Neil McGovern
2005-Sep-03 15:02 UTC
[Secure-testing-commits] r1798 - data/DTSA website website/DTSA
Author: neilm
Date: 2005-09-03 15:02:10 +0000 (Sat, 03 Sep 2005)
New Revision: 1798
Added:
website/DTSA/DTSA-1-1.html
website/DTSA/DTSA-10-1.html
website/DTSA/DTSA-11-1.html
website/DTSA/DTSA-2-1.html
website/DTSA/DTSA-3-1.html
website/DTSA/DTSA-4-1.html
website/DTSA/DTSA-5-1.html
website/DTSA/DTSA-6-1.html
website/DTSA/DTSA-7-1.html
website/DTSA/DTSA-8-2.html
website/DTSA/DTSA-9-1.html
website/list.html
Modified:
data/DTSA/DTSA-1-1
data/DTSA/DTSA-10-1
data/DTSA/DTSA-11-1
data/DTSA/DTSA-2-1
data/DTSA/DTSA-3-1
data/DTSA/DTSA-4-1
data/DTSA/DTSA-5-1
data/DTSA/DTSA-6-1
data/DTSA/DTSA-7-1
data/DTSA/DTSA-8-1
data/DTSA/DTSA-8-2
data/DTSA/DTSA-9-1
data/DTSA/dtsa
data/DTSA/list
website/index.html
Log:
We now list DTSAs online. Hopefully.
Modified: data/DTSA/DTSA-1-1
==================================================================---
data/DTSA/DTSA-1-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-1-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -5,35 +5,35 @@
------------------------------------------------------------------------------
Package : kismet
-Vulnerability : remote code execution
-Problem-Type : remote
-Debian-specific: no
-CVE ID : CAN-2005-2626 CAN-2005-2627
+Vulnerability : various
+Problem-Scope : remote
+Debian-specific: No
+CVE ID : CAN-2005-2626 CAN-2005-2627
Multiple security holes have been discovered in kismet:
- CAN-2005-2627
+CAN-2005-2627
- Multiple integer underflows in Kismet allow remote attackers to execute
- arbitrary code via (1) kernel headers in a pcap file or (2) data frame
- dissection, which leads to heap-based buffer overflows.
+Multiple integer underflows in Kismet allow remote attackers to execute
+arbitrary code via (1) kernel headers in a pcap file or (2) data frame
+dissection, which leads to heap-based buffer overflows.
- CAN-2005-2626
+CAN-2005-2626
- Unspecified vulnerability in Kismet allows remote attackers to have an
- unknown impact via unprintable characters in the SSID.
+Unspecified vulnerability in Kismet allows remote attackers to have an
+unknown impact via unprintable characters in the SSID.
For the testing distribution (etch) this is fixed in version
-2005.08.R1-0.1etch1.
+2005.08.R1-0.1etch1
For the unstable distribution (sid) this is fixed in version
-2005.08.R1-1.
+2005.08.R1-1
-This upgrade is strongly recommended if you use kismet.
+This upgrade is recommended if you use kismet.
-The Debian testing security team does not track security issues for the
-stable distribution (woody). If stable is vulnerable, the Debian security
-team will make an announcement once a fix is ready.
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
@@ -41,16 +41,15 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
- deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
- deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
- apt-get update && apt-get install kismet
+apt-get update && apt-get install kismet
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-
Modified: data/DTSA/DTSA-10-1
==================================================================---
data/DTSA/DTSA-10-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-10-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -32,8 +32,8 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
-deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
Modified: data/DTSA/DTSA-11-1
==================================================================---
data/DTSA/DTSA-11-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-11-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -1,14 +1,14 @@
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-11-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Andres Salomon
August 29th, 2005
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Package : maildrop
Vulnerability : local privilege escalation
-Problem-Type : local
-Debian-specific: yes
-CVE ID : CAN-2005-2655
+Problem-Scope : local
+Debian-specific: Yes
+CVE ID : CAN-2005-2655
The lockmail binary shipped with maildrop allows for an attacker to
obtain an effective gid as group "mail". Debian ships the binary
with its
@@ -18,16 +18,16 @@
group.
For the testing distribution (etch) this is fixed in version
-1.5.3-1.1etch1.
+1.5.3-1.1etch1
For the unstable distribution (sid) this is fixed in version
-1.5.3-2.
+1.5.3-2
-This upgrade is strongly recommended if you use maildrop.
+This upgrade is recommended if you use maildrop.
-The Debian testing security team does not track security issues for the
-stable distribution (woody). If stable is vulnerable, the Debian security
-team will make an announcement once a fix is ready.
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
@@ -35,16 +35,15 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
- deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
- deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
- apt-get update && apt-get install maildrop
+apt-get update && apt-get install maildrop
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-
Modified: data/DTSA/DTSA-2-1
==================================================================---
data/DTSA/DTSA-2-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-2-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -1,51 +1,51 @@
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-2-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
August 28th, 2005
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Package : centericq
Vulnerability : multiple vulnerabilities
-Problem-Type : local and remote
-Debian-specific: no
-CVE ID : CAN-2005-2448 CAN-2005-2370 CAN-2005-2369 CAN-2005-1914
+Problem-Scope : local and remote
+Debian-specific: No
+CVE ID : CAN-2005-2448 CAN-2005-2370 CAN-2005-2369 CAN-2005-1914
centericq in testing is vulnerable to multiple security holes:
CAN-2005-2448
- Multiple endianness errors in libgadu, which is embedded in centericq,
- allow remote attackers to cause a denial of service (invalid behaviour in
- applications) on big-endian systems.
+Multiple endianness errors in libgadu, which is embedded in centericq,
+allow remote attackers to cause a denial of service (invalid behaviour in
+applications) on big-endian systems.
CAN-2005-2370
- Multiple memory alignment errors in libgadu, which is embedded in
- centericq, allows remote attackers to cause a denial of service (bus error)
- on certain architectures such as SPARC via an incoming message.
+Multiple memory alignment errors in libgadu, which is embedded in
+centericq, allows remote attackers to cause a denial of service (bus error)
+on certain architectures such as SPARC via an incoming message.
