Package: xvnc4viewer
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vnc4.
CVE-2008-4770[0]:
| The CMsgReader::readRect function in the VNC Viewer component in
| RealVNC VNC Free Edition 4.0 th
retitle 507587 CVE-2008-5282,CVE-2008-6005,CVE-2009-0323: multiple buffer
overflows
thanks
Hi
There is an additional CVE about buffer overflows.
CVE-2009-0323[0]:
| Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0
| and 11.0 allow remote attackers to execute arbitrary code vi
Package: phpicalendar
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for phpicalendar.
CVE-2008-5840[0]:
| PHP iCalendar 2.24 and earlier allows remote attackers to bypass
| authentication by setting t
Package: gedit
Severity: important
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gedit.
CVE-2009-0314[0]:
| Untrusted search path vulnerability in the Python module in gedit
| allows local users to execute arbitrary code via a Trojan horse Python
| file in the cu
Package: xchat
Severity: important
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xchat.
CVE-2009-0315[0]:
| Untrusted search path vulnerability in the Python module in xchat
| allows local users to execute arbitrary code via a Trojan horse Python
| file in the cu
Package: python-moinmoin
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for moin.
CVE-2009-0260[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in
| action/AttachFile.py in MoinMoin befo
Package: libapache2-mod-auth-pgsql
Severity: wishlist
Hi
Please include the attached patch and send it to upstream.
The patch makes it possible to specify the client encoding
and uses proper escaping.
At this point, libapache2-mod-auth-pgsql is not vulnerable
to SQL injections, but if the client
reopen 349003
severity 349003 serious
thanks
Hi
I am still experiencing problems with the init script. I enter restart, but it
doesn't really startup wzdftpd.
The logfile correctly states things like:
Jan 21
16:57:57 /tmp/buildd/wzdftpd-0.8.3/backends/mysql/libmysql_main.c(FCN_INIT):199
Can't
Package: php5
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for php5.
CVE-2008-5557[0]:
| Heap-based buffer overflow in
| ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring
| extensi
Package: uw-imap
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for uw-imap.
CVE-2008-5514[0]:
| Off-by-one error in the rfc822_output_char function in the
| RFC822BUFFER routines in the Universit
Package: rsyslog
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for rsyslog.
CVE-2008-5618[0]:
| imudp in rsyslog 4.x before 4.1.2, 3.21 before 3.21.9 beta, and 3.20
| before 3.20.2 generates a message even when it is sent by an
| un
On Thu, 25 Dec 2008 03:57:05 pm Lukas Ruf wrote:
> Dear Rene
>
> > Rene Engelhard [2008-12-24 14:54]:
>
> [...]
>
> Thanks for your elaboration.
>
> > Note Steffen didn't say /etc/passwd or so but any file on the system
> > the user has rights on.
>
> See your statement: what can I add :) "the us
Package: ppp
Version: 2.4.4rel-10.1
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ppp.
CVE-2008-5366[0]:
| The postinst script in ppp 2.4.4rel on Debian GNU/Linux allows local
| users to overwrite arbitrary files via a symlink a
Package: muttprint
Severity: normal
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for muttprint.
CVE-2008-5368[0]:
| muttprint in muttprint 0.72d allows local users to overwrite arbitrary
| files via a symlink attack on the /tmp/muttprint.log temporary
Package: pvpgn
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pvpgn.
CVE-2008-5370[0]:
| pvpgn-support-installer in pvpgn 1.8.1 allows local users to overwrite
| arbitrary files via a symlink attack on the
| /tmp/pvpgn-support-1.
Package: screenie
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for screenie.
CVE-2008-5371[0]:
| screenie in screenie 1.30.0 allows local users to overwrite arbitrary
| files via a symlink attack on a /tmp/.screenie.# temporary
Package: sdm-terminal
Severity: minor
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sdm-terminal.
CVE-2008-5372[0]:
| sdm-login in sdm-terminal 0.4.0b allows local users to overwrite
| arbitrary files via a symlink attack on the /tmp/sdm.autologin.once
| temporar
Package: bacula-common
Severity: normal
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for bacula-common.
