Debian 5.3 2008-11-19T19:32:46.188-04:00 Debian GNU/Linux 3.0 lftp What information can i put there? 2004-01-05 Ulf Härnhammar discovered a buffer overflow in lftp, a set of sophisticated command-line FTP/HTTP client programs. An attacker could create a carefully crafted directory on a website so that the execution of an 'ls' or 'rels' command would lead to the execution of arbitrary code on the client machine. Debian GNU/Linux 3.0 ethereal What information can i put there? 2004-01-05 Several vulnerabilities were discovered upstream in ethereal, a network traffic analyzer. The Common Vulnerabilities and Exposures project identifies the following problems: A buffer overflow allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed GTP MSISDN string. Via certain malformed ISAKMP or MEGACO packets remote attackers are able to cause a denial of service (crash). A heap-based buffer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector. The SMB dissector allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of selected packets. The Q.931 dissector allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. Debian GNU/Linux 3.0 screen What information can i put there? 2004-01-05 Timo Sirainen reported a vulnerability in screen, a terminal multiplexor with VT100/ANSI terminal emulation, that can lead an attacker to gain group utmp privileges. Debian GNU/Linux 3.0 bind What information can i put there? 2004-01-05 A vulnerability was discovered in BIND, a domain name server, whereby a malicious name server could return authoritative negative responses with a large TTL (time-to-live) value, thereby rendering a domain name unreachable. A successful attack would require that a vulnerable BIND instance submit a query to a malicious nameserver. The bind9 package is not affected by this vulnerability. Debian GNU/Linux 3.0 libnids What information can i put there? 2004-01-05 A vulnerability was discovered in libnids, a library used to analyze IP network traffic, whereby a carefully crafted TCP datagram could cause memory corruption and potentially execute arbitrary code with the privileges of the user executing a program which uses libnids (such as dsniff). Debian GNU/Linux 3.0 mpg321 What information can i put there? 2004-01-05 A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). Debian GNU/Linux 3.0 nd What information can i put there? 2004-01-05 Multiple vulnerabilities were discovered in nd, a command-line WebDAV interface, whereby long strings received from the remote server could overflow fixed-length buffers. This vulnerability could be exploited by a remote attacker in control of a malicious WebDAV server to execute arbitrary code if the server was accessed by a vulnerable version of nd. Debian GNU/Linux 3.0 kernel-source-2.4.18, kernel-image-2.4.18-1-i386 What information can i put there? 2004-01-06 Paul Starzetz <a href="http://isec.pl/vulnerabilities/isec-0013-mremap.txt">discovered</A> a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug, since it doesn't support the MREMAP_FIXED flag (as <a href="http://seclists.org/lists/fulldisclosure/2004/Jan/0095.html">clarified later</A>). Debian GNU/Linux 3.0 jabber What information can i put there? 2004-01-06 A vulnerability was discovered in jabber, an instant messaging server, whereby a bug in the handling of SSL connections could cause the server process to crash, resulting in a denial of service. Debian GNU/Linux 3.0 zebra What information can i put there? 2004-01-06 Two vulnerabilities were discovered in zebra, an IP routing daemon: Debian GNU/Linux 3.0 fsp What information can i put there? 2004-01-06 A vulnerability was discovered in fsp, client utilities for File Service Protocol (FSP), whereby a remote user could both escape from the FSP root directory (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1022">CAN-2003-1022</a>), and also overflow a fixed-length buffer to execute arbitrary code (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0011">CAN-2004-0011</a>). Debian GNU/Linux 3.0 kernel-patch-2.4.18-powerpc, kernel-image-2.4.18-1-alpha What information can i put there? 2004-01-07 Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Andrew Morton discovered a missing boundary check for the brk system call which can be used to craft a local root exploit. Debian GNU/Linux 3.0 vbox3 What information can i put there? 2004-01-07 A bug was discovered in vbox3, a voice response system for isdn4linux, whereby root privileges were not properly relinquished before executing a user-supplied tcl script. By exploiting this vulnerability, a local user could gain root privileges. Debian GNU/Linux 3.0 phpgroupware What information can i put there? 2004-01-09 The authors of phpgroupware, a web based groupware system written in PHP, discovered several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following problems: In the "calendar" module, "save extension" was not enforced for holiday files. As a result, server-side php scripts may be placed in directories that then could be accessed remotely and cause the webserver to execute those. This was resolved by enforcing the extension ".txt" for holiday files. Some SQL injection problems (non-escaping of values used in SQL strings) the "calendar" and "infolog" modules. Additionally, the Debian maintainer adjusted the permissions on world writable directories that were accidentally created by former postinst during the installation. Debian GNU/Linux 3.0 jitterbug What information can i put there? 2004-01-12 Steve Kemp discovered a security related problem in jitterbug, a simple CGI based bug tracking and reporting tool. Unfortunately the program executions do not properly sanitize input, which allows an attacker to execute arbitrary commands on the server hosting the bug database. As mitigating factors these attacks are only available to non-guest users, and accounts for these people must be setup by the administrator making them "trusted". Debian GNU/Linux 3.0 mod-auth-shadow What information can i put there? 2004-01-12 David B Harris discovered a problem with mod-auth-shadow, an Apache module which authenticates users against the system shadow password database, where the expiration status of the user's account and password were not enforced. This vulnerability would allow an otherwise authorized user to successfully authenticate, when the attempt should be rejected due to the expiration parameters. Debian GNU/Linux 3.0 cvs What information can i put there? 2004-01-13 The account management of the CVS pserver (which is used to give remote access to CVS repositories) uses a <kbd>CVSROOT/passwd</kbd> file in each repository which contains the accounts and their authentication information as well as the name of the local unix account to use when a pserver account is used. Since CVS performed no checking on what unix account was specified anyone who could modify the <kbd>CVSROOT/passwd</kbd> could gain access to all local users on the CVS server, including root. This has been fixed in upstream version 1.11.11 by preventing pserver from running as root. For Debian this problem is solved in version 1.11.1p1debian-9 in two different ways: Additionally, CVS pserver had a bug in parsing module requests which could be used to create files and directories outside a repository. This has been fixed upstream in version 1.11.11 and Debian version 1.11.1p1debian-9. Finally, the umask used for &ldquo;cvs init&rdquo; and &ldquo;cvs-makerepos&rdquo; has been changed to prevent repositories from being created with group write permissions. Debian GNU/Linux 3.0 kernel-image-2.4.17-ia64 What information can i put there? 2004-01-15 The IA-64 maintainers fixed several security related bugs in the Linux kernel 2.4.17 used for the IA-64 architecture, mostly by backporting fixes from 2.4.18. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project: Multiple ethernet network interface card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption. The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process which is spawned by the kernel. The virtual file /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash). The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors. The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries. The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology. The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service. Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target. An integer overflow in brk system call (do_brk function) for Linux kernel 2.4.22 and earlier allows local users to gain root privileges. The mremap system call (do_mremap) in Linux kernel 2.4 and 2.6 does not properly perform boundary checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA. Debian GNU/Linux 3.0 mc What information can i put there? 2004-01-16 A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander. Debian GNU/Linux 3.0 tcpdump What information can i put there? 