CAN-2005-2369
- Multiple integer signedness errors in libgadu, which is embedded in
- centericq, may allow remote attackers to cause a denial of service
- or execute arbitrary code.
+Multiple integer signedness errors in libgadu, which is embedded in
+centericq, may allow remote attackers to cause a denial of service
+or execute arbitrary code.
CAN-2005-1914
- centericq creates temporary files with predictable file names, which
- allows local users to overwrite arbitrary files via a symlink attack.
+centericq creates temporary files with predictable file names, which
+allows local users to overwrite arbitrary files via a symlink attack.
For the testing distribution (etch) this is fixed in version
-4.20.0-8etch1.
+4.20.0-8etch1
For the unstable distribution (sid) this is fixed in version
-4.20.0-9.
+4.20.0-9
This upgrade is recommended if you use centericq.
-The Debian testing security team does not track security issues for the
-stable distribution (woody). If stable is vulnerable, the Debian security
-team will make an announcement once a fix is ready.
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
@@ -53,16 +53,15 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
- deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
- deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
- apt-get update && apt-get upgrade
+apt-get update && apt-get install centericq
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-
Modified: data/DTSA/DTSA-3-1
==================================================================---
data/DTSA/DTSA-3-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-3-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -1,60 +1,60 @@
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-3-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
August 28th, 2005
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Package : clamav
Vulnerability : denial of service and privilege escalation
-Problem-Type : remote
-Debian-specific: no
+Problem-Scope : remote
+Debian-specific: No
CVE ID : CAN-2005-2070 CAN-2005-1923 CAN-2005-2056 CAN-2005-1922
CAN-2005-2450
Multiple security holes were found in clamav:
CAN-2005-2070
- The ClamAV Mail fILTER (clamav-milter), when used in Sendmail using long
- timeouts, allows remote attackers to cause a denial of service by keeping
- an open connection, which prevents ClamAV from reloading.
+The ClamAV Mail fILTER (clamav-milter), when used in Sendmail using long
+timeouts, allows remote attackers to cause a denial of service by keeping
+an open connection, which prevents ClamAV from reloading.
CAN-2005-1923
- The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) allows remote
- attackers to cause a denial of service (CPU consumption by infinite loop)
- via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff,
- which causes a zero-length read.
+The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) allows remote
+attackers to cause a denial of service (CPU consumption by infinite loop)
+via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff,
+which causes a zero-length read.
CAN-2005-2056
- The Quantum archive decompressor in Clam AntiVirus (ClamAV) allows remote
- attackers to cause a denial of service (application crash) via a crafted
- Quantum archive.
+The Quantum archive decompressor in Clam AntiVirus (ClamAV) allows remote
+attackers to cause a denial of service (application crash) via a crafted
+Quantum archive.
CAN-2005-1922
- The MS-Expand file handling in Clam AntiVirus (ClamAV) allows remote
- attackers to cause a denial of service (file descriptor and memory
- consumption) via a crafted file that causes repeated errors in the
- cli_msexpand function.
+The MS-Expand file handling in Clam AntiVirus (ClamAV) allows remote
+attackers to cause a denial of service (file descriptor and memory
+consumption) via a crafted file that causes repeated errors in the
+cli_msexpand function.
CAN-2005-2450
- Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file
- format processors in libclamav for Clam AntiVirus (ClamAV) allow remote
- attackers to gain privileges via a crafted e-mail message.
+Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file
+format processors in libclamav for Clam AntiVirus (ClamAV) allow remote
+attackers to gain privileges via a crafted e-mail message.
For the testing distribution (etch) this is fixed in version
-0.86.2-4etch1.
+0.86.2-4etch1
For the unstable distribution (sid) this is fixed in version
-0.86.2-1.
+0.86.2-1
-This upgrade is strongly recommended if you use clamav.
+This upgrade is recommended if you use clamav.
-The Debian testing security team does not track security issues for the
-stable distribution (woody). If stable is vulnerable, the Debian security
-team will make an announcement once a fix is ready.
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
@@ -62,16 +62,15 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
- deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
- deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
- apt-get update && apt-get upgrade
+apt-get update && apt-get install upgrade
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-
Modified: data/DTSA/DTSA-4-1
==================================================================---
data/DTSA/DTSA-4-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-4-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -1,56 +1,56 @@
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-4-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
August 28th, 2005
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Package : ekg
Vulnerability : multiple vulnerabilities
-Problem-Type : local and remote
-Debian-specific: no
-CVE ID : CAN-2005-1916 CAN-2005-1851 CAN-2005-1850 CAN-2005-1852
CAN-2005-2448
+Problem-Scope : local and remote
+Debian-specific: No
+CVE ID : CAN-2005-1916 CAN-2005-1851 CAN-2005-1850 CAN-2005-1852
CAN-2005-2448
Multiple vulnerabilities were discovered in ekg:
CAN-2005-1916
- Eric Romang discovered insecure temporary file creation and arbitrary
- command execution in a contributed script that can be exploited by a local
- attacker.
+Eric Romang discovered insecure temporary file creation and arbitrary
+command execution in a contributed script that can be exploited by a local
+attacker.
CAN-2005-1851
- Marcin Owsiany and Wojtek Kaniewski discovered potential shell command
- injection in a contributed script.
+Marcin Owsiany and Wojtek Kaniewski discovered potential shell command
+injection in a contributed script.
CAN-2005-1850
- Marcin Owsiany and Wojtek Kaniewski discovered insecure temporary file
- creation in contributed scripts.
+Marcin Owsiany and Wojtek Kaniewski discovered insecure temporary file
+creation in contributed scripts.
CAN-2005-1852
- Multiple integer overflows in libgadu, as used in ekg, allows remote
- attackers to cause a denial of service (crash) and possibly execute
- arbitrary code via an incoming message.
+Multiple integer overflows in libgadu, as used in ekg, allows remote
+attackers to cause a denial of service (crash) and possibly execute
+arbitrary code via an incoming message.