CVE-2008-5373[0]:
| mtx-changer.Adic-Scalar-24 in bacula-common 2.4.2 allows local users
| to overwrite arbitrary files via a symlink attack on a /
Hi Pieter
I think I've tracked down this issue. Indeed there is a problem with the SQL
queries. If the package is used within setups, where authentification works
via the username and not via the email address, then this issue occurs.
I have fixed packages here[0], could you please give them a t
Hi Pieter
Thanks for your report. The new mysql_real_escape_string() function doesn't
remove the sign.
However, it didn't cause any problems in my setup and the reports I got from
some test users. I will start investigating the issue again. Feel free to
ping me on IRC (OFTC, nick "white"), wher
Package: bash-doc
Severity: normal
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cmus.
CVE-2008-5374[0]:
| bash-doc 3.2 allows local users to overwrite arbitrary files via a
| symlink attack on a /tmp/cb#.? temporary file, related to the (1)
|
Package: cmus
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cmus.
CVE-2008-5375[0]:
| cmus-status-display in cmus 2.2.0 allows local users to overwrite
| arbitrary files via a symlink attack on the /tmp/cmus-status temporary
| f
Hi
Also crip seems to be vulnerable as well after a quick glance.
Cheers
Steffen
signature.asc
Description: This is a digitally signed message part.
Package: crip
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for crip.
CVE-2008-5376[0]:
| editcomment in crip 3.7 allows local users to overwrite arbitrary
| files via a symlink attack on a /tmp/*.tag.tmp temporary file.
This bug c
Package: xine-lib
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2008-5237[0]:
| Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
| earlier versions, allow remote attackers to cause a denial of se
Hi Ludovic
Please note the RFA, go ahead, if you are interested in the package and want
to take it over.
> Xoscope would be much more useful if support for comedilib was added.
> Just a dependency change. I can help if you need.
Ah great. Haven't tested it, but if you did, feel free to go ahead w
Package: foomatic-db-engine
Version: 3.0.2-20080211-1
Severity: important
Hi
I have the problem that my printers are both detected (I am using a
modified version of printconf), but the device uris are mixed up.
Therefore, my Epson points to the HP printer and vice-versa :)
I believe the problem
severity 509024 normal
thanks
On Wed, 17 Dec 2008 06:03:45 pm Nico Golde wrote:
> Hi,
>
> * Steffen Joeris [2008-12-17 17:53]:
> > The patch for CVE-2007-2739 seems to be incomplete as already discussed
> > via private mail. Just using htmlspecialchars(), instead of the rep
Package: php-xajax
Severity: grave
Justification: user security hole
Tags: security
Hi
The patch for CVE-2007-2739 seems to be incomplete as already discussed
via private mail. Just using htmlspecialchars(), instead of the replace
calls should do the trick.
I've requested a new CVE id for this an
Package: arb
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for arb.
CVE-2008-5378[0]:
| arb-kill in arb 0.0.20071207.1 allows local users to overwrite
| arbitrary files via a symlink attack on a /tmp/arb_pids_*_* temporary
| file.
Package: netdisco-mibs-installer
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for netdisco-mibs-installer.
CVE-2008-5379[0]:
| netdisco-mibs-installer 1.0 allows local users to overwrite arbitrary
| fi
Hi
I forgot to declare the int before the loop :(, so the patch broke current
standard behaviour. Please find the updated patch attached.
Cheers
Steffen
--- ../foomatic-gui/foomatic/detect.py 2008-12-10 14:19:26.0 +0100
+++ foomatic/detect.py 2008-12-11 10:57:29.0 +0100
@@ -142,1
Package: foomatic-db
Version: 20080211-2+nmu1
Severity: wishlist
Hi
printconf doesn't detect this komdruck printer. I've attached the
output for this printer. Hope this helps for adding support
entries for these printers. Please let me know, if you need any other
details.