2004-01-16 Multiple vulnerabilities were discovered in tcpdump, a tool for inspecting network traffic. If a vulnerable version of tcpdump attempted to examine a maliciously constructed packet, a number of buffer overflows could be exploited to crash tcpdump, or potentially execute arbitrary code with the privileges of the tcpdump process. Debian GNU/Linux 3.0 netpbm-free What information can i put there? 2004-01-18 netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. Debian GNU/Linux 3.0 kernel-patch-2.4.17-mips What information can i put there? 2004-01-19 Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Debian GNU/Linux 3.0 slocate What information can i put there? 2004-01-20 A vulnerability was discovered in slocate, a program to index and search for files, whereby a specially crafted database could overflow a heap-based buffer. This vulnerability could be exploited by a local attacker to gain the privileges of the "slocate" group, which can access the global database containing a list of pathnames of all files on the system, including those which should only be visible to privileged users. This problem, and a category of potential similar problems, have been fixed by modifying slocate to drop privileges before reading a user-supplied database. Debian GNU/Linux 3.0 gnupg What information can i put there? 2004-01-26 Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. This update disables the use of this type of key. Debian GNU/Linux 3.0 trr19 What information can i put there? 2004-01-28 Steve Kemp discovered a problem in trr19, a type trainer application for GNU Emacs, which is written as a pair of setgid() binaries and wrapper programs which execute commands for GNU Emacs. However, the binaries don't drop privileges before executing a command, allowing an attacker to gain access to the local group games. Debian GNU/Linux 3.0 perl What information can i put there? 2004-02-01 Paul Szabo discovered a number of similar bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users. Debian GNU/Linux 3.0 crawl What information can i put there? 2004-02-03 Steve Kemp from the Debian Security Audit Project discovered a problem in crawl, another console based dungeon exploration game, in the vein of nethack and rogue. The program uses several environment variables as inputs but doesn't apply a size check before copying one of them into a fixed size buffer. Debian GNU/Linux 3.0 kernel-patch-2.4.17-mips What information can i put there? 2004-02-04 Red Hat and SuSE kernel and security teams revealed an integer overflow in the do_brk() function of the Linux kernel allows local users to gain root privileges. Debian GNU/Linux 3.0 gaim What information can i put there? 2004-02-05 Stefan Esser discovered several security related problems in Gaim, a multi-protocol instant messaging client. Not all of them are applicable for the version in Debian stable, but affected the version in the unstable distribution at least. The problems were grouped for the Common Vulnerabilities and Exposures as follows: When the Yahoo Messenger handler decodes an octal value for email notification functions two different kinds of overflows can be triggered. When the MIME decoder decoded a quoted printable encoded string for email notification two other different kinds of overflows can be triggered. These problems only affect the version in the unstable distribution. When parsing the cookies within the HTTP reply header of a Yahoo web connection a buffer overflow can happen. When parsing the Yahoo Login Webpage the YMSG protocol overflows stack buffers if the web page returns oversized values. When splitting a URL into its parts a stack overflow can be caused. These problems only affect the version in the unstable distribution. When an oversized keyname is read from a Yahoo Messenger packet a stack overflow can be triggered. When Gaim is setup to use an HTTP proxy for connecting to the server a malicious HTTP proxy can exploit it. These problems affect all versions Debian ships. However, the connection to Yahoo doesn't work in the version in Debian stable. Internally data is copied between two tokens into a fixed size stack buffer without a size check. This only affects the version of gaim in the unstable distribution. When allocating memory for AIM/Oscar DirectIM packets an integer overflow can happen, resulting in a heap overflow. This only affects the version of gaim in the unstable distribution. Debian GNU/Linux 3.0 mpg123 What information can i put there? 2004-02-06 A vulnerability was discovered in mpg123, a command-line mp3 player, whereby a response from a remote HTTP server could overflow a buffer allocated on the heap, potentially permitting execution of arbitrary code with the privileges of the user invoking mpg123. In order for this vulnerability to be exploited, mpg123 would need to request an mp3 stream from a malicious remote server via HTTP. Debian GNU/Linux 3.0 mailman What information can i put there? 2004-02-08 Several vulnerabilities have been fixed in the mailman package: The cross-site scripting vulnerabilities could allow an attacker to perform administrative operations without authorization, by stealing a session cookie. Debian GNU/Linux 3.0 cgiemail What information can i put there? 2004-02-11 A vulnerability was discovered in cgiemail, a CGI program used to email the contents of an HTML form, whereby it could be used to send email to arbitrary addresses. This type of vulnerability is commonly exploited to send unsolicited commercial email (spam). Debian GNU/Linux 3.0 kernel-source-2.4.18, kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-image-2.4.18-i386bf, kernel-patch-2.4.18-powerpc What information can i put there? 2004-02-18 Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Debian GNU/Linux 3.0 kernel-image-2.4.16-lart, kernel-image-2.4.16-netwinder, kernel-image-2.4.16-riscpc, kernel-patch-2.4.16-arm What information can i put there? 2004-02-18 Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the ARM kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. Paul Starzetz <a href="http://isec.pl/vulnerabilities/isec-0013-mremap.txt">discovered</a> a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3. Debian GNU/Linux 3.0 kernel-source-2.4.17, kernel-patch-2.4.17-apus What information can i put there? 2004-02-18 Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PowerPC/Apus kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. Paul Starzetz <a href="http://isec.pl/vulnerabilities/isec-0013-mremap.txt">discovered</a> a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3. Debian GNU/Linux 3.0 kernel-patch-2.4.17-mips What information can i put there? 2004-02-18 Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Debian GNU/Linux 3.0 kernel-patch-2.4.17-s390, kernel-image-2.4.17-s390 What information can i put there? 2004-02-19 Several security related problems have been fixed in the Linux kernel 2.4.17 used for the S/390 architecture, mostly by backporting fixes from 2.4.18 and incorporating recent security fixes. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project: The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall). Multiple ethernet network interface card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain. The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports. A vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops"). The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address. The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions. An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. Paul Starzetz <a href="http://isec.pl/vulnerabilities/isec-0013-mremap.txt">discovered</a> a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3. Debian GNU/Linux 3.0 xfree86 What information can i put there? 2004-02-19 A number of vulnerabilities have been discovered in XFree86. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project: Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084. Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083. Miscellaneous additional flaws in XFree86's handling of font files. xdm does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module. Denial-of-service attacks against the X server by clients using the GLX extension and Direct Rendering Infrastructure are possible due to unchecked client data (out-of-bounds array indexes [CAN-2004-0093] and integer signedness errors [CAN-2004-0094]). Exploitation of CAN-2004-0083, CAN-2004-0084, CAN-2004-0106, CAN-2004-0093 and CAN-2004-0094 would require a connection to the X server. By default, display managers in Debian start the X server with a configuration which only accepts local connections, but if the configuration is changed to allow remote connections, or X servers are started by other means, then these bugs could be exploited remotely. Since the X server usually runs with root privileges, these bugs could potentially be exploited to gain root privileges. No attack vector for CAN-2003-0690 is known at this time. Debian GNU/Linux 3.0 kernel-image-2.4.17-ia64 What information can i put there? 