Hi,
there have been two vulnerabilities found in GForge 4.5. Are these
applicable to Debian's GForge 3.1 as well?
http://marc.theaimsgroup.com/?l=bugtraqm=112259845904350w=2
Cheers,
Moritz
___
Secure-testing-team mailing list
Hi,
I've just commited an initial version of a text file that we
should use to track information about packages that embed
local copies of other sources packages and therefore need
further fixing if a security problem arises in one of the
packages.
Cheers,
Moritz
Joey Hess wrote:
- Problem-Type should be renamed to Problem Scope or Vulnerability
Scope. OTOH it might be dropped completely, it's hard to decide
in several cases (e.g. when s/o processes some file that triggers
a vulnerability the attack vector may very well be remote, if this
Stefan Fritsch wrote:
Something very simple knocked up at http://www.halon.org.uk/tmp/test.php
Is something like this what's needed?
I guess that's ok (with some headers added). Or do we also need html
versions of the DTSAs with links to CVE entries, etc?
If this should be done, it would
Micah Anderson wrote:
Micah Anderson wrote:
Neither of these advisories is a typical DTSA, as we normally we only do
advisories for things that are blocked from reaching testing by some other
issue, but I think that it would be good to do these two advisories
because
of the sheer
Hi,
let's remove entries for vulnerabilities that do not manifest in
binary packages from the CAN/list. Filing a bug report for completeness
is fine, but it's beginning to clutter testing-security.html.
Debian is a binary oriented distribution and we don't give security
support for /usr/local
Hi Horms,
two more potential local DoS issues from the current review round
of patches for the next .13 stable release:
Cheers,
Moritz
From: Chris Wright [EMAIL PROTECTED]
Newsgroups: gmane.linux.kernel
Subject: [PATCH 02/11] [PATCH] Lost sockfd_put() in routing_ioctl()
Date: Wed, 14 Sep
Joey Hess wrote:
Now that 2.6.12 is finally in testing and work is well underway to
remove 2.6.8, I think we can switch to tracking security holes in the
new kernel now. There are several items listed as unfixed in 2.6.8, would
it be possible for someone to double check if any of these also
Hi,
as discussed we should implement some changes to our CAN/list and possibly
finalize it as well.
1. The unfixed tag should be pulled out from the brackets and moved to
the place, where the actual fix would belong to. This makes things
much more structured and logical.
CAN-2005-3011
Florian Weimer wrote:
CAN-2005-3011 (texindex in texinfo 4.7 and earlier allows local users to
overwrite ...)
- texinfo unfixed (bug #328265; low)
Please use some characters which cannot be part of version numbers,
for example:
- texinfo unfixed (bug #328265; low)
Hi,
I've started adding some user tags for bugs we already track in our tracker.
The usertag user is 'secure-testing-team@lists.alioth.debian.org' and the
tag is 'tracked'.
So, once a bug is in our tracker we can add it by sending a mail to [EMAIL
PROTECTED]
with the following body:
| user
Joey Hess wrote:
consider the following case: Package foo has a bug, the bug affects stable
or oldstable, but the fix for sid/testing consists in the removal of foo
or it has already been removed for other reasons.
not-affected doesn't fit, because older releases of Debian _are_ affected,
Hi,
as usual; to minimize the overhead I'm sending these again by email and not
through the BTS.
CAN-2005-3110:
DoS on SMP, potentially 2.4 and 2.6
http://sourceforge.net/mailarchive/forum.php?thread_id=6800453forum_id=8572
CAN-2005-3109:
Local DoS through oops by mounting a non-HFS+ filesystem
Hi Horms / security team,
I found three more security related reports/patches on linux-kernel.
Cheers,
Moritz
From: David Howells [EMAIL PROTECTED]
Plug request_key_auth memleak. This can be triggered by unprivileged
users, so is local DoS.
Signed-off-by: Chris Wright [EMAIL
Florian Weimer wrote:
+CAN-2005- [Missing safemode checks in PHP's _php_image_output
functions]
+ - php5 5.0.5-2
+ - php4 4:4.4.0-3
According to Debian's stable security bug fixing policy, these aren't
security vulnerabilities. Shall we track them nevertheless?