Cheers
Steffen
* Resta
Package: foomatic-db
Version: 20080211-2+nmu1
Severity: wishlist
Hi
printconf doesn't detect certain Epson printers. I've attached the
output for two of them below. Hope this helps for adding support
entries for these printers.
Thanks in advance :)
Cheers
Steffen
* Restarting Common Unix Printi
Package: python-foomatic
Severity: normal
Hi
detect_usb_printers() in detect.py fails to detect the USB printer, if
it doesn't exist on /dev/usb/lp0 . If I have two USB printers attached
and then remove the first one, udev removes /dev/usb/lp0, but keeps
/dev/usb/lp1 for the second one. The attac
Package: iceweasel
Version: 3.0.4-1
Severity: normal
Hi
I am using iceweasel in a KDE environment here. After I've attached a
device (let's say a USB stick), it gets detected by KDE. However, it
does not show up in the iceweasel file picker, when I go to "Open File".
It seems to work though under
Hi Niko
Sorry for the delay.
On Sat, 6 Dec 2008 11:12:08 pm Niko Tyni wrote:
> fixed 479317 perl/5.8.8-7
> found 479317 perl/5.8.8-7etch5
> found 479317 perl/5.10.0-1
> thanks
>
> Hi security team,
>
> I'm sorry to report that we have a regression with perl/5.8.8-7etch5.
>
> As reported in #47931
Hi
One thing I forgot. I guess it would be good to check the encoding, especially
when you have user input. Otherwise, printconf would crash. I am using the
attached patch.
Cheers
Steffen
@@ -78,7 +78,7 @@ _invalidre = re.compile(r'([^A-Za-z0-9_])')
def print_fill(text, *args):
if args:
Package: printconf
Severity: wishlist
Tags: patch
Hi
I had the case where I needed all printers added to a certain group.
Since cups was in use (and it appears to be the default anyway), I started
to implement some cups classes support. Right now I ended up adding a
commandline option to printcon
Package: printconf
Severity: normal
Tags: patch
Hi
If I attach parallel printers without reloading the kernel modules
printconf does not have a way of knowing about these new printers,
since /proc/sys/dev/parport/parport*/autoprobe is not updated.
The attached patch reloads the kernel modules. No
On Wed, 3 Dec 2008 07:55:42 pm Joost Yervante Damad wrote:
> On Wednesday 03 December 2008 15:10:12 Frederic Peters wrote:
> > Mark Purcell wrote:
> > > On Monday 24 November 2008 22:58:38 Steffen Joeris wrote:
> > > > Packages for lenny and sid build fine with the p
Package: printconf
Severity: wishlist
Tags: patch
Hi
With the patch in #507666 setup_queue() understands the spooler
argument, which could now be set manually by printconf.
The attached patch does the work for me, can you include it into the
debian version?
Cheers
Steffen
--- /usr/bin/printconf
Package: python-foomatic
Severity: wishlist
Tags: patch
Hi
I needed to manually specify the spooler, because I couldn't rely on
the system configuration file. Therefore, I needed the patch below
added to foomatic.py so that it understands a spooler argument
(for example given by printconf).
Chee
Package: amaya
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for amaya.
CVE-2008-5282[0]:
| Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1
| allow remote attackers to execute arbi
Package: foomatic-db
Version: 20080211-2+nmu1
Severity: minor
Hi
I got the following message on my system:
Printer on parallel:/dev/lp0 was not automatically configurable by Debian.
Please submit the following information to [EMAIL PROTECTED]:
PJL,MLC,BIDI-ECP,PCL,DW-PCL
Hewlett-Pa
Hi Andrea
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
>
> First of all thank you for reporting this.
>
> Upstream's solution it's not so bad in my opinion. Moreover I think
> using official patch should protect us from future bugs.
Don
Package: wordpress
Severity: important
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wordpress.
CVE-2008-5278[0]:
Cross-site scripting (XSS) vulnerability in the self_link function in
in the RSS Feed Generator (wp-includes/feed.php) for Wor
Package: moodle
Severity: serious
Justification: Unknown
Hi
The moodle package embeds several code copies.
