On Sat, 10 Oct 2009 07:10:51 +0200 Christian Perrier wrote:
> Version: 3.4.2-1
>
> Quoting Michael S Gilbert (michael.s.gilb...@gmail.com):
> > package: samba
> > version: 3.0.24-6
> > severity: serious
> > tags: security , patch
> >
> > hi,
>
package: ffmpeg
version: 0.cvs20060823-8
severity: serious
tags: security
hi,
ffmpeg has been found to be vulnerable to many crashers [0],[1]. this
may enable remote compromise of a system.
please coordinate with upstream and the security team to push out
updates for these issues.
mike
[0] ht
Package: advi
Version: 1.6.0-12
Severity: serious
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for camlimages. advi statically links to camlimages, so any
issues in that package are also applicable to advi. There were already
updates to camlimages f
Package: openexr6
Version: 1.6.1
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openexr6.
CVE-2009-1720[0]:
| Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow
| context-dependent attackers to cause a denial of service
package: samba
version: 3.0.24-6
severity: serious
tags: security , patch
hi,
the following CVEs were issued for samba.
CVE-2009-2906 [0]:
| smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4
| before 3.4.2 allows remote authenticated users to cause a denial of service
package: cupsys
version: 1.2.7-4
severity: serious
tags: security
hi,
cups may be affected by a security issue in its usb backend [0]. the
advisories state that this affects mac os x, but it is unclear if
other OSes are affected. i've submitted a bug upstream requesting
more info [1]. you can
package: xfs
version: 1:1.0.8-4
severity: serious
the latest xfs update is currently uninstallable on unstable. the error is:
Setting up xfs (1:1.0.8-4) ...
Installing new version of config file /etc/init.d/xfs ...
usermod: user debian-xfs is currently logged in
dpkg: error processing xf
package: xfce4-clipman
severity: serious
version: 2:1.1.0-2
hello,
both xfce4-clipman and xfce4-clipman-plugin install the file
'/usr/share/applications/xfce4-clipman-plugin.desktop', which causes
xfce4-clipman's installation to fail:
Unpacking xfce4-clipman (from .../xfce4-clipman_2%3a1.1.0-2
Hi,
A new lenny release is coming soon and there are some open security
issues in poppler that I have fixed. Attached is the debdiff of the
changes.
The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/p/poppler
- Source repository: deb-src http://men
fixed 542400 1:9-8-2
thanks
tested revision 278. your changes have fixed this problem. thanks!
mike
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
On Sun, 23 Aug 2009 20:49:13 +0200 Bertrand Marc Bertrand wrote:
> I don't think you should remove /usr/lib/fglrx/diversions/libglx.so by
> hand. This file belongs to xserver-xorg-core (that's why there is a
> diversion).
agreed. that is just a temporary solution to get the problematic
package
tag 542400 -moreinfo
found 542400 1:9-8-1
thanks
fyi, i was just able to reproduce this problem with 1:9-8-1. my suggested
workaround does work:
$ sudo rm /usr/lib/fglrx/diversions/libglx.so
$ sudo apt-get remove fglrx-glx
Reading package lists... Done
Building dependency tree
Reading st
just a quick suggestion to try: manually remove the problematic file first
(i.e. 'sudo rm /usr/lib/fglrx/diversions/libglx.so'), then use apt to remove the
package.
mike
dear maintainer,
the security team has applied an nmu for xscreensaver in unstable and
will soon for experimental also. see attached debdiffs.
regards,
michael gilbert
xscreensaver.debdiff
Description: Binary data
xscreensaver-experimental.debdiff
Description: Binary data
fyi, ubuntu has patches in progress for older versions, which may be
useful for backports to the stable releases:
http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00011.html
http://git.savannah.gnu.org/cgit/gnutls.git/patch/?id=177e7ddb761999cd8b439e14a2bf43590756e230
forcemerge 541496 541483
thanks
the kernel-sec team is aware and tracking the issue. Dann Frazier may
be able to update with more info/timeframe.
mike
severity 532689 important
thanks
denials of service are not serious. this should probably be fixed
with CVE-2009-0642 which is actually serious. please coordinate with
the security team to prepare updates for the stable releases on these.
On Tue, 11 Aug 2009 11:47:50 +0200, Alexander Sack wrote:
> On Mon, Aug 10, 2009 at 07:47:29PM -0400, Michael S Gilbert wrote:
> > Package: xulrunner
> > Version: 1.9.1.1-2
> > Severity: grave
> > Tags: security
> >
> > Hi,
> > the following CV
On Mon, 10 Aug 2009 23:01:36 -0500, Peter Samuelson wrote:
>
> > CVE-2009-2663[0]:
> > | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> > | 3.5.x before 3.5.2 and other products, allows context-dependent
> > | attackers to cause a denial of service (memory corruption and
>
Package: xulrunner
Version: 1.9.1.1-2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xulrunner.
CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows
Package: libvorbis
Version: 1.1.2.dfsg-1.4
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libvorbis.
CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, a
On Mon, 10 Aug 2009 08:24:06 -0500, Gunnar Wolf wrote:
> Michael S. Gilbert dijo [Sun, Aug 09, 2009 at 11:58:04PM -0400]:
> > > I tried testgem downloaded from
> > > http://bugs.gentoo.org/show_bug.cgi?id=278566.
> > >
> > > % sudo gem install testgem
On Sun, 09 Aug 2009 17:01:38 +0900 Daigo Moriwaki wrote:
> Hello Michael,
>
> Michael S. Gilbert wrote:
> >> In Debian, executables from gems install into a particular directory
> >> specific to
> >> RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of
On Sun, 9 Aug 2009 11:00:50 +0200 Sylvain Le Gall wrote:
> Hello,
>
> On Sat, Aug 08, 2009 at 11:01:45PM -0400, Michael S. Gilbert wrote:
> > reopen 535909
> > fixed 535909 1:3.0.1-3
> > thanks
> >
> > > This bug has been solved with 1:3.0.1-2 before t
On Sun, 09 Aug 2009 15:34:18 +0900 Daigo Moriwaki wrote:
> Hello Michael,
>
> Michael S. Gilbert wrote:
> > package: rubygems1.9
> > version: 1.3.1
> > tags: security
> > severity: serious
> >
> > hello, it has been disclosed that a specially craft
package: rubygems1.9
version: 1.3.1
tags: security
severity: serious
hello, it has been disclosed that a specially crafted gem archive could
be used to overwrite system files. confirmed for 1.3.x, but older
versions may also be affected. please check and help the security
team prepare updates fo
the 2.8.1 fix is incomplete, and is now claimed fixed in 2.8.3. see:
http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
http://core.trac.wordpress.org/changeset/11765
http://core.trac.wordpress.org/changeset/11766
http://core.trac.wordpress.org/changeset/11768
http://core.
package: php5
version: 5.2.0-8+etch13
severity: serious
tags: security , patch
it has been disclosed that php is potentially vulnerable to remote
memory disclosure [0]. patches are available for 5.2.10 and 5.3.0, but
older versions are likely affected (as well as php4). please check and
coordinat
reopen 535909
fixed 535909 1:3.0.1-3
thanks
> This bug has been solved with 1:3.0.1-2 before the bug was opened.
thanks for the update. please coordinate with the security team to
prepare updates for the stable releases.
tag 524806 patch
thanks
derived from ubuntu's 0.5.1 patch, here is a patch set for etch's
0.4.5. i am fairly certain all of these CVEs are addressed in this one.
note vulnerable code not present in etch for CVE-2009-0755/1188.
please test; i've done some basic testing with existing pdfs on my
s
while this bug is still open, would it make sense to disable the gcc
option/optimization/bug/flaw that allows this vulnerability to exist?
the "-fno-delete-null-pointer-checks" flag will completely disable
this option kernel-wide [1].
obviously there is a tradeoff here. the null pointer optimizat
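The pattern behind the message above, as an added example (not the kernel's code and not part of the bug report): a function that loads through a pointer before testing it for NULL, beside the corrected ordering. Because a NULL dereference is undefined behaviour, GCC at -O2 (where -fdelete-null-pointer-checks is enabled) may infer the pointer is non-NULL and delete the later check; the kernel-wide -fno-delete-null-pointer-checks flag disables that inference, but reordering the check is the actual fix. Struct, function and error-code names here are hypothetical.

```c
/* Added example (not the kernel's code, not from the bug report): the
 * "dereference before NULL check" pattern that GCC's delete-null-pointer-
 * checks optimisation turns into a missing check, beside the corrected
 * ordering. Struct and function names are hypothetical. */
#include <stddef.h>

#define ERR_NODEV (-19)   /* hypothetical error code, stands in for -ENODEV */

struct dev_priv {
    int flags;
    int queue_len;
};

/* VULNERABLE ordering. The load through p happens before p is tested.
 * Because dereferencing NULL is undefined behaviour, GCC (at -O2, where
 * -fdelete-null-pointer-checks is on) may infer p != NULL and drop the
 * `if (p == NULL)` branch entirely. In the kernel that leaves a plain NULL
 * dereference at runtime, and a process allowed to map page zero can put
 * attacker-chosen data there. Calling this with NULL is UB: do not. */
int poll_flags_unsafe(struct dev_priv *p)
{
    int flags = p->flags;          /* dereference first ...            */
    if (p == NULL)                 /* ... check second: may be deleted */
        return ERR_NODEV;
    return flags | p->queue_len;
}

/* FIXED ordering. Every dereference is dominated by the NULL test, so the
 * compiler has nothing to exploit, with or without the kernel-wide
 * -fno-delete-null-pointer-checks workaround the message proposes. */
int poll_flags_safe(struct dev_priv *p)
{
    if (p == NULL)
        return ERR_NODEV;
    return p->flags | p->queue_len;
}

/* Small drivers so the behaviour can be checked from a harness. */
int demo_valid(void)
{
    struct dev_priv d = { 4, 2 };  /* constructed sample device state */
    int a = poll_flags_safe(&d);
    int b = poll_flags_unsafe(&d);
    return (a == b) ? a : -1;      /* both see 4 | 2 == 6 on valid input */
}

int demo_null(void)
{
    return poll_flags_safe(NULL);  /* the checked version rejects NULL */
}
```

Compile the unsafe function with `gcc -O2 -S` and compare against `-O2 -fno-delete-null-pointer-checks`: in the first case the comparison against NULL typically disappears from the assembly, which is exactly the trade-off the message is weighing.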
package: htmldoc
version: 1.8.27-2
severity: serious
tags: security , patch
hello, a security advisory has been issued for htmldoc [0]. patches
available from gentoo [1]. please coordinate with the security team to
prepare updates for the stable releases. thank you.
[0] http://secunia.com/advi
package: mediawiki
version: 1:1.15.0-1
severity: serious
tags: security
hello, multiple vulnerabilities have been fixed in upstream mediawiki
1.15.1 (these problems did not exist before 1.14.0, so lenny/etch are
not vulnerable) [0]. please update unstable to this version. thanks.
[0]
http://lists.w
package: libio-socket-ssl-perl
version: 1.01-1
severity: serious
tags: security , patch
a security issue has been fixed in the latest upstream version of
libio-socket-ssl-perl [0]. see patch [1]. please coordinate with the
security team to prepare updates for the stable releases. thank you.
[0
reassign 537299 vim
retitle 537299 vim: potential data loss on saturated disk partitions
tag 537299 - security
thanks
On Thu, 16 Jul 2009 23:26:26 +0200, Chiel Kooijman wrote:
> Thanks for your reply,
>
> I guess you're right.
> It hadn't occurred to me yet that it could have happened at the mome
On Thu, 16 Jul 2009 21:26:53 +0200, Chiel Kooijman wrote:
> Package: base
> Severity: critical
> Tags: security
> Justification: root security hole
>
> I tried to edit /etc/fstab as user (forgot to use `sudo') but, as I
> noticed later, the partition that contains the root (/) files was full.
> Af
package: dbus
version: 1.2.16-1
severity: grave
hello, dbus is currently uninstallable on sid; erroring with the
following message:
chown: cannot access `/usr/lib/dbus-1.0/dbus-daemon-launch-help': No
such file or directory
this can be fixed with a 'mkdir -p':
$ sudo mkdir -p /usr/lib/dbu
forwarded 537104 https://bugzilla.mozilla.org/show_bug.cgi?id=504237
thanks
package: iceweasel
version: 3.5
severity: critical
tags: security
hello, a remote shellcode injection has been disclosed for firefox [0],
[1]. the advisory says that version 3.5 has been verified as
vulnerable, but older versions are very likely susceptible as well. i
have not checked.
this is c
package: wordpress
version: 2.0.10-1etch3
severity: serious
tags: security
an advisory, CORE-2009-0515, has been issued for wordpress. there are issues
with unchecked privileges and many potential information disclosures. see [1].
this is fixed in upstream version 2.8.1. please coordinate wit
reopen 535488
reopen 535489
thanks
On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:
> Hello Michael,
>
> Michael S. Gilbert [2009-07-02 12:35 -0400]:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for cups.
> >
Package: apache2
Version: 2.2.3-4+etch6
Severity: serious
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for apache2.
CVE-2009-1890[0]:
| The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
| module in the Apache HTTP Server befo
On Mon, 6 Jul 2009 21:44:44 +0200 Thijs Kinkhorst wrote:
> > version 1:1.5.2-5 that I released to unstable is suitable for stable
> > as well. Prior to this bugfix unstable and stable both contained
> > version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
> > build it for stable as
package: camlimages
version: 2.20-8
severity: serious
tags: security
hello,
camlimages is vulnerable to several integer overflows [1]. this has
not yet been fixed upstream, but has been addressed by redhat [2].
[1] http://www.ocert.org/advisories/ocert-2009-009.html
[2] https://bugzilla.redhat.
package: rails
version: 1.1.6-3
severity: serious
tags: security
hello,
it has been found that rails is vulnerable to a password bypass [1]. this will
be fixed in upstream version 2.3.3.
[1]
http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
Package: phpmyadmin
Version: 4:2.9.1.1-10
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpmyadmin.
CVE-2009-2284[0]:
| Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1
| allows remote attackers to inject arbi
On Sun, 5 Jul 2009 20:25:47 +0200 Kiko Piris wrote:
> Yes, I can see it now.
>
> But, according to the file date on a couple of mirrors I just checked,
> it seems to have “appeared” this morning at 11:19 CEST (just a couple of
> hours after my bugreport).
fixed in latest unstable upload. closing
On Sun, 5 Jul 2009 08:43:27 +0200 Kiko Piris wrote:
> | # apt-cache policy nagios3
> | nagios3:
> | Installed: 3.0.6-4+b1
> | Candidate: 3.0.6-5
> | Version table:
> | 3.0.6-5 0
> | 500 http://mir1.ovh.net unstable/main Packages
> | *** 3.0.6-4+b1 0
> | 100 /var/lib/dpkg
from some of the upstream discussion, it looks like libbsd provides an
arc4random cryptographically secure PRNG, which lynx prefers when
available. an appropriate fix for this issue thus would be to depend on
libbsd0 and make sure lynx makes use of its arc4random.
mike
forwarded 532520
http://lists.gnu.org/archive/html/lynx-dev/2009-07/msg0.html
thanks
it looks like the lynx situation for this issue isn't so simple.
On 7/5/09, Kiko Piris wrote:
> Can’t upgrade nagios3 to 3.0.6-5, aptitude complains :
>
> | The following packages have unmet dependencies:
> | nagios3: Depends: libltdl3 (>= 1.5.2-2) which is a virtual package.
>
> And since that version solves DSA-1825-1, setting severity to grave.
>
> Regards
forwarded 535793 https://bugs.webkit.org/show_bug.cgi?id=26973
thanks
i've started a discussion on these issues in the upstream bug report
in the above link.
package: webkit
version: 1.0.1-4
severity: grave
tags: security
hello,
webkit has recently been hit by a deluge of security issues [1],[2].
i've been trying to figure out the state of these problems and where
debian is affected, but apple's security announcements have been
notoriously sparse.
th
fixed 533347 1.0.8-1
thanks
some more info about this issue can be found here [1]. please
coordinate with the security team to prepare updated packages for the
stable releases. thanks.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=501929
package: dillo
version: 0.8.5-4
severity: serious
tags: security
hello,
it has been found that dillo is vulnerable to an integer overflow. the
text of the problem is:
|Dillo, an open source graphical web browser, suffers from an integer
|overflow which may lead to a potentially exploitable heap
reopen 532522
forwarded 532522 http://www.dillo.org/bugtrack/Dquery.html
thanks
hello,
i just encountered this problem after upgrading xorg in unstable as
well. i use the dvorak keyboard, but now gdm and x have switched to
qwerty by default. i have tried reverting to libxi6 1.1.4 from
testing, but that did not solve the problem. i also tried setting up
the following in /etc
reopen 534973
fixed 534973 1:1.5.2-5
thanks
hello,
please assist the security team to prepare updates for this issue in
the stable releases. thank you.
mike
Package: cups
Version: 1.3.8-1+lenny6
Severity: serious
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.
CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to c
Package: cupsys
Version: 1.2.7-4etch6
Severity: serious
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.
CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to c
On Thu, 25 Jun 2009 22:33:10 + Moritz Muehlenhoff wrote:
> lynx supports neither Javascript nor multipart/form-data, so it's not
> affected.
i am trying to track the deeper cause here (the fact that all of the
web browsers use a predictable PRNG), rather than the symptom (this
particular explo
Package: libpng
Version: 1.2.15~beta5-1+etch2
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpng.
CVE-2009-2042[0]:
| libpng before 1.2.37 does not properly parse 1-bit interlaced images
| with width values that are not divisibl
reopen 532689
thank you
this bug isn't entirely fixed yet since stable is still affected.
please coordinate with the security team to prepare updates for lenny.
thanks.
mike
since this is a minor issue, would you be interested in pushing out
fixes for this problem in a stable proposed update? if so, please
contact the security team.
mike
CVE-2008-4723 is the wrong CVE, which is for firefox. it should be
CVE-2008-4724
reopen 520052
found 520052 1.0.1-4
fixed 520052 1.1.7-1
thanks
yes, i, as the original reporter, spent a non-insignificant amount of
time to determine that webkit is indeed affected. in fact, i believe
that my description in the original report is very complete and
describes the extent of the pro
found 532720 1.0.2-1+etch2
thank you
note bug report on CVE-2008-3834 is here: http://bugs.debian.org/501433
Package: dbus
Version: 1.2.1-5
Severity: grave
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dbus.
CVE-2009-1189[0]:
| The _dbus_validate_signature_with_reason function
| (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses
| in
package: webkit
severity: serious
tags: security
hello,
it has been discovered that all of the major web browsers use a
predictable pseudo-random number generator (PRNG). please see
reference [0]. the robust solution is to switch to a provably
unpredictable PRNG such as Blum Blum Shub [1,2].
[0
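What "predictable PRNG" means in practice, as an added example that serves both the lynx/libbsd arc4random message above and this webkit report (it is not code from either bug report, and it is not the generator any browser or lynx actually uses): a toy 32-bit linear congruential generator that exposes 15 bits of each state, an attacker routine that recovers the hidden state from four observed outputs and predicts the fifth, and the hardened alternative of reading from the kernel CSPRNG. The LCG constants and every function name are assumptions for the demo.

```c
/* Added example (not from either bug report, and not the algorithm any
 * browser or lynx uses): why a non-cryptographic PRNG is "predictable".
 * The toy generator is a 32-bit LCG that exposes 15 bits of each state;
 * the constants and all function names are assumptions for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define LCG_A 214013u
#define LCG_C 2531011u

/* Toy PRNG: state' = A*state + C mod 2^32; output = bits 30..16 of state'. */
static uint32_t lcg_next(uint32_t *state)
{
    *state = LCG_A * (*state) + LCG_C;      /* mod 2^32 by uint32_t wraparound */
    return (*state >> 16) & 0x7fffu;        /* 15 visible bits; low 16 bits and bit 31 hidden */
}

/* Attacker side: recover a state consistent with four consecutive outputs.
 * Only the 16 hidden low bits need brute force: because A is odd, bit 31 of
 * the state only ever feeds bit 31 of the next state and never an output,
 * so it can be left 0 without changing any prediction. On success *state_out
 * is the state after obs[3], so lcg_next() on it yields the victim's 5th output. */
int lcg_recover(const uint32_t obs[4], uint32_t *state_out)
{
    for (uint32_t low = 0; low < 0x10000u; low++) {
        uint32_t t = (obs[0] << 16) | low;  /* candidate full state behind obs[0] */
        int ok = 1;
        for (int i = 1; i < 4 && ok; i++)
            ok = (lcg_next(&t) == obs[i]);
        if (ok) { *state_out = t; return 1; }
    }
    return 0;  /* no candidate: outputs were not produced by this generator */
}

/* Victim seeds with a secret and emits four values (think session tokens or
 * nonces); the attacker, seeing only those four, predicts the fifth.
 * Returns 1 if the prediction matches, -1 on mismatch, 0 if recovery failed. */
int lcg_predict_demo(uint32_t secret_seed)
{
    uint32_t victim = secret_seed, attacker, obs[4];
    for (int i = 0; i < 4; i++)
        obs[i] = lcg_next(&victim);
    if (!lcg_recover(obs, &attacker))
        return 0;
    uint32_t predicted = lcg_next(&attacker);
    uint32_t actual = lcg_next(&victim);
    return predicted == actual ? 1 : -1;
}

/* Hardened side: take bytes from the kernel CSPRNG instead of an LCG.
 * arc4random(3) from libbsd, as the lynx message proposes, is a userspace
 * CSPRNG seeded from the same kernel entropy. Returns bytes read (n on success). */
size_t csprng_bytes(void *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got;
}
```

`lcg_predict_demo(seed)` returns 1 for any seed: 2^16 candidates checked against 60 bits of observed output leaves essentially no false matches, and the whole recovery takes well under a millisecond. Nothing comparable is possible against `csprng_bytes`, whose outputs carry no recoverable internal state.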
reopen 517639
found 517639 1.8.7.72-3
found 517639 1.8.5-4etch4
thank you
hi,
this bug is still present in the stable releases. please coordinate
with the security team (t...@security.debian.org) to prepare updated
packages. thanks.
package: ecryptfs-utils
version: 68-1
version: 75-1
severity: serious
tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ecryptfs-utils.
CVE-2009-1296[0]:
|Chris Jones discovered that the eCryptfs support utilities would
|report the mount passphrase int
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1~lenny1 0.10.4-4
Severity: serious
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gstreamer0.10-plugins-good.
CVE-2009-1932[0]:
| Multiple integer overflows in the (1) user_info_callback,
package: openoffice.org-common
severity: grave
version: 1:3.1.0-2
the latest version of openoffice will not install because a mkdir
fails:
mkdir: cannot create directory '/var/lib/openoffice/share/config': No
such file or directory
if i manually create the directory, the installation works:
$
On Mon, 18 May 2009 06:49:48 +0200, Ola Lundqvist wrote:
> Thanks. However this applies only to the windows version as that
> functions do not even exist in the linux/unix version.
ok, yes, i see that now. thanks.
this is CVE-2008-0388:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0388
On Fri, 15 May 2009 20:50:47 +0200, Nico Golde wrote:
> Hi,
> * Michael S. Gilbert [2009-05-15 19:45]:
> > On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which was file
On Fri, 15 May 2009 20:15:49 +0200, Andreas Metzler wrote:
> On 2009-05-15 "Michael S. Gilbert" wrote:
> > On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which w
On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the gnutls26 package:
>
> #528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability
does it make sense to close this bug since
On Fri, 15 May 2009 14:18:26 +0200, Nico Golde wrote:
> Package: eggdrop
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> turns out my patch has a bug in it which opens this up for a
> buffer overflow again in case strlen(ctcpbuf) returns 0:
> http://www.gossamer-th
On Tue, 12 May 2009 16:53:41 -0500, Jamie Strandboge wrote:
> Package: cron
> Version: 3.0pl1-105
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu jaunty ubuntu-patch
>
> Hi,
>
> I was reviewing a list of
On Tue, 12 May 2009 13:54:10 +0100, Dominic Hargreaves wrote:
> Hi,
>
> I wondered if any fix is likely to be available for CVE-2008-5519
> (information disclosure, looks potentially quite severe) any time
> soon or if any more help is needed?
hi,
no one has claimed this (that i've seen), and th
Package: gnutls26
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for gnutls26.
CVE-2009-1417[0]:
| gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and
| expiration times of X.509 certificates, which allows remote atta
hello all,
any news on the patches for ghostscript in stable (CVE-2007-6725,
CVE-2008-6679, and CVE-2009-0196)? these issues have been sitting
unfixed for quite a while now. thanks.
mike
Package: opensc
Severity: grave
Tags: security
Tags: patch
Hi,
There is a vulnerability in opensc. Details are:
| The security problem in short: you need a combination of
> | 1.) a tool that starts a key generation with public exponent set to 1
| (an invalid value that causes an insecure rsa
package: pango
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for pango1.0.
CVE-2009-1194[0]:
|Pango is a library for laying out and rendering text, with an emphasis
|on internationalization. Pango suffers from a multiplicative integer
hi,
any news on this one? since this is being tracked with critical
severity, it really should be handled as swiftly as possible (it's been
six months now since the original disclosure). suse has issued updates
for CVE-2008-5824, perhaps their patches may be helpful [1]. thanks.
mike
[1]
http
Package: clamav
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for clamav.
CVE-2008-5525[0]:
| ClamAV 0.94.1 and possibly 0.93.1, when Internet Explorer 6 or 7 is
| used, allows remote attackers to bypass detection of malware in an
|
On Tue, 21 Apr 2009 23:54:36 +0200 Nico Golde wrote:
> Hi,
> turns out CVE-2008-6679 also is fixed since 8.64.
> The only unfixed issue in this report is CVE-2009-0196.
>
> Michael, please better check the code next time, this would
> have save me a lot of time this evening.
I apologize. I ha
On Sat, 25 Apr 2009 01:15:11 + Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the nautilus package:
>
> #515104: nautilus: potential exploits via application launchers
awesome! any chance of backporting this to lenny
package: cups
severity: grave
tags: security
hello,
redhat recently patched the following cups [0], xpdf [1], and
kdegraphics[2] issues:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183
these are
package: poppler
severity: grave
tags: security
hello,
ubuntu recently patched the following poppler issues [0]:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
the
package: ghostscript
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for ghostscript.
CVE-2007-6725[0]:
| The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly
| other versions, allows remote attackers to cause a denial
On Fri, 10 Apr 2009 18:18:00 +0100 Darren Salt wrote:
> This does not apply to xine-lib. You mean CVE-2009-0698, which is fixed in
> unstable (and should soon be fixed in, at least, stable too; it probably
> applies to oldstable too, but I've not looked yet).
not that i nor anyone else should trus
fyi, see upstream changelog as well:
http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233
btw, redhat-based distros are thought to be invulnerable to these
attacks due their incorporation of execshield (in particular, due to
address space randomization). perhaps it's high time that debian
consider doing the same?
i know that execshield is not in the vanilla kernel, but when it comes
to
reopen 524373
thanks
On Thu, 16 Apr 2009 16:53:38 -0400 Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 04:21:10PM -0400, Michael S. Gilbert wrote:
> >
> > i think that any flaw that allows an attacker to elevate his pwnage from
> > root to hidden should always be consid
On Thu, 16 Apr 2009 12:43:07 -0400, Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 11:55:05AM -0400, Michael S. Gilbert wrote:
> > as seen in recent articles and discussions, the linux kernel is
> > currently vulnerable to rootkit attacks via the /dev/mem device. one
> >
package: linux-2.6
severity: grave
tags: security
as seen in recent articles and discussions, the linux kernel is
currently vulnerable to rootkit attacks via the /dev/mem device. one
article [1] mentions that there is an existing patch for the problem,
but does not link to it. perhaps this fix c
Package: xine-lib
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows remote
| attack
Package: php5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for php5.
CVE-2008-5814[0]:
| Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
| earlier, when display_errors is enabled, allows remote attackers to
| inje