As this
Florian Weimer wrote:
According to Debian's stable security bug fixing policy, these aren't
security vulnerabilities. Shall we track them nevertheless?
As this hasn't been specifically publicly announced, we should do so?
I don't know. I've been told it's the policy, and I've
Hi,
I found this in an Ubuntu advisory, no CVE assignment seems yet to have
been made.
Robert Derr discovered a memory leak in the system call auditing code.
On a kernel which has the CONFIG_AUDITSYSCALL option enabled, this
leads to memory exhaustion and eventually a Denial of Service. A local
Noèl Köthe wrote:
this issue, it will be publicly released in 60 days on 12/12/2005.
Unfortunately, secure-testing-team@lists.alioth.debian.org is a
public mailing list, so it's no longer possible to hide this issue.
Its already public from the wget mailinglist from where I've got
Florian Weimer wrote:
It's just two more lines per DSA.
Well yes, but collection the information for these lines is the
time-consuming
part :-)
Don't think so. For current DSAs, the .dsc files are still on
security.debian.org, so it's probably possible to automate this to
some
Florian Weimer wrote:
Shall I undo my local FIXES/FIXED-BY changes, add the propagation code
for {...}, and merge back my local changes for tracking sarge/woody,
then?
Fine with me.
Cheers,
Moritz
___
Secure-testing-team mailing list
Martin Schulze wrote:
Thijs Kinkhorst wrote:
Another security problem has been found in mantis. Insufficient
input sanitising of the t_core_path parameter may be exploited to
perform
arbitrary file inclusion. Please see
http://secunia.com/secunia_research/2005-46/advisory/
Thijs Kinkhorst wrote:
All affect Sarge.
I've prepared updated packages for sarge. My updated package for sid is
still pending with my sponsor Luk Claes. The updated packages for sarge
are available here:
http://www.a-eskwadraat.nl/~kink/mantis_sec/
They are not signed since I'm not a
Thijs Kinkhorst wrote:
On Mon, October 31, 2005 16:07, Moritz Muehlenhoff wrote:
The included patches look fine and correlate to what I extracted from the
interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?
The mantis bug is non-public, but according to the description
Martin Zobel-Helas wrote:
I would do it, but i am on the LinuxWorldExpo in Frankfurt the next
days and doing booth duties for debian. So help would be appreciated.
I'll do.
Cheers,
Moritz
___
Secure-testing-team mailing list
Hi folks,
if you have some time available please work on some of the TODOs. The
list has grown quite a bit and many of these hide real issues that need
to be addressed. Several of them can also be handled rather simply by
mailing the maintainer or upstream.
Cheers,
Moritz
Thijs Kinkhorst wrote:
This is just a quick note that Debian is not vulnerable to
CVE-2005-3799, phpBB 2.0.18 allows remote attackers to obtain sensitive
information via a large SQL query, since this is a path disclosure
vulnerability.
Thanks for the notice, we already assumed it being a
Florian Weimer wrote:
* Moritz Muehlenhoff:
+CVE-2005- [Another fib_lookup DoS]
+ - linux-2.6 unfixed
+CVE-2005- [DoS in i82365 driver]
+ - linux-2.6 unfixed
Would it be possible to add a cross-reference in such cases,
preferably to MARC, or a bug number? Otherwise
Florian Weimer wrote:
+CVE-2005- [Another fib_lookup DoS]
+ - linux-2.6 unfixed
+CVE-2005- [DoS in i82365 driver]
+ - linux-2.6 unfixed
Would it be possible to add a cross-reference in such cases,
preferably to MARC, or a bug number? Otherwise, it's hard to figure
out
Florian Weimer wrote:
CVE-2004-1347 (X Display Manager (XDM) on Solaris 8 allows remote
attackers to cause ...)