At the moment the list includes:
libphp-phpmailer
tinymce
libphp-adodb
libphp-snoopy
kses
domxml-php4-to-php5.php
libmarkdown-php
There are a few others that are simply not yet packaged f
Package: cups
Version: 1.3.8-1lenny3
Severity: grave
Tags: security, patch
Justification: user security hole
Hi Martin
Cups upstream just fixed another integer overflow[0], which was introduced
due to an incomplete fix for CVE-2008-1722. The upstream commit can be
found here[1]. A CVE id has been
Hi Martin
> I just received the attached message from No-IP.com. This affects
> stable and testing.
I might be tired, but where does this differ from #506179, which is fixed in
unstable?
Cheers
Steffen
signature.asc
Description: This is a digitally signed message part.
Package: printconf
Severity: wishlist
Tags: patch
Hi
It would be nice to specify the preferred papersize via commandline option.
The attached patch works here, could you consider adding it?
Cheers
Steffen
--- aa-printconf2008-11-26 09:22:14.0 +0100
+++ /usr/bin/aa-printconf
Package: printconf
Severity: wishlist
Tags: patch
Hi
I would like to have printconf accepting customized/preferred ppd files
offered by the local admins. The attached patch worked for me.
Would you consider adding something similar?
Cheers
Steffen
--- usr/bin/aa-printconf 2008-11-25 08:54:57.000
Package: wireshark
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
the following remotely exploitable vulnerability in Wireshark's
SMTP dissector has been reported:
References:
http://packetstormsecurity.org/0811-advisories/wireshark104-dos.txt
http://bugs.gentoo.org/sh
Hi
> CVE-2008-4868[1]:
> | Unspecified vulnerability in the avcodec_close function in
> | libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer,
> | has unknown impact and attack vectors, related to a free "on random
> | pointers."
Forget about this one, it seems to be fixed in our
Package: ffmpeg-debian
Version: 0.svn20080206-14
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for ffmpeg.
CVE-2008-4869[0]:
| FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attacke
Hi
Please also see this advisory[0] as an additional issue.
Description:
A vulnerability has been reported in Nagios, which can be exploited by
malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests
without pe
Hi
This is what upstream uses at the moment:
http://code.google.com/p/smarty-php/source/detail?r=2797&path=/trunk/libs/Smarty_Compiler.class.php
Also this issue has been given CVE-2008-4811 and CVE-2008-4810. I am trying to
clarify the situation with other vendors. In the meanwhile, please have
On Tue, 4 Nov 2008 03:40:22 pm Michael Gilbert wrote:
> Dear release team,
>
> Thank you for making a decision on the direction for bug #449497 in
> foo2zjs [1]. I believe that this is a reasonable choice for now due
> to the impending release. However, I would really like to see an
> honest and
On Sun, 2 Nov 2008 11:34:28 pm Steffen Joeris wrote:
> On Sun, 2 Nov 2008 09:49:32 pm Olivier Berger wrote:
> > Le dimanche 02 novembre 2008 à 11:13 +0100, Olivier Berger a écrit :
> > > Thanks for spotting this problem.
> > >
> > > The referred [2] patch is ac
On Sun, 2 Nov 2008 09:49:32 pm Olivier Berger wrote:
> Le dimanche 02 novembre 2008 à 11:13 +0100, Olivier Berger a écrit :
> > Thanks for spotting this problem.
> >
> > The referred [2] patch is actually not exactly apllicable to the version
> > of class.phpmailer.php shipped in phpgroupware 0.9.1
Package: phpgroupware
Severity: grave
Tags: security, patch
Justification: user security hole
Hi Peter,
the following CVE (Common Vulnerabilities & Exposures) id was
published for egroupware-core.
CVE-2007-3215[0]:
| PHPMailer 1.7, when configured to use sendmail, allows remote
| attackers to exe
Hi Charlie
> Thanks for the bug report.
>
> I have addressed this issue in ampache-3.4.3-1 which is currently on
> m.d.n [1] awaiting sponsoring.