2004-02-20 Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Debian GNU/Linux 3.0 lbreakout2 What information can i put there? 2004-02-21 Ulf Härnhammar from the Debian Security Audit Project discovered a vulnerability in lbreakout2, a game, where proper bounds checking was not performed on environment variables. This bug could be exploited by a local attacker to gain the privileges of group "games". Debian GNU/Linux 3.0 synaesthesia What information can i put there? 2004-02-21 Ulf Härnhammar from the Debian Security Audit Project discovered a vulnerability in synaesthesia, a program which represents sounds visually. synaesthesia created its configuration file while holding root privileges, allowing a local user to create files owned by root and writable by the user's primary group. This type of vulnerability can usually be easily exploited to execute arbitrary code with root privileges by various means. Debian GNU/Linux 3.0 hsftp What information can i put there? 2004-02-22 Ulf Härnhammar from the Debian Security Audit Project discovered a format string vulnerability in hsftp. This vulnerability could be exploited by an attacker able to create files on a remote server with carefully crafted names, to which a user would connect using hsftp. When the user requests a directory listing, particular bytes in memory could be overwritten, potentially allowing arbitrary code to be executed with the privileges of the user invoking hsftp. Note that while hsftp is installed setuid root, it only uses these privileges to acquire locked memory, and then relinquishes them. Debian GNU/Linux 3.0 pwlib What information can i put there? 2004-02-22 Multiple vulnerabilities were discovered in pwlib, a library used to aid in writing portable applications, whereby a remote attacker could cause a denial of service or potentially execute arbitrary code. This library is most notably used in several applications implementing the H.323 teleconferencing protocol, including the OpenH323 suite, gnomemeeting and asterisk. Debian GNU/Linux 3.0 metamail What information can i put there? 2004-02-24 Ulf Härnhammar discovered two format string bugs (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0104">CAN-2004-0104</a>) and two buffer overflow bugs (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0105">CAN-2004-0105</a>) in metamail, an implementation of MIME. An attacker could create a carefully-crafted mail message which will execute arbitrary code as the victim when it is opened and parsed through metamail. We have been devoting some effort to trying to avoid shipping metamail in the future. It became unmaintainable and these are probably not the last of the vulnerabilities. Debian GNU/Linux 3.0 kernel-source-2.4.19, kernel-patch-2.4.19-mips What information can i put there? 2004-02-27 Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the mips kernel 2.4.19 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. Paul Starzetz <a href="http://isec.pl/vulnerabilities/isec-0013-mremap.txt">discovered</a> a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3. Debian GNU/Linux 3.0 xboing What information can i put there? 2004-02-27 Steve Kemp discovered a number of buffer overflow vulnerabilities in xboing, a game, which could be exploited by a local attacker to gain gid "games". Debian GNU/Linux 3.0 libapache-mod-python What information can i put there? 2004-02-29 The Apache Software Foundation announced that some versions of mod_python contain a bug which, when processing a request with a malformed query string, could cause the corresponding Apache child to crash. This bug could be exploited by a remote attacker to cause a denial of service. Debian GNU/Linux 3.0 kernel-source-2.2.20, kernel-image-2.2.20-i386, kernel-image-2.2.20-reiserfs-i386, kernel-image-2.2.20-amiga, kernel-image-2.2.20-atari, kernel-image-2.2.20-bvme6000, kernel-image-2.2.20-mac, kernel-image-2.2.20-mvme147, kernel-image-2.2.20-mvme16x, kernel-patch-2.2.20-powerpc What information can i put there? 2004-03-02 Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course. Debian GNU/Linux 3.0 kernel-source-2.2.22, kernel-image-2.2.22-alpha What information can i put there? 2004-03-02 Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course. Debian GNU/Linux 3.0 libxml, libxml2 What information can i put there? 2004-03-03 libxml2 is a library for manipulating XML files. Yuuichi Teranishi (&#23546;&#35199; &#35029;&#19968;) discovered a flaw in libxml, the GNOME XML library. When fetching a remote resource via FTP or HTTP, the library uses special parsing routines which can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml1 or libxml2 that parses remote resources and allows the attacker to craft the URL, then this flaw could be used to execute arbitrary code. Debian GNU/Linux 3.0 kernel-source-2.2.19, kernel-patch-2.2.19-arm, kernel-image-2.2.19-netwinder, kernel-image-2.2.19-riscpc What information can i put there? 2004-03-06 Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course. Debian GNU/Linux 3.0 wu-ftpd What information can i put there? 2004-03-08 Two vulnerabilities were discovered in wu-ftpd: Glenn Stewart discovered that users could bypass the directory access restrictions imposed by the restricted-gid option by changing the permissions on their home directory. On a subsequent login, when access to the user's home directory was denied, wu-ftpd would fall back to the root directory. A buffer overflow existed in wu-ftpd's code which deals with S/key authentication. Debian GNU/Linux 3.0 python2.2 What information can i put there? 2004-10-10 This security advisory corrects DSA 458-2 which caused a problem in the gethostbyaddr routine. The original advisory said: Sebastian Schmidt discovered a buffer overflow bug in Python's getaddrinfo function, which could allow an IPv6 address, supplied by a remote attacker via DNS, to overwrite memory on the stack. This bug only exists in python 2.2 and 2.2.1, and only when IPv6 support is disabled. The python2.2 package in Debian woody meets these conditions (the 'python' package does not). Debian GNU/Linux 3.0 kdelibs, kdelibs-crypto What information can i put there? 2004-03-10 A vulnerability was discovered in KDE where the path restrictions on cookies could be bypassed using encoded relative path components (e.g., "/../"). This means that a cookie which should only be sent by the browser to an application running at /app1, the browser could inadvertently include it with a request sent to /app2 on the same server. Debian GNU/Linux 3.0 sysstat What information can i put there? 2004-03-10 Alan Cox discovered that the isag utility (which graphically displays data collected by the sysstat tools), creates a temporary file without taking proper precautions. This vulnerability could allow a local attacker to overwrite files with the privileges of the user invoking isag. Debian GNU/Linux 3.0 calife What information can i put there? 2004-03-11 Leon Juranic discovered a buffer overflow related to the getpass(3) library function in calife, a program which provides super user privileges to specific users. A local attacker could potentially exploit this vulnerability, given knowledge of a local user's password and the presence of at least one entry in /etc/calife.auth, to execute arbitrary code with root privileges. Debian GNU/Linux 3.0 xitalk What information can i put there? 2004-03-12 Steve Kemp from the Debian Security Audit Project discovered a problem in xitalk, a talk intercept utility for the X Window System. A local user can exploit this problem and execute arbitrary commands under the GID utmp. This could be used by an attacker to remove traces from the utmp file. Debian GNU/Linux 3.0 samba What information can i put there? 2004-03-12 Samba, a LanManager-like file and printer server for Unix, was found to contain a vulnerability whereby a local user could use the "smbmnt" utility, which is setuid root, to mount a file share from a remote server which contained setuid programs under the control of the user. These programs could then be executed to gain privileges on the local system. Debian GNU/Linux 3.0 gdk-pixbuf What information can i put there? 2004-03-16 Thomas Kristensen discovered a vulnerability in gdk-pixbuf (binary package libgdk-pixbuf2), the GdkPixBuf image library for Gtk, that can cause the surrounding application to crash. To exploit this problem, a remote attacker could send a carefully-crafted BMP file via mail, which would cause e.g. Evolution to crash but is probably not limited to Evolution. Debian GNU/Linux 3.0 openssl,openssl094,openssl095 What information can i put there? 2004-03-17 Two vulnerabilities were discovered in openssl, an implementation of the SSL protocol, using the Codenomicon TLS Test Tool. More information can be found in the following <a href="http://www.uniras.gov.uk/vuls/2004/224012/index.htm">NISCC Vulnerability Advisory</a> and this <a href="http://www.openssl.org/news/secadv_20040317.txt">OpenSSL advisory</a>. The Common Vulnerabilities and Exposures project identified the following vulnerabilities: Null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. A bug in older versions of OpenSSL 0.9.6 that can lead to a Denial of Service attack (infinite loop). Debian GNU/Linux 3.0 kernel-source-2.2.10, kernel-image-2.2.10-powerpc-apus What information can i put there? 