3.6
> does not have this bug any more. You can find
> String_par
Package: squid
Severity: grave
Tags: security
Justification: user security hole
Hi
A DoS issue has been reported[0] for squid. So far I cannot see the
vulnerable code in the stable release, but it would be nice, if you
could check that as well. Lenny seems to be affected and needs fixing.
I've ju
Package: audacity
Version: 1.3.5-2
Severity: grave
Tags: security
Justification: user security hole
There is a buffer overflow in audacity apparently affecting the etch
and lenny version. You can find a reproducer here[0].
However, I just took a random .gro file and when importing it under
Project
Package: wordpress
Severity: normal
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wordpress.
CVE-2008-5695[0]:
| wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2
| and earlier, does not properly validate requests to update an
1 - 100 of 725 matches
Mail list logo
