Debian 5.3 2008-11-19T19:32:38.188-04:00 Debian GNU/Linux 2.2 mutt What information can i put there? 2002-01-03 Debian GNU/Linux 2.2 exim What information can i put there? 2002-01-03 Patrice Fournier discovered a bug in all versions of Exim older than Exim 3.34 and Exim 3.952. The Exim maintainer, Philip Hazel, <a href="http://www.exim.org/pipermail/exim-announce/2001q4/000048.html">\ writes</a> about this issue: "The problem exists only in the case of a run time configuration which directs or routes an address to a pipe transport without checking the local part of the address in any way. This does not apply, for example, to pipes run from alias or forward files, because the local part is checked to ensure that it is the name of an alias or of a local user. The bug's effect is that, instead of obeying the correct pipe command, a broken Exim runs the command encoded in the local part of the address." This problem has been fixed in Exim version 3.12-10.2 for the stable distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and unstable distribution. We recommend that you upgrade your exim package. Debian GNU/Linux 2.2 libgtop What information can i put there? 2002-01-09 Two different problems where found in libgtop-daemon: Since libgtop_daemon runs as user nobody both bugs could be used to gain access as the nobody user to a system running libgtop_daemon. Both problems have been fixed in version 1.0.6-1.1 and we recommend you upgrade your libgtop-daemon package immediately. Debian GNU/Linux 2.2 XChat What information can i put there? 2002-01-12 zen-parse found a <a href="http://online.securityfocus.com/archive/1/249113">\ vulnerability</a> in the XChat IRC client that allows an attacker to take over the users IRC session. It is possible to trick XChat IRC clients into sending arbitrary commands to the IRC server they are on, potentially allowing social engineering attacks, channel takeovers, and denial of service. This problem exists in versions 1.4.2 and 1.4.3. Later versions of XChat are vulnerable as well, but this behaviour is controlled by the configuration variable ťpercasciiŤ, which defaults to 0. If it is set to 1 then the problem becomes apparent in 1.6/1.8 as well. This problem has been fixed in upstream version 1.8.7 and in version 1.4.3-1 for the current stable Debian release (2.2) with a patch provided from the upstream author Peter Zelezny. We recommend that you upgrade your XChat packages immediately, since this problem is already actively being exploited. Debian GNU/Linux 2.2 gzip What information can i put there? 2002-01-13 GOBBLES found a buffer overflow in gzip that occurs when compressing files with really long filenames. Even though GOBBLES claims to have developed an exploit to take advantage of this bug, it has been said by others that this <a href="http://online.securityfocus.com/bid/3712">\ problem</a> is not likely to be exploitable as other security incidents. Additionally, the Debian version of gzip from the stable release does not segfault, and hence does not directly inherit this problem. However, better be safe than sorry, so we have prepared an update for you. Please make sure you are running an up-to-date version from stable/unstable/testing with at least version 1.2.4-33. Debian GNU/Linux 2.2 sudo What information can i put there? 2002-01-14 Sebastian Krahmer from SuSE found a vulnerability in <code>sudo</code> which could easily lead into a local root exploit. This problem has been fixed in upstream version 1.6.4 as well as in version 1.6.2p2-2.1 for the stable release of Debian GNU/Linux. We recommend that you upgrade your sudo packages immediately. Debian GNU/Linux 2.2 at What information can i put there? 2002-01-16 zen-parse found a bug in the current implementation of at which leads into a heap corruption vulnerability which in turn could potentially lead into an exploit of the daemon user. We recommend that you upgrade your at packages. Unfortunately, the bugfix from DSA 102-1 wasn't propagated properly due to a packaging bug. While the file parsetime.y was fixed, and yy.tab.c should be generated from it, yy.tab.c from the original source was still used. This has been fixed in DSA-102-2. Debian GNU/Linux 2.2 glibc What information can i put there? 2002-01-13 A buffer overflow has been found in the globbing code for glibc. This is the code which is used to glob patterns for filenames and is commonly used in applications like shells and FTP servers. This has been fixed in version 2.1.3-20 and we recommend that you upgrade your libc package immediately. Debian GNU/Linux 2.2 cipe What information can i put there? 2002-01-14 Larry McVoy found a bug in the packet handling code for the CIPE VPN package: it did not check if a received packet was too short and could crash. This has been fixed in version 1.3.0-3, and we recommend that you upgrade your CIPE packages immediately. Please note that the package only contains the required kernel patch, you will have to manually build the kernel modules for your kernel with the updated source from the <code>cipe-source</code> package. Debian GNU/Linux 2.2 enscript What information can i put there? 2002-01-21 The version of enscript (a tool to convert ASCII text to different formats) in potato has been found to create temporary files insecurely. This has been fixed in version 1.6.2-4.1. Debian GNU/Linux 2.2 rsync What information can i put there? 2002-01-26 This has been fixed in version 2.3.2-1.3 and we recommend you upgrade your rsync package immediately. Unfortunately the patch used to fix that problem broke rsync. This has been fixed in version 2.3.2-1.5 and we recommend you upgrade to that version immediately. Debian GNU/Linux 2.2 jgroff What information can i put there? 2002-01-30 Debian GNU/Linux 2.2 wmtv What information can i put there? 2002-02-07 Nicolas Boullis found some security problems in the wmtv package (a dockable video4linux TV player for windowmaker) which is distributed in Debian GNU/Linux 2.2. With the current version of wmtv, the configuration file is written back as the superuser, and without any further checks. A malicious user might use that to damage important files. This problem has been fixed in version 0.6.5-2potato2 for the stable distribution by dropping privileges as soon as possible and only regaining them where required. In the current testing/unstable distribution this problem has been fixed in version 0.6.5-9 and above by not requiring privileges anymore. Both contain fixes for two potential buffer overflows as well. We recommend that you upgrade your wmtv packages immediately. Debian GNU/Linux 2.2 faqomatic What information can i put there? 2002-02-13 Due to unescaped HTML code Faq-O-Matic returned unverified scripting code to the browser. With some tweaking this enables an attacker to steal cookies from one of the Faq-O-Matic moderators or the admin. Cross-Site Scripting is a type of problem that allows a malicious person to make another person run some JavaScript in their browser. The JavaScript is executed on the victims machine and is in the context of the website running the Faq-O-Matic Frequently Asked Question manager. This problem has been fixed in version 2.603-1.2 for the stable Debian distribution and version 2.712-2 for the current testing/unstable distribution. We recommend that you upgrade your faqomatic package if you have it installed. Debian GNU/Linux 2.2 cupsys What information can i put there? 2002-02-13 The authors of CUPS, the Common UNIX Printing System, have found a potential buffer overflow bug in the code of the CUPS daemon where it reads the names of attributes. This affects all versions of CUPS. This problem has been fixed in version 1.0.4-10 for the stable Debian distribution and version 1.1.13-2 for the current testing/unstable distribution. We recommend that you upgrade your CUPS packages immediately if you have them installed. Debian GNU/Linux 2.2 ucd-snmp What information can i put there? 2002-02-14 The Secure Programming Group of the Oulu University did a study on SNMP implementations and uncovered multiple problems which can cause problems ranging from Denial of Service attacks to remote exploits. New UCD-SNMP packages have been prepared to fix these problems as well as a few others. The complete list of fixed problems is: (thanks to Caldera for most of the work on those patches) The new version is 4.1.1-2.1 and we recommend you upgrade your snmp packages immediately. Debian GNU/Linux 2.2 hanterm What information can i put there? 2002-02-16 A set of buffer overflow problems have been found in hanterm, a Hangul terminal for X11 derived from xterm, that will read and display Korean characters in its terminal window. The font handling code in hanterm uses hard limited string variables but didn't check for boundaries. This problem can be exploited by a malicious user to gain access to the utmp group which is able to write the wtmp and utmp files. These files record login and logout activities. This problem has been fixed in version 3.3.1p17-5.2 for the stable Debian distribution. A fixed package for the current testing/unstable distribution is not yet available but will have a version number higher than 3.3.1p18-6.1. We recommend that you upgrade your hanterm packages immediately if you have them installed. Known exploits are already available. Debian GNU/Linux 2.2 ncurses What information can i put there? 2002-02-18 Several buffer overflows were fixed in the "ncurses" library in November 2000. Unfortunately, one was missed. This can lead to crashes when using ncurses applications in large windows. The <a href="http://cve.mitre.org/">Common Vulnerabilities and Exposures project</a> has assigned the name <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0062">\ CAN-2002-0062</a> to this issue. This problem has been fixed for the stable release of Debian in version 5.0-6.0potato2. The testing and unstable releases contain ncurses 5.2, which is not affected by this problem. There are no known exploits for this problem, but we recommend that all users upgrade ncurses immediately. Debian GNU/Linux 2.2 gnujsp What information can i put there? 2002-02-21 Thomas Springer found a vulnerability in GNUJSP, a Java servlet that allows you to insert Java source code into HTML files. The problem can be used to bypass access restrictions in the web server. An attacker can view the contents of directories and download files directly rather then receiving their HTML output. This means that the source code of scripts could also be revealed. The problem was fixed by Stefan Gybas, who maintains the Debian package of GNUJSP. It is fixed in version 1.0.0-5 for the stable release of Debian GNU/Linux. The versions in testing and unstable are the same as the one in stable so they are vulnerable, too. You can install the fixed version this advisory refers to on these systems to solve the problem as this package is architecture independent. We recommend that you upgrade your gnujsp package immediately. Debian GNU/Linux 2.2 php3, php4 What information can i put there? 2002-03-02 Stefan Esser, who is also a member of the PHP team, found several <a href="http://security.e-matters.de/advisories/012002.html">flaws</a> in the way PHP handles multipart/form-data POST requests (as described in RFC1867) known as POST fileuploads. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system. For PHP3 flaws contain a broken boundary check and an arbitrary heap overflow. For PHP4 they consist of a broken boundary check and a heap off by one error. For the stable release of Debian these problems are fixed in version 3.0.18-0potato1.1 of PHP3 and version 4.0.3pl1-0potato3 of PHP4. For the unstable and testing release of Debian these problems are fixed in version 3.0.18-22 of PHP3 and version 4.1.2-1 of PHP4. There is no PHP4 in the stable and unstable distribution for the arm architecture due to a compiler error. We recommend that you upgrade your PHP packages immediately. Debian GNU/Linux 2.2 cfs What information can i put there? 