[SECURITY] [DSA 2642-1] sudo security update

2013-03-09 Thread Michael Gilbert

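-------------------------------------------------------------------------
Debian Security Advisory DSA-2642-1                   secur...@debian.org
http://www.debian.org/security/                           Michael Gilbert
March 09, 2013                         http://www.debian.org/security/faq
-------------------------------------------------------------------------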

Package: sudo
Vulnerability  : several issues
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1775 CVE-2013-1776
Debian Bug : 701838 701839

Several vulnerabilities have been discovered in sudo, a program designed
to allow a sysadmin to give limited root privileges to users. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-1775

Marco Schoepl discovered an authentication bypass when the clock is
set to the UNIX epoch [00:00:00 UTC on 1 January 1970].

CVE-2013-1776

Ryan Castellucci and James Ogden discovered aspects of an issue that
would allow session id hijacking from another authorized tty.

For the stable distribution (squeeze), these problems have been fixed in
version 1.7.4p4-2.squeeze.4.

For the testing (wheezy) and unstable (sid) distributions, these problems
have been fixed in version 1.8.5p2-1+nmu1.

We recommend that you upgrade your sudo packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[slackware-security] mozilla-thunderbird (SSA:2013-068-02)

2013-03-09 Thread Slackware Security Team


[slackware-security]  mozilla-thunderbird (SSA:2013-068-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0,
and -current to fix a security issue.


Here are the details from the Slackware 14.0 ChangeLog:
+--+
patches/packages/mozilla-thunderbird-17.0.4esr-i486-1_slack14.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/mozilla-thunderbird-17.0.4esr-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/mozilla-thunderbird-17.0.4esr-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/mozilla-thunderbird-17.0.4esr-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/mozilla-thunderbird-17.0.4esr-x86_64-1_slack14.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-thunderbird-17.0.4esr-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-thunderbird-17.0.4esr-x86_64-1.txz


MD5 signatures:
+-+

Slackware 13.37 package:
a49744368feea875fc2263a23758ee01  mozilla-thunderbird-17.0.4esr-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
1f685bb13b30cbe0dad80d8fced5945e  mozilla-thunderbird-17.0.4esr-x86_64-1_slack13.37.txz

Slackware 14.0 package:
fffdad3bc42676b8804abafef703c915  mozilla-thunderbird-17.0.4esr-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
7d6f8bde5261e3368727a126b2da10f5  mozilla-thunderbird-17.0.4esr-x86_64-1_slack14.0.txz

Slackware -current package:
e1c9389a3392f1d13b0164008b9b8ff9  xap/mozilla-thunderbird-17.0.4esr-i486-1.txz

Slackware x86_64 -current package:
4ecd1c4a3dea617120bf6c1c6d8cad7b  xap/mozilla-thunderbird-17.0.4esr-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg mozilla-thunderbird-17.0.4esr-i486-1_slack14.0.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

++
| To leave the slackware-security mailing list:  |
++
| Send an email to majord...@slackware.com with this text in the body of |
| the email message: |
||
|   unsubscribe slackware-security   |
||
| You will get a confirmation message back containing instructions to|
| complete the process.  Please do not reply to this email address.  |
++


[slackware-security] mozilla-firefox (SSA:2013-068-01)

2013-03-09 Thread Slackware Security Team


[slackware-security]  mozilla-firefox (SSA:2013-068-01)

New mozilla-firefox packages are available for Slackware 13.37, 14.0,
and -current to fix a security issue.


Here are the details from the Slackware 14.0 ChangeLog:
+--+
patches/packages/mozilla-firefox-19.0.2-i486-1_slack14.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/mozilla-firefox-19.0.2-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/mozilla-firefox-19.0.2-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/mozilla-firefox-19.0.2-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/mozilla-firefox-19.0.2-x86_64-1_slack14.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-firefox-19.0.2-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-firefox-19.0.2-x86_64-1.txz


MD5 signatures:
+-+

Slackware 13.37 package:
23e37a6cf8ef1f3d2df8796c0063d990  mozilla-firefox-19.0.2-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
c81eb2da62fb24b9dc5bb62f9b41de5a  mozilla-firefox-19.0.2-x86_64-1_slack13.37.txz

Slackware 14.0 package:
b9a04763c17a2ae0f45a13c9144e2a86  mozilla-firefox-19.0.2-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
230227873d13591800073ed030b72336  mozilla-firefox-19.0.2-x86_64-1_slack14.0.txz

Slackware -current package:
9c874f07ca53c159015754cd40883d66  xap/mozilla-firefox-19.0.2-i486-1.txz

Slackware x86_64 -current package:
5b5abace3714d41c3d2b9abf02bb33cf  xap/mozilla-firefox-19.0.2-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg mozilla-firefox-19.0.2-i486-1_slack14.0.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com



[SECURITY] [DSA 2641-1] perl security update

2013-03-09 Thread Salvatore Bonaccorso

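-------------------------------------------------------------------------
Debian Security Advisory DSA-2641-1                   secur...@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
March 09, 2013                         http://www.debian.org/security/faq
-------------------------------------------------------------------------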

Package: perl
Vulnerability  : rehashing flaw
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1667
Debian Bug : 702296

Yves Orton discovered a flaw in the rehashing code of Perl. This flaw
could be exploited to carry out a denial of service attack against code
that uses arbitrary user input as hash keys. Specifically an attacker
could create a set of keys of a hash causing a denial of service via
memory exhaustion.

For the stable distribution (squeeze), this problem has been fixed in
version 5.10.1-17squeeze6.

For the testing distribution (wheezy), and the unstable distribution
(sid), this problem has been fixed in version 5.14.2-19.

We recommend that you upgrade your perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Recon 2013 Call For Papers - June 21-23, 2013 - Montreal, Quebec

2013-03-09 Thread cfp2...@recon.cx

++ + +
   +  +   +
+ +
 \ /
+ _- _+_ -   ,__
  _=..:. /=\   _|===|_  ||::|
 |  |_|.|   | | |   | | __===_  -=- ||::|
 |==|   |  |  __|.:.|   /\| |:. | ||   | .|| : |||::|
 |  |-  |.:|_|. :__ |.: |--|==| |  .| |_   | ' |. ||.  |||:.|
   __|. | |_|. | |.|...||---|  |==| |   | | |_--. ||   |||. |
  |  |  |   |. | | |::.||: .|  |==| | . : |=|===|:|| . ||| .|
  |:.| .|   |  | | |:.:|| . |  |==| | |=|===| .   |'   | |  |
  | |  |   |   |'   :   .   |   ; ;'|
  ' :  `   :   '.   '  .  . :

REC0N 2013

MONTREAL
JUNE 21-23
http://recon.cx
@reconmtl and @hugofortier

+ RECON returns for 2013 with 7 days of Reversing and Exploitation

   - Training sessions + conference + party

+ List of training sessions for Recon 2013:

   - Reversing telecom platforms for security by Philippe Langlois (2 days)
   - Facedancer by Travis Goodspeed and Sergey Bratus (2 days)
   - iOS security/exploitation workshop by Stefan Esser (3 days)
   - Advanced Exploit Laboratory by Saumil Shah (3 days)
   - Reverse Engineering Malware by Nicolas Brulez (4 days)
   - Keep It Synple Stupid - Utilizing Programmable Logic for Hardware
     Reverse-Engineering by Dmitry Nedospasov and Thorsten Schroeder (4 days)
   - Windows Internals for Reverse Engineers by Alex Ionescu (4 days)


+ We are accepting submissions

   - Single track
   - 45-60 minute presentations, or longer, we are flexible
   - We are open to workshop proposals that would occur alongside talks
   - Trainings of 2, 3 or 4 days focused on reversing and/or exploitation
   - There will be time for 5 to 10 minutes Informal Lightning Talks during the
     Recon Party

+ Especially on these topics

   - Hardware reverse engineering
   - Software reverse engineering
   - Finding vulnerabilities and writing exploits
   - Novel data visualization for hackers and reverse engineers
   - Bypassing security and software protections
   - Attacks on cryptography in hardware and software
   - Physical security countermeasures
   - Techniques for any of the above on new or interesting architectures
   - Wireless hacking (We aren't talking about wifi here)

 ++ Anything else elite ++

+ Please include
   - Speaker name(s) and/or handle
   - Contact information, e-mail and cell phone (optional)
   - Presentation title
   - Description of the presentation
   - Brief biography
   - If available presentation supporting materials (website, code, paper,
 slides, outline, ...)
   - And why it is cool, or why you want to present it
   - Let us know if you need help with VISA (So we can start the procedure
 early)
   - If your employer will pay for your travel or if you need us to pay for it


+ Get back to us soon

   - First round of CFP to end March 31
   - First speakers/talks to be announced week of April 2
   - CFP closes April 27, 2013, Recon 2013 speakers/talks announced May 5
   - So please send the above information to: cfp2013 (at) recon.cx

+ Recon registration opens soon.
   - http://recon.cx

  THIS FILE PASSED THROUGH...
   ___
  / DUAL   STANDARDS  \
 /   *   *   *   *   *   *   *   *   *   ***   \
/__  HS  AA  CD  OH  RD  SD  TR  MR  RS  CS  ARQ  SYN DeCUSHQ
  __\
   \-/
\   R E C 0 N  BBS   KNOWNW O R L D-W I D E  FOR 0-DAY WAREZ/
 .oo*\   ___   /
 O\_/ KRu1z1n' At 9600  1.5 Gigz Online \_/
 o
  O+--+
   o   514
   O  SERVING THE PHRESHEST CRACKS IN THE LATA
O  514
O   CHECK:
   O[*] 0-1(MAX) DAY
  O [*] H/P/A/V/C
  O [*] Demos/Artpacks
   O[*] 1200/2400/9600 BAUD
O   [*] 1500MB
 o.[ ] LAMERS
O
  ooo## BROUGHT TO YOU BY:
  SysopDataworm
  CoSysop..Aliss
  CoSysop..Strange Attractor
  CoSysop..TheGamble
  CoSysop..ChatBoss
   +1[514] 900 - 6PWN
   +1[337] 287 - 9777
   +1[LUL] Z69 - 3771