CAN-2005-2448
- Multiple endianness errors in libgadu in ekg allow remote attackers to
- cause a denial of service (invalid behaviour in applications) on
- big-endian systems.
+Multiple endianness errors in libgadu in ekg allow remote attackers to
+cause a denial of service (invalid behaviour in applications) on
+big-endian systems.
For the testing distribution (etch) this is fixed in version
-1:1.5+20050808+1.6rc3-0etch1.
+1:1.5+20050808+1.6rc3-0etch1
For the unstable distribution (sid) this is fixed in version
-1:1.5+20050808+1.6rc3-1.
+1:1.5+20050808+1.6rc3-1
This upgrade is recommended if you use ekg.
-The Debian testing security team does not track security issues for the
-stable distribution (woody). If stable is vulnerable, the Debian security
-team will make an announcement once a fix is ready.
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
@@ -58,16 +58,15 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
- deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
- deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
- apt-get update && apt-get install libgadu3 ekg
+apt-get update && apt-get install libgadu3 ekg
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-
Modified: data/DTSA/DTSA-5-1
==================================================================---
data/DTSA/DTSA-5-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-5-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -1,47 +1,47 @@
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-5-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
August 28th, 2005
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Package : gaim
Vulnerability : multiple remote vulnerabilities
-Problem-Type : remote
-Debian-specific: no
-CVE ID : CAN-2005-2102 CAN-2005-2370 CAN-2005-2103
+Problem-Scope : remote
+Debian-specific: No
+CVE ID : CAN-2005-2102 CAN-2005-2370 CAN-2005-2103
Multiple security holes were found in gaim:
CAN-2005-2102
- The AIM/ICQ module in Gaim allows remote attackers to cause a denial of
- service (application crash) via a filename that contains invalid UTF-8
- characters.
+The AIM/ICQ module in Gaim allows remote attackers to cause a denial of
+service (application crash) via a filename that contains invalid UTF-8
+characters.
CAN-2005-2370
- Multiple memory alignment errors in libgadu, as used in gaim and other
- packages, allow remote attackers to cause a denial of service (bus error)
- on certain architectures such as SPARC via an incoming message.
+Multiple memory alignment errors in libgadu, as used in gaim and other
+packages, allow remote attackers to cause a denial of service (bus error)
+on certain architectures such as SPARC via an incoming message.
CAN-2005-2103
- Buffer overflow in the AIM and ICQ module in Gaim allows remote attackers
- to cause a denial of service (application crash) and possibly execute
- arbitrary code via an away message with a large number of AIM substitution
- strings, such as %t or %n.
+Buffer overflow in the AIM and ICQ module in Gaim allows remote attackers
+to cause a denial of service (application crash) and possibly execute
+arbitrary code via an away message with a large number of AIM substitution
+strings, such as %t or %n.
For the testing distribution (etch) this is fixed in version
-1:1.4.0-5etch2.
+1:1.4.0-5etch2
For the unstable distribution (sid) this is fixed in version
-1:1.4.0-5.
+1:1.4.0-5
-This upgrade is strongly recommended if you use gaim.
+This upgrade is recommended if you use gaim.
-The Debian testing security team does not track security issues for the
-stable distribution (woody). If stable is vulnerable, the Debian security
-team will make an announcement once a fix is ready.
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
@@ -49,16 +49,15 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
- deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
- deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
- apt-get update && apt-get install gaim
+apt-get update && apt-get install gaim
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-
Modified: data/DTSA/DTSA-6-1
==================================================================---
data/DTSA/DTSA-6-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-6-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -1,41 +1,42 @@
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-6-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Neil McGovern
August 28th, 2005
------------------------------------------------------------------------------
+------------------------------------------------------------------------------
Package : cgiwrap
Vulnerability : multiple vulnerabilities
-Problem-Type : remote
-Debian-specific: yes,no
+Problem-Scope : remote
+Debian-specific: No
+CVE ID :
Javier Fernández-Sanguino Peña discovered various vulnerabilities in cgiwrap:
Minimum UID does not include all system users
- The CGIwrap program will not seteuid itself to uids below the
''minimum'' uid
- to prevent scripts from being misused to compromise the system. However,
- the Debian package sets the minimum uid to 100 when it should be 1000.
+The CGIwrap program will not seteuid itself to uids below the
''minimum'' uid
+to prevent scripts from being misused to compromise the system. However,
+the Debian package sets the minimum uid to 100 when it should be 1000.
CGIs can be used to disclose system information
- The cgiwrap (and php-cgiwrap) package installs some debugging CGIs
- (actually symbolink links, which link to cgiwrap and are called
''cgiwrap''
- and ''nph-cgiwrap'' or link to php-cgiwrap). These CGIs
should not be
- installed in production environments as they disclose internal and
- potentially sensible information.
+The cgiwrap (and php-cgiwrap) package installs some debugging CGIs
+(actually symbolink links, which link to cgiwrap and are called
''cgiwrap''
+and ''nph-cgiwrap'' or link to php-cgiwrap). These CGIs should
not be
+installed in production environments as they disclose internal and
+potentially sensible information.
For the testing distribution (etch) this is fixed in version
-3.9-3.0etch1.
+3.9-3.0etch1
For the unstable distribution (sid) this is fixed in version
-3.9-3.1.
+3.9-3.1
-This upgrade is encouraged if you use cgiwrap.
+This upgrade is recommended if you use cgiwrap.
-The Debian testing security team does not track security issues for the
-stable distribution (woody). If stable is vulnerable, the Debian security
-team will make an announcement once a fix is ready.
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
@@ -43,8 +44,8 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
- deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
- deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
@@ -55,6 +56,6 @@
If you use php-cgiwrap:
apt-get update && apt-get install php-cgiwrap
+
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-
Modified: data/DTSA/DTSA-7-1
==================================================================---
data/DTSA/DTSA-7-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-7-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -16,6 +16,8 @@
fixed as it uses Mozilla components. Mozilla Firefox is vulnerable and will
be covered by a separate advisory.
+Note that this is the same security fix put into stable in DSA-777.