2004-03-18 Paul Starzetz and Wojciech Purczynski of isec.pl <a href="http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt">\ discovered</a> a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course. Debian GNU/Linux 3.0 ecartis What information can i put there? 2004-03-23 Timo Sirainen discovered two vulnerabilities in ecartis, a mailing list manager. Failure to validate user input could lead to disclosure of mailing list passwords Multiple buffer overflows Debian GNU/Linux 3.0 emil What information can i put there? 2004-03-24 Ulf Härnhammar discovered a number of vulnerabilities in emil, a filter for converting Internet mail messages. The vulnerabilities fall into two categories: Buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) the decode_uuencode function. These bugs could allow a carefully crafted email message to cause the execution of arbitrary code supplied with the message when it is acted upon by emil. Format string bugs in statements which print various error messages. The exploit potential of these bugs has not been established, and is probably configuration-dependent. Debian GNU/Linux 3.0 pam-pgsql What information can i put there? 2004-03-29 Primoz Bratanic discovered a bug in libpam-pgsql, a PAM module to authenticate using a PostgreSQL database. The library does not escape all user-supplied data that are sent to the database. An attacker could exploit this bug to insert SQL statements. Debian GNU/Linux 3.0 kernel-image-2.4.17-hppa What information can i put there? 2004-04-01 Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the hppa kernel 2.4.17 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3. Debian GNU/Linux 3.0 interchange What information can i put there? 2004-04-02 A vulnerability was discovered recently in Interchange, an e-commerce and general HTTP database display system. This vulnerability can be exploited by an attacker to expose the content of arbitrary variables. An attacker may learn SQL access information for your Interchange application and use this information to read and manipulate sensitive data. Debian GNU/Linux 3.0 fte What information can i put there? 2004-04-03 Steve Kemp and Jaguar discovered a number of buffer overflow vulnerabilities in vfte, a version of the fte editor which runs on the Linux console, found in the package fte-console. This program is setuid root in order to perform certain types of low-level operations on the console. Due to these bugs, setuid privilege has been removed from vfte, making it only usable by root. We recommend using the terminal version (in the fte-terminal package) instead, which runs on any capable terminal including the Linux console. Debian GNU/Linux 3.0 oftpd What information can i put there? 2004-04-03 A vulnerability was discovered in oftpd, an anonymous FTP server, whereby a remote attacker could cause the oftpd process to crash by specifying a large value in a PORT command. Debian GNU/Linux 3.0 squid What information can i put there? 2004-04-03 A vulnerability was discovered in squid, an Internet object cache, whereby access control lists based on URLs could be bypassed (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189">CAN-2004-0189</a>). Two other bugs were also fixed with patches squid-2.4.STABLE7-url_escape.patch (a buffer overrun which does not appear to be exploitable) and squid-2.4.STABLE7-url_port.patch (a potential denial of service). Debian GNU/Linux 3.0 kernel-image-2.4.18-hppa What information can i put there? 2004-04-05 Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PA-RISC kernel 2.4.18 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3. Please note that the source package has to include a lot of updates in order to compile the package, which wasn't possible with the old source package. Debian GNU/Linux 3.0 heimdal What information can i put there? 2004-04-06 According to a <a href="http://www.pdc.kth.se/heimdal/advisory/2004-04-01/">\ security advisory</a> from the heimdal project, heimdal, a suite of software implementing the Kerberos protocol, has "a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path." Debian GNU/Linux 3.0 xine-ui What information can i put there? 2004-04-06 Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine. This update also removes the bug reporting facility since bug reports can't be processed upstream anymore. Debian GNU/Linux 3.0 tcpdump What information can i put there? 2004-04-06 tcpdump, a tool for network monitoring and data acquisition, was found to contain two vulnerabilities whereby tcpdump could be caused to crash through attempts to read from invalid memory locations. This bug is triggered by certain invalid ISAKMP packets. Debian GNU/Linux 3.0 kernel-source-2.4.18 kernel-image-2.4.18-1-alpha kernel-image-2.4.18-1-i386 kernel-image-2.4.18-i386bf kernel-patch-2.4.18-powerpc What information can i put there? 2004-04-14 Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.18 for the alpha, i386 and powerpc architectures. The Common Vulnerabilities and Exposures project identifies the following problems that will be fixed with this update: A vulnerability has been discovered in the R128 DRI driver in the Linux kernel which could potentially lead an attacker to gain unauthorised privileges. Alan Cox and Thomas Biege developed a correction for this. Arjan van de Ven discovered a stack-based buffer overflow in the ncp_lookup function for ncpfs in the Linux kernel, which could lead an attacker to gain unauthorised privileges. Petr Vandrovec developed a correction for this. zen-parse discovered a buffer overflow vulnerability in the ISO9660 filesystem component of Linux kernel which could be abused by an attacker to gain unauthorised root access. Sebastian Krahmer and Ernie Petrides developed a correction for this. Solar Designer discovered an information leak in the ext3 code of Linux. In a worst case an attacker could read sensitive data such as cryptographic keys which would otherwise never hit disk media. Theodore Ts'o developed a correction for this. Andreas Kies discovered a denial of service condition in the Sound Blaster driver in Linux. He also developed a correction for this. These problems are also fixed by upstream in Linux 2.4.26 and will be fixed in Linux 2.6.6. The following security matrix explains which kernel versions for which architectures are already fixed. Kernel images in the unstable Debian distribution (sid) will be fixed soon. We recommend that you upgrade your kernel packages immediately, either with a Debian provided kernel or with a self compiled one. <a href="CAN-2004-0109">Vulnerability matrix</a> for CAN-2004-0109 Debian GNU/Linux 3.0 kernel-image-2.4.17-hppa kernel-image-2.4.18-hppa What information can i put there? 2004-04-14 Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 and 2.4.18 for the hppa (PA-RISC) architecture. The Common Vulnerabilities and Exposures project identifies the following problems that will be fixed with this update: A vulnerability has been discovered in the R128 DRI driver in the Linux kernel which could potentially lead an attacker to gain unauthorised privileges. Alan Cox and Thomas Biege developed a correction for this. Arjan van de Ven discovered a stack-based buffer overflow in the ncp_lookup function for ncpfs in the Linux kernel, which could lead an attacker to gain unauthorised privileges. Petr Vandrovec developed a correction for this. zen-parse discovered a buffer overflow vulnerability in the ISO9660 filesystem component of Linux kernel which could be abused by an attacker to gain unauthorised root access. Sebastian Krahmer and Ernie Petrides developed a correction for this. Solar Designer discovered an information leak in the ext3 code of Linux. In a worst case an attacker could read sensitive data such as cryptographic keys which would otherwise never hit disk media. Theodore Ts'o developed a correction for this. Andreas Kies discovered a denial of service condition in the Sound Blaster driver in Linux. He also developed a correction for this. These problems are also fixed by upstream in Linux 2.4.26 and will be fixed in Linux 2.6.6. Debian GNU/Linux 3.0 kernel-image-2.4.17-ia64 What information can i put there? 