visories/18124/
o http://secunia.com/advisories/22057/
Regards, Ulf Harnhammar
--- src/elogd.c.old 2006-11-28 12:25:59.0 +0100
+++ src/elogd.c 2006-12-02 20:37:44.0 +0100
@@ -9685,7 +9685,7 @@ void show_edit_form(LOGBOOK * lbs, int m
rsprintf("- %s -\n&
I've just verified that elog in stable is vulnerable to
all issues mentioned in bug #392016.
// Ulf
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
as well as in the upstream ELOG-2.6.2 version. I haven't checked
any other versions (but the upstream SVN trunk looks like it also
has these bugs).
// Ulf Harnhammar, Debian Security Audit Project
http://www.debian.org/security/audit/
--
___
I'll see what I can do.
// Ulf
--
___
Surf the Web in a faster, safer and easier way:
Download Opera 9 at http://www.opera.com
Powered by Outblaze
Subject: zabbix-server-mysql: remote security problems
Package: zabbix-server-mysql
Version: 1:1.1.2-2
Severity: grave
Justification: user security hole
Tags: security patch
Hello,
Max Vozeler and Ulf Harnhammar from the Debian Security Audit Project
have found a number of format string bugs and
> > The bug appears to still apply to the version of the package in unstable,
> > and is marked as such.
>
> The bug looks closed to me.
It still looks closed (in all versions) to me. Are you sure that that is what
you want, instead of - say - fixing it?
// Ulf
--
> This bug was fixed in a security upload to stable; marking as closed in that
> version.
>
> The bug appears to still apply to the version of the package in unstable,
> and is marked as such.
The bug looks closed to me.
// Ulf
--
://seclists.org/lists/fulldisclosure/2006/Feb/0572.html
The full-disclosure post includes a patch.
// Ulf Harnhammar
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Li
no debconf information
oflow333.alz
Description: Binary data
oflow1621.alz
Description: Binary data
#!/usr/bin/perl --
# alzgen
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.
die "usage: $0 \n" unless @ARGV == 2;
$len = shift;
$lenhi = int($len /
> > No, you don't need to set up a rogue CDDB server, as CDDB servers
> > let anyone add or modify information about records.
>
> But according to the freedb.org FAQs every submission is reviewed before being
> applied to the database. So it seems quite unlikely submissions of
> crafted entries
No, you don't need to set up a rogue CDDB server, as CDDB servers let anyone
add or modify information about records.
http://www.freedb.org/modules.php?name=Sections&sop=viewarticle&artid=26
// Ulf
--
orm to the DFSG, so these
files must be removed from main.
As an aside, the debian/copyright file for wget only lists the license for the
wget program and not the license for the wget documentation.
// Ulf Harnhammar
-- System Information:
Debian Release: testing/unstable
APT prefers testing
If you don't want to upgrade to 2.3.7, which is unstable, you
can use our unofficial patch:
o http://www.sitic.se/dokument/evolution.formatstring.patch
// Ulf
--
(Sorry for not doing this as a real reply with the correct mail headers,
but I'm not subscribed to debian-security, I only read it on the web.)
> > | + $text = preg_replace('#(script|about|applet|activex|chrome):#is',
> > "\\1:", $text);
> It looks like this is about preventing URL's like src="