+
For the testing distribution (etch) this is fixed in version
2:1.7.8-1sarge1
@@ -24,7 +26,9 @@
This upgrade is recommended if you use mozilla.
-Note that this is the same security fix put into stable in DSA-777.
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
@@ -32,15 +36,15 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
-deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
-apt-get update && apt-get upgrade
+apt-get update && apt-get install mozilla
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
Modified: data/DTSA/DTSA-8-1
==================================================================---
data/DTSA/DTSA-8-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-8-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -1,15 +1,22 @@
------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-8-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
-August 28th, 2005
+September 1st, 2005
------------------------------------------------------------------------------
Package : mozilla-firefox
-Vulnerability : several vulnerabilities
+Vulnerability : several vulnerabilities (update)
Problem-Scope : remote
Debian-specific: No
-CVE ID : CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261
CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266
CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
+CVE ID : CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261
CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266
CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
+We experienced that the update for Mozilla Firefox from DTSA-8-1
+unfortunately was a regression in several cases. Since the usual
+praxis of backporting apparently does not work, this update is
+basically version 1.0.6 with the version number rolled back, and hence
+still named 1.0.4-*. For completeness below is the original advisory
+text:
+
Several problems were discovered in Mozilla Firefox:
CAN-2004-0718 CAN-2005-1937
@@ -75,16 +82,20 @@
The Mozilla browser family does not properly clone base objects, which allows
remote attackers to execute arbitrary code.
+Note that this is the same set of security fixes put into stable in
+DSA-775 and DSA-779, and updated in DSA-779-2.
+
For the testing distribution (etch) this is fixed in version
-1.0.4-2sarge2
+1.0.4-2sarge3
For the unstable distribution (sid) this is fixed in version
1.0.6-3
This upgrade is recommended if you use mozilla-firefox.
-Note that this is the same set of security fixes put into stable in
-DSA-775 and DSA-779.
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
@@ -92,15 +103,15 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
-deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
-apt-get update && apt-get install mozilla-firefox
+apt-get update && apt-get install mozilla-firefoxFIXME, I''m
broken
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
Modified: data/DTSA/DTSA-8-2
==================================================================---
data/DTSA/DTSA-8-2 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-8-2 2005-09-03 15:02:10 UTC (rev 1798)
@@ -1,5 +1,5 @@
------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-8-2 http://secure-testing.debian.net
+Debian Testing Security Advisory DTSA-8-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
September 1st, 2005
------------------------------------------------------------------------------
@@ -103,8 +103,8 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
-deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
Modified: data/DTSA/DTSA-9-1
==================================================================---
data/DTSA/DTSA-9-1 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/DTSA-9-1 2005-09-03 15:02:10 UTC (rev 1798)
@@ -32,8 +32,8 @@
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
-deb http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
Modified: data/DTSA/dtsa
==================================================================---
data/DTSA/dtsa 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/dtsa 2005-09-03 15:02:10 UTC (rev 1798)
@@ -92,7 +92,7 @@
def construct_dtsa_list(date, dtsa_id, cve, src, vuln_type, testing_fix):
l_f = open(os.getcwd() + "/list", "a")
# What do we need the date for?
- l_f.write("[01 Jan 1969] " + dtsa_id + " " + src + "
- " + vuln_type + "\n")
+ l_f.write("[" + date + "] " + dtsa_id + " " +
src + " - " + vuln_type + "\n")
cves = ""
if len(cve) > 0:
for i in cve:
@@ -193,7 +193,7 @@
# ascii.write("Vendor advisory: " + vendor_advisory +
"\n")
# else:
# ascii.write("Vendor advisory: Not available\n")
- cves = "CVE ID : "
+ cves = "CVE ID : "
if len(cve) > 0:
for i in cve:
cves += i
Modified: data/DTSA/list
==================================================================---
data/DTSA/list 2005-09-03 14:46:03 UTC (rev 1797)
+++ data/DTSA/list 2005-09-03 15:02:10 UTC (rev 1798)
@@ -1,32 +1,34 @@
-[29 Aug 2005] DTSA-11-1 maildrop - local privilege escalation
- {CAN-2005-2655}
- - maildrop 1.5.3-1.1etch1 (high)
-[31 Aug 2005] DTSA-10-1 pcre3 - buffer overflow
- {CAN-2005-2491}
- - pcre3 6.3-0.1etch1 (high)
-[31 Aug 2005] DTSA-9-1 bluez-utils - bad device name escaping
- {CAN-2005-2547}
- - bluez-utils 2.19-0.1etch1 (high)
-[28 Aug 2005] DTSA-8-2 mozilla-firefox - several vulnerabilities
- {CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262
CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267
CAN-2005-2268 CAN-2005-2269 CAN-2005-2270}
- - mozilla-firefox 1.0.4-2sarge3 (high)
-[28 Aug 2005] DTSA-7-1 mozilla - frame injection spoofing
- {CAN-2004-0718 CAN-2005-1937}
- - mozilla 2:1.7.8-1sarge1 (high)
-[28 Aug 2005] DTSA-6-1 cgiwrap - multiple vulnerabilities
- - cgiwrap 3.9-3.0etch1 (low)
-[27 Aug 2005] DTSA-5-1 gaim - multiple remote vulnerabilities
- {CAN-2005-2102 CAN-2005-2370 CAN-2005-2103}
- - gaim 1:1.4.0-5etch2 (high)
-[27 Aug 2005] DTSA-4-1 ekg - multiple vulnerabilities
- {CAN-2005-1916 CAN-2005-1851 CAN-2005-1850 CAN-2005-1852 CAN-2005-2448}
- - ekg 1:1.5+20050808+1.6rc3-0etch1 (low)
-[27 Aug 2005] DTSA-3-1 clamav - denial of service and privilege escalation
- {CAN-2005-2070 CAN-2005-1923 CAN-2005-2056 CAN-2005-1922 CAN-2005-2450}
- - clamav 0.86.2-4etch1 (high)
-[27 Aug 2005] DTSA-2-1 centericq - multiple vulnerabilities
- {CAN-2005-2448 CAN-2005-2370 CAN-2005-2369 CAN-2005-1914}
- - centericq 4.20.0-8etch1 (medium)
-[26 Aug 2005] DTSA-1-1 kismet - remote code execution
- {CAN-2005-2626 CAN-2005-2627}
- - kismet 2005.08.R1-0.1etch1 (high)
+[August 26th, 2005] DTSA-1-1 kismet - various
+ {CAN-2005-2626 CAN-2005-2627 }
+ - kismet 2005.08.R1-0.1etch1
+[August 28th, 2005] DTSA-2-1 centericq - multiple vulnerabilities
+ {CAN-2005-2448 CAN-2005-2370 CAN-2005-2369 CAN-2005-1914 }
+ - centericq 4.20.0-8etch1
+[August 28th, 2005] DTSA-3-1 clamav - denial of service and privilege
escalation
+ {CAN-2005-2070 CAN-2005-1923 CAN-2005-2056 CAN-2005-1922 CAN-2005-2450 }
+ - clamav 0.86.2-4etch1
+[August 28th, 2005] DTSA-4-1 ekg - multiple vulnerabilities
+ {CAN-2005-1916 CAN-2005-1851 CAN-2005-1850 CAN-2005-1852 CAN-2005-2448 }
+ - ekg 1:1.5+20050808+1.6rc3-0etch1
+[August 28th, 2005] DTSA-5-1 gaim - multiple remote vulnerabilities
+ {CAN-2005-2102 CAN-2005-2370 CAN-2005-2103 }
+ - gaim 1:1.4.0-5etch2