2002-03-02 Zorgon found several buffer overflows in cfsd, a daemon that pushes encryption services into the Unix(tm) file system. We are not yet sure if these overflows can successfully be exploited to gain root access to the machine running the CFS daemon. However, since cfsd can easily be forced to die, a malicious user can easily perform a denial of service attack to it. This problem has been fixed in version 1.3.3-8.1 for the stable Debian distribution and in version 1.4.1-5 for the testing and unstable distribution of Debian. We recommend that you upgrade your cfs package immediately. Debian GNU/Linux 2.2 cvs What information can i put there? 2002-03-05 Kim Nielsen recently found an internal problem with the CVS server and reported it to the vuln-dev mailing list. The problem is triggered by an improperly initialized global variable. A user exploiting this can crash the CVS server, which may be accessed through the pserver service and running under a remote user id. It is not yet clear if the remote account can be exposed, though. This problem has been fixed in version 1.10.7-9 for the stable Debian distribution with help of Niels Heinen and in versions newer than 1.11.1p1debian-3 for the testing and unstable distribution of Debian (not yet uploaded, though). We recommend that you upgrade your CVS package. Debian GNU/Linux 2.2 xsane What information can i put there? 2002-03-05 Tim Waugh found several insecure uses of temporary files in the xsane program, which is used for scanning. This was fixed for Debian/stable by moving those files into a securely created directory within the /tmp directory. This problem has been fixed in version 0.50-5.1 for the stable Debian distribution and in version 0.84-0.1 for the testing and unstable distribution of Debian. We recommend that you upgrade your xsane package. Debian GNU/Linux 2.2 libapache-mod-ssl, apache-ssl What information can i put there? 2002-03-10 Ed Moyle recently <a href="http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html">\ found</a> a buffer overflow in Apache-SSL and mod_ssl. With session caching enabled, mod_ssl will serialize SSL session variables to store them for later use. These variables were stored in a buffer of a fixed size without proper boundary checks. To exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. If these conditions are met, it would be possible for an attacker to execute arbitrary code on the server. This problem has been fixed in version 1.3.9.13-4 of Apache-SSL and version 2.4.10-1.3.9-1potato1 of libapache-mod-ssl for the stable Debian distribution as well as in version 1.3.23.1+1.47-1 of Apache-SSL and version 2.8.7-1 of libapache-mod-ssl for the testing and unstable distribution of Debian. We recommend that you upgrade your Apache-SSL and mod_ssl packages. Debian GNU/Linux 2.2 xtell What information can i put there? 2002-03-11 Several security related problems have been found in the xtell package, a simple messaging client and server. In detail, these problems contain several buffer overflows, a problem in connection with symbolic links, unauthorized directory traversal when the path contains "..". These problems could lead into an attacker being able to execute arbitrary code on the server machine. The server runs with nobody privileges by default, so this would be the account to be exploited. They have been corrected by backporting changes from a newer upstream version by the Debian maintainer for xtell. These problems are fixed in version 1.91.1 in the stable distribution of Debian and in version 2.7 for the testing and unstable distribution of Debian. We recommend that you upgrade your xtell packages immediately. Debian GNU/Linux 2.2 zlib What information can i put there? 2002-03-11 The compression library zlib has a flaw in which it attempts to free memory more than once under certain conditions. This can possibly be exploited to run arbitrary code in a program that includes zlib. If a network application running as root is linked to zlib, this could potentially lead to a remote root compromise. No exploits are known at this time. This vulnerability is assigned the CVE candidate name of <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059">CAN-2002-0059</a>. The zlib vulnerability is fixed in the Debian zlib package version 1.1.3-5.1. A number of programs either link statically to zlib or include a private copy of zlib code. These programs must also be upgraded to eliminate the zlib vulnerability. The affected packages and fixed versions follow: Those using the pre-release (testing) version of Debian should upgrade to zlib 1.1.3-19.1 or a later version. Note that since this version of Debian has not yet been released it may not be available immediately for all architectures. Debian 2.2 (potato) is the latest supported release. We recommend that you upgrade your packages immediately. Note that you should restart all programs that use the shared zlib library in order for the fix to take effect. This is most easily done by rebooting the system. Debian GNU/Linux 2.2 listar What information can i put there? 2002-03-19 Janusz Niewiadomski and Wojciech Purczynski reported a buffer overflow in the address_match of listar (a listserv style mailing-list manager). This has been fixed in version 0.129a-2.potato1. Debian GNU/Linux 2.2 mtr What information can i put there? 2002-03-26 The authors of mtr released a new upstream version, noting a non-exploitable buffer overflow in their ChangeLog. Przemyslaw Frasunek, however, found an <a href="http://bugs.debian.org/137102">\ easy way</a> to exploit this bug, which allows an attacker to gain access to the raw socket, which makes IP spoofing and other malicious network activity possible. The problem has been fixed by the Debian maintainer in version 0.41-6 for the stable distribution of Debian by backporting the upstream fix and in version 0.48-1 for the testing/unstable distribution. We recommend that you upgrade your mtr package immediately. Debian GNU/Linux 2.2 analog What information can i put there? 2002-03-28 Yuji Takahashi discovered a bug in analog which allows a cross-site scripting type attack. It is easy for an attacker to insert arbitrary strings into any web server logfile. If these strings are then analysed by analog, they can appear in the report. By this means an attacker can introduce arbitrary Javascript code, for example, into an analog report produced by someone else and read by a third person. Analog already attempted to encode unsafe characters to avoid this type of attack, but the conversion was incomplete. This problem has been fixed in the upstream version 5.22 of analog. Unfortunately patching the old version of analog in the stable distribution of Debian instead is a very large job that defeats us. We recommend that you upgrade your analog package immediately. Debian GNU/Linux 2.2 imp What information can i put there? 2002-04-16 A cross-site scripting (CSS) problem was discovered in Horde and IMP (a web based IMAP mail package). This was fixed upstream in Horde version 1.2.8 and IMP version 2.2.8. The relevant patches have been back-ported to version 1.2.6-0.potato.5 of the horde package and version 2.2.6-0.potato.5 of the imp package. This release also fixes a bug introduced by the PHP security fix from <a href="dsa-115">DSA-115-1</a>: Postgres support for PHP was changed in a subtle way which broke the Postgres support from IMP. Debian GNU/Linux 2.2 xpilot What information can i put there? 2002-04-17 An internal audit by the xpilot (a multi-player tactical manoeuvring game for X) maintainers revealed a buffer overflow in xpilot server. This overflow can be abused by remote attackers to gain access to the server under which the xpilot server is running. This has been fixed in upstream version 4.5.1 and version 4.1.0-4.U.4alpha2.4.potato1 of the Debian package. Debian GNU/Linux 2.2 sudo What information can i put there? 2002-04-26 fc found a buffer overflow in the variable expansion code used by sudo for its prompt. Since sudo is necessarily installed suid root a local user can use this to gain root access. This has been fixed in version 1.6.2-2.2 for the stable distribution of Debian and version 1.6.6-1 for the testing/unstable distribution. We recommend that you upgrade your sudo package immediately. Debian GNU/Linux 2.2 uucp What information can i put there? 2002-05-27 We have received reports that in.uucpd, an authentication agent in the uucp package, does not properly terminate certain long input strings. This has been corrected in uucp package version 1.06.1-11potato3 for Debian 2.2 (potato) and in version 1.06.1-18 for the upcoming (woody) release. We recommend you upgrade your uucp package immediately. Debian GNU/Linux 2.2 ethereal What information can i put there? 2002-06-01 Ethereal versions prior to 0.9.3 were vulnerable to an allocation error in the ASN.1 parser. This can be triggered when analyzing traffic using the SNMP, LDAP, COPS, or Kerberos protocols in ethereal. This vulnerability was announced in the ethereal security advisory <a href="http://www.ethereal.com/appnotes/enpa-sa-00003.html">enpa-sa-00003</a>. This issue has been corrected in ethereal version 0.8.0-3potato for Debian 2.2 (potato). Additionally, a number of vulnerabilities were discussed in ethereal security advisory <a href="http://www.ethereal.com/appnotes/enpa-sa-00004.html">enpa-sa-00004</a>; the version of ethereal in Debian 2.2 (potato) is not vulnerable to the issues raised in this later advisory. Users of the not-yet-released woody distribution should ensure that they are running ethereal 0.9.4-1 or a later version. We recommend you upgrade your ethereal package immediately. Debian GNU/Linux 2.2 apache What information can i put there? 2002-06-19 Mark Litchfield found a denial of service attack in the Apache web-server. While investigating the problem the Apache Software Foundation discovered that the code for handling invalid requests which use chunked encoding also might allow arbitrary code execution on 64 bit architectures. This has been fixed in version 1.3.9-14.1 of the Debian apache package, as well as upstream versions 1.3.26 and 2.0.37. We strongly recommend that you upgrade your apache package immediately. The package upgrade does not restart the apache server automatically, this will have to be done manually. Please make sure your configuration is correct ("<kbd>apachectl configtest</kbd>" will verify that for you) and restart it using "<kbd>/etc/init.d/apache restart</kbd>" Debian GNU/Linux 2.2 apache-ssl What information can i put there? 2002-06-19 Mark Litchfield found a denial of service attack in the Apache web-server. While investigating the problem the Apache Software Foundation discovered that the code for handling invalid requests which use chunked encoding also might allow arbitrary code execution on 64 bit architectures. This has been fixed in version 1.3.9.13-4.1 of the Debian apache-ssl package and we recommend that you upgrade your apache-ssl package immediately. An update for the soon to be released Debian GNU/Linux 3.0/woody distribution is not available at the moment. More Information: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0392">CVE-2002-0392</a>, <a href="http://www.cert.org/advisories/CA-2002-17.html">VU#944335</a>. Debian GNU/Linux 2.2 apache-perl What information can i put there? 