>
> With Lenny so close to release I am contacting my usual sponsor for
> guidance on which would be the best solution for this bug:
> a. use supplied
Package: opendb
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for opendb.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote atta
Package: mediamate
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mediamate.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remot
Package: pixelpost
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pixelpost.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remot
Package: mahara
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mahara.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote atta
Package: ampache
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ampache.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote at
Package: libphp-snoopy
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libphp-snoopy.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allo
Package: snmpd
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
The following announcement has been released by net-snmp upstream:
SECURITY ISSUE: A bug in the getbulk handling code could let anyone
with even minimal access crash the agent. If you have open access
to y
On Wed, 29 Oct 2008 09:43:07 pm Marcin Owsiany wrote:
> On Wed, Oct 29, 2008 at 09:14:30PM +1100, Steffen Joeris wrote:
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for libgadu3.
>
> Finally :-) I have the packages ready from the da
Package: libgadu3
Version: 1:1.8.0+r592-2
Severity: important
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libgadu3.
CVE-2008-4776:
libgadu before 1.8.2 allows remote servers to cause a denial of
service (crash) via a contact description wi
Package: xen-3
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xen-3.
CVE-2008-4405[0]:
| xend in Xen 3.0.3 does not properly limit the contents of the
| /local/domain xenstore directory tree, and does not properly restrict
| a gu
reassgin 449497 tech-ctte,foo2zjs
thanks
Dear Technical Committee Members
Currently, there is a dispute about a certain part of the foo2zjs package.
Unfortunately, we do not seem to be able to solve it and thus require your
assistance. We have tried to get a paragraph together to state the prob
Hi
I am upset that you again raised the severity without consulting anyone. The
package as it stands is DFSG free and the getweb script is there for the
convenience of the users as well as the documentation. Your arguments haven't
changed my opinion. However, it doesn't look like we are finding
Package: wordpress
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wordpress.
CVE-2008-4671[0]:
| Cross-site scripting (XSS) vulnerability in wp-admin/wp-blogs.php in
| Wordpress MU (WPMU) before 2.6 allows remote attackers to inj
severity 449497 important
thanks
On Sun, 26 Oct 2008 11:40:34 pm Joost Yervante Damad wrote:
> Hi Luca,
>
> > [3] not that I checked with such printers, I'm only in touch with one
> > that needs a non-free firmware
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466758#15
>
> So you
On Sun, 26 Oct 2008 10:12:49 pm Luca Capello wrote:
> Hi there!
>
> On Sun, 26 Oct 2008 08:03:46 +0100, Steffen Joeris wrote:
> > On Sun, 26 Oct 2008 07:38:51 +0100. Joost Yervante Damad wrote:
> >> I understand your sentiment, and it is indeed a "grey" are
Hi
Sorry for the confusing statement here.
> > > I understand your sentiment, and it is indeed a "grey" area situation.
> > > If I take policy literary, I think this package is fine in main, but it
> > > is not as simple...
> > >
> > > In order to get this bug rolling (and lenny released ;-) ), ca
Hi
> I understand your sentiment, and it is indeed a "grey" area situation. If I
> take policy literary, I think this package is fine in main, but it is not
> as simple...
>
> In order to get this bug rolling (and lenny released ;-) ), can you all
> live with me splitting up the package in two pack
severity 449497 wishlist
tags 449497 wontfix
thx
I am well aware that upstream author dislikes all sorts of distribution and
does not want them to ship foo2zjs. However, the non-free stuff was stripped
away from the package, including a lot of the icm files. Please take the
effort yourself to c
Package: dovecot-common
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for dovecot.
CVE-2008-4577[0]:
| The ACL plugin in Dovecot before 1.1.4 treats negative access rights
| as if they are positive access rights, which allows atta
fixed 502680 1:1.1.3-1
thanks
Hi
As indicated in the original mail, the bug is fixed in sid, so no need for
this bugreport. However, now that it's there, I've marked it as fixed for sid
accordingly. The question about the severity however still remains and thus
how to fix it for lenny and etch
Package: strongswan
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for strongswan.