+[August 28th, 2005] DTSA-6-1 cgiwrap - multiple vulnerabilities
+ { }
+ - cgiwrap 3.9-3.0etch1
+[August 28th, 2005] DTSA-7-1 mozilla - frame injection spoofing
+ {CAN-2004-0718 CAN-2005-1937 }
+ - mozilla 2:1.7.8-1sarge1
+[September 1st, 2005] DTSA-8-2 mozilla-firefox - several vulnerabilities
(update)
+ {CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262
CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267
CAN-2005-2268 CAN-2005-2269 CAN-2005-2270 }
+ - mozilla-firefox 1.0.4-2sarge3
+ TODO: unreleased
+[August 31st, 2005] DTSA-9-1 bluez-utils - bad device name escaping
+ {CAN-2005-2547 }
+ - bluez-utils 2.19-0.1etch1
+[August 29th, 2005] DTSA-10-1 pcre3 - buffer overflow
+ {CAN-2005-2491 }
+ - pcre3 6.3-0.1etch1
+[August 29th, 2005] DTSA-11-1 maildrop - local privilege escalation
+ {CAN-2005-2655 }
+ - maildrop 1.5.3-1.1etch1
Added: website/DTSA/DTSA-1-1.html
==================================================================---
website/DTSA/DTSA-1-1.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-1-1.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,54 @@
+<h2>DTSA-1-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 26th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:kismet''>kismet</a></dd>
+<dt>Vulnerability:</dt>
+<dd>various</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2626''>CAN-2005-2626</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2627''>CAN-2005-2627</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>Multiple security holes have been discovered in
kismet: <br>
+ <br>
+CAN-2005-2627 <br>
+ <br>
+Multiple integer underflows in Kismet allow remote attackers to
execute <br>
+arbitrary code via (1) kernel headers in a pcap file or (2) data
frame <br>
+dissection, which leads to heap-based buffer overflows. <br>
+ <br>
+CAN-2005-2626 <br>
+ <br>
+Unspecified vulnerability in Kismet allows remote attackers to have
an <br>
+unknown impact via unprintable characters in the SSID. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 2005.08.R1-0.1etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
2005.08.R1-1</dt>
+<br><dt>This upgrade is recommended if you use kismet.<dt>
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install kismet</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Added: website/DTSA/DTSA-10-1.html
==================================================================---
website/DTSA/DTSA-10-1.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-10-1.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,51 @@
+<h2>DTSA-10-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 29th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:pcre3''>pcre3</a></dd>
+<dt>Vulnerability:</dt>
+<dd>buffer overflow</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491''>CAN-2005-2491</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>An integer overflow in pcre_compile.c in Perl Compatible Regular
Expressions <br>
+(PCRE) allows attackers to execute arbitrary code via quantifier values
in <br>
+regular expressions, which leads to a heap-based buffer
overflow. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 6.3-0.1etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
6.3-1</dt>
+<br><dt>This upgrade is recommended if you use pcre3.<dt>
+<br><dt>-Before installing the update, please note that you will
need to restart all
+daemons that link with libpcre3 for the security fix to be used. Either
+reboot your machine after the upgrade, or make a list of processes that are
+using libpcre3, and restart them after the upgrade. To generate the list,
+run this command before you upgrade:</dt>
+<dd>lsof /usr/lib/libpcre.so.3<dd>
+
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install libpcre3</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Added: website/DTSA/DTSA-11-1.html
==================================================================---
website/DTSA/DTSA-11-1.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-11-1.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,47 @@
+<h2>DTSA-11-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 29th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:maildrop''>maildrop</a></dd>
+<dt>Vulnerability:</dt>
+<dd>local privilege escalation</dd>
+<dt>Problem-Scope:</dt>
+<dd>local</dd>
+<dt>Debian-specific:</dt>
+<dd>Yes<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2655''>CAN-2005-2655</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>The lockmail binary shipped with maildrop allows for an attacker
to <br>
+obtain an effective gid as group "mail". Debian ships the binary
with its <br>
+setgid bit set, but the program does not drop privileges when run. It
takes <br>
+an argument that is executed, and since it does not drop privileges,
an <br>
+attacker can execute an arbitrary command with an effective gid of the
"mail" <br>
+group. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 1.5.3-1.1etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
1.5.3-2</dt>
+<br><dt>This upgrade is recommended if you use maildrop.<dt>
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install maildrop</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Added: website/DTSA/DTSA-2-1.html
==================================================================---
website/DTSA/DTSA-2-1.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-2-1.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,68 @@
+<h2>DTSA-2-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:centericq''>centericq</a></dd>
+<dt>Vulnerability:</dt>
+<dd>multiple vulnerabilities</dd>
+<dt>Problem-Scope:</dt>
+<dd>local and remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2448''>CAN-2005-2448</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370''>CAN-2005-2370</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2369''>CAN-2005-2369</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1914''>CAN-2005-1914</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>centericq in testing is vulnerable to multiple security
holes: <br>
+ <br>
+CAN-2005-2448 <br>
+ <br>
+Multiple endianness errors in libgadu, which is embedded in
centericq, <br>
+allow remote attackers to cause a denial of service (invalid behaviour
in <br>
+applications) on big-endian systems. <br>
+ <br>
+CAN-2005-2370 <br>
+ <br>
+Multiple memory alignment errors in libgadu, which is embedded
in <br>
+centericq, allows remote attackers to cause a denial of service (bus
error) <br>
+on certain architectures such as SPARC via an incoming
message. <br>
+ <br>
+CAN-2005-2369 <br>
+ <br>
+Multiple integer signedness errors in libgadu, which is embedded
in <br>
+centericq, may allow remote attackers to cause a denial of
service <br>
+or execute arbitrary code. <br>
+ <br>
+CAN-2005-1914 <br>
+ <br>
+centericq creates temporary files with predictable file names,
which <br>
+allows local users to overwrite arbitrary files via a symlink
attack. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 4.20.0-8etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
4.20.0-9</dt>
+<br><dt>This upgrade is recommended if you use centericq.<dt>
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install centericq</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Added: website/DTSA/DTSA-3-1.html