- NOT-FOR-US: xdm on Solaris
+ -xdm not-affected (xdm on Solaris)
IIRC, this issue had already been fixed in XFree86 as an ordinary bug
at that time it was rediscovered
Stefan Fritsch wrote:
On Sunday 18 December 2005 13:21, Moritz Muehlenhoff wrote:
note in narrative-introduction that oldstable is now fully
supported
this is not really true. AIUI, when we checked the old CVEs last year,
we did not check whether versions in woody were affected. In many
Stefan Fritsch wrote:
On Monday 19 December 2005 18:37, Moritz Muehlenhoff wrote:
Woody is fully supported to the same extent that Sarge is supported
by the tracker. It just has more false positives. See the svn
commit logs for more information.
Woody may also have false negatives, i.e
Florian Weimer wrote:
[distribution-tags] - packagename no-dsa (This explains, why there is no
DSA)
I'm wondering if this is the correct format. Wouldn't it make sense
to generate a web page for http://www.debian.org/security/ from this
data? If yes, you might want to have a bit more
Florian Weimer wrote:
Florian Weimer wrote:
[distribution-tags] - packagename no-dsa (This explains, why there is
no DSA)
I'm wondering if this is the correct format. Wouldn't it make sense
to generate a web page for http://www.debian.org/security/ from this
data? If yes, you
Florian Weimer wrote:
===
--- data/CVE/list 2006-01-14 17:00:45 UTC (rev 3296)
+++ data/CVE/list 2006-01-15 12:03:20 UTC (rev 3297)
@@ -2826,6 +2826,7 @@
CVE-2005-3627 (Stream.cc in Xpdf, as used in products such as gpdf,
Florian Weimer wrote:
I intend to send a real debsecan announcement to debian-devel and
debian-security. A draft is included below. Comments are
appreciated.
Before bringing this to a wider audience more false positives and
non-issues should be weeded out (or at least document it very
Florian Weimer wrote:
remove mydns dupe
-CVE-2006- [mydns remote DoS]
- - mydns 1.1.0+pre-3 (medium)
CVE-2006-0353 (unix_random.c in lshd for lsh 2.0.1 leaks file descriptors
related to ...)
{DSA-956-1}
- lsh-utils 2.0.1cdbs-4 (low; bug #349303)
@@ -3718,7 +3716,7
SALVETTI Djoumé wrote:
Author: djoume-guest
Date: 2006-03-10 20:35:44 + (Fri, 10 Mar 2006)
New Revision: 3588
Modified:
data/CVE/list
Log:
* some NFUs
* flex issue, I'm looking for someone aware about the
coordination with ubuntu about this issue.
CVE-2006-0975 (Multiple
Hi,
I need to submit my thesis by end of this month and I'll travel through
Mexico two weeks ahead of DebConf, so I won't be able to process CVE/list
updates and merge information from debian-devel-changes in CVE/list until
DebConf. I'd would be great if someone steps in, especially for the
Stefan Fritsch wrote:
On Sunday 09 April 2006 22:22, Moritz Muehlenhoff wrote:
I need to submit my thesis by end of this month and I'll travel
through Mexico two weeks ahead of DebConf, so I won't be able to
process CVE/list updates and merge information from
debian-devel-changes in CVE
Djoume SALVETTI wrote:
Le lun 05 jun 2006 13:53:39 GMT Djoume SALVETTI [EMAIL PROTECTED] a écrit :
It's usually better to add - mozilla-thunderbird removed
annotations. Otherwise, you might need to edit the CVE/list file for
the DSA.
Ok, so I'll add a :
- mozilla-firefox
Francesco Poli wrote:
I'm not sure I understand correctly.
Are you basically saying that the testing security holes page[1] is not
accurate anymore?
Yes, all recent work has been put into idssi.enyo.de/tracker.
Cheers,
Moritz
___
Francesco Poli wrote:
Hi everyone again! :)
There's something I cannot quite understand about
http://idssi.enyo.de/tracker/status/release/stable
On that status page there are two rows about mpg123:
mpg123 (non-free) CVE-2006-1655
DSA-1074-1
There
Stefan Fritsch wrote:
Author: stef-guest
Date: 2006-07-31 17:58:15 + (Mon, 31 Jul 2006)
New Revision: 4478
Modified:
data/CVE/list
Log:
- track MFSA-2006-46 to -56
- firefox has been fixed
Modified: data/CVE/list
Stefan Fritsch wrote:
- mozilla-firefox removed
- mozilla-firefox unfixed
[sarge] - mozilla-firefox unfixed
Or am I missing something?