2002-06-20 Mark Litchfield found a denial of service attack in the Apache web-server. While investigating the problem the Apache Software Foundation discovered that the code for handling invalid requests which use chunked encoding also might allow arbitrary code execution. This has been fixed in version 1.3.9-14.1-1.21.20000309-1 of the Debian apache-perl package and we recommend that you upgrade your apache-perl package immediately. An update for the soon to be released Debian GNU/Linux 3.0/woody distribution will be available soon. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 ssh What information can i put there? 2002-06-24 ISS X-Force released an advisory about an OpenSSH "Remote Challenge Vulnerability". Unfortunately, the advisory was incorrect on some points, leading to widespread confusion about the impact of this vulnerability. No version of OpenSSH in Debian is affected by the SKEY and BSD_AUTH authentication methods described in the ISS advisory. However, Debian does include OpenSSH servers with the PAM feature described as vulnerable in the later advisory by the OpenSSH team. (This vulnerable feature is authentication using PAM via the keyboard-interactive mechanism [kbdint].) This vulnerability affects OpenSSH versions 2.3.1 through 3.3. No exploit is currently known for the PAM/kbdint vulnerability, but the details are publicly known. All of these vulnerabilities were corrected in OpenSSH 3.4. In addition to the vulnerabilities fixes outlined above, our OpenSSH packages version 3.3 and higher support the new privilege separation feature from Niels Provos, which changes ssh to use a separate non-privileged process to handle most of the work. Vulnerabilities in the unprivileged parts of OpenSSH will lead to compromise of an unprivileged account restricted to an empty chroot, rather than a direct root compromise. Privilege separation should help to mitigate the risks of any future OpenSSH compromise. Debian 2.2 (potato) shipped with an ssh package based on OpenSSH 1.2.3, and is not vulnerable to the vulnerabilities covered by this advisory. Users still running a version 1.2.3 ssh package do not have an immediate need to upgrade to OpenSSH 3.4. Users who upgraded to the OpenSSH version 3.3 packages released in previous iterations of DSA-134 should upgrade to the new version 3.4 OpenSSH packages, as the version 3.3 packages are vulnerable. We suggest that users running OpenSSH 1.2.3 consider a move to OpenSSH 3.4 to take advantage of the privilege separation feature. (Though, again, we have no specific knowledge of any vulnerability in OpenSSH 1.2.3. Please carefully read the caveats listed below before upgrading from OpenSSH 1.2.3.) We recommend that any users running a back-ported version of OpenSSH version 2.0 or higher on potato move to OpenSSH 3.4. The current pre-release version of Debian (woody) includes an OpenSSH version 3.0.2p1 package (ssh), which is vulnerable to the PAM/kbdint problem described above. We recommend that users upgrade to OpenSSH 3.4 and enable privilege separation. Please carefully read the release notes below before upgrading. Updated packages for ssh-krb5 (an OpenSSH package supporting kerberos authentication) are currently being developed. Users who cannot currently upgrade their OpenSSH packages may work around the known vulnerabilities by disabling the vulnerable features: make sure the following lines are uncommented and present in /etc/ssh/sshd_config and restart ssh There should be no other PAMAuthenticationViaKbdInt or ChallengeResponseAuthentication entries in sshd_config. That concludes the vulnerability section of this advisory. What follows are release notes related to the OpenSSH 3.4 package and the privilege separation feature. URLs for the OpenSSH 3.4 packages are at the bottom. Some notes on possible issues associated with this upgrade: Some issues from previous OpenSSH 3.3p1 packages corrected in this advisory (not a complete changelog): Again, we regret having to release packages with larger changes and less testing than is our usual practice; given the potential severity and non-specific nature of the original threat we decided that our users were best served by having packages available for evaluation as quickly as possible. We will send additional information as it comes to us, and will continue to work on the outstanding issues. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 libapache-mod-ssl What information can i put there? 2002-07-02 The libapache-mod-ssl package provides SSL capability to the apache webserver. Recently, a problem has been found in the handling of .htaccess files, allowing arbitrary code execution as the web server user (regardless of ExecCGI / suexec settings), DoS attacks (killing off apache children), and allowing someone to take control of apache child processes - all through specially crafted .htaccess files. This has been fixed in the libapache-mod-ssl_2.4.10-1.3.9-1potato2 package (for potato), and the libapache-mod-ssl_2.8.9-2 package (for woody). We recommend you upgrade as soon as possible. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 openssl What information can i put there? 2002-07-30 The OpenSSL development team has announced that a security audit by A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential DoS attack independently discovered by Adi Stav and James Yonan. CAN-2002-0655 references overflows in buffers used to hold ASCII representations of integers on 64 bit platforms. CAN-2002-0656 references buffer overflows in the SSL2 server implementation (by sending an invalid key to the server) and the SSL3 client implementation (by sending a large session id to the client). The SSL2 issue was also noticed by Neohapsis, who have privately demonstrated exploit code for this issue. CAN-2002-0659 references the ASN1 parser DoS issue. These vulnerabilities have been addressed for Debian 3.0 (woody) in openssl094_0.9.4-6.woody.2, openssl095_0.9.5a-6.woody.1 and openssl_0.9.6c-2.woody.1. These vulnerabilities are also present in Debian 2.2 (potato). Fixed packages are available in openssl094_0.9.4-6.potato.2 and openssl_0.9.6c-0.potato.4. A worm is actively exploiting this issue on internet-attached hosts; we recommend you upgrade your OpenSSL as soon as possible. Note that you must restart any daemons using SSL. (E.g., ssh or ssl-enabled apache.) If you are uncertain which programs are using SSL you may choose to reboot to ensure that all running daemons are using the new libraries. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 mm What information can i put there? 2002-07-30 Marcus Meissner and Sebastian Krahmer discovered and fixed a temporary file vulnerability in the mm shared memory library. This problem can be exploited to gain root access to a machine running Apache which is linked against this library, if shell access to the user &ldquo;www-data&rdquo; is already available (which could easily be triggered through PHP). This problem has been fixed in the upstream version 1.2.0 of mm, which will be uploaded to the unstable Debian distribution while this advisory is released. Fixed packages for potato (Debian 2.2) and woody (Debian 3.0) are linked below. We recommend that you upgrade your libmm packages immediately and restart your Apache server. Debian GNU/Linux 3.0 gallery What information can i put there? 2002-08-01 A problem was found in gallery (a web-based photo album toolkit): it was possible to pass in the GALLERY_BASEDIR variable remotely. This made it possible to execute commands under the uid of web-server. This has been fixed in version 1.2.5-7 of the Debian package and upstream version 1.3.1. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 super What information can i put there? 2002-08-01 GOBBLES found an insecure use of format strings in the super package. The included program super is intended to provide access to certain system users for particular users and programs, similar to the program sudo. Exploiting this format string vulnerability a local user can gain unauthorized root access. This problem has been fixed in version 3.12.2-2.1 for the old stable distribution (potato), in version 3.16.1-1.1 for the current stable distribution (woody) and in version 3.18.0-3 for the unstable distribution (sid). We recommend that you upgrade your super package immediately. Debian GNU/Linux 3.0 libpng, libpng3 What information can i put there? 2002-08-05 Developers of the PNG library have fixed a buffer overflow in the progressive reader when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. Such deliberately malformed datastreams would crash applications which could potentially allow an attacker to execute malicious code. Programs such as Galeon, Konqueror and various others make use of these libraries. In addition to that, the packages below fix another potential buffer overflow. The PNG libraries implement a safety margin which is also included in a newer upstream release. Thanks to Glenn Randers-Pehrson for informing us. To find out which packages depend on this library, you may want to execute the following commands: This problem has been fixed in version 1.0.12-3.woody.2 of libpng and version 1.2.1-1.1.woody.2 of libpng3 for the current stable distribution (woody) and in version 1.0.12-4 of libpng and version 1.2.1-2 of libpng3 for the unstable distribution (sid). The potato release of Debian does not seem to be vulnerable. We recommend that you upgrade your libpng packages immediately and restart programs and daemons that link to these libraries and read external data, such as web browsers. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 mpack What information can i put there? 2002-08-01 Eckehard Berns discovered a buffer overflow in the munpack program which is used for decoding (respectively) binary files in MIME (Multipurpose Internet Mail Extensions) format mail messages. If munpack is run on an appropriately malformed email (or news article) then it will crash, and perhaps can be made to run arbitrary code. Herbert Xu reported a second vulnerability which affected malformed filenames that refer to files in upper directories like "../a". The security impact is limited, though, because only a single leading "../" was accepted and only new files can be created (i.e. no files will be overwritten). Both problems have been fixed in version 1.5-5potato2 for the old stable distribution (potato), in version 1.5-7woody2 for the current stable distribution (woody) and in version 1.5-9 for the unstable distribution (sid). We recommend that you upgrade your mpack package immediately. Debian GNU/Linux 3.0 openafs What information can i put there? 2002-08-05 An integer overflow bug has been discovered in the RPC library used by the OpenAFS database server, which is derived from the SunRPC library. This bug could be exploited to crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver) or to obtain unauthorized root access to a host running one of these processes. No exploits are known to exist yet. This problem has been fixed in version 1.2.3final2-6 for the current stable distribution (woody) and in version 1.2.6-1 for the unstable distribution (sid). Debian 2.2 (potato) is not affected since it doesn't contain OpenAFS packages. OpenAFS is only available for the architectures alpha, i386, powerpc, s390, sparc. Hence, we only provide fixed packages for these architectures. We recommend that you upgrade your openafs packages. Debian GNU/Linux 3.0 krb5 What information can i put there? 2002-08-05 An integer overflow bug has been discovered in the RPC library used by the Kerberos 5 administration system, which is derived from the SunRPC library. This bug could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful. No exploits are known to exist yet. This problem has been fixed in version 1.2.4-5woody1 for the current stable distribution (woody) and in version 1.2.5-2 for the unstable distribution (sid). Debian 2.2 (potato) is not affected since it doesn't contain krb5 packages. We recommend that you upgrade your kerberos packages immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 wwwoffle What information can i put there? 