==================================================================---
website/DTSA/DTSA-3-1.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-3-1.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,78 @@
+<h2>DTSA-3-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:clamav''>clamav</a></dd>
+<dt>Vulnerability:</dt>
+<dd>denial of service and privilege escalation</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2070''>CAN-2005-2070</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1923''>CAN-2005-1923</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2056''>CAN-2005-2056</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1922''>CAN-2005-1922</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2450''>CAN-2005-2450</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>Multiple security holes were found in clamav: <br>
+ <br>
+CAN-2005-2070 <br>
+ <br>
+The ClamAV Mail fILTER (clamav-milter), when used in Sendmail using
long <br>
+timeouts, allows remote attackers to cause a denial of service by
keeping <br>
+an open connection, which prevents ClamAV from reloading. <br>
+ <br>
+CAN-2005-1923 <br>
+ <br>
+The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) allows
remote <br>
+attackers to cause a denial of service (CPU consumption by infinite
loop) <br>
+via a cabinet (CAB) file with the cffile_FolderOffset field set to
0xff, <br>
+which causes a zero-length read. <br>
+ <br>
+CAN-2005-2056 <br>
+ <br>
+The Quantum archive decompressor in Clam AntiVirus (ClamAV) allows
remote <br>
+attackers to cause a denial of service (application crash) via a
crafted <br>
+Quantum archive. <br>
+ <br>
+CAN-2005-1922 <br>
+ <br>
+The MS-Expand file handling in Clam AntiVirus (ClamAV) allows
remote <br>
+attackers to cause a denial of service (file descriptor and
memory <br>
+consumption) via a crafted file that causes repeated errors in
the <br>
+cli_msexpand function. <br>
+ <br>
+CAN-2005-2450 <br>
+ <br>
+Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG
file <br>
+format processors in libclamav for Clam AntiVirus (ClamAV) allow
remote <br>
+attackers to gain privileges via a crafted e-mail message. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 0.86.2-4etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
0.86.2-1</dt>
+<br><dt>This upgrade is recommended if you use clamav.<dt>
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get upgrade</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Added: website/DTSA/DTSA-4-1.html
==================================================================---
website/DTSA/DTSA-4-1.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-4-1.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,74 @@
+<h2>DTSA-4-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:ekg''>ekg</a></dd>
+<dt>Vulnerability:</dt>
+<dd>multiple vulnerabilities</dd>
+<dt>Problem-Scope:</dt>
+<dd>local and remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1916''>CAN-2005-1916</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1851''>CAN-2005-1851</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1850''>CAN-2005-1850</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1852''>CAN-2005-1852</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2448''>CAN-2005-2448</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>Multiple vulnerabilities were discovered in ekg: <br>
+ <br>
+CAN-2005-1916 <br>
+ <br>
+Eric Romang discovered insecure temporary file creation and
arbitrary <br>
+command execution in a contributed script that can be exploited by a
local <br>
+attacker. <br>
+ <br>
+CAN-2005-1851 <br>
+ <br>
+Marcin Owsiany and Wojtek Kaniewski discovered potential shell
command <br>
+injection in a contributed script. <br>
+ <br>
+CAN-2005-1850 <br>
+ <br>
+Marcin Owsiany and Wojtek Kaniewski discovered insecure temporary
file <br>
+creation in contributed scripts. <br>
+ <br>
+CAN-2005-1852 <br>
+ <br>
+Multiple integer overflows in libgadu, as used in ekg, allows
remote <br>
+attackers to cause a denial of service (crash) and possibly
execute <br>
+arbitrary code via an incoming message. <br>
+ <br>
+CAN-2005-2448 <br>
+ <br>
+Multiple endianness errors in libgadu in ekg allow remote attackers
to <br>
+cause a denial of service (invalid behaviour in applications)
on <br>
+big-endian systems. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 1:1.5+20050808+1.6rc3-0etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
1:1.5+20050808+1.6rc3-1</dt>
+<br><dt>This upgrade is recommended if you use ekg.<dt>
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install libgadu3 ekg</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Added: website/DTSA/DTSA-5-1.html
==================================================================---
website/DTSA/DTSA-5-1.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-5-1.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,63 @@
+<h2>DTSA-5-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:gaim''>gaim</a></dd>
+<dt>Vulnerability:</dt>
+<dd>multiple remote vulnerabilities</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102''>CAN-2005-2102</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370''>CAN-2005-2370</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103''>CAN-2005-2103</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>Multiple security holes were found in gaim: <br>
+ <br>
+CAN-2005-2102 <br>
+ <br>
+The AIM/ICQ module in Gaim allows remote attackers to cause a denial
of <br>
+service (application crash) via a filename that contains invalid
UTF-8 <br>
+characters. <br>
+ <br>
+CAN-2005-2370 <br>
+ <br>
+Multiple memory alignment errors in libgadu, as used in gaim and
other <br>
+packages, allow remote attackers to cause a denial of service (bus
error) <br>
+on certain architectures such as SPARC via an incoming
message. <br>
+ <br>
+CAN-2005-2103 <br>
+ <br>
+Buffer overflow in the AIM and ICQ module in Gaim allows remote
attackers <br>
+to cause a denial of service (application crash) and possibly
execute <br>
+arbitrary code via an away message with a large number of AIM
substitution <br>
+strings, such as %t or %n. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 1:1.4.0-5etch2</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
1:1.4.0-5</dt>
+<br><dt>This upgrade is recommended if you use gaim.<dt>
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install gaim</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Added: website/DTSA/DTSA-6-1.html
==================================================================---
website/DTSA/DTSA-6-1.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-6-1.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,60 @@
+<h2>DTSA-6-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:cgiwrap''>cgiwrap</a></dd>
+<dt>Vulnerability:</dt>
+<dd>multiple vulnerabilities</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=''></a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>Javier Fernández-Sanguino Peña discovered various vulnerabilities in
cgiwrap: <br>
+ <br>
+Minimum UID does not include all system users <br>
+ <br>
+The CGIwrap program will not seteuid itself to uids below the
''minimum'' uid <br>
+to prevent scripts from being misused to compromise the system.
