Package: vim
Version: 1:7.0.109
Severity: grave
Tags: security
Justification: user security hole
redhat has just released an update that fixes multiple security flaws in
vim [1]. these issues are currently reserved in the CVE tracker, but
redhat describes the problems as:
Multiple security
Package: anjuta
Version: 1.2.4a-5
Severity: grave
i just tested the etch -> lenny transition, and anjuta failed to upgrade
properly. the error follows:
Preparing to replace anjuta 1:1.2.4a-5 (using
.../anjuta_2%3a2.4.2-1_amd64.deb) ...
Unpacking replacement anjuta ...
dpkg: error processing
Package: xscreensaver
Version: 5.05-3
Severity: grave
i just tested the etch -> lenny transition on two of my systems, and
xscreensaver ended up locking me out of both of them.
version 4.24 of the xscreensaver daemon was running when i started the
upgrade. i went off to work on some other
Package: opensc
Severity: grave
Tags: security
Tags: patch
Hi,
There is a vulnerability in opensc. Details are:
| The security problem in short: you need a combination of
| 1.) a tool that starts a key generation with public exponent set to 1
| (an invalid value that causes an insecure
hello all,
any news on the patches for ghostscript in stable (CVE-2007-6725,
CVE-2008-6679, and CVE-2009-0196)? these issues have been sitting
unfixed for quite a while now. thanks.
mike
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe.
Package: gnutls26
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities Exposures) ids were
published for gnutls26.
CVE-2009-1417[0]:
| gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and
| expiration times of X.509 certificates, which allows remote
On Tue, 12 May 2009 13:54:10 +0100, Dominic Hargreaves wrote:
Hi,
I wondered if any fix is likely to be available for CVE-2008-5519
(information disclosure, looks potentially quite severe) any time
soon or if any more help is needed?
hi,
no one has claimed this (that i've seen), and the
On Tue, 12 May 2009 16:53:41 -0500, Jamie Strandboge wrote:
Package: cron
Version: 3.0pl1-105
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu jaunty ubuntu-patch
Hi,
I was reviewing a list of old bugs
On Fri, 15 May 2009 14:18:26 +0200, Nico Golde wrote:
Package: eggdrop
Severity: grave
Tags: security
Justification: user security hole
Hi,
turns out my patch has a bug in it which opens this up for a
buffer overflow again in case strlen(ctcpbuf) returns 0:
On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
This is an automatic notification regarding your Bug report
which was filed against the gnutls26 package:
#528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability
does it make sense to close this bug since
On Fri, 15 May 2009 20:15:49 +0200, Andreas Metzler wrote:
On 2009-05-15 Michael S. Gilbert michael.s.gilb...@gmail.com wrote:
On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
This is an automatic notification regarding your Bug report
which was filed against
On Fri, 15 May 2009 20:50:47 +0200, Nico Golde wrote:
Hi,
* Michael S. Gilbert michael.s.gilb...@gmail.com [2009-05-15 19:45]:
On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
This is an automatic notification regarding your Bug report
which was filed against
this is CVE-2008-0388:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0388
On Mon, 18 May 2009 06:49:48 +0200, Ola Lundqvist wrote:
Thanks. However this applies only to the windows version as that
functions do not even exist in the linux/unix version.
ok, yes, i see that now. thanks.
package: openoffice.org-common
severity: grave
version: 1:3.1.0-2
the latest version of openoffice will not install because a mkdir
fails:
mkdir: cannot create directory '/var/lib/openoffice/share/config': No
such file or directory
if i manually create the directory, the installation works:
$
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1~lenny1 0.10.4-4
Severity: serious
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for gstreamer0.10-plugins-good.
CVE-2009-1932[0]:
| Multiple integer overflows in the (1) user_info_callback,
package: ecryptfs-utils
version: 68-1
version: 75-1
severity: serious
tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for ecryptfs-utils.
CVE-2009-1296[0]:
|Chris Jones discovered that the eCryptfs support utilities would
|report the mount passphrase
reopen 517639
found 517639 1.8.7.72-3
found 517639 1.8.5-4etch4
thank you
hi,
this bug is still present in the stable releases. please coordinate
with the security team (t...@security.debian.org) to prepare updated
packages. thanks.
package: webkit
severity: serious
tags: security
hello,
it has been discovered that all of the major web browsers use a
predictable pseudo-random number generator (PRNG). please see
reference [0]. the robust solution is to switch to a provably
unpredictable PRNG such as Blum Blum Shub [1,2].
Package: dbus
Version: 1.2.1-5
Severity: grave
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for dbus.
CVE-2009-1189[0]:
| The _dbus_validate_signature_with_reason function
| (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses
|
found 532720 1.0.2-1+etch2
thank you
note bug report on CVE-2008-3834 is here: http://bugs.debian.org/501433
package: cupsys
version: 1.2.7-4
severity: serious
tags: security
hi,
cups may be affected by a security issue in its usb backend [0]. the
advisories state that this affects mac os x, but it is unclear if
other os'es are affected. i've submitted a bug upstream requesting
more info [1]. you
package: samba
version: 3.0.24-6
severity: serious
tags: security , patch
hi,
the following CVEs were issued for samba.
CVE-2009-2906 [0]:
| smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4
| before 3.4.2 allows remote authenticated users to cause a denial of
Package: openexr6
Version: 1.6.1
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) ids were
published for openexr6.
CVE-2009-1720[0]:
| Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow
| context-dependent attackers to cause a denial of service
Package: advi
Version: 1.6.0-12
Severity: serious
Tags: security
Hi,
The following CVE (Common Vulnerabilities Exposures) id was
published for camlimages. advi statically links to camlimages, so any
issues in that package are also applicable to advi. There were already
updates to camlimages
package: ffmpeg
version: 0.cvs20060823-8
severity: serious
tags: security
hi,
ffmpeg has been found to be vulnerable to many crashers [0],[1]. this
may enable remote compromise of a system.
please coordinate with upstream and the security team to push out
updates for these issues.
mike
[0]
On Sat, 10 Oct 2009 07:10:51 +0200 Christian Perrier wrote:
Version: 3.4.2-1
Quoting Michael S Gilbert (michael.s.gilb...@gmail.com):
package: samba
version: 3.0.24-6
severity: serious
tags: security , patch
hi,
the following CVEs were issued for samba.
Fixed in 3.4.2
package: iceweasel
version: 3.5
severity: critical
tags: security
hello, a remote shellcode injection has been disclosed for firefox [0],
[1]. the advisory says that version 3.5 has been verified as
vulnerable, but older versions are very likely susceptible as well. i
have not checked.
this is
forwarded 537104 https://bugzilla.mozilla.org/show_bug.cgi?id=504237
thanks
package: dbus
version: 1.2.16-1
severity: grave
hello, dbus is currently uninstallable on sid; erroring with the
following message:
chown: cannot access `/usr/lib/dbus-1.0/dbus-daemon-launch-help': No
such file or directory
this can be fixed with a 'mkdir -p':
$ sudo mkdir -p
On Thu, 16 Jul 2009 21:26:53 +0200, Chiel Kooijman wrote:
Package: base
Severity: critical
Tags: security
Justification: root security hole
I tried to edit /etc/fstab as user (forgot to use `sudo') but, as I
noticed later, the partition that contains the root (/) files was full.
After
reassign 537299 vim
retitle 537299 vim: potential data loss on saturated disk partitions
tag 537299 - security
thanks
On Thu, 16 Jul 2009 23:26:26 +0200, Chiel Kooijman wrote:
Thanks for your reply,
I guess you're right.
It hadn't occurred to me yet that it could have happened at the moment
package: libio-socket-ssl-perl
version: 1.01-1
severity: serious
tags: security , patch
a security issue has been fixed in the latest upstream version of
libio-socket-ssl-perl [0]. see patch [1]. please coordinate with the
security team to prepare updates for the stable releases. thank you.
package: mediawiki
version: 1:1.15.0-1
severity: serious
tags: security
hello, multiple vulnerabilities have been fixed in upstream mediawiki
1.15.1 (these problems did not exist before 1.14.0, so lenny/etch are
not vulnerable) [0]. please update unstable to this version. thanks.
[0]
package: htmldoc
version: 1.8.27-2
severity: serious
tags: security , patch
hello, a security advisory has been issued for htmldoc [0]. patches
available from gentoo [1]. please coordinate with the security team to
prepare updates for the stable releases. thank you.
[0]
while this bug is still open, would it make sense to disable the gcc
option/optimization/bug/flaw that allows this vulnerability to exist?
the -fno-delete-null-pointer-checks flag will completely disable
this option kernel-wide [1].
obviously there is a tradeoff here. the null pointer
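To make the gcc behaviour discussed in that message concrete, here is an added example (it is not kernel code and not from the bug report; the struct and function names are made up for the illustration). The dangerous idiom loads through a pointer and only then tests it for NULL. Since dereferencing NULL is undefined behaviour, gcc at -O2 is allowed to conclude the pointer was non-NULL and delete the later check; that inference is exactly what -fno-delete-null-pointer-checks switches off. The hardened form simply tests before it touches anything.

```c
#include <stddef.h>

/* Hypothetical kernel-like objects (assumed names, not from the page). */
struct sock { int proto; };
struct tun_struct { struct sock *sk; int flags; };

/*
 * VULNERABLE PATTERN: the load tun->sk happens before the NULL test.
 * gcc at -O2 may treat that load as proof that tun != NULL and remove
 * the `if (!tun)` branch entirely (-fno-delete-null-pointer-checks
 * forbids that). If page zero can be mapped, the load succeeds and the
 * function continues with attacker-controlled data. Never call with NULL.
 */
int tun_poll_unsafe(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;   /* dereference first ...              */
    if (!tun)                    /* ... then a check the compiler may drop */
        return -1;
    return sk ? sk->proto : -1;
}

/* HARDENED: test the pointer before touching anything it points to. */
int tun_poll_safe(struct tun_struct *tun)
{
    if (!tun)
        return -1;
    if (!tun->sk)
        return -1;
    return tun->sk->proto;
}

/* Small driver so both versions can be compared on a valid object. */
int tun_demo(int proto, int use_safe)
{
    struct sock s = { proto };
    struct tun_struct t = { &s, 0 };
    return use_safe ? tun_poll_safe(&t) : tun_poll_unsafe(&t);
}
```

Compile this with `gcc -O2 -S` and again with `gcc -O2 -fno-delete-null-pointer-checks -S` and diff the assembly of tun_poll_unsafe: the first build has no test of the pointer at all. The flag only blocks this one inference; it does nothing for code that dereferences first and never checks.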
tag 524806 patch
thanks
derived from ubuntu's 0.5.1 patch, here is a patch set for etch's
0.4.5. i am fairly certain all of these CVEs are addressed in this one.
note vulnerable code not present in etch for CVE-2009-0755/1188.
please test; i've done some basic testing with existing pdfs on my
reopen 535909
fixed 535909 1:3.0.1-3
thanks
This bug has been solved with 1:3.0.1-2 before the bug was opened.
thanks for the update. please coordinate with the security team to
prepare updates for the stable releases.
package: php5
version: 5.2.0-8+etch13
severity: serious
tags: security , patch
it has been disclosed that php is potentially vulnerable to remote
memory disclosure [0]. patches are available for 5.2.10 and 5.3.0, but
older versions are likely affected (as well as php4). please check and
the 2.8.1 fix is incomplete, and is now claimed fixed in 2.8.3. see:
http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
http://core.trac.wordpress.org/changeset/11765
http://core.trac.wordpress.org/changeset/11766
http://core.trac.wordpress.org/changeset/11768
package: rubygems1.9
version: 1.3.1
tags: security
severity: serious
hello, it has been disclosed that a specially crafted gem archive could
be used to overwrite system files. confirmed for 1.3.x, but older
versions may also be affected. please check and help the security
team prepare updates
On Sun, 09 Aug 2009 15:34:18 +0900 Daigo Moriwaki wrote:
Hello Michael,
Michael S. Gilbert wrote:
package: rubygems1.9
version: 1.3.1
tags: security
severity: serious
hello, it has been disclosed that a specially crafted gem archive could
be used to overwrite system files
On Sun, 9 Aug 2009 11:00:50 +0200 Sylvain Le Gall wrote:
Hello,
On Sat, Aug 08, 2009 at 11:01:45PM -0400, Michael S. Gilbert wrote:
reopen 535909
fixed 535909 1:3.0.1-3
thanks
This bug has been solved with 1:3.0.1-2 before the bug was opened.
thanks for the update. please
On Sun, 09 Aug 2009 17:01:38 +0900 Daigo Moriwaki wrote:
Hello Michael,
Michael S. Gilbert wrote:
In Debian, executables from gems install into a particular directory
specific to
RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of the system
directory
/usr/bin. There should
On Mon, 10 Aug 2009 08:24:06 -0500, Gunnar Wolf wrote:
Michael S. Gilbert dijo [Sun, Aug 09, 2009 at 11:58:04PM -0400]:
I tried testgem downloaded from
http://bugs.gentoo.org/show_bug.cgi?id=278566.
% sudo gem install testgem-0.0.1.gem
Successfully installed testgem-0.0.1
1
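The gem problem in this thread comes down to archive entry names that escape the directory the archive is unpacked into. Added example, not RubyGems code (the function names are hypothetical): the validation an extractor should run on every entry name before creating anything on disk. Absolute paths, any ".." component, backslashes and drive-letter prefixes are refused, and the on-disk target is only ever formed by joining an accepted name under a fixed root.

```c
#include <string.h>
#include <stdio.h>

/*
 * Returns 1 if `name` may be created beneath an extraction directory,
 * 0 otherwise. Rejects empty names, absolute paths, any ".." component,
 * backslashes and "C:"-style prefixes (archives built elsewhere may use
 * them). Hypothetical helper, not from RubyGems.
 */
int archive_entry_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (name[0] == '/' || name[0] == '\\')
        return 0;                        /* absolute path */
    if (strchr(name, '\\') != NULL)
        return 0;                        /* backslash separators: refuse */
    if (strlen(name) >= 2 && name[1] == ':')
        return 0;                        /* drive letter */

    /* Walk the path one component at a time looking for "..". */
    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (!end)
            break;
        p = end + 1;
    }
    return 1;
}

/*
 * Builds the on-disk path for an entry under `root`. Returns 0 and fills
 * `out` on success, -1 if the entry is unsafe or the result would not fit.
 */
int archive_entry_target(const char *root, const char *name,
                         char *out, size_t outlen)
{
    if (!archive_entry_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}
```

Name checking alone is not the whole story: a symlink entry that points outside the root, followed by a file entry written through it, escapes just as well, so an extractor also has to refuse links or create them only after all regular files have been written and verified.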
Package: libvorbis
Version: 1.1.2.dfsg-1.4
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for libvorbis.
CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products,
Package: xulrunner
Version: 1.9.1.1-2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for xulrunner.
CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows
On Mon, 10 Aug 2009 23:01:36 -0500, Peter Samuelson wrote:
CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows context-dependent
| attackers to cause a denial of service (memory corruption and
|
On Tue, 11 Aug 2009 11:47:50 +0200, Alexander Sack wrote:
On Mon, Aug 10, 2009 at 07:47:29PM -0400, Michael S Gilbert wrote:
Package: xulrunner
Version: 1.9.1.1-2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published
severity 532689 important
thanks
denial-of-services are not serious. this should probably be fixed
with CVE-2009-0642 which is actually serious. please coordinate with
the security team to prepare updates for the stable releases on these.
Package: nautilus
Version: 2.20-7
Severity: grave
Tags: security
as you have probably seen by now, there has been a lot of coverage
about the potential avenue for exploits via kde and gnome application
launchers (it looks like xfce is safe, for now) [1], [2], [3].
the core of the problem is that
Package: konqueror
Version: 4:3.5.9.dfsg.1-6
Severity: grave
Tags: security
as you have probably seen by now, there has been a lot of coverage
about the potential avenue for exploits via kde and gnome application
launchers (it looks like xfce is safe, for now) [1], [2], [3].
the core of the
you can track progress for this bug in kde here [1]
[1] http://bugs.debian.org/515106
On Sun, 01 Mar 2009 10:16:27 +0100 wrote:
(although if that's the case, i think that there is a problem
with debian's documentation [1] since it appears to indicate that any
and all security holes are to be reported as grave).
It says “Most security bugs should also be set at critical or
package: xfce4-clipman
severity: serious
version: 2:1.1.0-2
hello,
both xfce4-clipman and xfce4-clipman-plugin install the file
'/usr/share/applications/xfce4-clipman-plugin.desktop', which causes
xfce4-clipman's installation to fail:
Unpacking xfce4-clipman (from
package: xfs
version: 1:1.0.8-4
severity: serious
the latest xfs update is currently uninstallable on unstable. the error is:
Setting up xfs (1:1.0.8-4) ...
Installing new version of config file /etc/init.d/xfs ...
usermod: user debian-xfs is currently logged in
dpkg: error processing
package: clamav
severity: grave
tags: security
hi,
ubuntu recently patched a problem in clamav [1]. the description is:
It was discovered that ClamAV did not properly verify its input when
processing TAR archives. A remote attacker could send a specially
crafted TAR file and cause a
Package: php5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) ids were
published for php5.
CVE-2008-5814[0]:
| Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
| earlier, when display_errors is enabled, allows remote attackers to
|
Package: xine-lib
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities Exposures) id was
published for xine-lib.
CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows remote
|
package: linux-2.6
severity: grave
tags: security
as seen in recent articles and discussions, the linux kernel is
currently vulnerable to rootkit attacks via the /dev/mem device. one
article [1] mentions that there is an existing patch for the problem,
but does not link to it. perhaps this fix
On Thu, 16 Apr 2009 12:43:07 -0400, Noah Meyerhans wrote:
On Thu, Apr 16, 2009 at 11:55:05AM -0400, Michael S. Gilbert wrote:
as seen in recent articles and discussions, the linux kernel is
currently vulnerable to rootkit attacks via the /dev/mem device. one
article [1] mentions
reopen 524373
thanks
On Thu, 16 Apr 2009 16:53:38 -0400 Noah Meyerhans wrote:
On Thu, Apr 16, 2009 at 04:21:10PM -0400, Michael S. Gilbert wrote:
i think that any flaw that allows an attacker to elevate his pwnage from
root to hidden should always be considered a grave security issue
btw, redhat-based distros are thought to be invulnerable to these
attacks due to their incorporation of execshield (in particular, due to
address space randomization). perhaps it's high time that debian
consider doing the same?
i know that execshield is not in the vanilla kernel, but when it comes
fyi, see upstream changelog as well:
http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233
On Fri, 10 Apr 2009 18:18:00 +0100 Darren Salt wrote:
This does not apply to xine-lib. You mean CVE-2009-0698, which is fixed in
unstable (and should soon be fixed in, at least, stable too; it probably
applies to oldstable too, but I've not looked yet).
not that i nor anyone else should trust
package: ghostscript
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities Exposures) ids were
published for ghostscript.
CVE-2007-6725[0]:
| The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly
| other versions, allows remote attackers to cause a denial
package: poppler
severity: grave
tags: security
hello,
ubuntu recently patched the following poppler issues [0]:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
package: cups
severity: grave
tags: security
hello,
redhat recently patched the following cups [0], xpdf [1], and
kdegraphics[2] issues:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183
these
On Sat, 25 Apr 2009 01:15:11 + Debian Bug Tracking System wrote:
This is an automatic notification regarding your Bug report
which was filed against the nautilus package:
#515104: nautilus: potential exploits via application launchers
awesome! any chance of backporting this to lenny
On Tue, 21 Apr 2009 23:54:36 +0200 Nico Golde wrote:
Hi,
turns out CVE-2008-6679 also is fixed since 8.64.
The only unfixed issue in this report is CVE-2009-0196.
Michael, please better check the code next time, this would
have saved me a lot of time this evening.
I apologize. I have
Package: clamav
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities Exposures) ids were
published for clamav.
CVE-2008-5525[0]:
| ClamAV 0.94.1 and possibly 0.93.1, when Internet Explorer 6 or 7 is
| used, allows remote attackers to bypass detection of malware in an
|
hi,
any news on this one? since this is being tracked with critical
severity, it really should be handled as swiftly as possible (it's been
six months now since the original disclosure). suse has issued updates
for CVE-2008-5824, perhaps their patches may be helpful [1]. thanks.
mike
[1]
package: pango
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities Exposures) id was
published for pango1.0.
CVE-2009-1194[0]:
|Pango is a library for laying out and rendering text, with an emphasis
|on internationalization. Pango suffers from a multiplicative integer
reopen 520052
found 520052 1.0.1-4
fixed 520052 1.1.7-1
thanks
yes, i, as the original reporter, spent a non-insignificant amount of
time to determine that webkit is indeed affected. in fact, i believe
that my description in the original report is very complete and
describes the extent of the
CVE-2008-4723 is the wrong CVE, which is for firefox. it should be
CVE-2008-4724
since this is a minor issue, would you be interested in pushing out
fixes for this problem in a stable proposed update? if so, please
contact the security team.
mike
reopen 532689
thank you
this bug isn't entirely fixed yet since stable is still affected.
please coordinate with the security team to prepare updates for lenny.
thanks.
mike
Package: libpng
Version: 1.2.15~beta5-1+etch2
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for libpng.
CVE-2009-2042[0]:
| libpng before 1.2.37 does not properly parse 1-bit interlaced images
| with width values that are not
On Thu, 25 Jun 2009 22:33:10 + Moritz Muehlenhoff wrote:
lynx supports neither Javascript nor multipart/form-data, so it's not
affected.
i am trying to track the deeper cause here (the fact that all of the
web browsers use a predictable PRNG), rather than the symptom (this
particular
Package: cupsys
Version: 1.2.7-4etch6
Severity: serious
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for cups.
CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to
Package: cups
Version: 1.3.8-1+lenny6
Severity: serious
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for cups.
CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to
reopen 534973
fixed 534973 1:1.5.2-5
thanks
hello,
please assist the security team to prepare updates for this issue in
the stable releases. thank you.
mike
hello,
i just encountered this problem after upgrading xorg in unstable as
well. i use the dvorak keyboard, but now gdm and x have switched to
qwerty by default. i have tried reverting to libxi6 1.1.4 from
testing, but that did not solve the problem. i also tried setting up
the following in
reopen 532522
forwarded 532522 http://www.dillo.org/bugtrack/Dquery.html
thanks
package: dillo
version: 0.8.5-4
severity: serious
tags: security
hello,
it has been found that dillo is vulnerable to an integer overflow. the
text of the problem is:
|Dillo, an open source graphical web browser, suffers from an integer
|overflow which may lead to a potentially exploitable
fixed 533347 1.0.8-1
thanks
some more info about this issue can be found here [1]. please
coordinate with the security team to prepare updated packages for the
stable releases. thanks.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=501929
package: webkit
version: 1.0.1-4
severity: grave
tags: security
hello,
webkit has recently been hit by a deluge of security issues [1],[2].
i've been trying to figure out the state of these problems and where
debian is affected, but apple's security announcements have been
notoriously sparse.
forwarded 535793 https://bugs.webkit.org/show_bug.cgi?id=26973
thanks
i've started a discussion on these issues in the upstream bug report
in the above link.
On 7/5/09, Kiko Piris wrote:
Can’t upgrade nagios3 to 3.0.6-5, aptitude complains:
| The following packages have unmet dependencies:
| nagios3: Depends: libltdl3 (= 1.5.2-2) which is a virtual package.
And since that version solves DSA-1825-1, setting severity to grave.
Regards
--
forwarded 532520
http://lists.gnu.org/archive/html/lynx-dev/2009-07/msg0.html
thanks
it looks like the lynx situation for this issue isn't so simple.
from some of the upstream discussion, it looks like libbsd provides an
arc4random cryptographically secure PRNG, which lynx prefers when
available. an appropriate fix for this issue thus would be to depend on
libbsd0 and make sure lynx makes use of its arc4random.
mike
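The point behind the webkit report and this lynx follow-up, shown with added code that is not from any browser or from lynx: a linear congruential generator whose output is its state hands everything to an observer, so one observed value yields every later one, and a clock-seeded generator falls to a small brute force over candidate seeds; bytes from the kernel pool (what arc4random implementations seed themselves from) give the observer nothing to extrapolate. The constants, seed value and function names are choices for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy LCG (Numerical Recipes constants); the full 32-bit state is the output. */
static uint32_t lcg_state;

void lcg_seed(uint32_t seed) { lcg_state = seed; }

uint32_t lcg_next(void)
{
    lcg_state = lcg_state * 1664525u + 1013904223u;
    return lcg_state;
}

/* Attacker side: from one observed output, derive the next `n` outputs.
 * Nothing secret is involved because output == state. */
void lcg_predict(uint32_t observed, uint32_t *out, size_t n)
{
    uint32_t s = observed;
    for (size_t i = 0; i < n; i++) {
        s = s * 1664525u + 1013904223u;
        out[i] = s;
    }
}

/* Attacker side, clock-seeded case: try every seed in [t_lo, t_hi] until
 * the first output matches. Returns 1 and the seed on success. */
int lcg_recover_seed(uint32_t first_output, uint32_t t_lo, uint32_t t_hi,
                     uint32_t *seed_out)
{
    for (uint32_t t = t_lo; t <= t_hi; t++) {
        if (t * 1664525u + 1013904223u == first_output) {
            *seed_out = t;
            return 1;
        }
        if (t == UINT32_MAX)
            break;
    }
    return 0;
}

/* Defender side: fill `buf` from the kernel pool. Returns 0 on success. */
int csprng_fill(void *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Returns 1 if the next four outputs were predicted from a single one. */
int demo_lcg_predictable(void)
{
    lcg_seed(1246776000u);               /* constructed seed: a Unix timestamp */
    uint32_t seen = lcg_next();          /* the one value the attacker observes */
    uint32_t predicted[4], actual[4];
    lcg_predict(seen, predicted, 4);
    for (int i = 0; i < 4; i++)
        actual[i] = lcg_next();
    return memcmp(predicted, actual, sizeof predicted) == 0;
}
```

A generator that exposes only part of its state is harder, not safe: with enough consecutive outputs the hidden bits are recoverable too. The distinguishing property of the /dev/urandom path is that no amount of observed output narrows the next value.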
On Sun, 5 Jul 2009 08:43:27 +0200 Kiko Piris wrote:
| # apt-cache policy nagios3
| nagios3:
| Installed: 3.0.6-4+b1
| Candidate: 3.0.6-5
| Version table:
| 3.0.6-5 0
| 500 http://mir1.ovh.net unstable/main Packages
| *** 3.0.6-4+b1 0
| 100 /var/lib/dpkg/status
On Sun, 5 Jul 2009 20:25:47 +0200 Kiko Piris wrote:
Yes, I can see it now.
But, according to the file date on a couple of mirrors I just checked,
it seems to have “appeared” this morning at 11:19 CEST (just a couple of
hours after my bugreport).
fixed in latest unstable upload. closing.
Package: phpmyadmin
Version: 4:2.9.1.1-10
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for phpmyadmin.
CVE-2009-2284[0]:
| Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1
| allows remote attackers to inject
package: rails
version: 1.1.6-3
severity: serious
tags: security
hello,
it has been found that rails is vulnerable to a password bypass [1]. this will
be fixed in upstream version 2.3.3.
[1]
http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
package: camlimages
version: 2.20-8
severity: serious
tags: security
hello,
camlimages is vulnerable to several integer overflows [1]. this has
not yet been fixed upstream, but has been addressed by redhat [2].
[1] http://www.ocert.org/advisories/ocert-2009-009.html
[2]
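Most of the image and media issues reported on this page (OpenEXR, libpng, the CUPS pdftops filter, Pango's multiplicative overflow, dillo, camlimages here) share one shape: width times height times bytes-per-pixel wraps, a small buffer gets allocated, and the decoder then writes the full image into it. Added example, not code from any of those projects, with hypothetical names: the unchecked computation beside a check done in a wider type before the multiplication, plus an allocation wrapper that refuses anything that wrapped or exceeds a policy cap (the cap value is an assumption for the example).

```c
#include <stdint.h>
#include <stdlib.h>

#define IMG_MAX_BYTES (256u * 1024u * 1024u)   /* policy cap, assumed here */

/* UNCHECKED: with a 32-bit size_t, 65536 x 65536 x 4 wraps to 0, malloc(0)
 * succeeds, and the decoder then writes 16 GiB into a zero-length buffer. */
size_t image_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return (size_t)width * height * bpp;   /* wraps silently on overflow */
}

/*
 * CHECKED: compute in uint64_t, fail on a zero factor, on a product that
 * would wrap, or on a size above the cap. Returns 0 and stores the byte
 * count in *out on success, -1 otherwise.
 */
int image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    uint64_t n = (uint64_t)width * height;   /* < 2^64, cannot wrap */
    if (n > UINT64_MAX / bpp)
        return -1;                           /* n * bpp would wrap */
    n *= bpp;
    if (n > IMG_MAX_BYTES || n > SIZE_MAX)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Allocation wrapper a decoder would call; NULL on any overflow or cap hit. */
void *image_alloc(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (image_bytes_checked(width, height, bpp, &n) != 0)
        return NULL;
    return calloc(n, 1);
}
```

The cap matters as much as the wrap check: a 64-bit size_t turns many of these overflows into very large but well-formed allocations, which is still a denial of service against anything that renders untrusted files.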
On Mon, 6 Jul 2009 21:44:44 +0200 Thijs Kinkhorst wrote:
version 1:1.5.2-5 that I released to unstable is suitable for stable
aswell. Prior to this bugfix unstable and stable both contained
version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
build it for stable aswell?
Package: apache2
Version: 2.2.3-4+etch6
Severity: serious
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for apache2.
CVE-2009-1890[0]:
| The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
| module in the Apache HTTP Server
reopen 535488
reopen 535489
thanks
On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:
Hello Michael,
Michael S. Gilbert [2009-07-02 12:35 -0400]:
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for cups.
CVE-2009-0791[0]:
| Multiple integer
package: wordpress
version: 2.0.10-1etch3
severity: serious
tags: security
an advisory, CORE-2009-0515, has been issued for wordpress. there are issues
with unchecked privileges and many potential information disclosures. see [1].
this is fixed in upstream version 2.8.1. please coordinate