Joey Hess
2005-Aug-28 20:19 UTC
[secure-testing-announce] [DTSA-5-1] New gaim packages fix multiple remote vulnerabilities
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------------- Debian Testing Security Advisory DTSA-5-1 http://secure-testing.debian.net secure-testing-team@lists.alioth.debian.org Joey Hess August 28th, 2005 - ----------------------------------------------------------------------------- Package : gaim Vulnerability : multiple remote vulnerabilities Problem-Type : remote Debian-specific: no CVE ID : CAN-2005-2102 CAN-2005-2370 CAN-2005-2103 Multiple security holes were found in gaim: CAN-2005-2102 The AIM/ICQ module in Gaim allows remote attackers to cause a denial of service (application crash) via a filename that contains invalid UTF-8 characters. CAN-2005-2370 Multiple memory alignment errors in libgadu, as used in gaim and other packages, allow remote attackers to cause a denial of service (bus error) on certain architectures such as SPARC via an incoming message. CAN-2005-2103 Buffer overflow in the AIM and ICQ module in Gaim allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an away message with a large number of AIM substitution strings, such as %t or %n. For the testing distribution (etch) this is fixed in version 1:1.4.0-5etch2. For the unstable distribution (sid) this is fixed in version 1:1.4.0-5. This upgrade is strongly recommended if you use gaim. The Debian testing security team does not track security issues for the stable distribution (woody). If stable is vulnerable, the Debian security team will make an announcement once a fix is ready. Upgrade Instructions - -------------------- To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list: deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free The archive signing key can be downloaded from http://secure-testing.debian.net/ziyi-2005-7.asc To install the update, run this command as root: apt-get update && apt-get install gaim For further information about the Debian testing security team, please refer to http://secure-testing.debian.net/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFDEhrI2tp5zXiKP0wRAoAOAKCg7sN6lMnIisZ7YDduNwpjHof9+ACfWcRT mIolWkSNlIHdwDwVKXYPh10=+HKc -----END PGP SIGNATURE-----