2002-08-06 A problem with wwwoffle has been discovered. The web proxy didn't handle input data with negative Content-Length settings properly which causes the processing child to crash. It is at this time not obvious how this can lead to an exploitable vulnerability; however, it's better to be safe than sorry, so here's an update. Additionally, in the woody version empty passwords will be treated as wrong when trying to authenticate. In the woody version we also replaced CanonicaliseHost() with the latest routine from 2.7d, offered by upstream. This stops bad IPv6 format IP addresses in URLs from causing problems (memory overwriting, potential exploits). This problem has been fixed in version 2.5c-10.4 for the old stable distribution (potato), in version 2.7a-1.2 for the current stable distribution (woody) and in version 2.7d-1 for the unstable distribution (sid). We recommend that you upgrade your wwwoffle packages. Debian GNU/Linux 3.0 tinyproxy What information can i put there? 2002-08-07 The authors of tinyproxy, a lightweight HTTP proxy, discovered a bug in the handling of some invalid proxy requests. Under some circumstances, an invalid request may result in allocated memory being freed twice. This can potentially result in the execution of arbitrary code. This problem has been fixed in version 1.4.3-2woody2 for the current stable distribution (woody) and in version 1.4.3-3 for the unstable distribution (sid). The old stable distribution (potato) is not affected by this problem. We recommend that you upgrade your tinyproxy package immediately. Debian GNU/Linux 3.0 dietlibc What information can i put there? 2002-08-08 An integer overflow bug has been discovered in the RPC library used by dietlibc, a libc optimized for small size, which is derived from the SunRPC library. This bug could be exploited to gain unauthorized root access to software linking to this code. The packages below also fix integer overflows in the calloc, fread and fwrite code. They are also more strict regarding hostile DNS packets that could lead to a vulnerability otherwise. These problems have been fixed in version 0.12-2.4 for the current stable distribution (woody) and in version 0.20-0cvs20020808 for the unstable distribution (sid). Debian 2.2 (potato) is not affected since it doesn't contain dietlibc packages. We recommend that you upgrade your dietlibc packages immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 mailman What information can i put there? 2002-08-08 A cross-site scripting vulnerability was discovered in mailman, a software to manage electronic mailing lists. When a properly crafted URL is accessed with Internet Explorer (other browsers don't seem to be affected), the resulting webpage is rendered similar to the real one, but the javascript component is executed as well, which could be used by an attacker to get access to sensitive information. The new version for Debian 2.2 also includes backports of security related patches from mailman 2.0.11. This problem has been fixed in version 2.0.11-1woody4 for the current stable distribution (woody), in version 1.1-10.1 for the old stable distribution (potato) and in version 2.0.12-1 for the unstable distribution (sid). We recommend that you upgrade your mailman package. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 hylafax What information can i put there? 2002-08-12 A set of problems have been discovered in Hylafax, a flexible client/server fax software distributed with many GNU/Linux distributions. Quoting SecurityFocus the problems are in detail: These problems have been fixed in version 4.0.2-14.3 for the old stable distribution (potato), in version 4.1.1-1.1 for the current stable distribution (woody) and in version 4.1.2-2.1 for the unstable distribution (sid). We recommend that you upgrade your hylafax packages. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 glibc What information can i put there? 2002-08-13 An integer overflow bug has been discovered in the RPC library used by GNU libc, which is derived from the SunRPC library. This bug could be exploited to gain unauthorized root access to software linking to this code. The packages below also fix integer overflows in the malloc code. They also contain a fix from Andreas Schwab to reduce linebuflen in parallel to bumping up the buffer pointer in the NSS DNS code. This problem has been fixed in version 2.1.3-23 for the old stable distribution (potato), in version 2.2.5-11.1 for the current stable distribution (woody) and in version 2.2.5-13 for the unstable distribution (sid). We recommend that you upgrade your libc6 packages immediately. Debian GNU/Linux 3.0 interchange What information can i put there? 2002-08-13 A problem has been discovered in Interchange, an e-commerce and general HTTP database display system, which can lead to an attacker being able to read any file to which the user of the Interchange daemon has sufficient permissions, when Interchange runs in "INET mode" (internet domain socket). This is not the default setting in Debian packages, but configurable with Debconf and via configuration file. We also believe that this bug cannot exploited on a regular Debian system. This problem has been fixed by the package maintainer in version 4.8.3.20020306-1.woody.1 for the current stable distribution (woody) and in version 4.8.6-1 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't ship the Interchange system. We recommend that you upgrade your interchange packages. Debian GNU/Linux 3.0 xinetd What information can i put there? 2002-08-13 Solar Designer found a vulnerability in xinetd, a replacement for the BSD derived inetd. File descriptors for the signal pipe introduced in version 2.3.4 are leaked into services started from xinetd. The descriptors could be used to talk to xinetd resulting in crashing it entirely. This is usually called a denial of service. This problem has been fixed by the package maintainer in version 2.3.4-1.2 for the current stable distribution (woody) and in version 2.3.7-1 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain the signal pipe. We recommend that you upgrade your xinetd packages. Debian GNU/Linux 3.0 l2tpd What information can i put there? 2002-08-13 Current versions of l2tpd, a layer 2 tunneling client/server program, forgot to initialize the random generator which made it vulnerable since all generated random number were 100% guessable. When dealing with the size of the value in an attribute value pair, too many bytes were able to be copied, which could lead into the vendor field being overwritten. These problems have been fixed in version 0.67-1.1 for the current stable distribution (woody) and in version 0.68-1 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain the l2tpd package. We recommend that you upgrade your l2tpd packages. Debian GNU/Linux 3.0 mantis What information can i put there? 2002-08-14 Joao Gouveia discovered an uninitialized variable which was insecurely used with file inclusions in the mantis package, a php based bug tracking system. The Debian Security Team found even more similar problems. When these occasions are exploited, a remote user is able to execute arbitrary code under the webserver user id on the web server hosting the mantis system. Jeroen Latour discovered that Mantis did not check all user input, especially if they do not come directly from form fields. This opens up a wide variety of SQL poisoning vulnerabilities on systems without magic_quotes_gpc enabled. Most of these vulnerabilities are only exploitable in a limited manner, since it is no longer possible to execute multiple queries using one call to mysql_query(). There is one query which can be tricked into changing an account's access level. Jeroen Latour also reported that it is possible to instruct Mantis to show reporters only the bugs that they reported, by setting the limit_reporters option to ON. However, when formatting the output suitable for printing, the program did not check the limit_reporters option and thus allowed reporters to see the summaries of bugs they did not report. Jeroen Latour discovered that the page responsible for displaying a list of bugs in a particular project, did not check whether the user actually has access to the project, which is transmitted by a cookie variable. It accidentally trusted the fact that only projects accessible to the user were listed in the drop-down menu. This provides a malicious user with an opportunity to display the bugs of a private project selected. These problems have been fixed in version 0.17.1-2.2 for the current stable distribution (woody) and in version 0.17.4a-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain the mantis package. Additional information: We recommend that you upgrade your mantis packages immediately. Debian GNU/Linux 3.0 fam What information can i put there? 2002-08-15 A <a href="http://oss.sgi.com/bugzilla/show_bug.cgi?id=151">flaw</a> was discovered in FAM's group handling. In the effect users are unable to read FAM directories they have group read and execute permissions on. However, also unprivileged users can potentially learn names of files that only users in root's group should be able to view. This problem been fixed in version 2.6.6.1-5.2 for the current stable stable distribution (woody) and in version 2.6.8-1 (or any later version) for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain fam packages. We recommend that you upgrade your fam packages. Debian GNU/Linux 3.0 kdelibs What information can i put there? 2002-08-17 Due to a security engineering oversight, the SSL library from KDE, which Konqueror uses, doesn't check whether an intermediate certificate for a connection is signed by the certificate authority as safe for the purpose, but accepts it when it is signed. This makes it possible for anyone with a valid VeriSign SSL site certificate to forge any other VeriSign SSL site certificate, and abuse Konqueror users. A local root exploit using artsd has been discovered which exploited an insecure use of a format string. The exploit wasn't working on a Debian system since artsd wasn't running setuid root. Neither artsd nor artswrapper need to be setuid root anymore since current computer systems are fast enough to handle the audio data in time. These problems have been fixed in version 2.2.2-13.woody.2 for the current stable distribution (woody). The old stable distribution (potato) is not affected, since it doesn't contain KDE packages. The unstable distribution (sid) is not yet fixed, but new packages are expected in the future, the fixed version will be version 2.2.2-14 or higher. We recommend that you upgrade your kdelibs and libarts packages and restart Konqueror. Debian GNU/Linux 3.0 epic4-script-light What information can i put there? 2002-08-22 All versions of the EPIC script Light prior to 2.7.30p5 (on the 2.7 branch) and prior to 2.8pre10 (on the 2.8 branch) running on any platform are vulnerable to a remotely-exploitable bug, which can lead to nearly arbitrary code execution. This problem has been fixed in version 2.7.30p5-1.1 for the current stable distribution (woody) and in version 2.7.30p5-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain the Light package. We recommend that you upgrade your epic4-script-light package and restart your IRC client. Debian GNU/Linux 3.0 irssi-text What information can i put there? 2002-08-23 The IRC client irssi is vulnerable to a denial of service condition. The problem occurs when a user attempts to join a channel that has an overly long topic description. When a certain string is appended to the topic, irssi will crash. This problem has been fixed in version 0.8.4-3.1 for the current stable distribution (woody) and in version 0.8.5-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since the corresponding portions of code are not present. The same applies to irssi-gnome and irssi-gtk, which don't seem to be affected as well. We recommend that you upgrade your irssi-text package. Debian GNU/Linux 3.0 gaim What information can i put there? 