2004-04-14 Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 for the IA-64 architecture. The Common Vulnerabilities and Exposures project identifies the following problems that will be fixed with this update: A vulnerability has been discovered in the R128 DRI driver in the Linux kernel which could potentially lead an attacker to gain unauthorised privileges. Alan Cox and Thomas Biege developed a correction for this. Arjan van de Ven discovered a stack-based buffer overflow in the ncp_lookup function for ncpfs in the Linux kernel, which could lead an attacker to gain unauthorised privileges. Petr Vandrovec developed a correction for this. zen-parse discovered a buffer overflow vulnerability in the ISO9660 filesystem component of Linux kernel which could be abused by an attacker to gain unauthorised root access. Sebastian Krahmer and Ernie Petrides developed a correction for this. Solar Designer discovered an information leak in the ext3 code of Linux. In a worst case an attacker could read sensitive data such as cryptographic keys which would otherwise never hit disk media. Theodore Ts'o developed a correction for this. Andreas Kies discovered a denial of service condition in the Sound Blaster driver in Linux. He also developed a correction for this. These problems are also fixed by upstream in Linux 2.4.26 and will be fixed in Linux 2.6.6. Debian GNU/Linux 3.0 kernel-source-2.4.17 kernel-patch-2.4.17-apus kernel-patch-2.4.17-s390 kernel-image-2.4.17-s390 What information can i put there? 2004-04-14 Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 for the PowerPC/apus and S/390 architectures. The Common Vulnerabilities and Exposures project identifies the following problems that will be fixed with this update: A vulnerability has been discovered in the R128 DRI driver in the Linux kernel which could potentially lead an attacker to gain unauthorised privileges. Alan Cox and Thomas Biege developed a correction for this. Arjan van de Ven discovered a stack-based buffer overflow in the ncp_lookup function for ncpfs in the Linux kernel, which could lead an attacker to gain unauthorised privileges. Petr Vandrovec developed a correction for this. zen-parse discovered a buffer overflow vulnerability in the ISO9660 filesystem component of Linux kernel which could be abused by an attacker to gain unauthorised root access. Sebastian Krahmer and Ernie Petrides developed a correction for this. Solar Designer discovered an information leak in the ext3 code of Linux. In a worst case an attacker could read sensitive data such as cryptographic keys which would otherwise never hit disk media. Theodore Ts'o developed a correction for this. Andreas Kies discovered a denial of service condition in the Sound Blaster driver in Linux. He also developed a correction for this. These problems are also fixed by upstream in Linux 2.4.26 and will be fixed in Linux 2.6.6. The following security matrix explains which kernel versions for which architectures are already fixed. We recommend that you upgrade your kernel packages immediately, either with a Debian provided kernel or with a self compiled one. <a href="CAN-2004-0109">Vulnerability matrix</a> for CAN-2004-0109 Debian GNU/Linux 3.0 mysql What information can i put there? 2004-04-14 Two vulnerabilities have been discovered in mysql, a common database system. Two scripts contained in the package don't create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking the MySQL server, which is often the root user. The Common Vulnerabilities and Exposures identifies the following problems: The script mysqlbug in MySQL allows local users to overwrite arbitrary files via a symlink attack. The script mysqld_multi in MySQL allows local users to overwrite arbitrary files via a symlink attack. Debian GNU/Linux 3.0 xonix What information can i put there? 2004-04-14 Steve Kemp discovered a vulnerability in xonix, a game, where an external program was invoked while retaining setgid privileges. A local attacker could exploit this vulnerability to gain gid "games". Debian GNU/Linux 3.0 ssmtp What information can i put there? 2004-04-14 Max Vozeler discovered two format string vulnerabilities in ssmtp, a simple mail transport agent. Untrusted values in the functions die() and log_event() were passed to printf-like functions as format strings. These vulnerabilities could potentially be exploited by a remote mail relay to gain the privileges of the ssmtp process (including potentially root). Debian GNU/Linux 3.0 cvs What information can i put there? 2004-04-16 Two vulnerabilities have been discovered and fixed in CVS: Sebastian Krahmer discovered a vulnerability whereby a malicious CVS pserver could create arbitrary files on the client system during an update or checkout operation, by supplying absolute pathnames in RCS diffs. Derek Robert Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing "../". Debian GNU/Linux 3.0 neon What information can i put there? 2004-04-16 Multiple format string vulnerabilities were discovered in neon, an HTTP and WebDAV client library. These vulnerabilities could potentially be exploited by a malicious WebDAV server to execute arbitrary code with the privileges of the process using libneon. Debian GNU/Linux 3.0 logcheck What information can i put there? 2004-04-16 Christian Jaeger reported a bug in logcheck which could potentially be exploited by a local user to overwrite files with root privileges. logcheck utilized a temporary directory under /var/tmp without taking security precautions. While this directory is created when logcheck is installed, and while it exists there is no vulnerability, if at any time this directory is removed, the potential for exploitation exists. Debian GNU/Linux 3.0 kernel-source-2.4.17 kernel-patch-2.4.17-mips What information can i put there? 2004-04-17 Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 for the MIPS and MIPSel architectures. The Common Vulnerabilities and Exposures project identifies the following problems that will be fixed with this update: A vulnerability has been discovered in the R128 DRI driver in the Linux kernel which could potentially lead an attacker to gain unauthorised privileges. Alan Cox and Thomas Biege developed a correction for this. Arjan van de Ven discovered a stack-based buffer overflow in the ncp_lookup function for ncpfs in the Linux kernel, which could lead an attacker to gain unauthorised privileges. Petr Vandrovec developed a correction for this. zen-parse discovered a buffer overflow vulnerability in the ISO9660 filesystem component of Linux kernel which could be abused by an attacker to gain unauthorised root access. Sebastian Krahmer and Ernie Petrides developed a correction for this. Solar Designer discovered an information leak in the ext3 code of Linux. In a worst case an attacker could read sensitive data such as cryptographic keys which would otherwise never hit disk media. Theodore Ts'o developed a correction for this. Andreas Kies discovered a denial of service condition in the Sound Blaster driver in Linux. He also developed a correction for this. These problems are also fixed by upstream in Linux 2.4.26 and will be fixed in Linux 2.6.6. The following security matrix explains which kernel versions for which architectures are already fixed and which will be removed instead. We recommend that you upgrade your kernel packages immediately, either with a Debian provided kernel or with a self compiled one. <a href="CAN-2004-0109">Vulnerability matrix</a> for CAN-2004-0109 Debian GNU/Linux 3.0 zope What information can i put there? 2004-04-17 A vulnerability has been discovered in the index support of the ZCatalog plug-in in Zope, an open source web application server. A flaw in the security settings of ZCatalog allows anonymous users to call arbitrary methods of catalog indexes. The vulnerability also allows untrusted code to do the same. Debian GNU/Linux 3.0 kernel-source-2.4.19 kernel-patch-2.4.19-mips What information can i put there? 2004-04-17 Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.19 for the MIPS architecture. The Common Vulnerabilities and Exposures project identifies the following problems that will be fixed with this update: A vulnerability has been discovered in the R128 DRI driver in the Linux kernel which could potentially lead an attacker to gain unauthorised privileges. Alan Cox and Thomas Biege developed a correction for this. Arjan van de Ven discovered a stack-based buffer overflow in the ncp_lookup function for ncpfs in the Linux kernel, which could lead an attacker to gain unauthorised privileges. Petr Vandrovec developed a correction for this. zen-parse discovered a buffer overflow vulnerability in the ISO9660 filesystem component of Linux kernel which could be abused by an attacker to gain unauthorised root access. Sebastian Krahmer and Ernie Petrides developed a correction for this. Solar Designer discovered an information leak in the ext3 code of Linux. In a worst case an attacker could read sensitive data such as cryptographic keys which would otherwise never hit disk media. Theodore Ts'o developed a correction for this. Andreas Kies discovered a denial of service condition in the Sound Blaster driver in Linux. He also developed a correction for this. These problems are also fixed by upstream in Linux 2.4.26 and will be fixed in Linux 2.6.6. The following security matrix explains which kernel versions for which architectures are already fixed and which will be removed instead. We recommend that you upgrade your kernel packages immediately, either with a Debian provided kernel or with a self compiled one. <a href="CAN-2004-0109">Vulnerability matrix</a> for CAN-2004-0109 Debian GNU/Linux 3.0 iproute What information can i put there? 