
[check] DSA vulnerabilities sarge



Hi,

I checked almost all DSAs since the woody release (DSA > 133).
The summary is: on a clean exposed sarge install the vast
majority of DSAs are resolved, but you had better not run
kde, sendmail, mysql, perl (cgi), php, tomcat or imagemagick.

You'll find below the report listing the security alerts affecting
sarge, and the resolved ones (by a new upstream release and/or
a new package which went into sarge until now).
At the moment the report lacks about 50 DSAs, where
the reference to sid is "this problem will be fixed soon".
In the next week I'll look deeper into their cases;
for the moment I only parsed the DSAs themselves.

As a side note, this work would be easier if the DSAs
generally listed "fixed by upstream version 2.2.22".
This information rarely shows up in a DSA;
I tend to think that such a notice would improve their
outstanding quality!

I hope this helps for further and broader testing of sarge.
I know the Debian security FAQ concerning testing,
but perhaps someone out there wants to provide an
unofficial security mirror, especially after kde goes in?
Perhaps in a month or so the unresolved issues should get
their bug reports, what do you think?

I will try to keep you informed weekly on progress;
suggestions or corrections are welcome!!!

a++
ma(ks|x(imilian)?)


DSA affecting Sarge/Testing:
[19 Sep 2003] DSA-388_kdebase - several vulnerabilities
sarge 4:2.2.2-14
[17 Sep 2003] DSA-384_sendmail - buffer overflows
sarge 8.12.9-5
sid fixed in version 8.12.10-1
[13 Sep 2003] DSA-381_mysql - buffer overflow
sarge 4.0.13-3
upstream version until 4.0.14 vulnerable
[11 Aug 2003] DSA-371_perl - cross-site scripting
sarge 5.8.0-18
sid fixed in version 5.8.0-19
[08 Aug 2003] DSA-369_zblast - buffer overflow
sarge 1.2pre-5 
sid fixed in version 1.2.1-7
[05 Aug 2003] DSA-365_phpgroupware - several vulnerabilities
bug #201980
upstream release fixes reported bugs 0.9.14.006
[01 Aug 2003] DSA-361_kdelibs,_kdelibs-crypto - several vulnerabilities
sarge 4:2.2.2-13
no separate kdelibs-crypto
sid fixed in version 4:3.1.3-1
[31 Jul 2003] DSA-359_atari800 - buffer overflows
sarge 1.2.2-1
bug #203707
upstream version 1.3.1-2 fixes reported bug
[29 Jul 2003] DSA-354_xconq - buffer overflows
sarge 7.4.1-2.1
bug #202963 still open
[22 Jul 2003] DSA-352_fdclone - insecure temporary directory
sarge 2.04a-1
sid fixed in version 2.04-1
[16 Jul 2003] DSA-351_php4 - cross-site scripting
sarge 4:4.1.2-6
bug #200736
upstream version php4_4.3.2+rc3 fixed XSS vulnerabilities
[08 Jul 2003] DSA-343_skk,_ddskk - insecure temporary file
sarge skk 10.62a-6 ddskk 12.2.rel.0-2
upstream fixed in 12.1.cvs.20030622-1
[07 Jul 2003] DSA-342_mozart - unsafe mailcap configuration
sarge 1.2.3.20011204-3
sid fixed in version 1.2.5.20030212-2
[08 Jul 2003] DSA-346_phpsysinfo - directory traversal
sarge 2.0-3
bug #200543 still open
[27 Jun 2003] DSA-331_imagemagick - insecure temporary file
sarge 4:5.4.4.5-1
sid fixed in version 4:5.5.7-1
[19 May 2003] DSA-306_ircii-pana - buffer overflows, integer overflow
sarge 1:1.0-0c19.20030512-1
sid fixed in version 1.0-0c19-8
[30 Apr 2003] DSA-296_kdebase - insecure execution
sarge 4:2.2.2-14
[23 Apr 2003] DSA-293_kdelibs - insecure execution
sarge 4:2.2.2-13
[17 Apr 2003] DSA-289_rinetd - incorrect memory resizing
sarge 0.62-1
sid fixed in version 0.62-2
[12 Apr 2003] DSA-284_kdegraphics - insecure execution
sarge 4:2.2.25
[28 Feb 2003] DSA-256_mhc - insecure temporary file
sarge 0.25+20010625-7
sid fixed in version 0.25+20030224-1
[12 Feb 2003] DSA-250_w3mmee-ssl - missing HTML quoting
sarge 0.3.p23.3-1.5
sid fixed in version 0.3.p24.17-3
[24 Jan 2003] DSA-243_kdemultimedia - several vulnerabilities
sarge 4:2.2.25
[24 Jan 2003] DSA-242_kdebase - several vulnerabilities
sarge 4:2.2.2-14
[24 Jan 2003] DSA-241_kdeutils - several vulnerabilities
sarge 4:2.2.25
[23 Jan 2003] DSA-240_kdegames - several vulnerabilities
sarge 4:2.2.2-2
[23 Jan 2003] DSA-239_kdesdk - several vulnerabilities
sarge 4:2.2.25
[23 Jan 2003] DSA-238_kdepim - several vulnerabilities
sarge 4:2.2.2-5
[22 Jan 2003] DSA-237_kdenetwork - several vulnerabilities
sarge 4:2.2.2-14.1
[22 Jan 2003] DSA-236_kdelibs - several vulnerabilities
sarge 4:2.2.2-13
[22 Jan 2003] DSA-235_kdegraphics - several vulnerabilities
sarge 4:2.2.25
[22 Jan 2003] DSA-234_kdeadmin - several vulnerabilities
sarge 4:2.2.25
[09 Jan 2003] DSA-225_tomcat4 - source disclosure
sarge 4.0.4-4
sid fixed in version 4.1.16-1
[20 Dec 2002] DSA-214_kdnetwork - buffer overflows
sarge 4:2.2.2-14.1
sid fixed 2.2.2-14.20
[11 Nov 2002] DSA-193_kdenetwork - buffer overflow
sarge 4:2.2.2-14.1
sid fixed in version 2.2.2-14.3
[04 Oct 2002] DSA-170_tomcat4 - source code disclosure
sarge 4.0.4-4
sid fixed in version 4.1.12-1
[18 Sep 2002] DSA-168_php - bypassing safe_mode, CRLF injection
sarge 4.1.2-6
sid fixed in version 4.2.3-3



TODO: deeper look into the following security alerts,
mostly "this problem will be fixed soon" +..
[28 Sep 2003] DSA-391_freesweep - buffer overflow
[26 Sep 2003] DSA-390_marbles - buffer overflow
[18 Sep 2003] DSA-386_libmailtools-perl - input validation bug
[17 Sep 2003] DSA-383_ssh-krb5 - possible remote vulnerability
bug #211219
[16 Sep 2003] DSA-382_ssh - possible remote vulnerability
[04 Sep 2003] DSA-377_wu-ftpd - insecure program execution
[16 Aug 2003] DSA-373_autorespond - buffer overflow
[08 Aug 2003] DSA-368_xpcd - buffer overflow
[03 Aug 2003] DSA-363_postfix - denial of service, bounce-scanning
[01 Aug 2003] DSA-360_xfstt - several vulnerabilities
[31 Jul 2003] DSA-357_wu-ftpd - remote root exploit
[29 Jun 2003] DSA-337_gtksee - buffer overflow
sarge 0.5.2-0.1
 bug #76346 closed with new upstream release
 but still concerns?
[19 Jun 2003] DSA-328_webfs - buffer overflow
[16 Jun 2003] DSA-323_noweb - insecure temporary files
[16 Jun 2003] DSA-322_typespeed - buffer overflow
[13 Jun 2003] DSA-321_radiusd-cistron - buffer overflow
[11 Jun 2003] DSA-315_gnocatan - buffer overflows, denial of service
[11 Jun 2003] DSA-314_atftp - buffer overflow
[06 Jun 2003] DSA-309_eterm - buffer overflow
[06 Jun 2003] DSA-308_gzip - insecure temporary files
[07 May 2003] DSA-302_fuzz - privilege escalation
[06 May 2003] DSA-300_balsa - buffer overflow
[23 Apr 2003] DSA-294_gkrellm-newsticker - missing quoting, incomplete parser
[03 Apr 2003] DSA-276_linux-kernel-s390 - local privilege escalation
[13 Mar 2003] DSA-260_file - buffer overflow
[12 Mar 2003] DSA-259_qpopper - mail user privilege escalation
[28 Jan 2003] DSA-245_dhcp3 - ignored counter boundary
[21 Jan 2003] DSA-233_cvs - doubly freed memory
[16 Jan 2003] DSA-230_bugzilla - insecure permissions, spurious backup files
[02 Jan 2003] DSA-220_squirrelmail - cross site scripting
[30 Dec 2002] DSA-218_bugzilla - cross site scripting
[19 Dec 2002] DSA-213_libpng - buffer overflow
???
sarge 1.0.15-4 libpng3 1.2.5.0-4
sid fixed in version 1.0.12-7 for libpng and in version 1.2.5-8 for libpng3
[17 Dec 2002] DSA-212_mysql - multiple problems
[13 Dec 2002] DSA-210_lynx - CRLF injection
[12 Dec 2002] DSA-209_wget - directory traversal
[10 Dec 2002] DSA-206_tcpdump - denial of service
[05 Dec 2002] DSA-204_kdelibs - arbitrary program execution
[07 Nov 2002] DSA-190_wmaker - buffer overflow
[05 Nov 2002] DSA-188_apache-ssl - several vulnerabilities
[04 Nov 2002] DSA-187_apache - several vulnerabilities
[09 Oct 2002] DSA-173_bugzilla - privilege escalation
[30 Jul 2002] DSA-136_openssl - multiple remote exploits
[02 Jul 2002] DSA-135_libapache-mod-ssl - buffer overflow / DoS
[24 Jun 2002] DSA-134_ssh - remote exploit


Resolved security alerts by the fixed upstream version named
in the DSA, which already went to testing/sarge:
[28 Mar 2003] DSA-274_mutt - buffer overflow
sarge 1.5.4-1
fixed in upstream version 1.4.0 and above
[15 Mar 2003] DSA-262_samba - remote exploit
 sarge 3.0.0beta2+3.0.0rc4-1
 fixed in upstream version 2.2.8
[04 Mar 2003] DSA-257_sendmail - remote exploit
 sarge 8.12.9-5
 fixed in upstream release 8.12.8
[10 Dec 2002] DSA-205_gtetrinet - buffer overflow
  sarge 0.7.4-1
  fixed in upstream version 0.4.4
[22 Nov 2002] DSA-200_samba - remote exploit
 sarge  3.0.0beta2+3.0.0rc4-1
 fixed in upstream version 2.2.7
[12 Sep 2002] DSA-165_postgresql - buffer overflows
 sarge 7.3.2r1-5
 fixed in the upstream release 7.2.2
[09 Sep 2002] DSA-163_mhonarc - cross site scripting
 sarge 2.6.8-2
 fixed in upstream version 2.5.3
[06 Aug 2002] DSA-144_wwwoffle - improper input handling
 sarge 2.7h-3
 fixed in upstream version 2.7d
[01 Aug 2002] DSA-138_gallery - remote exploit
 sarge 1.4-3
 fixed in upstream version 1.3.1
[30 Jul 2002] DSA-137_mm - insecure temporary files
sarge 1.1.3-6.1
 fixed in the upstream version 1.2.0


Resolved security alerts by the fixed sid version named
in the DSA, which already went to testing/sarge:
[01 Oct 2003] DSA-393_openssl - denial of service
sarge 0.9.7c-1
sid fixed in version 0.9.7c-1
[29 Sep 2003] DSA-392_webfs - buffer overflows, file and directory exposure
sarge 1.20
sid fixed in version 1.20
[20 Sep 2003] DSA-389_ipmasq - insecure packet filtering rules
sarge 3.5.12
sid fixed in version 3.5.12
[18 Sep 2003] DSA-385_hztty - buffer overflows
sarge 2.0-6
sid fixed in version 2.0-6
[12 Sep 2003] DSA-380_xfree86 - buffer overflows, denial of service
sarge 4.2.1-12
sid fixed in version 4.2.1-12
[11 Sep 2003] DSA-379_sane-backends - several vulnerabilities
sarge 1.0.12-5
sid fixed in version 1.0.11-1
[07 Sep 2003] DSA-378_mah-jong - buffer overflows, denial of service
sarge 1.5.6-2
sid fixed in version 1.5.6-2
[04 Sep 2003] DSA-376_exim - buffer overflow
sarge 3.36-8
sid fixed in version 3.36-8
[29 Aug 2003] DSA-375_node - buffer overflow, format string
sarge 0.3.2-1
sid fixed in version 0.3.2-1
[16 Aug 2003] DSA-372_netris - buffer overflow
sarge  0.52-1
sid fixed in version  0.52-1
[08 Aug 2003] DSA-370_pam-pgsql - format string
sarge 0.5.2-7
sid fixed in version 0.5.2-7
[08 Aug 2003] DSA-367_xtokkaetama - buffer overflow
sarge 1.0b-9
sid fixed in version 1.0b-9
[05 Aug 2003] DSA-366_eroaster - insecure temporary file
sarge 2.1.0.0.6-12
sid fixed in version 2.1.0.0.6-12
[04 Aug 2003] DSA-364_man-db - buffer overflows, arbitrary command execution
sarge 2.4.2-2
sid fixed in version 2.4.1-13
[31 Jul 2003] DSA-358_linux-kernel-2.4.18 - several vulnerabilities
sarge 2.4.20-11
sid fixed in version 2.4.20-9
[30 Jul 2003] DSA-356_xtokkaetama - buffer overflows
sarge 1.0b-9
sid fixed in version 1.0b-8
[30 Jul 2003] DSA-355_gallery - cross-site scripting
sarge 1.4-3
sid fixed in version 1.3.4-3
[29 Jul 2003] DSA-353_sup - insecure temporary file
sarge 1.8-9
sid fixed in version 1.8-9
[15 Jul 2003] DSA-350_falconseye - buffer overflow
sarge 1.9.3-12
sid fixed in version 1.9.3-9
[14 Jul 2003] DSA-349_nfs-utils - buffer overflow
sarge 1.0.5-3
sid fixed in version 1:1.0.3-2
[08 Jul 2003] DSA-347_teapop - SQL injection
sarge 0.3.5-2
sid fixed in version 0.3.5-2
[08 Jul 2003] DSA-345_xbl - buffer overflow
sarge 1.1.2-1
sid fixed in version 1.0k-6
[08 Jul 2003] DSA-344_unzip - directory traversal
sarge 5.50-3
sid fixed in version 5.50-3
[19 Jun 2003] DSA-327_xbl - buffer overflows
sarge 1.1.2-1
sid fixed in version 1.0k-5
[19 Jun 2003] DSA-325_eldav - insecure temporary file
sarge 0.7.2-2
sid fixed in version 0.7.2-1
[18 Jun 2003] DSA-324_ethereal - several vulnerabilities
sarge 0.9.13-1
sid fixed in version 0.9.13-1
[07 Jul 2003] DSA-341_liece - insecure temporary file
sarge  2.0+0.20030527cvs-2
sid fixed in version 2.0+0.20030527cvs-1
[06 Jul 2003] DSA-340_x-face-el - insecure temporary file
sarge 1.3.6.24-1
sid fixed in version 1.3.6.23-1
[06 Jul 2003] DSA-339_semi - insecure temporary file
sarge 1.14.5+20030813-2
sid fixed in version 1.14.5+20030609-1
[29 Jun 2003] DSA-338_proftpd - SQL injection
sarge 1.2.8-14
sid fixed in version 1.2.8-8
[29 Jun 2003] DSA-336_linux-kernel-2.2.20 - several vulnerabilities
sarge 2.2.25-2
sid fixed in version 2.2.25-2
[28 Jun 2003] DSA-334_xgalaga - buffer overflows
sarge 2.0.34-27
sid fixed in version 2.0.34-22
[27 Jun 2003] DSA-333_acm - integer overflow
sarge 5.0-14
sid fixed in version 5.0-10
[27 Jun 2003] DSA-332_linux-kernel-2.4.17 - several vulnerabilities
sarge 2.4.20-11
sid fixed in version 2.4.20-8
[23 Jun 2003] DSA-330_tcptraceroute - failure to drop root privileges
sarge 1.4-5
sid fixed in version 1.4-4
[20 Jun 2003] DSA-329_osh - buffer overflows
osh 1.7-12
sid fixed in version 1.7-12
[13 Jun 2003] DSA-320_mikmod - buffer overflow
sarge 3.1.6-7
sid fixed in version 3.1.6-6
[12 Jun 2003] DSA-319_webmin - session ID spoofing
sarge 1.100a-2
sid fixed in version 1.070-1
[12 Jun 2003] DSA-318_lyskom-server - denial of service
sarge 2.0.7-3
sid fixed in version 2.0.7-2
[11 Jun 2003] DSA-317_cupsys - denial of service
sarge 1.1.19final-1.4
sid fixed in version 1.1.19final-1
[11 Jun 2003] DSA-316_nethack - buffer overflow, incorrect permissions
sarge nethack  3.4.1-1.2 slashem 0.0.6E4F8-6
sid fixed in version  3.4.1-1.1
sid fixed in version 0.0.6E4F8-6
[11 Jun 2003] DSA-313_ethereal - buffer overflows, integer overflows
sarge 0.9.13-1
sid fixed in version 0.9.12-1
[09 Jun 2003] DSA-312_kernel-patch-2.4.18-powerpc - several vulnerabilities
sarge 2.4.20-4
sid fixed in version 2.4.20-2
[08 Jun 2003] DSA-311_linux-kernel-2.4.18 - several vulnerabilities
sarge 2.4.20-11
sid fixed in version 2.4.20-2
[08 Jun 2003] DSA-310_xaos - improper setuid-root execution
sarge 3.1r-4
sid fixed in version 3.1r-4
[27 May 2003] DSA-307_gps - multiple vulnerabilities
sarge 1.1.0-1
sid fixed in version 1.1.0-1
[15 May 2003] DSA-305_sendmail - insecure temporary files
sarge 8.12.9-5
sid fixed in version 8.12.9-5
[15 May 2003] DSA-304_lv - privilege escalation
sarge 4.49.5-2
sid fixed in version 4.49.5-2
[15 May 2003] DSA-303_mysql - privilege escalation
sarge 4.0.13-3
sid fixed in version 4.0.12-2
[07 May 2003] DSA-301_libgtop - buffer overflow
sarge 1.0.13-8
sid fixed in version 1.0.13-4
[06 May 2003] DSA-299_leksbot - improper setuid-root execution
sarge 1.2-7
sid fixed in version 1.2-7
[02 May 2003] DSA-298_epic4 - buffer overflows
sarge 1:1.1.11.20030409-2.1
sid fixed in version 1.1.11.20030409-1
[01 May 2003] DSA-297_snort - integer overflow, buffer overflow
sarge 2.0.1-3
sid fixed in version 2.0.0-1
[30 Apr 2003] DSA-295_pptpd - buffer overflow
sarge 1.1.4-0.b3.2
sid fixed in version 1.1.4-0.b3.2
[22 Apr 2003] DSA-292_mime-support - insecure temporary file creation
sarge 3.23-1
sid fixed in version 3.23-1
[22 Apr 2003] DSA-291_ircii - buffer overflows
sarge 20030315-1
sid fixed in version 20030315-1
[17 Apr 2003] DSA-290_sendmail-wide - char-to-int conversion
sarge 8.12.10+3.5Wbeta-1
sid fixed in version 8.12.10+3.5Wbeta-1
[17 Apr 2003] DSA-288_openssl - several vulnerabilities
sarge 0.9.7c-1
sid fixed in version 0.9.7c-1
[15 Apr 2003] DSA-287_epic - buffer overflows
sarge  3.004-20
sid fixed in version  3.004-19
[14 Apr 2003] DSA-286_gs-common - insecure temporary file
sarge 0.3.3.1
sid fixed in version 0.3.3.1
[14 Apr 2003] DSA-285_lprng - insecure temporary file
sarge 3.8.22-2
sid fixed in version 3.8.20-4
[11 Apr 2003] DSA-283_xfsdump - insecure file creation
sarge 2.2.13-1
sid fixed in version 2.2.8-1
[09 Apr 2003] DSA-282_glibc - integer overflow
sarge 2.3.2-7
sid fixed in version 2.3.1-16
[04 Apr 2003] DSA-278_sendmail - char-to-int conversion
sarge 8.12.9-5
sid fixed in version 8.12.9-1
[03 Apr 2003] DSA-277_apcupsd - buffer overflows, format string
sarge 3.8.5-1.3
sid fixed in version 3.8.5-1.2
[02 Apr 2003] DSA-275_lpr-ppd - buffer overflow
sarge 1:0.72-3
sid fixed in version 0.72-3
[28 Mar 2003] DSA-272_dietlibc - integer overflow
sarge 0.22-3cvs20030714.1
sid fixed in version 0.22-2
[27 Mar 2003] DSA-270_linux-kernel-mips - local privilege escalation
sarge 2.4.19-0.020911.8
sid fixed in version 2.4.19-0.020911.6
[26 Mar 2003] DSA-269_heimdal - Cryptographic weakness
sarge 0.5.2-2
sid fixed in version 0.5.2-1
[25 Mar 2003] DSA-268_mutt - buffer overflow
sarge 1.5.4-1
sid fixed in version 1.5.4-1
[24 Mar 2003] DSA-267_lpr - buffer overflow
sarge 1:2000.05.07-5
sid fixed in version 2000.05.07-4.20
[24 Mar 2003] DSA-266_krb5 - several vulnerabilities
sarge 0.5.2-2
sid fixed in version 0.5.2-1
[21 Mar 2003] DSA-265_bonsai - several vulnerabilities
sarge  1.3+cvs20030317-6
sid fixed in version 1.3+cvs20030317-1
[19 Mar 2003] DSA-264_lxr - missing filename sanitizing
sarge 0.3.1-1
sid fixed in version 0.3-4
[17 Mar 2003] DSA-263_netpbm-free - math overflow errors
sarge 2:9.25-5
sid fixed in version 9.20-9
[10 Mar 2003] DSA-258_ethereal - format string vulnerability
sarge 0.9.13-1
sid fixed in version 0.9.9-2
[27 Feb 2003] DSA-255_tcpdump - infinite loop
sarge 3.7.2-1
sid fixed in version 3.7.1-1.2
[27 Feb 2003] DSA-254_traceroute-nanog - buffer overflow
sarge 6.3.9-2
sid fixed in version 6.3.0-1
[24 Feb 2003] DSA-253_openssl - information leak
sarge 0.9.7c-1
sid fixed in version 0.9.7a-1
[21 Feb 2003] DSA-252_slocate - buffer overflow
sarge 2.7-1
sid fixed in version 2.7-1
[14 Feb 2003] DSA-251_w3m - missing HTML quoting
sarge 0.4.1-4
sid fixed in version 0.3.2.2-1
[11 Feb 2003] DSA-249_w3mmee - missing HTML quoting
sarge 0.3.p24.18-3
sid fixed in version 0.3.p24.17-3
[31 Jan 2003] DSA-248_hypermail - buffer overflows
sarge 2.1.7-2
sid fixed in version 2.1.6-1
[30 Jan 2003] DSA-247_courier-ssl - missing input sanitizing
sarge 0.42.2-7
sid fixed in version 0.40.2-3
[29 Jan 2003] DSA-246_tomcat - information exposure, cross site scripting
sarge  4.0.4-4
sid fixed in version 3.3.1a-1
[20 Jan 2003] DSA-232_cupsys - several vulnerabilities
sarge 1.1.19final-1.4
sid fixed in version 1.1.18-1
[17 Jan 2003] DSA-231_dhcp3 - stack overflows
sarge 3.0+3.0.1rc11-5
sid fixed in version 3.0+3.0.1rc11-1
[27 Jan 2003] DSA-244_noffle - buffer overflows
sarge 1.1.5-4
sid fixed in version 1.1.2-1
[15 Jan 2003] DSA-229_imp - SQL injection
sarge 3.2.2-2
sid fixed in version 2.2.6-7
[14 Jan 2003] DSA-228_libmcrypt - buffer overflows and memory leak
sarge 2.5.5-1
sid fixed in version 2.5.5-1
[13 Jan 2003] DSA-227_openldap2 - buffer overflows and other bugs
sarge 2.1.22-1
sid fixed in version 2.1.22-1
[10 Jan 2003] DSA-226_xpdf-i - integer overflow
sarge 2.02pl1-1
sid fixed in version 2.01-2
[08 Jan 2003] DSA-224_canna - buffer overflow and more
sarge 3.6p4-1
sid fixed in version 3.6p1-1
[07 Jan 2003] DSA-223_geneweb - information exposure
sarge 4.09-12
sid fixed in version 4.09-12
[06 Jan 2003] DSA-222_xpdf - integer overflow
sarge 2.02pl1-1
sid fixed in version 2.01-2
[03 Jan 2003] DSA-221_mhonarc - cross site scripting
sarge 2.6.8-2
sid fixed in version 2.5.14-1
[31 Dec 2002] DSA-219_dhcpcd - remote command execution
sarge 1:1.3.22pl4-9
sid fixed in version 1.3.22pl2-2
[27 Dec 2002] DSA-217_typespeed - buffer overflow
sarge 0.4.2-2
sid fixed in version 0.4.2-2
[24 Dec 2002] DSA-216_fetchmail - buffer overflow
sarge 6.2.4-1
sid fixed in version 6.2.0-1
[23 Dec 2002] DSA-215_cyrus-imapd - buffer overflow
sarge 1.5.19-13
sid fixed in version 1.5.19-9.10
[12 Dec 2002] DSA-208_perl - broken safe compartment
sarge 5.8.0-18
sid fixed in version 5.8.0-14
[11 Dec 2002] DSA-207_tetex-bin - arbitrary command execution
sarge 2.0.2-4.3
sid fixed in version 1.0.7+20021025-4
[04 Dec 2002] DSA-203_smb2www - arbitrary command execution
sarge 980804-21
sid fixed in version 980804-17
[03 Dec 2002] DSA-202_im - insecure temporary files
sarge 1:145-4
sid fixed in version 141-20
[02 Dec 2002] DSA-201_freeswan - denial of service
sarge 1.96-1.2
sid fixed in version 1.99-1
[19 Nov 2002] DSA-199_mhonarc - cross site scripting
sarge 2.6.8-2
sid fixed in version 2.5.13-1
[18 Nov 2002] DSA-198_nullmailer - denial of service
sarge 1.00RC7-18
sid fixed in version 1.00RC5-17
[15 Nov 2002] DSA-197_courier - buffer overflow
sarge 0.42.2-7
sid fixed in version 0.40.0-1
[14 Nov 2002] DSA-196_bind - several vulnerabilities
sarge  1:8.4.1.0-2
sid fixed in version 8.3.3-3
[12 Nov 2002] DSA-194_masqmail - buffer overflows
sarge 0.2.20-1
sid fixed in version 0.2.15-1
[08 Nov 2002] DSA-192_html2ps - arbitrary code execution
sarge 1.0b3-3.1
sid fixed in version 1.0b3-2
[07 Nov 2002] DSA-191_squirrelmail - cross site scripting
sarge 1:1.4.0-1
sid fixed in version 1.2.8-1.1
[06 Nov 2002] DSA-189_luxman - local root exploit
sarge 0.41-19.1
sid fixed in version 0.41-19
[01 Nov 2002] DSA-186_log2mail - buffer overflow
sarge 0.2.8-1.1
sid fixed in version 0.2.6-1
[31 Oct 2002] DSA-185_heimdal - buffer overflow
sarge 0.5.2-2
sid fixed in version 0.4e-22
[29 Oct 2002] DSA-183_krb5 - buffer overflow
sarge 1.3-2
sid fixed in version 1.1-11-8
[28 Oct 2002] DSA-182_kdegraphics - buffer overflow
sarge 4:2.2.25
sid fixed in version 2.2.2-6.9
[22 Oct 2002] DSA-181_libapache-mod-ssl - cross site scripting
sarge 2.8.14-3
sid fixed in version 2.8.9-2.3
[21 Oct 2002] DSA-180_nis - information leak
sarge 3.9-6.3
sid fixed in version 3.9-6.2
[18 Oct 2002] DSA-179_gnome-gv - buffer overflow
sarge 2.3.99-2
sid fixed in version 1.99.7-9
[17 Oct 2002] DSA-178_heimdal - remote command execution
sarge 0.5.2-2
sid fixed in version 0.4e-21
[16 Oct 2002] DSA-176_gv - buffer overflow
sarge 1:3.5.8-30.1
sid fixed in version 3.5.8-27
[15 Oct 2002] DSA-175_syslog-ng - buffer overflow
sarge 1.6.0rc1+20030310-2
sid fixed in version 1.5.21-1
[14 Oct 2002] DSA-174_heartbeat - buffer overflow
sarge 1.0.3-2
sid fixed in version 0.4.9.2-1
[07 Oct 2002] DSA-171_fetchmail - buffer overflows
sarge  6.2.4-1
sid fixed in version 6.1.0-1
[25 Sep 2002] DSA-169_htcheck - cross site scripting
sarge 1:1.2.1-1
sid fixed in version 1.1-1.2
[16 Sep 2002] DSA-167_kdelibs - cross site scripting
sarge 4:2.2.2-14
sid fixed in version 2.2.2-14
[13 Sep 2002] DSA-166_purity - buffer overflows
sarge 1-17
sid fixed in version 1-16
[10 Sep 2002] DSA-164_cacti - arbitrary code execution
sarge 0.6.8a-13.1
sid fixed in version 0.6.8a-2
[06 Sep 2002] DSA-162_ethereal - buffer overflow
sarge 0.9.13-1
sid fixed in version 0.9.6-1
[03 Sep 2002] DSA-160_scrollkeeper - insecure temporary file creation
sarge 0.3.12-2
sid fixed in version 0.3.11-2
[28 Aug 2002] DSA-159_python - insecure temporary files
sarge 2.2.3-3
sid fixed in version 2.2.1-8
[27 Aug 2002] DSA-158_gaim - arbitrary program execution
sarge 1:0.64-3
sid fixed in version 0.59.1-2
[23 Aug 2002] DSA-157_irssi-text - denial of service
sarge 0.8.6-4
sid fixed in version 0.8.5-2
[22 Aug 2002] DSA-156_epic4-script-light - arbitrary script execution
sarge 1:2.7.30p5-3
sid fixed in version 2.7.30p5-2
[17 Aug 2002] DSA-155_kdelibs - privacy escalation with Konqueror
sarge 4:2.2.2-14
sid fixed in version 2.2.2-14
[15 Aug 2002] DSA-154_fam - privilege escalation
sarge 2.6.10-1.1
sid fixed in version 2.6.8-1
[13 Aug 2002] DSA-152_l2tpd - missing random seed
sarge 0.69-1
sid fixed in version 0.68-1
[13 Aug 2002] DSA-151_xinetd - pipe exposure
sarge 1:2.3.12-2
sid fixed in version 2.3.7-1
[13 Aug 2002] DSA-150_interchange - illegal file exposition
sarge 4.8.7-1
sid fixed in version 4.8.6-1
[13 Aug 2002] DSA-149_glibc - integer overflow
sarge 2.3.2-7
sid fixed in version 2.2.5-13
[12 Aug 2002] DSA-148_hylafax - buffer overflows and format string
sarge 1:4.1.7-0.4
sid fixed in version 4.1.2-2.1
[08 Aug 2002] DSA-147_mailman - cross-site scripting
sarge 2.1.2-7
sid fixed in version 2.0.12-1
[08 Aug 2002] DSA-146_dietlibc - integer overflow
sarge 0.22-3cvs20030714.1
sid fixed in version 0.20-0cvs20020808
[07 Aug 2002] DSA-145_tinyproxy - doubly freed memory
sarge 1.6.1-2
sid fixed in version 1.4.3-3
[05 Aug 2002] DSA-143_krb5 - integer overflow
sarge 1.3-2
sid fixed in version 1.2.5-2
[05 Aug 2002] DSA-142_openafs - integer overflow
sarge  1.2.9-2
sid fixed in version 1.2.6-1
[01 Aug 2002] DSA-141_mpack - buffer overflow
sarge 1.6-1
sid fixed in version 1.5-9
[05 Aug 2002] DSA-140_libpng - buffer overflow
sarge 1.2.5.0-4 libpng2 1.0.15-4
sid fixed in version 1.2.1-2, in version 1.0.12-4 of libpng2
[01 Aug 2002] DSA-139_super - format string vulnerability
sarge 3.20.1-2
sid fixed in version 3.18.0-3


Resolved security alerts by closed bug report
(bug named in the DSA):
[02 Aug 2003] DSA-362_mindi - insecure temporary file
sarge 0.86-1
bug #203825
upstream version 0.86-1 fixes reported bug
[11 Jul 2003] DSA-348_traceroute-nanog - integer overflow, buffer overflow
sarge 6.3.9-2
bug #200875
upstream version 6.3.6-3 fixed integer overflow
[19 Jun 2003] DSA-326_orville-write - buffer overflows
 sarge 2.54-1
 bug #170747 
 upstream version 2.54-1 fixed local buffer overflow



Resolved security alerts for several different reasons:
[11 Oct 2003] DSA-394_openssl095 - ASN.1 parsing vulnerability
package not in testing or sid
[18 Sep 2003] DSA-387_gopher - buffer overflows
package removed
[26 Aug 2003] DSA-374_libpam-smb - buffer overflow
package removed
[28 Jun 2003] DSA-335_mantis - incorrect permissions
package not in sarge
sid fixed in version 0.17.5-6
[08 Apr 2003] DSA-281_moxftp - buffer overflow
package not in sarge
sid fixed in version 2.2-18.20
[07 Apr 2003] DSA-280_samba - buffer overflow
sid not affected since it contains version 3.0
[07 Apr 2003] DSA-279_metrics - insecure temporary file creation
package removed
[28 Mar 2003] DSA-273_krb4 - Cryptographic weakness
sarge contains krb5
[27 Mar 2003] DSA-271_ecartis - unauthorized password change
package not in sarge
sid fixed in version 1.0.0+cvs.20030321-1
[14 Mar 2003] DSA-261_tcpdump - infinite loop
sid not affected
[13 Dec 2002] DSA-211_micq - denial of service
package not in sarge
sid fixed in version 0.4.9.4-1
[13 Nov 2002] DSA-195_apache-perl - several vulnerabilities
package not in sarge
sid fixed in version 1.3.26-1.1-1.27-3-1
[08 Oct 2002] DSA-172_tkmail - insecure temporary files
package not in sarge
sid fixed in version 4.0beta9-9
[04 Sep 2002] DSA-161_mantis - privilege escalation
package not in sarge
sid fixed in version 0.17.5-2
[30 Oct 2002] DSA-184_krb4 - buffer overflow
sarge contains krb5
[17 Oct 2002] DSA-177_pam - serious security violation
sid and testing not affected
[14 Aug 2002] DSA-153_mantis - cross site code execution and privilege escalation
package not in sarge 
sid fixed in version 0.17.4a-2
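The check this report does by hand, comparing each sarge version against the sid version the DSA names as fixed, as an added example that is not part of the original mail: a Python implementation of dpkg's version ordering (epoch first, then upstream and revision, with "~" sorting lowest) plus a parser for the report's own line format. The regexes, function names and the three sample entries below are my own, constructed from lines in the report.

```python
import re
from itertools import zip_longest

_TOKENS = re.compile(r"(\D*)(\d*)")                      # alternating non-digit / digit runs
_PARTS = re.compile(r"(?:(\d+):)?(.*?)(?:-([^-]*))?")    # [epoch:]upstream[-revision]

def _order(c):
    # dpkg's order(): "~" sorts before everything (even end of string), digits 0,
    # letters by code point, other punctuation after all letters.
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_run(x, y):
    # Compare two non-digit runs character by character; end of string weighs 0.
    for cx, cy in zip_longest(x, y):
        ox, oy = (_order(cx) if cx else 0), (_order(cy) if cy else 0)
        if ox != oy:
            return -1 if ox < oy else 1
    return 0

def _verrevcmp(a, b):
    # dpkg's verrevcmp: walk both strings run by run, digit runs compared numerically.
    for (sa, da), (sb, db) in zip_longest(_TOKENS.findall(a), _TOKENS.findall(b),
                                          fillvalue=("", "")):
        r = _cmp_run(sa, sb)
        if r:
            return r
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def compare_versions(a, b):
    """-1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = (_PARTS.fullmatch(v).groups() for v in (a, b))
    ea, eb = int(ea or 0), int(eb or 0)  # the epoch dominates; a missing one is 0
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra or "", rb or "")

# Line shapes used by the report above (these regexes are mine, not the report's).
HEADER = re.compile(r"^\[(\d{2} \w{3} \d{4})\] (DSA-\d+)_(\S+) - (.*)$")
SARGE = re.compile(r"^\s*sarge\s+((?:\d+:)?\d\S*)")
FIXED = re.compile(r"^\s*sid fixed(?: in version)?\s+((?:\d+:)?\d\S*)")

def parse_report(text):
    """Group the report's lines into one dict per DSA entry."""
    entries = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            entries.append({"date": m.group(1), "dsa": m.group(2), "package": m.group(3),
                            "title": m.group(4), "sarge": None, "fixed": None})
        elif entries and (m := SARGE.match(line)):
            entries[-1]["sarge"] = m.group(1)
        elif entries and (m := FIXED.match(line)):
            entries[-1]["fixed"] = m.group(1)
    return entries

def classify(entries):
    """'resolved' if sarge has at least the fixed sid version, 'affected' if older, else 'unknown'."""
    out = {}
    for e in entries:
        if e["sarge"] is None or e["fixed"] is None:
            out[e["dsa"]] = "unknown"
        else:
            out[e["dsa"]] = "resolved" if compare_versions(e["sarge"], e["fixed"]) >= 0 else "affected"
    return out

# Constructed sample in the report's format: an epoch case, a still-affected case, no sid version.
SAMPLE = """\
[17 Sep 2003] DSA-384_sendmail - buffer overflows
sarge 8.12.9-5
sid fixed in version 8.12.10-1
[20 Dec 2002] DSA-214_kdnetwork - buffer overflows
sarge 4:2.2.2-14.1
sid fixed 2.2.2-14.20
[13 Sep 2003] DSA-381_mysql - buffer overflow
sarge 4.0.13-3
upstream version until 4.0.14 vulnerable
"""
```

Note that an epoch on one side only decides the comparison outright (DSA-214 above is resolved although 14.1 < 14.20), so entries where the epoch was dropped when transcribing need a second look.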