It's more or less the same, but removed was thought for packages,
which have been removed as a whole without ever having been fixed.
Well,
I started to raise severities of several security bugs. Unfortunately
many maintainers only care for these :-/
Please also file bugs for code duplication (embedding a copy) and
package duplication (needlessly introducing multiple versions in
a stable release), with at least severity important and
Francesco Poli wrote:
* Francesco Poli:
Now, I'm giving a look at
http://svn.debian.org/wsvn/secure-testing/
I cannot find many copyright or permission notices around...
The source files which actually contain valuable IP has the GPL
boilerplate.
I don't know what you mean
dann frazier wrote:
On Wed, Aug 16, 2006 at 05:07:31AM +0200, Goswin von Brederlow wrote:
Could we quantify that somewhat? Is one security bug enough? Are 10?
Do we have a delegate that could audit and veto a package already
other than the release team? Is that the domain of QA or security?
Can someone please apply some sed magic and rewrite all open TODOs
as NOT-FOR-US: Data pre-dating the Security Tracker? Nearly 5000
open TODOs keep attention away from the real issues that need
evaluation.
Cheers,
Moritz
___
We use a quite open system for maintaining our data, but some notes
to ensure a continuing high level of data quality:
- Do not add not-affected entries unless it's very obvious (like
Windows-specific issues) or clearly stated inside a bug log or
home page.
- Severity ratings have been
On Sat, Jan 13, 2007 at 06:41:11PM +0100, Florian Weimer wrote:
* Moritz Muehlenhoff:
- Severity ratings have been repeatedly picked up by news sites
taking it as an official position of the Debian project and
indirectly the Security Team. This means that severity ratings
should
Alex de Oliveira Silva wrote:
Hallo Moritz. Wie geht`s? :)
Welcome to the secret cabal of German speaking Debian people. :-)
- Severity ratings have been repeatedly picked up by news sites
taking it as an official position of the Debian project and
indirectly the Security Team. This
Florian Weimer wrote:
- unimportant are PHP Safe mode bugs, path disclosure (doesn't
matter on Debian), and issues for which we only ship vulnerable
source code which isn't compiled into the package.
Plus all the junk reports about security issues, which are non-issues
in practice,
Hideki Yamane wrote:
Hi list,
firefox package in unstable was removed.
see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409883
Please think about removing firefox from Vulnerable source
packages in the unstable suite page.
This is done automatically as the Security Tracker
Hi,
I've commited a temporary tracking file for the MOPB to SVN.
(data/mopb.txt). I'm away for the rest of the weekend, so it
doesn't cover all issues yet. I hope to catch up in a few days,
so that it can be updated daily after that. Additions, review
and corrections welcome.
Cheers,
On Thu, Apr 05, 2007 at 07:40:06PM +0200, Florian Weimer wrote:
* Moritz Muehlenhoff:
CVE-2007-1614 (Stack-based buffer overflow in the zzip_open_shared_io
function in ...)
- NOT-FOR-US: ZZIPlib
+ - zziplib unfixed (unknown)
+ NOTE:
http://www.securitylab.ru/forum/read.php
sean finney wrote:
hey guys,
to quote a little godfather...
Just when I thought that I was out they pull me back in
You don't have a chance. Stefan Esser is the Luca Brasi of PHP Security.
On Mon, 2007-04-30 at 23:44 +0200, Stefan Fritsch wrote:
On Montag, 30. April 2007,
Florian,
if you find the time; a new tag non-issue would much appreciated.
Examples:
- foo non-issue (Doesn't cross security-boundaries)
- foo non-issue (Expected bahaviour)
Right now, we mark these as unfixed (unimportant), which isn't
terribly clean.
Cheers,
Moritz
Florian Weimer wrote:
* Noah Meyerhans:
Modified:
data/CVE/list
Log:
DSA-1287-1 fixes ldap-account-manager issues
Is there are particular reason why you edit CVE/list instead of DSA/list?