2002-08-27 The developers of Gaim, an instant messenger client that combines several different networks, found a vulnerability in the hyperlink handling code. The 'Manual' browser command passes an untrusted string to the shell without escaping or reliable quoting, permitting an attacker to execute arbitrary commands on the users machine. Unfortunately, Gaim doesn't display the hyperlink before the user clicks on it. Users who use other inbuilt browser commands aren't vulnerable. This problem has been fixed in version 0.58-2.2 for the current stable distribution (woody) and in version 0.59.1-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't ship the Gaim program. The fixed version of Gaim no longer passes the user's manual browser command to the shell. Commands which contain the %s in quotes will need to be amended, so they don't contain any quotes. The 'Manual' browser command can be edited in the 'General' pane of the 'Preferences' dialog, which can be accessed by clicking 'Options' from the login window, or 'Tools' and then 'Preferences' from the menu bar in the buddy list window. We recommend that you upgrade your gaim package immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 python What information can i put there? 2002-08-28 Zack Weinberg discovered an insecure use of a temporary file in os._execvpe from os.py. It uses a predictable name which could lead execution of arbitrary code. This problem has been fixed in several versions of Python: For the current stable distribution (woody) it has been fixed in version 1.5.2-23.1 of Python 1.5, in version 2.1.3-3.1 of Python 2.1 and in version 2.2.1-4.1 of Python 2.2. For the old stable distribution (potato) this has been fixed in version 1.5.2-10potato12 for Python 1.5. For the unstable distribution (sid) this has been fixed in version 1.5.2-24 of Python 1.5, in version 2.1.3-6a of Python 2.1 and in version 2.2.1-8 of Python 2.2. Python 2.3 is not affected by this problem. We recommend that you upgrade your Python packages immediately. Debian GNU/Linux 3.0 scrollkeeper What information can i put there? 2002-09-03 Spybreak discovered a problem in scrollkeeper, a free electronic cataloging system for documentation. The scrollkeeper-get-cl program creates temporary files in an insecure manner in /tmp using guessable filenames. Since scrollkeeper is called automatically when a user logs into a Gnome session, an attacker with local access can easily create and overwrite files as another user. This problem has been fixed in version 0.3.6-3.1 for the current stable distribution (woody) and in version 0.3.11-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain the scrollkeeper package. We recommend that you upgrade your scrollkeeper packages immediately. Debian GNU/Linux 3.0 mantis What information can i put there? 2002-09-04 A problem with user privileges has been discovered in the Mantis package, a PHP based bug tracking system. The Mantis system didn't check whether a user is permitted to view a bug, but displays it right away if the user entered a valid bug id. Another bug in Mantis caused the 'View Bugs' page to list bugs from both public and private projects when no projects are accessible to the current user. These problems have been fixed in version 0.17.1-2.5 for the current stable distribution (woody) and in version 0.17.5-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain the mantis package. Additional information: We recommend that you upgrade your mantis packages. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 ethereal What information can i put there? 2002-09-06 Ethereal developers discovered a buffer overflow in the ISIS protocol dissector. It may be possible to make Ethereal crash or hang by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file. It may be possible to make Ethereal run arbitrary code by exploiting the buffer and pointer problems. This problem has been fixed in version 0.9.4-1woody2 for the current stable distribution (woody), in version 0.8.0-4potato.1 for the old stable distribution (potato) and in version 0.9.6-1 for the unstable distribution (sid). We recommend that you upgrade your ethereal packages. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 mhonarc What information can i put there? 2002-09-09 Jason Molenda and Hiromitsu Takagi <a href="http://online.securityfocus.com/archive/1/268455">found</a> ways to exploit cross site scripting bugs in mhonarc, a mail to HTML converter. When processing maliciously crafted mails of type text/html mhonarc does not deactivate all scripting parts properly. This is fixed in upstream version 2.5.3. If you are worried about security, it is recommended that you disable support of text/html messages in your mail archives. There is no guarantee that the mhtxthtml.pl library is robust enough to eliminate all possible exploits that can occur with HTML data. To exclude HTML data, you can use the MIMEEXCS resource. For example: The type "text/x-html" is probably not used any more, but is good to include it, just-in-case. If you are concerned that this could block out the entire contents of some messages, then you could do the following instead: This treats the HTML as text/plain. The above problems have been fixed in version 2.5.2-1.1 for the current stable distribution (woody), in version 2.4.4-1.1 for the old stable distribution (potato) and in version 2.5.11-1 for the unstable distribution (sid). We recommend that you upgrade your mhonarc packages. Debian GNU/Linux 3.0 cacti What information can i put there? 2002-09-10 A problem in cacti, a PHP based frontend to rrdtool for monitoring systems and services, has been discovered. This could lead into cacti executing arbitrary program code under the user id of the web server. This problem, however, is only persistent to users who already have administrator privileges in the cacti system. This problem has been fixed by removing any dollar signs and backticks from the title string in version 0.6.7-2.1 for the current stable distribution (woody) and in version 0.6.8a-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain the cacti package. We recommend that you upgrade your cacti package immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 postgresql What information can i put there? 2002-09-12 Mordred Labs and others found several vulnerabilities in PostgreSQL, an object-relational SQL database. They are inherited from several buffer overflows and integer overflows. Specially crafted long date and time input, currency, repeat data and long timezone names could cause the PostgreSQL server to crash as well as specially crafted input data for lpad() and rpad(). More buffer/integer overflows were found in circle_poly(), path_encode() and path_addr(). Except for the last three, these problems are fixed in the upstream release 7.2.2 of PostgreSQL which is the recommended version to use. Most of these problems do not exist in the version of PostgreSQL that Debian ships in the potato release since the corresponding functionality is not yet implemented. However, PostgreSQL 6.5.3 is quite old and may bear more risks than we are aware of, which may include further buffer overflows, and certainly include bugs that threaten the integrity of your data. You are strongly advised not to use this release but to upgrade your system to Debian 3.0 (stable) including PostgreSQL release 7.2.1 instead, where many bugs have been fixed and new features introduced to increase compatibility with the SQL standards. If you consider an upgrade, please make sure to dump the entire database system using the pg_dumpall utility. Please take into consideration that the newer PostgreSQL is more strict in its input handling. This means that tests like "foo = NULL" which are not valid won't be accepted anymore. It also means that when using UNICODE encoding, ISO 8859-1 and ISO 8859-15 are no longer valid encodings to use when inserting data into the relation. In such a case you are advised to convert the dump in question using <kbd>recode latin1..utf-16</kbd>. These problems have been fixed in version 7.2.1-2woody2 for the current stable distribution (woody) and in version 7.2.2-2 for the unstable distribution (sid). The old stable distribution (potato) is partially affected and we ship a fixed version 6.5.3-27.2 for it. We recommend that you upgrade your PostgreSQL packages. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 purity What information can i put there? 2002-09-13 Two buffer overflows have been discovered in purity, a game for nerds and hackers, which is installed setgid games on a Debian system. This problem could be exploited to gain unauthorized access to the group games. A malicious user could alter the highscore of several games. This problem has been fixed in version 1-14.2 for the current stable distribution (woody), in version 1-9.1 for the old stable distribution (potato) and in version 1-16 for the unstable distribution (sid). We recommend that you upgrade your purity packages. Debian GNU/Linux 3.0 Konquerer What information can i put there? 2002-09-16 A cross site scripting problem has been discovered in Konqueror, a famous browser for KDE and other programs using KHTML. The KDE team <a href="http://www.kde.org/info/security/advisory-20020908-2.txt">reports</a> that Konqueror's cross site scripting protection fails to initialize the domains on sub-(i)frames correctly. As a result, JavaScript is able to access any foreign subframe which is defined in the HTML source. Users of Konqueror and other KDE software that uses the KHTML rendering engine may become victim of a cookie stealing and other cross site scripting attacks. This problem has been fixed in version 2.2.2-13.woody.3 for the current stable distribution (woody) and in version 2.2.2-14 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it didn't ship KDE. We recommend that you upgrade your kdelibs package and restart Konqueror. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 PHP3, PHP4 What information can i put there? 2002-09-18 Wojciech Purczynski found out that it is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode, which is the case for newer PHP versions and for the versions below. This does not affect PHP3, though. Wojciech Purczynski also found out that arbitrary ASCII control characters may be injected into string arguments of the mail() function. If mail() arguments are taken from user's input it may give the user ability to alter message content including mail headers. Ulf Härnhammar discovered that file() and fopen() are vulnerable to CRLF injection. An attacker could use it to escape certain restrictions and add arbitrary text to alleged HTTP requests that are passed through. However this only happens if something is passed to these functions which is neither a valid file name nor a valid url. Any string that contains control chars cannot be a valid url. Before you pass a string that should be a url to any function you must use urlencode() to encode it. Three problems have been identified in PHP: These problems have been fixed in version 3.0.18-23.1woody1 for PHP3 and 4.1.2-5 for PHP4 for the current stable distribution (woody), in version 3.0.18-0potato1.2 for PHP3 and 4.0.3pl1-0potato4 for PHP4 in the old stable distribution (potato) and in version 3.0.18-23.2 for PHP3 and 4.2.3-3 for PHP4 for the unstable distribution (sid). We recommend that you upgrade your PHP packages. Debian GNU/Linux 3.0 htcheck What information can i put there? 