2004-04-18 Herbert Xu reported that local users could cause a denial of service against iproute, a set of tools for controlling networking in Linux kernels. iproute uses the netlink interface to communicate with the kernel, but failed to verify that the messages it received came from the kernel (rather than from other user processes). Debian GNU/Linux 3.0 xchat What information can i put there? 2004-04-21 A buffer overflow has been discovered in the Socks-5 proxy code of XChat, an IRC client for X similar to AmIRC. This allows an attacker to execute arbitrary code on the users' machine. Debian GNU/Linux 3.0 ident2 What information can i put there? 2004-04-21 Jack &lt;<email "jack@rapturesecurity.org">&gt; discovered a buffer overflow in ident2, an implementation of the ident protocol (RFC1413), where a buffer in the child_service function was slightly too small to hold all of the data which could be written into it. This vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the ident2 daemon (by default, the "identd" user). Debian GNU/Linux 3.0 kernel-source-2.4.16 kernel-patch-2.4.16-arm kernel-image-2.4.16-lart kernel-image-2.4.16-netwinder kernel-image-2.4.16-riscpc What information can i put there? 2004-04-26 Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.16 for the ARM architecture. The Common Vulnerabilities and Exposures project identifies the following problems that will be fixed with this update: The kernel module loader allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel. A vulnerability has been discovered in the R128 DRI driver in the Linux kernel which could potentially lead an attacker to gain unauthorised privileges. Alan Cox and Thomas Biege developed a correction for this. Arjan van de Ven discovered a stack-based buffer overflow in the ncp_lookup function for ncpfs in the Linux kernel, which could lead an attacker to gain unauthorised privileges. Petr Vandrovec developed a correction for this. zen-parse discovered a buffer overflow vulnerability in the ISO9660 filesystem component of Linux kernel which could be abused by an attacker to gain unauthorised root access. Sebastian Krahmer and Ernie Petrides developed a correction for this. Solar Designer discovered an information leak in the ext3 code of Linux. In a worst case a local attacker could obtain sensitive information (such as cryptographic keys in another worst case) which would otherwise never hit disk media. Theodore Ts'o developed a correction for this. Andreas Kies discovered a denial of service condition in the Sound Blaster driver in Linux. He also developed a correction for this. These problems are also fixed by upstream in Linux 2.4.26 and will be fixed in Linux 2.6.6. The following security matrix explains which kernel versions for which architectures are already fixed and which will be removed instead. We recommend that you upgrade your kernel packages immediately, either with a Debian provided kernel or with a self compiled one. <a href="CAN-2004-0109">Vulnerability matrix</a> for CAN-2004-0109 Debian GNU/Linux 3.0 eterm What information can i put there? 2004-04-29 H.D. Moore discovered several terminal emulator security issues. One of them covers escape codes that are interpreted by the terminal emulator. This could be exploited by an attacker to insert malicious commands hidden for the user, who has to hit enter to continue, which would also execute the hidden commands. Debian GNU/Linux 3.0 mc What information can i put there? 2004-04-29 Jacub Jelinek discovered several vulnerabilities in the Midnight Commander, a powerful file manager for GNU/Linux systems. The problems were classified as follows: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0226">CAN-2004-0226</a> Buffer overflows <br><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0231">CAN-2004-0231</a> Insecure temporary file and directory creations <br><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0232">CAN-2004-0232</a> Format string problems Debian GNU/Linux 3.0 libpng, libpng3 What information can i put there? 2004-04-30 Steve Grubb discovered a problem in the Portable Network Graphics library libpng which is utilised in several applications. When processing a broken PNG image, the error handling routine will access memory that is out of bounds when creating an error message. Depending on machine architecture, bounds checking and other protective measures, this problem could cause the program to crash if a defective or intentionally prepared PNG image file is handled by libpng. This could be used as a denial of service attack against various programs that link against this library. The following commands will show you which packages utilise this library and whose programs should probably restarted after an upgrade: The following security matrix explains which package versions will contain a correction. We recommend that you upgrade your libpng and related packages. Debian GNU/Linux 3.0 rsync What information can i put there? 2004-06-02 A vulnerability was discovered in rsync, a file transfer program, whereby a remote user could cause an rsync daemon to write files outside of the intended directory tree. This vulnerability is not exploitable when the daemon is configured with the 'chroot' option. Debian GNU/Linux 3.0 flim What information can i put there? 2004-05-01 Tatsuya Kinoshita discovered a vulnerability in flim, an emacs library for working with internet messages, where temporary files were created without taking appropriate precautions. This vulnerability could potentially be exploited by a local user to overwrite files with the privileges of the user running emacs. Debian GNU/Linux 3.0 exim What information can i put there? 2004-05-07 Georgi Guninski discovered two stack-based buffer overflows. They can not be exploited with the default configuration from the Debian system, though. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: When "sender_verify = true" is configured in exim.conf a buffer overflow can happen during verification of the sender. This problem is fixed in exim 4. When headers_check_syntax is configured in exim.conf a buffer overflow can happen during the header check. This problem does also exist in exim 4. Debian GNU/Linux 3.0 exim-tls What information can i put there? 2004-05-11 Georgi Guninski discovered two stack-based buffer overflows in exim and exim-tls. They cannot be exploited with the default configuration from the Debian system, though. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: When "sender_verify = true" is configured in exim.conf a buffer overflow can happen during verification of the sender. This problem is fixed in exim 4. <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400">CAN-2004-0400</a> <p>When headers_check_syntax is configured in exim.conf a buffer overflow can happen during the header check. This problem does also exist in exim 4. </ul> <p>For the stable distribution (woody) these problems have been fixed in version 3.35-3woody2. The unstable distribution (sid) does not contain exim-tls anymore. The functionality has been incorporated in the main exim versions which have these problems fixed in version 3.36-11 for exim 3 and in version 4.33-1 for exim 4. We recommend that you upgrade your exim-tls package. Debian GNU/Linux 3.0 mah-jong What information can i put there? 2004-05-13 A problem has been discovered in mah-jong, a variant of the original Mah-Jong game, that can be utilised to crash the game server after dereferencing a NULL pointer. This bug be exploited by any client that connects to the mah-jong server. Debian GNU/Linux 3.0 heimdal What information can i put there? 2004-05-18 Evgeny Demidov discovered a potential buffer overflow in a Kerberos 4 component of heimdal, a free implementation of Kerberos 5. The problem is present in kadmind, a server for administrative access to the Kerberos database. This problem could perhaps be exploited to cause the daemon to read a negative amount of data which could lead to unexpected behaviour. Debian GNU/Linux 3.0 cvs What information can i put there? 2004-05-19 Stefan Esser discovered a heap overflow in the CVS server, which serves the popular Concurrent Versions System. Malformed "Entry" Lines in combination with Is-modified and Unchanged can be used to overflow malloc()ed memory. This was proven to be exploitable. Debian GNU/Linux 3.0 neon What information can i put there? 2004-05-19 Stefan Esser discovered a problem in neon, an HTTP and WebDAV client library. User input is copied into variables not large enough for all cases. This can lead to an overflow of a static heap variable. Debian GNU/Linux 3.0 cadaver What information can i put there? 