Just wondering.
Noah,
there's an easier way to add DSAs: Simply add them to DSA/list and
On Wed, May 09, 2007 at 12:16:44PM +0200, Thijs Kinkhorst wrote:
On Wednesday 9 May 2007 00:12, you wrote:
Hmm, I not sure about this. The issue at hand seems like a generic design
issue in PHP that's unlikely to be ever fixed inside the interpreter. I
would assume that limits to recursion
Florian Weimer wrote:
* Stefan Fritsch:
I have fixed the information in the tracker. Can somebody fix the DSA
on security.d.o?
DSAs traditionally do not mention epochs. dpkg hides them from end
users as well. 8-/
I'm not sure if that should be changed.
Yes, epochs are being kept
We have too many unfixed entries w/o bugs. Unless you specifically
know that the maintainer or the security team is working on a fix
(of if it's about the kernel) please always file bugs, maintainers of
our more obscure and junky packages typically don't know about many
security problems.
On Sat, Jun 02, 2007 at 06:09:37PM +0200, Stefan Fritsch wrote:
On Samstag, 2. Juni 2007, Florian Weimer wrote:
CVE-2007-2849 (KnowledgeTree Document Management (aka
KnowledgeTree Open Source) ...) - NOT-FOR-US: KnowledgeTree
+ - knowledgetree unfixed
+ TODO: file bug
Oops. Does
On Thu, Jun 21, 2007 at 08:22:06PM +0200, Sam Hocevar wrote:
Dear security and testing-security teams,
I have prepared sarge and etch packages for the VideoLAN-SA-0702
advisory (found at http://www.videolan.org/sa0702.html). I took the
liberty to fix other DoS and buffer overflow bugs
On Sat, Jul 28, 2007 at 12:17:18PM -0500, David Moreno Garza wrote:
Moritz Muehlenhoff wrote:
Package: lists.debian.org
Severity: wishlist
Please create [EMAIL PROTECTED] This should be
the list, where all the work behind the Debian Security Tracker [1]
is coordinated.
Right
3ROn Tue, Aug 21, 2007 at 06:09:56PM +0200, Luk Claes wrote:
Moritz Muehlenhoff wrote:
Steffen Joeris wrote:
On the other hand, I was wondering,
why we stopped sending DTSA announcements.
Because it singles out a couple of packages, while you need to update daily
anyway
Stefan Fritsch wrote:
I was talking to nion last night and we were unsure about the
following. The DTSA announcements always included some nice
additional information and I would guess that sysadmins appreciate
these information in the announcement. Therefore, we were wondering,
if
On Sat, Oct 13, 2007 at 03:56:02PM +0200, Stefan Fritsch wrote:
On Thursday 11 October 2007, Thijs Kinkhorst wrote:
On Thu, October 11, 2007 05:49, [EMAIL PROTECTED] wrote:
@@ -104,12 +122,15 @@
Nico Golde (nion) and Steffen Joeris (white) have been added as
new members of the Testing
Florian Weimer wrote:
* Nico Golde:
Hi Ted,
* Ted Percival [EMAIL PROTECTED] [2007-10-15 09:03]:
ccontrol staticly links in dietlibc. I guess it should be added to the
list of packages with embedded code, unless static linking is handled
separately.
BTW did you consider to use
Nico Golde wrote:
I started restructuring the embedded code copies file
because it has become very chaotic over the time and I think
it can be well structured using a similar format as in the
CVE list.
I converted the xpdf entry to the new format:
On Thu, Feb 07, 2008 at 08:56:15PM +0100, Gregory Colpart wrote:
On Thu, Feb 07, 2008 at 07:57:56PM +0100, Nico Golde wrote:
Why not just sending a mail to the vendor-sec list?
Because Gregory and Ola are not on that mailing list, and can't be,
You can still be put in the CC
Hi,
since the beta1 of the Lenny installer the apt source for testing-security
is automatically added.
I think we should now move the daily annoucement mail to an official list
under lists.debian.org, e.g. debian-security-announce-testing
or debian-testing-security-announce.