CVE-2008-4551[0]:
| strongSwan 4.2.6 and earlier allows remote attackers to cause a denial
| of service (daemon c
Package: dbus
Version: 1.2.1-3
Severity: important
Tags: security, patch
Hi
There is a potential DoS in dbus. Please see the upstream bug for
more explanations[0]. The patch is attached[1] to the bug and there is
also a Red Hat bug[2] about it. I am still unsure about the severity
and want to fig
On Sun, 5 Oct 2008 08:25:15 pm Moritz Muehlenhoff wrote:
> On Wed, May 28, 2008 at 12:43:54AM +0200, Javier Fernández-Sanguino Peña
wrote:
> > severity 483160 important
> > thanks
> >
> > On Wed, May 28, 2008 at 01:11:44AM +1000, Steffen Joeris wrote:
> > >
Package: mediawiki
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mediawiki.
CVE-2008-4408[0]:
Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0,
and possibly other versions before 1.13.2 allows remote attacker
Package: libpng
Severity: important
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpng.
CVE-2008-3964[0]:
| Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4
| before 1.4.0beta34, allow context-dependent attackers to cause
Package: rails
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for rails.
CVE-2008-4094[0]:
| Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1
| allow remote attackers to execute arbit
Package: mercurial
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mercurial.
CVE-2008-4297[0]:
| Mercurial before 1.0.2 does not enforce the allowpull permission
| setting for a pull operation from hgweb, which allows remote atta
Package: viewvc
Severity: normal
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for viewvc.
CVE-2008-4325[0]:
| lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the
| HTTP request for the Content-Type header in the HTTP response,
Package: mplayer
Version: 1.0~rc2-17
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
mplayer is vulnerable to several integer overflows.
This issue is now public and can be fixed in unstable.
Testing is already fixed and stable will follow soon.
More information can be
tags 500114 patch
thanks
Hi
There is an upstream patch for this issue[0]. Could you please make sure
it reaches lenny via migration from unstable? I guess for stable (etch), you
could go via stable-proposed-updates.
Thanks in advance.
Cheers
Steffen
[0]: http://cvs.horde.org/diff.php/turba/tes
Package: imp4
Severity: important
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for imp4.
CVE-2008-4182[0]:
| Cross-site scripting (XSS) vulnerability in imp/test.php in Horde
| Turba Contact Manager H3 2.2.1, and possibly other Horde Project
|
On Tue, 23 Sep 2008 03:11:34 am Mike Hommey wrote:
> On Mon, Sep 22, 2008 at 05:51:02PM +1000, Steffen Joeris wrote:
> > Package: webkit
> > Severity: grave
> > Tags: security, patch
> > Justification: user security hole
> >
> > Hi,
> > the following
Package: fraad2
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
fraad2 is affected by a heap overflow, please see the upstream
announcement[0] for more information. Also see the gentoo security
bug for further information[1]. The upstream patch can be found here[2].
As
Package: webkit
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for webkit.
CVE-2008-3950[0]:
| Off-by-one error in the
| _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
| Web
Package: movabletype-opensource
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for movabletype-opensource.
CVE-2008-4079[0]:
| Cross-site scripting (XSS) vulnerability in Movable Type (MT) 4.x
| through 4.20, and 3.36 and earlier; Mo
Hi
This issue is now being tracked as CVE-2008-3963.
Please mention the CVE id in the changelog, when you fix this bug.
Cheers
Steffen
signature.asc
Description: This is a digitally signed message part.
Package: mono
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mono.
CVE-2008-3906[0]:
| CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows
| remote attackers to inject arbitrary HTTP headers and conduct HTTP
|
Package: ssmtp
Severity: important
Tags: security, patch
Hi
Maurice van der Pot of Gentoo reported a bug in ssmtp 2.62:
The from_format() function in ssmtp.c will call strdup() on an
unitialized memory if the user's gecos is unset and "FromLineOverride"
is disabled in the configuration. This mi
101 - 200 of 725 matches
Mail list logo