2004-05-19 Stefan Esser discovered a problem in neon, an HTTP and WebDAV client library, which is also present in cadaver, a command-line client for WebDAV server. User input is copied into variables not large enough for all cases. This can lead to an overflow of a static heap variable. Debian GNU/Linux 3.0 xpcd What information can i put there? 2004-05-22 Jaguar discovered a vulnerability in one component of xpcd, a PhotoCD viewer. xpcd-svga, part of xpcd which uses svgalib to display graphics on the console, would copy user-supplied data of arbitrary length into a fixed-size buffer in the pcd_open function. Debian GNU/Linux 3.0 gatos What information can i put there? 2004-05-29 Steve Kemp discovered a vulnerability in xatitv, one of the programs in the gatos package, which is used to display video with certain ATI video cards. xatitv is installed setuid root in order to gain direct access to the video hardware. It normally drops root privileges after successfully initializing itself. However, if initialization fails due to a missing configuration file, root privileges are not dropped, and xatitv executes the system(3) function to launch its configuration program without sanitizing user-supplied environment variables. By exploiting this vulnerability, a local user could gain root privileges if the configuration file does not exist. However, a default configuration file is supplied with the package, and so this vulnerability is not exploitable unless this file is removed by the administrator. Debian GNU/Linux 3.0 jftpgw What information can i put there? 2004-05-29 jaguar@felinemenace.org discovered a vulnerability in jftpgw, an FTP proxy program, whereby a remote user could potentially cause arbitrary code to be executed with the privileges of the jftpgw server process. By default, the server runs as user "nobody". <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0448">CAN-2004-0448</a>: format string vulnerability via syslog(3) in log() function Debian GNU/Linux 3.0 ethereal What information can i put there? 2004-05-30 Several buffer overflow vulnerabilities were discovered in ethereal, a network traffic analyzer. These vulnerabilities are described in the ethereal advisory "enpa-sa-00013". Of these, only some parts of <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176">CAN-2004-0176</a> affect the version of ethereal in Debian woody. <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0367">CAN-2004-0367</a> and <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0365">CAN-2004-0365</a> are not applicable to this version. Debian GNU/Linux 3.0 gallery What information can i put there? 2004-06-02 A vulnerability was discovered in gallery, a web-based photo album written in php, whereby a remote attacker could gain access to the gallery "admin" user without proper authentication. No CVE candidate was available for this vulnerability at the time of release. Debian GNU/Linux 3.0 log2mail What information can i put there? 2004-06-03 jaguar@felinemenace.org discovered a format string vulnerability in log2mail, whereby a user able to log a specially crafted message to a logfile monitored by log2mail (for example, via syslog) could cause arbitrary code to be executed with the privileges of the log2mail process. By default, this process runs as user 'log2mail', which is a member of group 'adm' (which has access to read system logfiles). <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0450">CAN-2004-0450</a>: log2mail format string vulnerability via syslog(3) in printlog() Debian GNU/Linux 3.0 kernel-source-2.2.20, kernel-image-sparc-2.2 What information can i put there? 2004-06-04 Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course. Debian GNU/Linux 3.0 lha What information can i put there? 2004-06-05 Two vulnerabilities were discovered in lha: Debian GNU/Linux 3.0 postgresql What information can i put there? 2004-06-07 A buffer overflow has been discovered in the ODBC driver of PostgreSQL, an object-relational SQL database, descended from POSTGRES. It is possible to exploit this problem and crash the surrounding application. Hence, a PHP script using php4-odbc can be utilised to crash the surrounding Apache webserver. Other parts of postgresql are not affected. Debian GNU/Linux 3.0 cvs What information can i put there? 2004-06-10 Derek Robert Price discovered a potential buffer overflow vulnerability in the CVS server, based on a malformed Entry, which serves the popular Concurrent Versions System. Debian GNU/Linux 3.0 kdelibs What information can i put there? 2004-06-14 iDEFENSE identified a vulnerability in the Opera web browser that could be used by remote attackers to create or truncate arbitrary files on the victims machine. The KDE team discovered that a similar <a href="http://www.kde.org/info/security/advisory-20040517-1.txt">\ vulnerability</a> exists in KDE. A remote attacker could entice a user to open a carefully crafted telnet URI which may either create or truncate a file in the victims home directory. In KDE 3.2 and later versions the user is first explicitly asked to confirm the opening of the telnet URI. Debian GNU/Linux 3.0 cvs What information can i put there? 2004-06-15 Sebastian Krahmer and Stefan Esser discovered several vulnerabilities in the CVS server, which serves the popular Concurrent Versions System. The Common Vulnerabilities and Exposures project identifies the following problems: Debian GNU/Linux 3.0 krb5 What information can i put there? 2004-06-16 In their advisory MITKRB5-SA-2004-001, the MIT Kerberos announced the existence of buffer overflow vulnerabilities in the krb5_aname_to_localname function. This function is only used if aname_to_localname is enabled in the configuration (this is not enabled by default). Debian GNU/Linux 3.0 sup What information can i put there? 2004-06-18 <email jaguar@felinemenace.org> discovered a format string vulnerability in sup, a set of programs to synchronize collections of files across a number of machines, whereby a remote attacker could potentially cause arbitrary code to be executed with the privileges of the supfilesrv process (this process does not run automatically by default). <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0451">\ CAN-2004-0451</a>: format string vulnerabilities in sup via syslog(3) in logquit, logerr, loginfo functions Debian GNU/Linux 3.0 super What information can i put there? 2004-06-19 Max Vozeler discovered a format string vulnerability in super, a program to allow specified users to execute commands with root privileges. This vulnerability could potentially be exploited by a local user to execute arbitrary code with root privileges. Debian GNU/Linux 3.0 www-sql What information can i put there? 2004-06-19 Ulf Härnhammar discovered a buffer overflow vulnerability in www-sql, a CGI program which enables the creation of dynamic web pages by embedding SQL statements in HTML. By exploiting this vulnerability, a local user could cause the execution of arbitrary code by creating a web page and processing it with www-sql. Debian GNU/Linux 3.0 rlpr What information can i put there? 2004-06-19 <email jaguar@felinemenace.org> discovered a format string vulnerability in rlpr, a utility for lpd printing without using /etc/printcap. While investigating this vulnerability, a buffer overflow was also discovered in related code. By exploiting one of these vulnerabilities, a local or remote user could potentially cause arbitrary code to be executed with the privileges of 1) the rlprd process (remote), or 2) root (local). <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0393">\ CAN-2004-0393</a>: format string vulnerability via syslog(3) in msg() function in rlpr <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0454">\ CAN-2004-0454</a>: buffer overflow in msg() function in rlpr Debian GNU/Linux 3.0 apache What information can i put there? 2004-06-24 Georgi Guninski discovered a buffer overflow bug in Apache's mod_proxy module, whereby a remote user could potentially cause arbitrary code to be executed with the privileges of an Apache httpd child process (by default, user www-data). Note that this bug is only exploitable if the mod_proxy module is in use. Note that this bug exists in a module in the apache-common package, shared by apache, apache-ssl and apache-perl, so this update is sufficient to correct the bug for all three builds of Apache httpd. However, on systems using apache-ssl or apache-perl, httpd will not automatically be restarted. Debian GNU/Linux 3.0 webmin What information can i put there? 2004-07-03 Two vulnerabilities were discovered in webmin: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0582">CAN-2004-0582</a>: Unknown vulnerability in Webmin 1.140 allows remote attackers to bypass access control rules and gain read access to configuration information for a module. <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0583">CAN-2004-0583</a>: The account lockout functionality in (1) Webmin 1.140 and (2) Usermin 1.070 does not parse certain character strings, which allows remote attackers to conduct a brute force attack to guess user IDs and passwords. Debian GNU/Linux 3.0 pavuk What information can i put there? 