However, <br>
+the Debian package sets the minimum uid to 100 when it should be
1000. <br>
+ <br>
+CGIs can be used to disclose system information <br>
+ <br>
+The cgiwrap (and php-cgiwrap) package installs some debugging
CGIs <br>
+(actually symbolink links, which link to cgiwrap and are called
''cgiwrap'' <br>
+and ''nph-cgiwrap'' or link to php-cgiwrap). These CGIs should
not be <br>
+installed in production environments as they disclose internal
and <br>
+potentially sensible information. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 3.9-3.0etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
3.9-3.1</dt>
+<br><dt>This upgrade is recommended if you use cgiwrap.<dt>
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dt>If you use cgiwrap:</dt>
+<dd>apt-get update && apt-get install cgiwrap</dd>
+<dd>If you use php-cgiwrap:<dd>
+<dt>apt-get update && apt-get install php-cgiwrap</dt>
+
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Added: website/DTSA/DTSA-7-1.html
==================================================================---
website/DTSA/DTSA-7-1.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-7-1.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,49 @@
+<h2>DTSA-7-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:mozilla''>mozilla</a></dd>
+<dt>Vulnerability:</dt>
+<dd>frame injection spoofing</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718''>CAN-2004-0718</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1937''>CAN-2005-1937</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>A vulnerability has been discovered in Mozilla that allows remote
attackers <br>
+to inject arbitrary Javascript from one page into the frameset of
another <br>
+site. Thunderbird is not affected by this and Galeon will be
automatically <br>
+fixed as it uses Mozilla components. Mozilla Firefox is vulnerable and
will <br>
+be covered by a separate advisory. <br>
+ <br>
+Note that this is the same security fix put into stable in
DSA-777. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 2:1.7.8-1sarge1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
2:1.7.10-1</dt>
+<br><dt>This upgrade is recommended if you use mozilla.<dt>
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install mozilla</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Added: website/DTSA/DTSA-8-2.html
==================================================================---
website/DTSA/DTSA-8-2.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-8-2.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,127 @@
+<h2>DTSA-8-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>September 1st, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:mozilla-firefox''>mozilla-firefox</a></dd>
+<dt>Vulnerability:</dt>
+<dd>several vulnerabilities (update)</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718''>CAN-2004-0718</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1937''>CAN-2005-1937</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2260''>CAN-2005-2260</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2261''>CAN-2005-2261</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2262''>CAN-2005-2262</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2263''>CAN-2005-2263</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2264''>CAN-2005-2264</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2265''>CAN-2005-2265</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2266''>CAN-2005-2266</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2267''>CAN-2005-2267</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2268''>CAN-2005-2268</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2269''>CAN-2005-2269</a>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2270''>CAN-2005-2270</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>We experienced that the update for Mozilla Firefox from
DTSA-8-1 <br>
+unfortunately was a regression in several cases. Since the
usual <br>
+praxis of backporting apparently does not work, this update
is <br>
+basically version 1.0.6 with the version number rolled back, and
hence <br>
+still named 1.0.4-*. For completeness below is the original
advisory <br>
+text: <br>
+ <br>
+Several problems were discovered in Mozilla Firefox: <br>
+ <br>
+CAN-2004-0718 CAN-2005-1937 <br>
+ <br>
+A vulnerability has been discovered in Mozilla Firefox that allows
remote <br>
+attackers to inject arbitrary Javascript from one page into the frameset
of <br>
+another site. <br>
+ <br>
+CAN-2005-2260 <br>
+ <br>
+The browser user interface does not properly distinguish
between <br>
+user-generated events and untrusted synthetic events, which makes it
easier <br>
+for remote attackers to perform dangerous actions that normally could only
be <br>
+performed manually by the user. <br>
+ <br>
+CAN-2005-2261 <br>
+ <br>
+XML scripts ran even when Javascript disabled. <br>
+ <br>
+CAN-2005-2262 <br>
+ <br>
+The user can be tricked to executing arbitrary JavaScript code by using
a <br>
+JavaScript URL as wallpaper. <br>
+ <br>
+CAN-2005-2263 <br>
+ <br>
+It is possible for a remote attacker to execute a callback function in
the <br>
+context of another domain (i.e. frame). <br>
+ <br>
+CAN-2005-2264 <br>
+ <br>
+By opening a malicious link in the sidebar it is possible for
remote <br>
+attackers to steal sensitive information. <br>
+ <br>
+CAN-2005-2265 <br>
+ <br>
+Missing input sanitising of InstallVersion.compareTo() can cause
the <br>
+application to crash. <br>
+ <br>
+CAN-2005-2266 <br>
+ <br>
+Remote attackers could steal sensitive information such as cookies
and <br>
+passwords from web sites by accessing data in alien frames. <br>