Before that happens
Package: policykit
Severity: grave
Tags: security
Justification: user security hole
Please see https://bugs.freedesktop.org/show_bug.cgi?id=15295
for details and a patch.
Cheers,
Moritz
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500,
Andreas Tille wrote:
I can't say anything about stable though.
Well, I assume they are aware of the issue and could bother me if I
could / should do something, right?
If there's indication that the currently known issues are just the tip of
the iceberg, please ask for a review by
On Sun, May 18, 2008 at 11:37:44PM +0200, Andreas Tille wrote:
On Sun, 18 May 2008, Moritz Muehlenhoff wrote:
If there's indication that the currently known issues are just the tip of
the iceberg, please ask for a review by debian-audit:
http://www.debian.org/security/audit/
Thanks
On Mon, Jun 02, 2008 at 07:24:22PM +0200, Florian Weimer wrote:
Do we need this functionality?
I'm working on some tracker improvements, and the (limited) ability to
track CVEs based on binary packages makes progress rather difficult.
I don't think we need it at all, tracking by source
On Mon, Jun 30, 2008 at 04:55:33PM +0200, Nico Golde wrote:
Hi,
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-06-29 17:08]:
[...]
Modified: data/CVE/list
===
--- data/CVE/list 2008-06-25 22:35:57 UTC (rev 9162)
+++
Package: libavformat52
Version: 0.svn20080206-9
Severity: grave
Tags: security
Justification: user security hole
I noticed the following issue when browsing ffmpeg commit logs:
http://svn.mplayerhq.hu/ffmpeg?view=revrevision=13993
https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311
Cheers,
On Tue, Sep 30, 2008 at 11:34:30AM +0100, Neil McGovern wrote:
On Mon, Sep 29, 2008 at 10:41:15AM -0400, Michael Schultheiss wrote:
Please unblock gallery 1.5.9-1. This is a security release that fixed
CVE-2008-3662 and CVE-2008-4129. The CVE's were not listed in the
changelog since I did
On Tue, Oct 07, 2008 at 11:37:03PM +0200, Adeodato Simó wrote:
* Michael Schultheiss [Tue, 07 Oct 2008 16:37:41 -0400]:
Adeodato Simó wrote:
Unless there's more effort by upstream and the maintainer to address
this
by isolated patches and more detailed descriptions of
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole
Several vulnerabilities have been fixed in Apache Tomcat 6.0.18, see
below.
BTW, do we really need two Tomcat versions in Lenny? Is Tomcat 6
incompatible with 5.5?
Cheers,
Moritz
low: Cross-site
On Tue, Oct 07, 2008 at 04:37:41PM -0400, Michael Schultheiss wrote:
Adeodato Simó wrote:
Unless there's more effort by upstream and the maintainer to address this
by isolated patches and more detailed descriptions of vulnerabilities
we should rather drop Gallery from Lenny.
I'm fine
Hi,
I went through all the open Lenny security issues and commented on them
briefly. If everyone picks two and fixes them (or brings the respective
maintainter into fixing them :-), we'll have a lot less work post release.
Cheers,
Moritz
dia / #504251
Unfixed, no maintainer reaction,
ruby1.9 / CVE-2008-3443
This one's unclear. This needs to be reproduced with the milw0rm
POC and checked with upstream (other Ruby regex issues were recently
fixed).
ruby1.9 / CVE-2008-3905
Maybe this is already fixed and was only forgotten in the changelog,
needs further checks
On Mon, Nov 17, 2008 at 03:17:12PM -0600, Raphael Geissert wrote:
Moritz Muehlenhoff wrote:
php5 / CVE-2008-4107
php-suhosin provides proper randomisation, but this needs more visible
documentation. Maybe the release notes or the existing
README.Debian.security?
Well, since
On Mon, Nov 17, 2008 at 06:55:13AM +0100, Moritz Muehlenhoff wrote:
Hi,
I went through all the open Lenny security issues and commented on them
briefly.
