Bug#619216: mutt: please build with openssl instead of gnutls
Package: mutt
Version: 1.5.20-9+squeeze1
Severity: grave
Tags: security
Justification: user security hole

The gnutls implementation of ssl found in mutt, in mutt_ssl_gnutls.c, appears to not validate the common name of a remote server correctly. The openssl implementation found in mutt_ssl.c does perform this check correctly. Can the mutt package be rebuilt against openssl and not gnutls?

This bug is reported upstream at http://dev.mutt.org/trac/ticket/3506.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38 (SMP w/128 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- no debconf information

-- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#617998: python-feedparser: please update feedparser, it hasn't been updated in a _long_ time
Package: python-feedparser
Version: 4.1-14
Severity: grave
Tags: security
Justification: user security hole

Please update the version of python-feedparser found in debian to something recent. The following bugs will then be fixed:

1. Issue 195: XSS vulnerability in feedparser
   http://code.google.com/p/feedparser/issues/detail?id=195&can=1&start=100
2. Issue 255: html sanitizer doesn't strip unsafe uri schemes
   http://code.google.com/p/feedparser/issues/detail?id=255&can=1&start=200
3. Issue 254: html sanitisation can be bypassed with malformed comments
   http://code.google.com/p/feedparser/issues/detail?id=254&can=1&start=200

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37.3 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-feedparser depends on:
ii  python          2.6.6-3+squeeze5  interactive high-level object-orie
ii  python-support  1.0.10            automated rebuilding support for P

Versions of packages python-feedparser recommends:
pn  python-chardet   <none>  (no description available)
pn  python-libxml2   <none>  (no description available)
pn  python-utidylib  <none>  (no description available)

python-feedparser suggests no packages.

-- no debconf information
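Issue 255 above is the classic sanitiser gap: the link's scheme is checked against the raw attribute text, so a `javascript:` URL survives if it is obfuscated with character references, embedded tabs or newlines, or a leading control character that the browser will silently discard. The following is an added example written for this page, not feedparser's own sanitiser code; the allowlist of schemes is an assumption chosen for illustration and the bypass strings are constructed samples. The point it shows is that the URL has to be normalised the way a browser reads it before the scheme is examined, and that the sanitiser must then write back the normalised form or drop the attribute, never the original string.

```python
"""Scheme check for hyperlinks passing through an HTML sanitiser.

Added example, not feedparser's code. ALLOWED_SCHEMES is an assumed policy;
SAMPLES are constructed inputs.
"""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed policy: only these schemes may appear in a sanitised link.
# A relative URL (no scheme at all) is also acceptable.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# Browsers remove ASCII tab, CR and LF anywhere in a URL and ignore leading
# C0 controls and spaces, so the checker must do the same *before* it looks
# at the scheme, otherwise "jav\tascript:" or "\x01javascript:" get through.
_STRIP_INNER = re.compile(r"[\t\r\n]")
_STRIP_LEADING = re.compile(r"^[\x00-\x20]+")


def normalise_url(raw: str) -> str:
    """Canonicalise a raw attribute value the way a browser will read it:
    decode character references (so '&#106;avascript:' becomes
    'javascript:'), then drop the characters browsers ignore."""
    url = html.unescape(raw)
    url = _STRIP_LEADING.sub("", url)
    url = _STRIP_INNER.sub("", url)
    return url


def url_scheme(raw: str) -> str:
    """Lower-cased scheme of the normalised URL, '' for a relative URL."""
    return urlsplit(normalise_url(raw)).scheme.lower()


def is_safe_url(raw: str) -> bool:
    """True if the sanitiser may keep this link."""
    scheme = url_scheme(raw)
    return scheme == "" or scheme in ALLOWED_SCHEMES


def sanitise_href(raw: str) -> Optional[str]:
    """Value the sanitiser should write back: the normalised URL, or None
    meaning 'drop the attribute'. Returning the raw string would re-open
    the hole, since the browser would decode it again."""
    return normalise_url(raw) if is_safe_url(raw) else None


# Constructed samples: value is whether a correct checker must accept them.
SAMPLES = {
    "https://example.com/feed": True,
    "/relative/path": True,
    "mailto:editor@example.com": True,
    "javascript:alert(1)": False,
    "JaVaScRiPt:alert(1)": False,
    "jav\tascript:alert(1)": False,          # tab inside the scheme
    "jav&#x0A;ascript:alert(1)": False,      # newline as a char reference
    "&#106;avascript:alert(1)": False,       # first letter as a char reference
    " \x01javascript:alert(1)": False,       # leading space + control char
    "data:text/html;base64,PHNjcmlwdD4=": False,
    "vbscript:msgbox(1)": False,
}


def check_samples() -> bool:
    """True when every constructed sample is classified as expected."""
    return all(is_safe_url(u) is expected for u, expected in SAMPLES.items())
```

A sanitiser that strips unsafe schemes but leaves comments or tag soup for a lenient parser to reinterpret (issue 254 above) still needs a real HTML parser in front of this check; the scheme test is necessary, not sufficient.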
Bug#611800: isc-dhcp-server is really slow and windows 7 cannot get a lease
Package: isc-dhcp-server
Severity: critical

My windows 7 vm times out when trying to get a dhcp lease from isc-dhcp-server. I am using isc-dhcp-server from debian squeeze.

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages isc-dhcp-server depends on:
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  debianutils            3.4               Miscellaneous utilities specific t
ii  isc-dhcp-common        4.1.1-P1-15       common files used by all the isc-d
ii  libc6                  2.11.2-10         Embedded GNU C Library: Shared lib
ii  lsb-base               3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip

isc-dhcp-server recommends no packages.

Versions of packages isc-dhcp-server suggests:
pn  isc-dhcp-server-ldap  <none>  (no description available)
Bug#607988: python2.6: the latest update is totally broken and can't byte compile *modules*
Package: python2.6
Version: 2.6.6-6
Severity: critical

The latest update is totally broken and can't byte compile *modules* (squeeze).

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36.2 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python2.6 depends on:
ii  libbz2-1.0         1.0.5-6         high-quality block-sorting file co
ii  libc6              2.11.2-7        Embedded GNU C Library: Shared lib
ii  libdb4.8           4.8.30-2        Berkeley v4.8 Database Libraries [
ii  libexpat1          2.0.1-7         XML parsing C library - runtime li
ii  libncursesw5       5.7+20100313-4  shared libraries for terminal hand
ii  libreadline6       6.1-3           GNU readline and history libraries
ii  libsqlite3-0       3.7.3-1         SQLite 3 shared library
ii  mime-support       3.48-1          MIME files 'mime.types' 'mailcap
ii  python2.6-minimal  2.6.6-6         A minimal subset of the Python lan

python2.6 recommends no packages.

Versions of packages python2.6 suggests:
ii  binutils            2.20.1-15  The GNU assembler, linker and bina
pn  python2.6-doc       <none>     (no description available)
pn  python2.6-profiler  <none>     (no description available)

-- no debconf information
Bug#603594: epiphany-browser: doesn't perform any ssl certificate checking (in the squeeze version)
Package: epiphany-browser
Severity: grave
Tags: security
Justification: user security hole

epiphany-browser as found in squeeze does not check remote ssl certificate validity for https connections.

Here is a test url (WHICH SHOULD FAIL):
https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/

But it won't! (in squeeze).

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (900, 'stable'), (650, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#603450: offlineimap: fails to check that the remote server's ssl certificate is valid
Package: offlineimap
Severity: grave
Tags: security
Justification: user security hole

offlineimap performs absolutely no ssl certificate checking. So users could/can be the victim of a man-in-the-middle attack.

In debian the following bugs exist:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate expiration)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re ssl fingerprint checking)

This could be considered a bug in imaplib (http://bugs.python.org/issue10274).

A partial 'fix' is the following (this 'fix' isn't complete and would break connections to servers using self-signed certificates):

WARNING XXX: I haven't tested this 'fix' at all and so it is most likely wrong.

diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py index a60242b..c37688c 100644 --- a/offlineimap/imaplibutil.py +++ b/offlineimap/imaplibutil.py @@ -62,7 +62,7 @@ class IMAP4_Tunnel(IMAP4): self.infd.close() self.outfd.close() self.process.wait() - + class sslwrapper: def __init__(self, sslsock): self.sslsock = sslsock 
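Review bot: the `@@ -62,7 +62,7 @@` hunk only swaps a whitespace-only line before `class sslwrapper:` for an empty one and has nothing to do with certificate checking; drop it from this patch so the security change stays minimal and is easy to review and backport on its own.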
@@ -171,7 +171,7 @@ def new_open_ssl(self, host = '', port = IMAP4_SSL_PORT): if last_error != 0: # FIXME raise socket.error(last_error) -self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile) +self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile, cert_reqs=ssl.CERT_REQUIRED, ca_certs=/etc/ssl/certs/ca-certificates.crt) self.sslobj = sslwrapper(self.sslobj)

Although this isn't complete, because it will break servers using self-signed certificates, and http://bugs.python.org/issue1589 means that it won't provide full protection etc. Really, what is required is that by default the certificate is checked and perhaps an option is added to bypass the check.

This isn't a new discovery, see [1], but the package provides no warning about this fact. I added a warning to https://github.com/jgoerzen/offlineimap/wiki/ ; perhaps debian can add a warning (in the package description) until this is fixed.

[1] - http://thread.gmane.org/gmane.mail.imap.offlineimap.general/760

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (900, 'stable'), (650, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
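Review bot: in the `+` line of the `@@ -171,7 +171,7 @@` hunk, `ca_certs=/etc/ssl/certs/ca-certificates.crt` is an unquoted path and will not even parse; it has to be a string (`ca_certs='/etc/ssl/certs/ca-certificates.crt'`), and `ssl` must be imported in imaplibutil.py for `ssl.CERT_REQUIRED` to resolve. Even once it parses, `cert_reqs=ssl.CERT_REQUIRED` only verifies that the chain leads to a trusted CA: nothing in the hunk compares the names in the presented certificate with `host`, so a certificate validly issued for any other domain still passes, which is exactly the gap http://bugs.python.org/issue1589 describes. The CA bundle path is also Debian-specific and hard-coded at the call site; it should come from the account configuration (with the option to bypass the check that the text asks for) rather than be baked into `new_open_ssl`.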
Bug#598463: python-libcloud: libcloud https connections are not secured against mitm attacks
Package: python-libcloud
Severity: grave
Tags: security
Justification: user security hole

libcloud fails to perform ssl validation on https connections. This means that users of this module, who perform api requests using https urls / connections, are at risk of mitm attacks.

See http://github.com/tjfontaine/linode-python/issues/issue/1#issue/1 for more information.

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (900, 'stable'), (600, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35.4 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
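The mutt, epiphany-browser, offlineimap and python-libcloud reports above all come down to one missing step, and the offlineimap patch shows why requiring a chain is not enough on its own: a certificate that chains perfectly to a public CA but was issued for the attacker's own name still lets an interposing host answer for the server you dialled. The following is an added example written for this page, not code from any of those projects or from the reporter's patch. It implements the name-matching step that `cert_reqs=CERT_REQUIRED` does not give you on the Python of that era (the gap http://bugs.python.org/issue1589 describes), and shows the context a current Python client should use instead, where the library does both checks during the handshake. The certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns; no network connection is made.

```python
"""Peer-name verification for TLS clients, on the dict shape that
ssl.SSLSocket.getpeercert() returns.

Added example for this page, not code from mutt, epiphany, offlineimap or
libcloud. LEGIT_CERT, MITM_CERT and LEGACY_CN_ONLY_CERT are constructed.
"""
import ipaddress
import ssl
from typing import Optional


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one dNSName/CN against the dialled host:
    case-insensitive, trailing dots ignored, and a wildcard is accepted only
    as the entire left-most label with at least two labels after it. So
    '*.example.com' never covers 'example.com' or 'a.b.example.com', and
    '*.com' is rejected outright. Stricter than some libraries, which is
    the safe direction for a client."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def peer_name_matches(cert: dict, hostname: str) -> bool:
    """True if `hostname` is covered by the certificate.

    Precedence follows RFC 6125 / RFC 2818: an IP literal must appear as an
    iPAddress SAN; a DNS name is matched against dNSName SANs; the subject
    commonName is consulted only when the certificate carries no dNSName at
    all (the legacy case the mutt report is about)."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    san = cert.get("subjectAltName", ())
    if wanted_ip is not None:
        for kind, value in san:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == wanted_ip:
                        return True
                except ValueError:
                    continue
        return False
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(dns_name_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName":
                return dns_name_matches(value, hostname)
    return False


def secure_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What ssl_wrap(..., cert_reqs=CERT_REQUIRED, ca_certs=...) in the
    offlineimap patch was reaching for, on a Python whose ssl module can do
    it properly: the chain is required *and* check_hostname makes the
    library apply a matcher equivalent to peer_name_matches() during the
    handshake. With cafile=None the platform trust store is used instead of
    a hard-coded distribution path."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default; stated for clarity
    ctx.check_hostname = True             # must be set after verify_mode
    return ctx


# Constructed sample certificates in getpeercert() form (not real certificates).
LEGIT_CERT = {
    "subject": ((("commonName", "imap.example.com"),),),
    "subjectAltName": (("DNS", "imap.example.com"), ("DNS", "*.mail.example.com")),
}
MITM_CERT = {  # chains to a real CA, but only for the attacker's own names
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"), ("IP Address", "203.0.113.7")),
}
LEGACY_CN_ONLY_CERT = {  # no SAN at all: the CN is the only name to check
    "subject": ((("countryName", "AU"),), (("commonName", "mail.example.org"),)),
}
```

A client that wants the self-signed case the report worries about should pin the expected certificate (or its fingerprint, as the second Debian bug cited above asks) and still run the name check, rather than downgrade to no verification at all.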
Bug#543171: pidgin: CVE IN PIDGIN 2.5.9
Package: pidgin
Version: 2.6.1-1
Severity: grave
Tags: security
Justification: user security hole

PIDGIN 2.5.9 has a CVE filed against it - http://www.pidgin.im/news/security/?id=34

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- no debconf information
Bug#543170: pidgin prior to 2.5.9 HAS SECURITY ISSUE CVE-2009-2694
Package: pidgin
Version: pidgin prior to 2.5.9 HAS SECURITY ISSUE CVE-2009-2694
Severity: critical
Tags: security
Justification: root security hole

pidgin prior to 2.5.9 HAS SECURITY ISSUE CVE-2009-2694
http://www.pidgin.im/news/security/?id=34

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#348306: /etc/knowledgetree/environment.php (which contains passwords) world-readable
Package: knowledgetree
Version: 2.0.7-1
Severity: critical

Hey,

/etc/knowledgetree/environment.php is world-readable by default. It is supposed to contain (amongst other things) the username and password for the KnowledgeTree database.

Cc:'d to [EMAIL PROTECTED] just in case they care (the package is only in Sid, but maybe some other related packages are worth auditing).

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.4-execshield-a8-linuxjail-1-2-oftc-1
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages knowledgetree depends on:
ii  apache2-mpm-prefork [apache2]  2.0.55-2   traditional model for Apache2
ii  libphp-phpmailer               1.73-1     full featured email transfer class
ii  libphp-phpsniff                2.1.3-1    a HTTP_USER_AGENT Client Sniffer f
ii  php4                           4:4.4.0-4  server-side, HTML-embedded scripti
ii  php4-mysql                     4:4.4.0-4  MySQL module for php4
ii  php4-pear                      4:4.4.0-4  PHP Extension and Application Repo
ii  php4-pear-log                  1.6.0-1.1  Log module for PEAR

-- no debconf information
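The reporter's closing remark, that related packages are worth auditing, is the useful part of this report: a web application's config file holding database credentials needs to be readable by the web server's group and nobody else. The following is an added example written for this page, not knowledgetree's or Debian's code. It audits a directory tree for files that are both world-readable and look like they carry credentials, then applies the usual fix (strip all "other" bits, keep group read so PHP under the web server's group can still load the file). The credential pattern, the fixed mode and the `/etc`-like tree built in a temporary directory are all constructed for illustration; the sample `environment.php` is not the real file.

```python
"""Audit a configuration tree for world-readable files holding credentials.

Added example for this page, not knowledgetree's or Debian's code. SECRET_RE
is an assumed heuristic; demo() builds a constructed tree in a temp dir.
"""
import os
import re
import stat
import tempfile
from typing import List, Optional, Tuple

# Assumed heuristic for "this file carries a secret": a password/secret/key
# assignment in any common config syntax (PHP, INI, YAML, shell).
SECRET_RE = re.compile(r"(passw(or)?d|secret|api[_-]?key)\w*\s*[=:]", re.IGNORECASE)


def is_world_readable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def contains_secret(path: str) -> bool:
    with open(path, "rb") as fh:
        return SECRET_RE.search(fh.read().decode("utf-8", "replace")) is not None


def exposed_secret_files(directory: str) -> List[str]:
    """Paths under `directory` that are both world-readable and look like
    they carry credentials, sorted for stable output. Symlinks are skipped:
    their own mode bits are meaningless, the target is audited where it lives."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            if is_world_readable(path) and contains_secret(path):
                found.append(path)
    return sorted(found)


def lock_down(path: str, group_id: Optional[int] = None) -> int:
    """Remove every 'other' bit and group write; keep group read so the web
    server (e.g. the www-data group on Debian, passed as group_id) can still
    read the file. Returns the resulting permission bits, e.g. 0o640."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode & ~(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH | stat.S_IWGRP)
    new_mode |= stat.S_IRGRP
    os.chmod(path, new_mode)
    if group_id is not None:
        os.chown(path, -1, group_id)
    return new_mode


def demo() -> Tuple[List[str], List[str], str]:
    """Build a constructed /etc-like tree, audit it, fix the offender and
    audit again. Returns (before, after, final_mode) with paths relative to
    the temporary root."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "knowledgetree")
        os.mkdir(cfg)
        env = os.path.join(cfg, "environment.php")
        with open(env, "w") as fh:  # constructed sample, not the real file
            fh.write("<?php\n$dbUser = 'kt';\n$dbPassword = 'hunter2';\n")
        os.chmod(env, 0o644)  # the world-readable default the report describes
        readme = os.path.join(cfg, "README")
        with open(readme, "w") as fh:
            fh.write("nothing sensitive here\n")
        os.chmod(readme, 0o644)  # world-readable but harmless: must not be flagged

        before = [os.path.relpath(p, tmp) for p in exposed_secret_files(tmp)]
        lock_down(env)
        after = [os.path.relpath(p, tmp) for p in exposed_secret_files(tmp)]
        final_mode = oct(stat.S_IMODE(os.stat(env).st_mode))
        return before, after, final_mode


if __name__ == "__main__":
    print(demo())
```

Run against a real `/etc` as root, `exposed_secret_files("/etc")` gives the list the reporter suggests auditing; apply `lock_down` only after confirming which group the consuming service runs as, since removing the bits from a file a daemon reads as an unrelated user simply breaks it.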