+ <br>
+CAN-2005-2267 <br>
+ <br>
+By using standalone applications such as Flash and QuickTime to open
a <br>
+javascript: URL, it is possible for a remote attacker to steal
sensitive <br>
+information and possibly execute arbitrary code. <br>
+ <br>
+CAN-2005-2268 <br>
+ <br>
+It is possible for a Javascript dialog box to spoof a dialog box from
a <br>
+trusted site and facilitates phishing attacks. <br>
+ <br>
+CAN-2005-2269 <br>
+ <br>
+Remote attackers could modify certain tag properties of DOM nodes that
could <br>
+lead to the execution of arbitrary script or code. <br>
+ <br>
+CAN-2005-2270 <br>
+ <br>
+The Mozilla browser family does not properly clone base objects, which
allows <br>
+remote attackers to execute arbitrary code. <br>
+ <br>
+Note that this is the same set of security fixes put into stable
in <br>
+DSA-775 and DSA-779, and updated in DSA-779-2. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 1.0.4-2sarge3</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
1.0.6-3</dt>
+<br><dt>This upgrade is recommended if you use
mozilla-firefox.<dt>
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install mozilla-firefox</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Added: website/DTSA/DTSA-9-1.html
==================================================================---
website/DTSA/DTSA-9-1.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/DTSA/DTSA-9-1.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,44 @@
+<h2>DTSA-9-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 31st, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a
href=''http://packages.debian.org/src:bluez-utils''>bluez-utils</a></dd>
+<dt>Vulnerability:</dt>
+<dd>bad device name escaping</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a
href=''http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2547''>CAN-2005-2547</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>A bug in bluez-utils allows remote attackers to execute arbitrary
commands <br>
+via shell metacharacters in the Bluetooth device name when invoking the
PIN <br>
+helper. <br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in
version 2.19-0.1etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version
2.19-1</dt>
+<br><dt>This upgrade is recommended if you use
bluez-utils.<dt>
+<br><dt>If you have the secure testing lines in your sources.list,
you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install bluez-utils</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for
then stable (sarge) and oldstable (woody) distributions. If stable is
vulnerable, the Debian security team will make an announcement once a fix is
ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines
to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src
http://secure-testing-mirrors.debian.net/debian-security-updates
etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a
href=''http://secure-testing.debian.net/ziyi-2005-7.asc''>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team,
please refer to <a
href=''http://secure-testing.debian.net/''>http://secure-testing.debian.net/</a></dt>
+
Modified: website/index.html
==================================================================---
website/index.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/index.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -44,6 +44,7 @@
deb http://secure-testing-mirrors.debian.net/debian-security-updates
etch/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates
etch/security-updates main contrib non-free
</pre>
+ These are also available from this <a
href=''list.html''>list</a>.<br>
The archive signing key used for this repository is <a
href="ziyi-2005-7.asc">here</a>.
</p>
@@ -131,7 +132,10 @@
<li>Prepare the update and fill out the .adv template
<li>Make sure everything is ready.
<li>cd data/DTSA; ./dtsa -p ADVISORYNUMBER</li>
- <li>svn add DTSA-n-1; svn commit</li>
+ <li>edit DTSA-n-1 and DTSA-n-1.html, fix the installation
instructions.</li>
+ <li>mv DTSA-n-1.html ../../website/DTSA/</li>
+ <li>cd ../../website; ../bin/updatehtmllist --output list.html
../data/DTSA/list</li>
+ <li>cd ../; svn add data/DTSA/DTSA-n-1 website/DTSA/DTSA-n-1.html; svn
commit</li>
<li>Edit data/DTSA/hints/yourname, and add a hint to make dtsasync
propigate the update from etch-proposed-updates to etch.
Commit the file and wait 15 minutes for the dtsasync run,
Added: website/list.html
==================================================================---
website/list.html 2005-09-03 14:46:03 UTC (rev 1797)
+++ website/list.html 2005-09-03 15:02:10 UTC (rev 1798)
@@ -0,0 +1,21 @@
+<!-- header -->
+<dl>
+<dt>[August 26th, 2005] <a
href=''DTSA/DTSA-1-1.html''>DTSA-1-1
kismet</a></dt>
+<dd>various</dd>
+<dt>[August 28th, 2005] <a
href=''DTSA/DTSA-2-1.html''>DTSA-2-1
centericq</a></dt>
+<dd>multiple vulnerabilities</dd>
+<dt>[August 28th, 2005] <a
href=''DTSA/DTSA-3-1.html''>DTSA-3-1
clamav</a></dt>
+<dd>denial of service and privilege escalation</dd>
+<dt>[August 28th, 2005] <a
href=''DTSA/DTSA-4-1.html''>DTSA-4-1 ekg</a></dt>
+<dd>multiple vulnerabilities</dd>
+<dt>[August 28th, 2005] <a
href=''DTSA/DTSA-5-1.html''>DTSA-5-1
gaim</a></dt>
+<dd>multiple remote vulnerabilities</dd>
+<dt>[August 28th, 2005] <a
href=''DTSA/DTSA-6-1.html''>DTSA-6-1
cgiwrap</a></dt>
+<dd>multiple vulnerabilities</dd>
+<dt>[August 28th, 2005] <a
href=''DTSA/DTSA-7-1.html''>DTSA-7-1
mozilla</a></dt>
+<dd>frame injection spoofing</dd>
+<dt>[August 31st, 2005] <a
href=''DTSA/DTSA-9-1.html''>DTSA-9-1
bluez-utils</a></dt>
+<dd>bad device name escaping</dd>
+<dt>[August 29th, 2005] <a
href=''DTSA/DTSA-10-1.html''>DTSA-10-1
pcre3</a></dt>
+<dd>buffer overflow</dd>
+</dl>