2002-09-25 Ulf Härnhammar <a href="http://marc.theaimsgroup.com/?l=bugtraq&amp;m=103184269605160">\ discovered</a> a problem in ht://Check's PHP interface. The PHP interface displays information unchecked which was gathered from crawled external web servers. This could lead into a cross site scripting attack if somebody has control over the server responses of a remote web server which is crawled by ht://Check. This problem has been fixed in version 1.1-1.1 for the current stable distribution (woody) and in version 1.1-1.2 for the unstable release (sid). The old stable release (potato) does not contain the htcheck package. We recommend that you upgrade your htcheck package immediately. Debian GNU/Linux 3.0 tomcat4 What information can i put there? 2002-10-04 A security vulnerability has been found in all Tomcat 4.x releases. This problem allows an attacker to use a specially crafted URL to return the unprocessed source code of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by security constraints, without the need for being properly authenticated. This problem has been fixed in version 4.0.3-3woody1 for the current stable distribution (woody) and in version 4.1.12-1 for the unstable release (sid). The old stable release (potato) does not contain tomcat packages. Also, packages for tomcat3 are not vulnerable to this problem. We recommend that you upgrade your tomcat package immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 fetchmail, fetchmail-ssl What information can i put there? 2002-10-07 Stefan Esser <a href="http://security.e-matters.de/advisories/032002.html">\ discovered</a> several buffer overflows and a broken boundary check within fetchmail. If fetchmail is running in multidrop mode these flaws can be used by remote attackers to crash it or to execute arbitrary code under the user id of the user running fetchmail. Depending on the configuration this even allows a remote root compromise. These problems have been fixed in version 5.9.11-6.1 for both fetchmail and fetchmail-ssl for the current stable distribution (woody), in version 5.3.3-4.2 for fetchmail for the old stable distribution (potato) and in version 6.1.0-1 for both fetchmail and fetchmail-ssl for the unstable distribution (sid). There are no fetchmail-ssl packages for the old stable distribution (potato) and thus no updates. We recommend that you upgrade your fetchmail packages immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 tkmail What information can i put there? 2002-10-08 It has been discovered that tkmail creates temporary files insecurely. Exploiting this an attacker with local access can easily create and overwrite files as another user. This problem has been fixed in version 4.0beta9-8.1 for the current stable distribution (woody), in version 4.0beta9-4.1 for the old stable distribution (potato) and in version 4.0beta9-9 for the unstable distribution (sid). We recommend that you upgrade your tkmail packages. Debian GNU/Linux 3.0 bugzilla What information can i put there? 2002-10-09 The developers of Bugzilla, a web-based bug tracking system, discovered a problem in the handling of more than 47 groups. When a new product is added to an installation with 47 groups or more and "usebuggroups" is enabled, the new group will be assigned a groupset bit using Perl math that is not exact beyond 2⁴⁸. This results in the new group being defined with a "bit" that has several bits set. As users are given access to the new group, those users will also gain access to spurious lower group privileges. Also, group bits were not always reused when groups were deleted. This problem has been fixed in version 2.14.2-0woody2 for the current stable distribution (woody) and will soon be fixed in the unstable distribution (sid). The old stable distribution (potato) doesn't contain a bugzilla package. We recommend that you upgrade your bugzilla package. Debian GNU/Linux 3.0 heartbeat What information can i put there? 2002-10-14 Nathan Wallwork <a href="http://linux-ha.org/security/sec01.txt">\ discovered</a> a buffer overflow in heartbeat, a subsystem for High-Availability Linux. A remote attacker could send a specially crafted UDP packet that overflows a buffer, leaving heartbeat to execute arbitrary code as root. This problem has been fixed in version 0.4.9.0l-7.2 for the current stable distribution (woody) and version 0.4.9.2-1 for the unstable distribution (sid). The old stable distribution (potato) doesn't contain a heartbeat package. We recommend that you upgrade your heartbeat package immediately if you run internet connected servers that are heartbeat-monitored. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 syslog-ng What information can i put there? 2002-10-15 Balazs Scheidler <a href="http://www.balabit.hu/static/zsa/ZSA-2002-014-en.txt">\ discovered</a> a problem in the way syslog-ng handles macro expansion. When a macro is expanded a static length buffer is used accompanied by a counter. However, when constant characters are appended, the counter is not updated properly, leading to incorrect boundary checking. An attacker may be able to use specially crafted log messages inserted via UDP which overflows the buffer. This problem has been fixed in version 1.5.15-1.1 for the current stable distribution (woody), in version 1.4.0rc3-3.2 for the old stable distribution (potato) and version 1.5.21-1 for the unstable distribution (sid). We recommend that you upgrade your syslog-ng package immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 gv What information can i put there? 2002-10-16 Zen-parse discovered a buffer overflow in gv, a PostScript and PDF viewer for X11. This problem is triggered by scanning the PostScript file and can be exploited by an attacker sending a malformed PostScript or PDF file. The attacker is able to cause arbitrary code to be run with the privileges of the victim. This problem has been fixed in version 3.5.8-26.1 for the current stable distribution (woody), in version 3.5.8-17.1 for the old stable distribution (potato) and version 3.5.8-27 for the unstable distribution (sid). We recommend that you upgrade your gv package. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 heimdal What information can i put there? 2002-10-17 The SuSE Security Team has reviewed critical parts of the Heimdal package such as the kadmind and kdc server. While doing so several potential buffer overflows and other bugs have been uncovered and fixed. Remote attackers can probably gain remote root access on systems without fixes. Since these services usually run on authentication servers these bugs are considered very serious. These problems have been fixed in version 0.4e-7.woody.4 for the current stable distribution (woody), in version 0.2l-7.4 for the old stable distribution (potato) and version 0.4e-21 for the unstable distribution (sid). We recommend that you upgrade your Heimdal packages immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 gnome-gv What information can i put there? 2002-10-18 Zen-parse discovered a buffer overflow in gv, a PostScript and PDF viewer for X11. The same code is present in gnome-gv. This problem is triggered by scanning the PostScript file and can be exploited by an attacker sending a malformed PostScript or PDF file. The attacker is able to cause arbitrary code to be run with the privileges of the victim. This problem has been fixed in version 1.1.96-3.1 for the current stable distribution (woody), in version 0.82-2.1 for the old stable distribution (potato) and version 1.99.7-9 for the unstable distribution (sid). We recommend that you upgrade your gnome-gv package. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 nis What information can i put there? 2002-10-21 Thorsten Kukuck discovered a problem in the ypserv program which is part of the Network Information Services (NIS). A memory leak in all versions of ypserv prior to 2.5 is remotely exploitable. When a malicious user could request a non-existing map the server will leak parts of an old domainname and mapname. This problem has been fixed in version 3.9-6.1 for the current stable distribution (woody), in version 3.8-2.1 for the old stable distribution (potato) and in version 3.9-6.2 for the unstable distribution (sid). We recommend that you upgrade your nis package. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 libapache-mod-ssl What information can i put there? 2002-10-22 Joe Orton discovered a cross site scripting problem in mod_ssl, an Apache module that adds Strong cryptography (i.e. HTTPS support) to the webserver. The module will return the server name unescaped in the response to an HTTP request on an SSL port. Like the other recent Apache XSS bugs, this only affects servers using a combination of "UseCanonicalName off" (default in the Debian package of Apache) and wildcard DNS. This is very unlikely to happen, though. Apache 2.0/mod_ssl is not vulnerable since it already escapes this HTML. With this setting turned on, whenever Apache needs to construct a self-referencing URL (a URL that refers back to the server the response is coming from) it will use ServerName and Port to form a "canonical" name. With this setting off, Apache will use the hostname:port that the client supplied, when possible. This also affects SERVER_NAME and SERVER_PORT in CGI scripts. This problem has been fixed in version 2.8.9-2.1 for the current stable distribution (woody), in version 2.4.10-1.3.9-1potato4 for the old stable distribution (potato) and version 2.8.9-2.3 for the unstable distribution (sid). We recommend that you upgrade your libapache-mod-ssl package. Debian GNU/Linux 3.0 kdegraphics What information can i put there? 2002-10-28 Zen-parse discovered a buffer overflow in gv, a PostScript and PDF viewer for X11. The same code is present in kghostview which is part of the KDE-Graphics package. This problem is triggered by scanning the PostScript file and can be exploited by an attacker sending a malformed PostScript or PDF file. The attacker is able to cause arbitrary code to be run with the privileges of the victim. This problem has been fixed in version 2.2.2-6.8 for the current stable distribution (woody) and in version 2.2.2-6.9 for the unstable distribution (sid). The old stable distribution (potato) is not affected since no KDE is included. We recommend that you upgrade your kghostview package. Debian GNU/Linux 3.0 krb5 What information can i put there? 2002-10-29 Tom Yu and Sam Hartman of MIT discovered another stack buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server. This kadmind bug has a working exploit code circulating, hence it is considered serious. The MIT krb5 implementation includes support for version 4, including a complete v4 library, server side support for krb4, and limited client support for v4. This problem has been fixed in version 1.2.4-5woody3 for the current stable distribution (woody) and in version 1.2.6-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected since no krb5 packages are included. We recommend that you upgrade your krb5 packages immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 krb4 What information can i put there? 2002-10-30 Tom Yu and Sam Hartman of MIT discovered another stack buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server. This kadmind bug has a working exploit code circulating, hence it is considered serious. This problem has been fixed in version 1.1-8-2.2 for the current stable distribution (woody), in version 1.0-2.2 for the old stable distribution (potato) and in version 1.1-11-8 for the unstable distribution (sid). We recommend that you upgrade your krb4 packages immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 heimdal What information can i put there? 