Updated status below:
dovecot / CVE-2008-4578
Upstream patch for 1.1 in #502967, needs backport. The issue itself
looks harmless, might
On Tue, Nov 18, 2008 at 10:40:31PM +0100, Adeodato Simó wrote:
* Moritz Muehlenhoff [Wed, 12 Nov 2008 00:13:21 +0100]:
On Tue, Oct 07, 2008 at 04:37:41PM -0400, Michael Schultheiss wrote:
Adeodato Simó wrote:
Unless there's more effort by upstream and the maintainer to address
On Wed, Nov 19, 2008 at 04:07:27PM -0600, Raphael Geissert wrote:
Moritz Muehlenhoff wrote:
When filing bugs, please don't ask maintainers to refer to Secunia IDs.
The entries in there are often poorly researched and not suitable as
unique references among distributions. Rather point them
Package: enscript
Version: 1.6.4-12
Severity: grave
Tags: security
Justification: user security hole
Hi,
buffer overflows have been discovered in enscript:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306
I'm attaching a
On Wed, Nov 26, 2008 at 12:50:19AM -0800, Devin Carraway wrote:
On Mon, Nov 17, 2008 at 01:13:23PM -0800, Devin Carraway wrote:
mysql-dfsg-5.0 / CVE-2008-4098
Devin, you prepared the DSA. Since the upstream release is much more
recent than
Lenny and won't migrate, can you prepare
Package: devil
Severity: grave
Tags: security
Justification: user security hole
Hi,
please see http://secunia.com/secunia_research/2008-59/ for details.
Cheers,
Moritz
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386
Package: bugzilla
Severity: grave
Tags: security
Justification: user security hole
Please see
http://www.bugzilla.org/security/2.22.6/ and
http://www.bugzilla.org/security/3.0.7/
Cheers,
Moritz
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500,
Package: python-crypto
Severity: grave
Tags: security
--
Name: CVE-2009-0544
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0544
Reference: MLIST:[oss-security] 20090207 CVE Request: pycrypto
Reference: URL:http://www.openwall.com/lists/oss-security/2009/02/07/1
Package: net-snmp
Severity: grave
Tags: security
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123
Upstream patch at
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=revrevision=17367
Cheers,
Moritz
-- System Information:
Debian Release: 5.0
APT prefers unstable
Package: destar
Severity: grave
Tags: security
Two vulnerabilities have been found in DeStar:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6539
Can you provide updated packages for stable-security (and potentially
Package: amaya
Severity: grave
Tags: security
CVE-2009-1209:
Stack-based buffer overflow in W3C Amaya Web Browser 11.1 allows remote
attackers
to execute arbitrary code via a script tag with a long defer attribute.
http://www.milw0rm.com/exploits/8314
http://www.milw0rm.com/exploits/8321
I
Package: lcms
Severity: grave
Tags: security
The fixes from DSA 1745 need to be applied to unstable:
http://lists.debian.org/debian-security-announce/2009/msg00055.html
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386
Package: argyll
Severity: grave
Tags: security
Let's welcome argyll in the archive with an RC security bug :-)
argyll embeds a copy of icclib, which has recently been fixed in
a DSA for ghostscript. I'm attaching the patch from the DSA, please
pass it to argyll upstream and the maintainer of
Andreas Barth wrote:
Hi,
we had a short discussion today on these pages and the data on IRC.
The conclusions were / what needs to be done:
1. The web page should be moved into regular webwml (at least what's
needed), and a redirect be enabled;
When it's moved into webwml the
On Sun, Apr 12, 2009 at 06:56:34PM +0200, Ola Lundqvist wrote:
Hi Michael
It is a problem on Debian. I have successfully reproduced the problem.
The fix was very easy, just to add a chmod 600 /etc/ppp/chap-secrets.
I have uploaded a fixed package to unstable now.
I agree that it it not a
Package: xpdf
Severity: serious
xpdf has seen it's last maintainer upload two years ago. A package
like xpdf with a long-standing track record of security issues
needs an active maintainer.
(An cleanest solution might be to drop xpdf altogether; the
correct way to implement a PDF viewer these
1 - 100 of 709 matches
Mail list logo