@@
+libapache2-mod-authnz-external (3.2.4-2.1) unstable; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Fix SQL injection via the $user paramter (Closes: #633637)
+Fixes: CVE-2011-2688
+
+ -- Steffen Joeris wh...@debian.org Mon, 18 Jul 2011 10:26:11 +1000
+
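Review bot: the "Fix SQL injection via the $user paramter" line misspells "parameter"; since this entry is copied into the DSA text and the tracker, spell it out, and consider naming the file or backend in which $user is interpolated into the query, because the entry alone gives a reader no way to locate the fix.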
libapache2-mod
Hi Amaya,
Steffen Joeris wrote:
I had a quick look and didn't see that code included in Debian. As far
as I can see, the package has the same version in all suites, or am I
missing anything?
Oh, $DEITY, you are absolutely right, I looked at a locally patched
version and confused
Package: libav
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libav.
CVE-2011-2162[0]:
| Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
| used in MPlayer 1.0
Package: openswan
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-2147[0]:
| Openswan 2.2.x does not properly restrict permissions for (1)
| /var/run/starter.pid,
Package: libruby1.9.1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136
Package: ruby1.9
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136 and
Package: ruby1.8
Version: 1.8.7.334-5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
|
Package: python3.1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python3.1.
CVE-2011-1521[0]:
| The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x
| before 3.2.1 process
Package: python2.6
Version: 2.6.6-10
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python2.6.
CVE-2011-1521[0]:
| The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x
|
Package: erlang
Severity: grave
Tags: security
Hi,
Please see http://www.kb.cert.org/vuls/id/178990 for all the information.
The upstream patch can be reviewed here:
https://github.com/erlang/otp/commit/f228601de45c5
Cheers,
Steffen
severity 603749 normal
thx
It seems that the vulnerable file was introduced after 1.2.6, which is
currently in sid. So as long as a fixed version is uploaded next, everything
should be fine.
Cheers,
Steffen
team
+ * Fix DoS due to wrong string handling (Closes: #596086)
+Fixes: CVE-2010-3072
+
+ -- Steffen Joeris wh...@debian.org Mon, 13 Sep 2010 17:07:51 +1000
+
squid3 (3.1.6-1) unstable; urgency=low
* New upstream release
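Review bot: "Fix DoS due to wrong string handling" in the security-team NMU entry is too vague to map back to the upstream change; the entry gives only the bug number and CVE-2010-3072, so name the affected function or request element, which lets the DSA text and later reviewers confirm that the patch actually covers the reported issue.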
diff -u squid3-3.1.6/debian/patches/00list squid3-3.1.6/debian
Hi Sam
Could you prepare updated packages for lenny and send a debdiff? We'll need to
release a DSA for this issue.
Cheers
Steffen
Hi Hideki
Indeed this should be fixed via a DSA and for unstable as well.
I am still having slight problems understanding the XSS issue here.
Apparently, to_native() is converting it to another encoding, but shouldn't it
do some escaping of certain characters to avoid having the usual html
Hi Hideki
Thanks for the information. Have you been able to reproduce the problem with
IE and checked the patch?
Cheers
Steffen
On Sun, 7 Mar 2010 19:10:12 +1100
Steffen Joeris steffen.joe...@skolelinux.de wrote:
Apparently, to_native() is converting it to another encoding
On Mon, 8 Mar 2010 03:01:39 am Hideki Yamane wrote:
Hi Steffen,
On Sun, 7 Mar 2010 21:47:53 +1100
Steffen Joeris steffen.joe...@skolelinux.de wrote:
Thanks for the information. Have you been able to reproduce the problem
with IE and checked the patch?
with IE6 and IE8, I cannot
Hi Mirco
Hi
GMime upstream has released the latest version, 2.4.15 [1], of the
library, fixing one security issue. From the 2.4.15-changes [2] file:
2010-01-31 Jeffrey Stedfast f...@novell.com
* gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to
prevent possible buffer
Hi Andres
I've read your previous comments to the bug report, but wanted to stress the
point that it will not be acceptable for mediabomb to use an internal copy of
prototypejs. We do not want a version of the package in squeeze that does not
use the system-wide prototypejs. I understand that
Package: libgmime-2.0-2a
Severity: grave
Tags: security patch
Hi
GMime upstream has released the latest version, 2.4.15 [1], of the
library, fixing one security issue. From the 2.4.15-changes [2] file:
2010-01-31 Jeffrey Stedfast f...@novell.com
* gmime/gmime-encodings.h (GMIME_UUENCODE_LEN):
reopen 559531
severity 559531 important
thanks
Hi
MSA-09-0025 and MSA-09-0029 don't seem to be fixed. Both issues are minor
security issues, so I am lowering the severity.
Cheers
Steffen
-1.9.4/debian/changelog
--- audiere-1.9.4/debian/changelog
+++ audiere-1.9.4/debian/changelog
@@ -1,3 +1,11 @@
+audiere (1.9.4-3.1) unstable; urgency=low
+
+ * Non-maintainer upload
+ * Fix FTBFS with GCC 4.4 (Closes: #505122)
+Thanks to Martin Michlmayr
+
+ -- Steffen Joeris wh...@debian.org
Hi
FYI, This issue has been assigned CVE-2010-0301.
Cheers
Steffen
descriptors
+Thanks to Julien Cristau
+
+ -- Steffen Joeris wh...@debian.org Fri, 29 Jan 2010 14:30:27 +0100
+
hybserv (1.9.2-4) unstable; urgency=low
* Update 01_fhs+mkdirfix.dpatch:
diff -u hybserv-1.9.2/debian/hybserv.postinst hybserv-1.9.2/debian/hybserv.postinst
--- hybserv-1.9.2
Hi
For the record, this issue got CVE-2010-0303 assigned.
Cheers
Steffen
Package: oftc-hybrid
Severity: grave
Tags: security patch
Hi
Please include the patch from DSA-1980-1, which fixes an integer
underflow (patch attached).
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c
@@ -103,7 +103,9 @@
}
Package: ircd-ratbox
Severity: grave
Tags: security patch
Hi
DSA-1980-1 has fixed two issues in ircd-ratbox, patches attached. Please
include them in the next upload.
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c
@@ -103,7 +103,9
Package: ircd-hybrid
Version: 1:7.2.2.dfsg.2-6.1
Severity: grave
Tags: security patch
Hi
DSA-1980-1 has fixed an issue in ircd-hybrid, patch attached. Please
include this patch in your next upload.
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++
dependency in init LSB header to use $network rather than
+$local_fs to make sure networking is available during boot and to
+make the package installation work again (Closes: #563784)
+Thanks to Petter Reinholdtsen
+
+ -- Steffen Joeris wh...@debian.org Sat, 23 Jan 2010 13:08:40 +0100
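Review bot: the entry says the LSB Required-Start dependency now uses $network "rather than" $local_fs; if $local_fs was removed instead of being kept alongside $network, list both, since the two facilities express different requirements and the daemon still needs its local filesystems (pid and log directories) mounted before it starts.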
Hi
Unfortunately, the package still doesn't work, but please find the patch for
the initialising error from the newer compiler below.
Cheers
Steffen
--- insight-6.7.1.dfsg.1.orig/gdb/eval.c
+++ insight-6.7.1.dfsg.1/gdb/eval.c
@@ -1627,6 +1627,8 @@
if (nargs != ndimensions)
Hi Andrew
Following up on this bug report, if I take the current argus-server package
from unstable and try to rebuild it, I'll end up without the argus (or
argus_linux) binary in the package[0]. There seems to be a change in the
libpcap package's API. Also, you've used the pcap_read() and
-16.1) unstable; urgency=low
+
+ * Non-maintainer upload
+ * Use pcap_dispatch() rather than the private functions
+pcap_offline_read()/pcap_read() and fix a few compilation errors
+(Closes: #557807)
+
+ -- Steffen Joeris wh...@debian.org Fri, 22 Jan 2010 15:16:59 +0100
+
argus (1:2.0.6
by adjusting configure.ac and debian/rules
+(Closes: #565287) Thanks to Peter Green
+
+ -- Steffen Joeris wh...@debian.org Fri, 22 Jan 2010 21:39:05 +0100
+
gwget2 (1.0.4-1) unstable; urgency=low
* New upstream release. Closes: #533658, #552715.
diff -u gwget2-1.0.4/debian/rules gwget2
GCC compiler (Closes: #505626)
+Thanks to Martin Michlmayr
+
+ -- Steffen Joeris wh...@debian.org Fri, 22 Jan 2010 23:08:35 +0100
+
mm3d (1.3.7-1.1) unstable; urgency=low
* Non-maintainer upload.
only in patch2:
unchanged:
--- mm3d-1.3.7.orig/src/mm3dcore/tool.h
+++ mm3d-1.3.7/src
Package: gzip
Version: 1.3.12-8
Severity: grave
Tags: security patch
Hi Bdale, Carl
Carl, I saw too late that you're a new co-maintainer so I only
forwarded the pre-notification to Bdale (who is probably busy at LCA).
i
the following CVE (Common Vulnerabilities & Exposures) id was
published for
Hi Christoph
I've prepared an NMU for dc-qt (versioned as 0.2.0.alpha-4.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Thanks for your work.
I am not really maintaining the package anymore. I guess I should check
whether the alternatives are good
Hi Adam
These issues have been assigned CVE ids, see below:
CVE-2009-4214[0]:
| Cross-site scripting (XSS) vulnerability in the strip_tags function in
| Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
| attackers to inject arbitrary web script or HTML via vectors involving
|
Package: drupal6
Severity: grave
Tags: security patch
Hi Luigi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for drupal6.
CVE-2009-4371[0]:
| Cross-site scripting (XSS) vulnerability in the Locale module
| (modules/locale/locale.module) in Drupal Core 6.14, and
Hi Luigi
By the way, drupal5 is also affected by at least one of these issues. Can we
remove drupal5 from Debian or is there a reason for keeping it? It would be
easier to have it gone, then we'd only have to track one package.
Cheers
Steffen
+
+ * Non-maintainer upload
+ * Add libmagickcore2-extra as build-depends since imagemagick has
+reorganised the plugin packages (thanks to Stuart Prescott)
+(Closes: #560604)
+
+ -- Steffen Joeris wh...@debian.org Wed, 23 Dec 2009 22:19:35 +0100
+
qemulator (0.5-3) unstable; urgency=low
by the security team
+ * Fix several cross-site scriptings via different vectors
+Fixes: CVE-2009-4032
+
+ -- Steffen Joeris wh...@debian.org Wed, 16 Dec 2009 12:06:20 +0100
+
cacti (0.8.7e-1) unstable; urgency=low
* New upstream release (Closes: #541490).
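Review bot: "Fix several cross-site scriptings via different vectors" should read "cross-site scripting issues", and more importantly the entry should name the scripts or parameters that the patch covers; CVE-2009-4032 spans multiple vectors, and a reader of this changelog cannot tell from "different vectors" whether all of them are addressed.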
diff -u cacti-0.8.7e/debian/patches
Package: cacti
Severity: grave
Tags: security
Hi Sean
the following CVE (Common Vulnerabilities & Exposures) id was
published for cacti.
CVE-2009-4112[0]:
| Cacti 0.8.7e and earlier allows remote authenticated administrators to
| gain privileges by modifying the Data Input Method for the Linux -
Package: cups
Version: 1.4.1-5
Severity: grave
Tags: security patch
Hi Martin
The recent DSA (DSA-1933-1) fixed a few cross-site scripting issues.
Please include the patch in the unstable/testing distribution.
Cheers
Steffen
diff -u cupsys-1.2.2/debian/changelog cupsys-1.2.2/debian/changelog
On Sun, 11 Oct 2009 07:38:01 am Mehdi Dogguy wrote:
Michael S Gilbert a écrit :
Package: advi
Version: 1.6.0-12
Severity: serious
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for camlimages. advi statically links to camlimages, so
Package: newt
Severity: grave
Tags: security patch
Hi
There is a buffer overflow in textbox.c. This issue is CVE-2009-2905.
In textbox.c the following patch has been applied.
- result = malloc(strlen(text) + (strlen(text) / width) + 2);
+ result = malloc(strlen(text) +
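Review bot: the allocation being replaced, `result = malloc(strlen(text) + (strlen(text) / width) + 2);`, sizes the buffer for the text plus one inserted newline per `width` characters. If the wrapping code can end a line before `width` characters (at a word boundary, or on a newline already present in the text), it inserts more newlines than strlen(text)/width and writes past the buffer; the replacement bound should come from the number of lines the wrapper actually produces, or from the worst case of one newline per character, rather than from strlen(text)/width. The `+` line is cut off in this excerpt, so the new bound cannot be checked here.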
Package: viewvc
Severity: grave
Tags: security patch
Hi
According to upstream:
Version 1.1.2 (released 11-Aug-2009)
* security fix: validate the 'view' parameter to avoid XSS attack
* security fix: avoid printing illegal parameter names and values
patch for integer overflows to also cover other
+image types (Closes: #540146)
+Fixes: CVE-2009-2660
+
+ -- Steffen Joeris wh...@debian.org Sat, 08 Aug 2009 07:05:38 +
+
camlimages (1:3.0.1-2) unstable; urgency=low
[ Mehdi Dogguy ]
diff -u camlimages-3.0.1/debian/patches
Package: dhcp3-server
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dhcp3.
CVE-2009-1892[0]:
| dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier and
| hardware ethernet configuration settings are both used,
Hi
So I had another look at the issue. Indeed, set_nss_error was undefined, so I
used a different function. Also, I think there was another regression with
displaying signed and encrypted S/MIME messages. Could you please test these
updated packages[0] in your environments and tell me, whether
-maintainer upload by the security team
+ * Fix XSS via the backend parameter (Closes: #536554)
+Fixes: CVE-2009-2360
+
+ -- Steffen Joeris wh...@debian.org Sat, 11 Jul 2009 06:02:56 +
+
sork-passwd-h3 (3.1-1) unstable; urgency=low
* New upstream release.
only in patch2:
unchanged:
--- sork
Package: sork-passwd-h3
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sork-passwd-h3.
CVE-2009-2360[0]:
| Cross-site scripting (XSS) vulnerability in passwd/main.php in the
| Passwd module before 3.1.1 for Horde allows remote
team
+ * Fix cross-site scripting vulnerability, which can be exploited via
+the userid, userdescrip, useremail, grp and grpdescrip parameters
+(Closes: #530271)
+Fixes: CVE-2009-1732
+
+ -- Steffen Joeris wh...@debian.org Mon, 06 Jul 2009 08:09:24 +
+
ipplan (4.91a-1) unstable
On Wed, 24 Jun 2009 07:46:01 am Richard Ellerbrock wrote:
The existing patch is correct - using htmlspecialchars will have the
effect of placing escaped strings in the database. It will also have
the effect of double escaping each time you edit a field.
My patch replaces the display template
Hi Richard
I am not sure about your patch.
Setting a maximum length does not fix a potential XSS issue. Why not use
htmlspecialchars() to take care of escaping? I have attached a potential patch
for that. Of course, it would be good to check the rest of the code as well
and see whether it is
Package: plone3
Severity: grave
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for plone3.
CVE-2009-0662[0]:
| The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product
| for Plone, does not properly handle the login form, which
Hi Rene
Unfortunately, this doesn't apply as dpd code seems to have moved out of
demux.c (I didn't find any of the patch context). Have you had contact with
openswan upstream concerning this bug?
Isn't the vulnerable code in programs/pluto/ikev1.c?
Cheers
Steffen
vulnerability when used with multibyte
+encodings by using mysql_real_escape_string()
+
+ -- Steffen Joeris wh...@debian.org Mon, 30 Mar 2009 11:21:06 +0200
+
auth2db (0.2.5-2+dfsg-1) unstable; urgency=medium
* New debian-specific+upstream release (Closes: #493132):
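Review bot: mysql_real_escape_string() only closes the multibyte hole when the client library knows the character set the server will use to parse the query; if the application selects its charset with SET NAMES instead of mysql_set_charset() (or the client library's equivalent), the escaping function still works with the default charset and the bypass this entry claims to fix remains. The entry should say how the connection charset is set, and a prepared statement with bound parameters would remove the escaping question entirely.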
diff -u auth2db-0.2.5-2+dfsg
upload by the security team
+ * Fix DoS issue via malicious Dead Peer Detection packet
+Fixes: CVE-2009-0790
+
+ -- Steffen Joeris wh...@debian.org Tue, 24 Mar 2009 13:20:43 +
+
openswan (1:2.4.12+dfsg-1.3) unstable; urgency=high
* Non-maintainer upload.
diff -u openswan-2.4.12+dfsg
by the security team
+ * Fix DoS issue via malicious Dead Peer Detection packet
+Fixes: CVE-2009-0790
+
+ -- Steffen Joeris wh...@debian.org Tue, 24 Mar 2009 12:31:39 +
+
strongswan (4.2.4-5) unstable; urgency=high
Reason for urgency high: this is potentially security relevant.
diff -u
Package: xine-lib
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2009-0698[0]:
| Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib
| 1.1.16.1 allows remote
Package: proftpd
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for proftpd.
CVE-2009-0543[0]:
| ProFTPD Server 1.3.1, with NLS support enabled, allows remote
| attackers to bypass SQL injection
; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Include upstream patch to fix DoS via error in request processing
+code (Closes: #514142)
+
+ -- Steffen Joeris wh...@debian.org Thu, 05 Feb 2009 18:28:57 +
+
squid (2.7.STABLE3-4) unstable; urgency=low
* debian/rules
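Review bot: this security-team entry cites only the bug number (#514142) and carries no `Fixes: CVE-...` line, unlike the other security NMU entries on this page; if an id has been assigned for the request-processing DoS, add it so the DSA and the security tracker can cross-reference the upload, and name the affected code path rather than "error in request processing code".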
diff
Package: audacity
Version: 1.3.5-2
Severity: grave
Tags: security
Justification: user security hole
There is a buffer overflow in audacity apparently affecting the etch
and lenny version. You can find a reproducer here[0].
However, I just took a random .gro file and when importing it under
Package: squid
Severity: grave
Tags: security
Justification: user security hole
Hi
A DoS issue has been reported[0] for squid. So far I cannot see the
vulnerable code in the stable release, but it would be nice, if you
could check that as well. Lenny seems to be affected and needs fixing.
I've
fixed 514138 1.3.6-1
thanks
Hi Benjamin
On Wed, 4 Feb 2009 04:29:05 pm Benjamin Drung wrote:
The upcoming audacity 1.3.7-1 does not crash if I open the generated
file from [0]. According to the Gentoo bug tracker [1] audacity 1.3.6
does not have this bug any more. You can find
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for gst-plugins-good0.10.
CVE-2009-0386[0]:
| Heap-based buffer overflow in the
Package: phpicalendar
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for phpicalendar.
CVE-2008-5840[0]:
| PHP iCalendar 2.24 and earlier allows remote attackers to bypass
| authentication by setting
retitle 507587 CVE-2008-5282,CVE-2008-6005,CVE-2009-0323: multiple buffer
overflows
thanks
Hi
There is an additional CVE about buffer overflows.
CVE-2009-0323[0]:
| Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0
| and 11.0 allow remote attackers to execute arbitrary code
Package: xvnc4viewer
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vnc4.
CVE-2008-4770[0]:
| The CMsgReader::readRect function in the VNC Viewer component in
| RealVNC VNC Free Edition 4.0
Package: python-moinmoin
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for moin.
CVE-2009-0260[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in
| action/AttachFile.py in MoinMoin
Package: php5
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for php5.
CVE-2008-5557[0]:
| Heap-based buffer overflow in
| ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring
|
Package: uw-imap
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for uw-imap.
CVE-2008-5514[0]:
| Off-by-one error in the rfc822_output_char function in the
| RFC822BUFFER routines in the
Package: php-xajax
Severity: grave
Justification: user security hole
Tags: security
Hi
The patch for CVE-2007-2739 seems to be incomplete as already discussed
via private mail. Just using htmlspecialchars(), instead of the replace
calls should do the trick.
I've requested a new CVE id for this
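The escaping question raised in the ipplan thread above (a maximum length is not an XSS fix, htmlspecialchars() at output time is, and escaping before storage double-escapes on every edit) and in this php-xajax report (htmlspecialchars() instead of ad-hoc replace calls), worked through in Python as an added example. This is not code from ipplan, xajax or Debian: Python's html.escape() stands in for PHP's htmlspecialchars($s, ENT_QUOTES), and the payloads and the naive replace-based escaper are constructed for illustration.

```python
"""Output escaping versus the alternatives discussed in the ipplan and
php-xajax threads. Added example, not code from either project: Python's
html.escape() stands in for PHP's htmlspecialchars($s, ENT_QUOTES), and
the payloads and the naive replace-based escaper are constructed here."""
import html

# Constructed attacker input. The first payload closes a quoted attribute
# value, the second injects a tag; neither contains the "<script" token.
ATTRIBUTE_PAYLOAD = 'x" onmouseover="alert(1)'
TAG_PAYLOAD = "<img src=x onerror=alert(1)>"


def naive_escape(value):
    """The kind of replace-call escaper the php-xajax report says to drop:
    it rewrites one token and leaves quotes and other tags alone."""
    return value.replace("<script", "&lt;script").replace("</script", "&lt;/script")


def truncate(value, max_len):
    """The 'maximum length' change from the ipplan thread. Shortening the
    input does nothing about the characters that matter."""
    return value[:max_len]


def escape(value):
    """htmlspecialchars() equivalent: & < > and both quote characters are
    encoded, so the result is inert in text content and in quoted attributes."""
    return html.escape(value, quote=True)


def attribute_safe(value):
    """Check used below: a value placed inside value="..." is inert when no
    raw quote or angle bracket survives escaping."""
    return not any(c in value for c in "<>\"'")


def render_row(label, value):
    """Display template: escaping happens at output time, so the database
    keeps the raw value (stored through a parameterised query on the SQL
    side) and the edit form never sees an already-escaped string."""
    return '<td>%s</td><td><input value="%s"></td>' % (escape(label), escape(value))


def escape_on_store_cycle(value, edits):
    """What the ipplan thread warns about: escaping before the INSERT and
    again on every save round-trip grows &amp;amp;... with each edit."""
    stored = escape(value)
    for _ in range(edits):
        # The edit form shows the stored string, the user submits it as-is,
        # and the save path escapes it once more.
        stored = escape(stored)
    return stored


def escape_on_output_cycle(value, edits):
    """Escape-at-output: the form shows escape(stored), the browser decodes
    the attribute and submits the raw value, and the raw value is stored
    again. Returns (value in database, value as rendered) after the edits."""
    stored = value
    for _ in range(edits):
        stored = html.unescape(escape(stored))  # browser decoding of the form value
    return stored, escape(stored)


if __name__ == "__main__":
    for name, fn in (("naive", naive_escape), ("truncate", lambda v: truncate(v, 8)), ("escape", escape)):
        print(name, attribute_safe(fn(ATTRIBUTE_PAYLOAD)), repr(fn(ATTRIBUTE_PAYLOAD)))
    print(escape_on_store_cycle("a&b", 2))
    print(escape_on_output_cycle("a&b", 3))
```

The two cycle functions are the point of the ipplan exchange: storing raw and escaping in the display template gives the same rendered bytes after any number of edits, while escaping on the way into the database gains one `&amp;` layer per save.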
severity 509024 normal
thanks
On Wed, 17 Dec 2008 06:03:45 pm Nico Golde wrote:
Hi,
* Steffen Joeris steffen.joe...@skolelinux.de [2008-12-17 17:53]:
The patch for CVE-2007-2739 seems to be incomplete as already discussed
via private mail. Just using htmlspecialchars(), instead
Package: netdisco-mibs-installer
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for netdisco-mibs-installer.
CVE-2008-5379[0]:
| netdisco-mibs-installer 1.0 allows local users to overwrite arbitrary
|
On Wed, 3 Dec 2008 07:55:42 pm Joost Yervante Damad wrote:
On Wednesday 03 December 2008 15:10:12 Frederic Peters wrote:
Mark Purcell wrote:
On Monday 24 November 2008 22:58:38 Steffen Joeris wrote:
Packages for lenny and sid build fine with the patch, I haven't
tested them though
Package: amaya
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for amaya.
CVE-2008-5282[0]:
| Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1
| allow remote attackers to execute
Package: cups
Version: 1.3.8-1lenny3
Severity: grave
Tags: security, patch
Justification: user security hole
Hi Martin
Cups upstream just fixed another integer overflow[0], which was introduced
due to an incomplete fix for CVE-2008-1722. The upstream commit can be
found here[1]. A CVE id has
Package: moodle
Severity: serious
Justification: Unknown
Hi
The moodle package embeds several code copies.
At the moment the list includes:
libphp-phpmailer
tinymce
libphp-adodb
libphp-snoopy
kses
domxml-php4-to-php5.php
libmarkdown-php
There are a few others that are simply not yet packaged
Hi Martin
I just received the attached message from No-IP.com. This affects
stable and testing.
I might be tired, but where does this differ from #506179, which is fixed in
unstable?
Cheers
Steffen
Package: wireshark
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
the following remotely exploitable vulnerability in Wireshark's
SMTP dissector has been reported:
References:
http://packetstormsecurity.org/0811-advisories/wireshark104-dos.txt
Hi
Please also see this advisory[0] as an additional issue.
Description:
A vulnerability has been reported in Nagios, which can be exploited by
malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests
without
Package: ffmpeg-debian
Version: 0.svn20080206-14
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for ffmpeg.
CVE-2008-4869[0]:
| FFmpeg 0.4.9, as used by MPlayer, allows context-dependent
Hi
CVE-2008-4868[1]:
| Unspecified vulnerability in the avcodec_close function in
| libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer,
| has unknown impact and attack vectors, related to a free on random
| pointers.
Forget about this one, it seems to be fixed in our
Package: phpgroupware
Severity: grave
Tags: security, patch
Justification: user security hole
Hi Peter,
the following CVE (Common Vulnerabilities & Exposures) id was
published for egroupware-core.
CVE-2007-3215[0]:
| PHPMailer 1.7, when configured to use sendmail, allows remote
| attackers to
On Sun, 2 Nov 2008 09:49:32 pm Olivier Berger wrote:
Le dimanche 02 novembre 2008 à 11:13 +0100, Olivier Berger a écrit :
Thanks for spotting this problem.
The referred [2] patch is actually not exactly applicable to the version
of class.phpmailer.php shipped in phpgroupware 0.9.11, and
On Sun, 2 Nov 2008 11:34:28 pm Steffen Joeris wrote:
On Sun, 2 Nov 2008 09:49:32 pm Olivier Berger wrote:
Le dimanche 02 novembre 2008 à 11:13 +0100, Olivier Berger a écrit :
Thanks for spotting this problem.
The referred [2] patch is actually not exactly applicable to the
version
Package: snmpd
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
The following announcement has been released by net-snmp upstream:
SECURITY ISSUE: A bug in the getbulk handling code could let anyone
with even minimal access crash the agent. If you have open access
to
Package: libphp-snoopy
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libphp-snoopy.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier
Package: ampache
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ampache.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote
Package: mahara
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mahara.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote
Package: pixelpost
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pixelpost.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows
Package: mediamate
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mediamate.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows
Package: opendb
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for opendb.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote
Hi Charlie
Thanks for the bug report.
I have addressed this issue in ampache-3.4.3-1 which is currently on
m.d.n [1] awaiting sponsoring.
With Lenny so close to release I am contacting my usual sponsor for
guidance on which would be the best solution for this bug:
a. use supplied patch,
reassign 449497 tech-ctte,foo2zjs
thanks
Dear Technical Committee Members
Currently, there is a dispute about a certain part of the foo2zjs package.
Unfortunately, we do not seem to be able to solve it and thus require your
assistance. We have tried to get a paragraph together to state the
Hi
I am upset that you again raised the severity without consulting anyone. The
package as it stands is DFSG free and the getweb script is there for the
convenience of the users as well as the documentation. Your arguments haven't
changed my opinion. However, it doesn't look like we are
Hi
I understand your sentiment, and it is indeed a grey area situation. If I
take policy literally, I think this package is fine in main, but it is not
as simple...
In order to get this bug rolling (and lenny released ;-) ), can you all
live with me splitting up the package in two packages:
Hi
Sorry for the confusing statement here.
I understand your sentiment, and it is indeed a grey area situation.
If I take policy literally, I think this package is fine in main, but it
is not as simple...
In order to get this bug rolling (and lenny released ;-) ), can you all
On Sun, 26 Oct 2008 10:12:49 pm Luca Capello wrote:
Hi there!
On Sun, 26 Oct 2008 08:03:46 +0100, Steffen Joeris wrote:
On Sun, 26 Oct 2008 07:38:51 +0100, Joost Yervante Damad wrote:
I understand your sentiment, and it is indeed a grey area situation.
If I take policy literally, I think
severity 449497 important
thanks
On Sun, 26 Oct 2008 11:40:34 pm Joost Yervante Damad wrote:
Hi Luca,
[3] not that I checked with such printers, I'm only in touch with one
that needs a non-free firmware
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466758#15
So you don't