2002-10-31 A stack buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server was discovered, which is provided by Heimdal as well. A working exploit for this kadmind bug is already circulating, hence it is considered serious. The broken library also contains a vulnerability which could lead to another root exploit. These problems have been fixed in version 0.4e-7.woody.5 for the current stable distribution (woody), in version 0.2l-7.6 for the old stable distribution (potato) and in version 0.4e-22 for the unstable distribution (sid). We recommend that you upgrade your heimdal packages immediately. Debian GNU/Linux 3.0 log2mail What information can i put there? 2002-11-01 Enrico Zini discovered a buffer overflow in log2mail, a daemon for watching logfiles and sending lines with matching patterns via mail. The log2mail daemon is started upon system boot and runs as root. A specially crafted (remote) log message could overflow a static buffer, potentially leaving log2mail to execute arbitrary code as root. This problem has been fixed in version 0.2.5.1 the current stable distribution (woody) and in version 0.2.6-1 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain a log2mail package. We recommend that you upgrade your log2mail package. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 apache What information can i put there? 2002-11-04 According to David Wagner, iDEFENSE and the Apache HTTP Server Project, several remotely exploitable vulnerabilities have been found in the Apache package, a commonly used webserver. These vulnerabilities could allow an attacker to enact a denial of service against a server or execute a cross scripting attack. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities: This is the same vulnerability as CAN-2002-1233, which was fixed in potato already but got lost later and was never applied upstream. These problems have been fixed in version 1.3.26-0woody3 for the current stable distribution (woody) and in 1.3.9-14.3 for the old stable distribution (potato). Corrected packages for the unstable distribution (sid) are expected soon. We recommend that you upgrade your Apache package immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 apache-ssl What information can i put there? 2002-11-05 According to David Wagner, iDEFENSE and the Apache HTTP Server Project, several vulnerabilities have been found in the Apache package, a commonly used webserver. Most of the code is shared between the Apache and Apache-SSL packages, so vulnerabilities are shared as well. These vulnerabilities could allow an attacker to enact a denial of service against a server or execute a cross scripting attack, or steal cookies from other web site users. Vulnerabilities in the included legacy programs htdigest, htpasswd and ApacheBench can be exploited when called via CGI. Additionally the insecure temporary file creation in htdigest and htpasswd can also be exploited locally. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities: This is the same vulnerability as CAN-2002-1233, which was fixed in potato already but got lost later and was never applied upstream. (binaries not included in apache-ssl package though) These problems have been fixed in version 1.3.26.1+1.48-0woody3 for the current stable distribution (woody) and in 1.3.9.13-4.2 for the old stable distribution (potato). Corrected packages for the unstable distribution (sid) are expected soon. We recommend that you upgrade your Apache-SSL package immediately. Debian GNU/Linux 3.0 luxman What information can i put there? 2002-11-06 iDEFENSE <a href="http://www.idefense.com/advisory/11.06.02.txt">\ reported</a> about a vulnerability in LuxMan, a maze game for GNU/Linux, similar to the PacMan arcade game. When successfully exploited a local attacker gains read-write access to the memory, leading to a local root compromise in many ways, examples of which include scanning the file for fragments of the master password file and modifying kernel memory to re-map system calls. This problem has been fixed in version 0.41-17.1 for the current stable distribution (woody) and in version 0.41-19 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain a luxman package. We recommend that you upgrade your luxman package immediately. Debian GNU/Linux 3.0 wmaker What information can i put there? 2002-11-07 Al Viro found a problem in the image handling code use in Window Maker, a popular NEXTSTEP like window manager. When creating an image it would allocate a buffer by multiplying the image width and height, but did not check for an overflow. This makes it possible to overflow the buffer. This could be exploited by using specially crafted image files (for example when previewing themes). This problem has been fixed in version 0.80.0-4.1 for the current stable distribution (woody). Packages for the mipsel architecture are not yet available. Debian GNU/Linux 3.0 squirrelmail What information can i put there? 2002-11-07 Several cross site scripting vulnerabilities have been found in squirrelmail, a feature-rich webmail package written in PHP4. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities: These problems have been fixed in version 1.2.6-1.1 for the current stable distribution (woody) and in version 1.2.8-1.1 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain a squirrelmail package. We recommend that you upgrade your squirrelmail package. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 html2ps What information can i put there? 2002-11-08 The SuSE Security Team found a vulnerability in html2ps, an HTML to PostScript converter, that opened files based on unsanitized input insecurely. This problem can be exploited when html2ps is installed as filter within lprng and the attacker has previously gained access to the lp account. These problems have been fixed in version 1.0b3-1.1 for the current stable distribution (woody), in version 1.0b1-8.1 for the old stable distribution (potato) and in version 1.0b3-2 for the unstable distribution (sid). We recommend that you upgrade your html2ps package. Debian GNU/Linux 3.0 kdenetwork What information can i put there? 2002-11-11 iDEFENSE <a href="http://www.idefense.com/advisory/11.11.02.txt">\ reports</a> a security vulnerability in the klisa package, that provides a LAN information service similar to "Network Neighbourhood", which was discovered by Texonet. It is possible for a local attacker to exploit a buffer overflow condition in resLISa, a restricted version of KLISa. The vulnerability exists in the parsing of the LOGNAME environment variable, an overly long value will overwrite the instruction pointer thereby allowing an attacker to seize control of the executable. This problem has been fixed in version 2.2.2-14.2 for the current stable distribution (woody) and in version 2.2.2-14.3 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain a kdenetwork package. We recommend that you upgrade your klisa package immediately. Debian GNU/Linux 3.0 masqmail What information can i put there? 2002-11-12 A set of buffer overflows have been discovered in masqmail, a mail transport agent for hosts without permanent internet connection. In addition to this privileges were dropped only after reading a user supplied configuration file. Together this could be exploited to gain unauthorized root access to the machine on which masqmail is installed. These problems have been fixed in version 0.1.16-2.1 for the current stable distribution (woody) and in version 0.2.15-1 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain a masqmail package. We recommend that you upgrade your masqmail package immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 apache-perl What information can i put there? 2002-11-13 According to David Wagner, iDEFENSE and the Apache HTTP Server Project, several vulnerabilities have been found in the Apache server package, a commonly used webserver. Most of the code is shared between the Apache and Apache-Perl packages, so vulnerabilities are shared as well. These vulnerabilities could allow an attacker to enact a denial of service against a server or execute a cross site scripting attack, or steal cookies from other web site users. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities: These problems have been fixed in version 1.3.26-1-1.26-0woody2 for the current stable distribution (woody), in 1.3.9-14.1-1.21.20000309-1.1 for the old stable distribution (potato) and in version 1.3.26-1.1-1.27-3-1 for the unstable distribution (sid). We recommend that you upgrade your Apache-Perl package immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 bind What information can i put there? 2002-11-14 [Bind version 9, the bind9 package, is not affected by these problems.] ISS X-Force has discovered several serious vulnerabilities in the Berkeley Internet Name Domain Server (BIND). BIND is the most common implementation of the DNS (Domain Name Service) protocol, which is used on the vast majority of DNS servers on the Internet. DNS is a vital Internet protocol that maintains a database of easy-to-remember domain names (host names) and their corresponding numerical IP addresses. Circumstantial evidence suggests that the Internet Software Consortium (ISC), maintainers of BIND, was made aware of these issues in mid-October. Distributors of Open Source operating systems, including Debian, were notified of these vulnerabilities via CERT about 12 hours before the release of the advisories on November 12th. This notification did not include any details that allowed us to identify the vulnerable code, much less prepare timely fixes. Unfortunately ISS and the ISC released their security advisories with only descriptions of the vulnerabilities, without any patches. Even though there were no signs that these exploits are known to the black-hat community, and there were no reports of active attacks, such attacks could have been developed in the meantime - with no fixes available. We can all express our regret at the inability of the ironically named Internet Software Consortium to work with the Internet community in handling this problem. Hopefully this will not become a model for dealing with security issues in the future. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities: These problems have been fixed in version 8.3.3-2.0woody1 for the current stable distribution (woody), in version 8.2.3-0.potato.3 for the previous stable distribution (potato) and in version 8.3.3-3 for the unstable distribution (sid). The fixed packages for unstable will enter the archive today. We recommend that you upgrade your bind package immediately, update to bind9, or switch to another DNS server implementation. Debian GNU/Linux 3.0 courier What information can i put there? 2002-11-15 A problem in the Courier sqwebmail package, a CGI program to grant authenticated access to local mailboxes, has been discovered. The program did not drop permissions fast enough upon startup under certain circumstances so a local shell user can execute the sqwebmail binary and manage to read an arbitrary file on the local filesystem. This problem has been fixed in version 0.37.3-2.3 for the current stable distribution (woody) and in version 0.40.0-1 for the unstable distribution (sid). The old stable distribution (potato) does not contain Courier sqwebmail packages. <code>courier-ssl</code> packages are also not affected since they don't expose an sqwebmail package. We recommend that you upgrade your sqwebmail package immediately. Debian GNU/Linux 3.0 nullmailer What information can i put there? 2002-11-18 A problem has been discovered in nullmailer, a simple relay-only mail transport agent for hosts that relay mail to a fixed set of smart relays. When a mail is to be delivered locally to a user that doesn't exist, nullmailer tries to deliver it, discovers a user unknown error and stops delivering. Unfortunately, it stops delivering entirely, not only this mail. Hence, it's very easy to craft a denial of service. This problem has been fixed in version 1.00RC5-16.1woody2 for the current stable distribution (woody) and in version 1.00RC5-17 for the unstable distribution (sid). The old stable distribution (potato) does not contain a nullmailer package. We recommend that you upgrade your nullmailer package. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 mhonarc What information can i put there? 2002-11-19 Steven Christey discovered a cross site scripting vulnerability in mhonarc, a mail to HTML converter. Carefully crafted message headers can introduce cross site scripting when mhonarc is configured to display all headers lines on the web. However, it is often useful to restrict the displayed header lines to To, From and Subject, in which case the vulnerability cannot be exploited. This problem has been fixed in version 2.5.2-1.2 for the current stable distribution (woody), in version 2.4.4-1.2 for the old stable distribution (potato) and in version 2.5.13-1 for the unstable distribution (sid). We recommend that you upgrade your mhonarc package. Debian GNU/Linux 3.0 samba What information can i put there? 2002-11-22 Steve Langasek found an exploitable bug in the password handling code in samba: when converting from DOS code-page to little endian UCS2 unicode a buffer length was not checked and a buffer could be overflowed. There is no known exploit for this, but an upgrade is strongly recommended. This problem has been fixed in version 2.2.3a-12 of the Debian samba packages and upstream version 2.2.7. Debian GNU/Linux 3.0 freeswan What information can i put there? 2002-12-02 Bindview <a href="http://razor.bindview.com/publish/advisories/adv_ipsec.html">\ discovered</a> a problem in several IPSEC implementations that do not properly handle certain very short packets. IPSEC is a set of security extensions to IP which provide authentication and encryption. Free/SWan in Debian is affected by this and is said to cause a kernel panic. This problem has been fixed in version 1.96-1.4 for the current stable distribution (woody) and in version 1.99-1 for the unstable distribution (sid). The old stable distribution (potato) does not contain Free/SWan packages. We recommend that you upgrade your freeswan package. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 im What information can i put there? 2002-12-03 Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely. These problems have been fixed in version 141-18.1 for the current stable distribution (woody), in version 133-2.2 of the old stable distribution (potato) and in version 141-20 for the unstable distribution (sid). We recommend that you upgrade your IM package. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 smb2www What information can i put there? 2002-12-04 Robert Luberda found a security problem in smb2www, a Windows Network client that is accessible through a web browser. This could lead a remote attacker to execute arbitrary programs under the user id www-data on the host where smb2www is running. This problem has been fixed in version 980804-16.1 for the current stable distribution (woody), in version 980804-8.1 of the old stable distribution (potato) and in version 980804-17 for the unstable distribution (sid). We recommend that you upgrade your smb2www package immediately. Debian GNU/Linux 3.0 kdelibs What information can i put there? 2002-12-05 The KDE team has <a href="http://www.kde.org/info/security/advisory-20021111-1.txt">\ discovered</a> a vulnerability in the support for various network protocols via the KIO. The implementation of the rlogin and telnet protocols allows a carefully crafted URL in an HTML page, HTML email or other KIO-enabled application to execute arbitrary commands on the system using the victim's account on the vulnerable machine. This problem has been fixed by disabling rlogin and telnet in version 2.2.2-13.woody.5 for the current stable distribution (woody). The old stable distribution (potato) is not affected since it doesn't contain KDE. A correction for the package in the unstable distribution (sid) is not yet available. We recommend that you upgrade your kdelibs3 package immediately. Debian GNU/Linux 3.0 tcpdump What information can i put there? 2002-12-10 The BGP decoding routines for tcpdump used incorrect bounds checking when copying data. This could be abused by introducing malicious traffic on a sniffed network for a denial of service attack against tcpdump, or possibly even remote code execution. This has been fixed in version 3.6.2-2.2. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 tetex-bin What information can i put there? 2002-12-11 The SuSE security team discovered a vulnerability in kpathsea library (libkpathsea) which is used by xdvi and dvips. Both programs call the system() function insecurely, which allows a remote attacker to execute arbitrary commands via cleverly crafted DVI files. If dvips is used in a print filter, this allows a local or remote attacker with print permission execute arbitrary code as the printer user (usually lp). This problem has been fixed in version 1.0.7+20011202-7.1 for the current stable distribution (woody), in version 1.0.6-7.3 for the old stable distribution (potato) and in version 1.0.7+20021025-4 for the unstable distribution (sid). xdvik-ja and dvipsk-ja are vulnerable as well, but link to the kpathsea library dynamically and will automatically be fixed after a new libkpathsea is installed. We recommend that you upgrade your tetex-lib package immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 perl, perl-5.004, perl-5.005 What information can i put there? 2002-12-12 A security hole has been discovered in Safe.pm which is used in all versions of Perl. The Safe extension module allows the creation of compartments in which perl code can be evaluated in a new namespace and the code evaluated in the compartment cannot refer to variables outside this namespace. However, when a Safe compartment has already been used, there's no guarantee that it is Safe any longer, because there's a way for code to be executed within the Safe compartment to alter its operation mask. Thus, programs that use a Safe compartment only once aren't affected by this bug. This problem has been fixed in version 5.6.1-8.2 for the current stable distribution (woody), in version 5.004.05-6.2 and 5.005.03-7.2 for the old stable distribution (potato) and in version 5.8.0-14 for the unstable distribution (sid). We recommend that you upgrade your Perl packages. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 wget What information can i put there? 2002-12-12 Two problems have been found in the wget package as distributed in Debian GNU/Linux: Both problems have been fixed in version 1.5.3-3.1 for Debian GNU/Linux 2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux 3.0/woody. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 lynx, lynx-ssl What information can i put there? 2002-12-13 lynx (a text-only web browser) did not properly check for illegal characters in all places, including processing of command line options, which could be used to insert extra HTTP headers in a request. For Debian GNU/Linux 2.2/potato this has been fixed in version 2.8.3-1.1 of the lynx package and version 2.8.3.1-1.1 of the lynx-ssl package. For Debian GNU/Linux 3.0/woody this has been fixed in version 2.8.4.1b-3.2 of the lynx package and version 1:2.8.4.1b-3.1 of the lynx-ssl package. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 micq What information can i put there? 2002-12-13 Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE separator causes all versions to crash. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 mysql What information can i put there? 2002-12-17 While performing an audit of MySQL e-matters found several problems: For Debian GNU/Linux 3.0/woody this has been fixed in version 3.23.49-8.2 and version 3.22.32-6.3 for Debian GNU/Linux 2.2/potato. We recommend that you upgrade your mysql packages as soon as possible. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 libpng, libpng3 What information can i put there? 2002-12-19 Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. Debian GNU/Linux 3.0 kdenetwork What information can i put there? 2002-12-20 Olaf Kirch from SuSE Linux AG discovered another vulnerability in the klisa package, that provides a LAN information service similar to "Network Neighbourhood". The lisa daemon contains a buffer overflow vulnerability which potentially enables any local user, as well as any remote attacker on the LAN who is able to gain control of the LISa port (7741 by default), to obtain root privileges. In addition, a remote attacker potentially may be able to gain access to a victim's account by using an "rlan://" URL in an HTML page or via another KDE application. This problem has been fixed in version 2.2.2-14.5 for the current stable distribution (woody) and in version 2.2.2-14.20 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain a kdenetwork package. We recommend that you upgrade your klisa package immediately. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 cyrus-imapd What information can i put there? 2002-12-23 Timo Sirainen discovered a buffer overflow in the Cyrus IMAP server, which could be exploited by a remote attacker prior to logging in. A malicious user could craft a request to run commands on the server under the UID and GID of the cyrus server. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 fetchmail What information can i put there? 2002-12-24 Stefan Esser of e-matters discovered a buffer overflow in fetchmail, an SSL enabled POP3, APOP and IMAP mail gatherer/forwarder. When fetchmail retrieves a mail all headers that contain addresses are searched for local addresses. If a hostname is missing, fetchmail appends it but doesn't reserve enough space for it. This heap overflow can be used by remote attackers to crash it or to execute arbitrary code with the privileges of the user running fetchmail. Debian GNU/Linux 2.2 Debian GNU/Linux 3.0 typespeed What information can i put there? 2002-12-27 A problem has been discovered in the typespeed, a game that lets you measure your typematic speed. By overflowing a buffer a local attacker could execute arbitrary commands under the group id games. Debian GNU/Linux 3.0 bugzilla What information can i put there? 2002-12-30 A cross site scripting vulnerability has been reported for Bugzilla, a web-based bug tracking system. Bugzilla does not properly sanitize any input submitted by users for use in quips. As a result, it is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user, in the context of the website running Bugzilla. This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. This vulnerability only affects users who have the 'quips' feature enabled and who upgraded from version 2.10 which did not exist inside of Debian. The Debian package history of Bugzilla starts with 1.13 and jumped to 2.13. However, users could have installed version 2.10 prior to the Debian package. Debian GNU/Linux 2.2 dhcpcd What information can i put there? 2002-12-31 Simon Kelly discovered a vulnerability in dhcpcd, an RFC2131 and RFC1541 compliant DHCP client daemon, that runs with root privileges on client machines. A malicious administrator of the regular or an untrusted DHCP server may execute any command with root privileges on the DHCP client machine by sending the command enclosed in shell metacharacters in one of the options provided by the DHCP server. This problem has been fixed in version 1.3.17pl2-8.1 for the old stable distribution (potato) and in version 1.3.22pl2-2 for the testing (sarge) and unstable (sid) distributions. The current stable distribution (woody) does not contain a dhcpcd package. We recommend that you upgrade your dhcpcd package (on the client machine).