2004-07-03 Ulf Härnhammar discovered a vulnerability in pavuk, a file retrieval program, whereby an oversized HTTP 305 response sent by a malicious server could cause arbitrary code to be executed with the privileges of the pavuk process. Debian GNU/Linux 3.0 ethereal What information can i put there? 2004-07-17 Several denial of service vulnerabilities were discovered in ethereal, a network traffic analyzer. These vulnerabilities are described in the ethereal advisory "enpa-sa-00015". Of these, only one (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0635">CAN-2004-0635</a>) affects the version of ethereal in Debian woody. This vulnerability could be exploited by a remote attacker to crash ethereal with an invalid SNMP packet. Debian GNU/Linux 3.0 netkit-telnet-ssl What information can i put there? 2004-07-17 "b0f" discovered a format string vulnerability in netkit-telnet-ssl which could potentially allow a remote attacker to cause the execution of arbitrary code with the privileges of the telnet daemon (the 'telnetd' user by default). Debian GNU/Linux 3.0 l2tpd What information can i put there? 2004-07-17 Thomas Walpuski reported a buffer overflow in l2tpd, an implementation of the layer 2 tunneling protocol, whereby a remote attacker could potentially cause arbitrary code to be executed by transmitting a specially crafted packet. The exploitability of this vulnerability has not been verified. Debian GNU/Linux 3.0 php4 What information can i put there? 2004-07-20 Two vulnerabilities were discovered in php4: The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete. The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities. Debian GNU/Linux 3.0 libapache-mod-ssl What information can i put there? 2004-07-27 Two vulnerabilities were discovered in libapache-mod-ssl: Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN. Format string vulnerability in the ssl_log function in ssl_engine_log.c in mod_ssl 2.8.19 for Apache 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS. Debian GNU/Linux 3.0 courier What information can i put there? 2004-07-22 A cross-site scripting vulnerability was discovered in sqwebmail, a web mail application provided by the courier mail suite, whereby an attacker could cause web script to be executed within the security context of the sqwebmail application by injecting it via an email message. Debian GNU/Linux 3.0 mailreader What information can i put there? 2004-07-22 A directory traversal vulnerability was discovered in mailreader whereby remote attackers could view arbitrary files with the privileges of the nph-mr.cgi process (by default, www-data) via relative paths and a null byte in the configLanguage parameter. Debian GNU/Linux 3.0 squirrelmail What information can i put there? 2004-08-02 Four vulnerabilities were discovered in squirrelmail: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable. Debian GNU/Linux 3.0 libpng What information can i put there? 2004-08-04 Chris Evans discovered several vulnerabilities in libpng: Multiple buffer overflows exist, including when handling transparency chunk data, which could be exploited to cause arbitrary code to be executed when a specially crafted PNG image is processed Multiple NULL pointer dereferences in png_handle_iCPP() and elsewhere could be exploited to cause an application to crash when a specially crafted PNG image is processed Multiple integer overflows in the png_handle_sPLT(), png_read_png() functions and elsewhere could be exploited to cause an application to crash, or potentially arbitrary code to be executed, when a specially crafted PNG image is processed In addition, a bug related to <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363">CAN-2002-1363</a> was fixed: A buffer overflow could be caused by incorrect calculation of buffer offsets, possibly leading to the execution of arbitrary code Debian GNU/Linux 3.0 ruby What information can i put there? 2004-08-16 Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore, but not in Debian woody) implementations store session information insecurely. They simply create files, ignoring permission issues. This can lead an attacker who has also shell access to the webserver to take over a session. Debian GNU/Linux 3.0 rsync What information can i put there? 2004-08-17 The rsync developers have discovered a security related problem in rsync, a fast remote file copy program, which offers an attacker to access files outside of the defined directory. To exploit this path-sanitizing bug, rsync has to run in daemon mode with the chroot option being disabled. It does not affect the normal send/receive filenames that specify what files should be transferred. It does affect certain option paths that cause auxiliary files to be read or written. Debian GNU/Linux 3.0 kdelibs What information can i put there? 2004-08-17 The SUSE security team was alerted that in some cases the integrity of symlinks used by KDE are not ensured and that these symlinks can be pointing to stale locations. This can be abused by a local attacker to create or truncate arbitrary files or to prevent KDE applications from functioning correctly. Debian GNU/Linux 3.0 mysql What information can i put there? 2004-08-18 Jeroen van Wolffelaar discovered an insecure temporary file vulnerability in the mysqlhotcopy script when using the scp method which is part of the mysql-server package. Debian GNU/Linux 3.0 icecast-server What information can i put there? 2004-08-24 Markus Wörle discovered a cross site scripting problem in status-display (list.cgi) of the icecast internal webserver, an MPEG layer III streaming server. The UserAgent variable is not properly html_escaped so that an attacker could cause the client to execute arbitrary Java script commands. Debian GNU/Linux 3.0 qt-copy What information can i put there? 2004-08-30 Several vulnerabilities were discovered in recent versions of Qt, a commonly used graphic widget set, used in KDE for example. The first problem allows an attacker to execute arbitrary code, while the other two only seem to pose a denial of service danger. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: Chris Evans has discovered a heap-based overflow when handling 8-bit RLE encoded BMP files. Marcus Meissner has discovered a crash condition in the XPM handling code, which is not yet fixed in Qt 3.3. Marcus Meissner has discovered a crash condition in the GIF handling code, which is not yet fixed in Qt 3.3. Debian GNU/Linux 3.0 krb5 What information can i put there? 2004-08-31 The MIT Kerberos Development Team has discovered a number of vulnerabilities in the MIT Kerberos Version 5 software. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: A double-free error may allow unauthenticated remote attackers to execute arbitrary code on KDC or clients. Several double-free errors may allow authenticated attackers to execute arbitrary code on Kerberos application servers. A remotely exploitable denial of service vulnerability has been found in the KDC and libraries. Several double-free errors may allow remote attackers to execute arbitrary code on the server. This does not affect the version in woody. Debian GNU/Linux 3.0 webmin What information can i put there? 2004-09-14 Ludwig Nussel discovered a problem in webmin, a web-based administration toolkit. A temporary directory was used but without checking for the previous owner. This could allow an attacker to create the directory and place dangerous symbolic links inside. Debian GNU/Linux 3.0 cupsys What information can i put there? 2004-09-15 Alvaro Martinez Echevarria discovered a problem in CUPS, the Common UNIX Printing System. An attacker can easily disable browsing in CUPS by sending a specially crafted UDP datagram to port 631 where cupsd is running. Debian GNU/Linux 3.0 gdk-pixbuf What information can i put there? 2004-09-16 Chris Evans discovered several problems in gdk-pixbuf, the GdkPixBuf library used in Gtk. It is possible for an attacker to execute arbitrary code on the victims machine. Gdk-pixbuf for Gtk+1.2 is an external package. For Gtk+2.0 it's part of the main gtk package. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities: Denial of service in bmp loader. Heap-based overflow in pixbuf_create_from_xpm. Integer overflow in the ico loader. Debian GNU/Linux 3.0 imagemagick What information can i put there? 2004-09-16 Marcus Meissner from SUSE has discovered several buffer overflows in the ImageMagick graphics library. An attacker could create a malicious image or video file in AVI, BMP, or DIB format that could crash the reading process. It might be possible that carefully crafted images could also allow to execute arbitrary code with the capabilities of the invoking process. Debian GNU/Linux 3.0 imlib What information can i put there? Marcus Meissner discovered a heap overflow error in imlib, an imaging library for X and X11, that could be abused by an attacker to execute arbitrary code on the victim's machine. The updated packages we have provided in DSA 548-1 did not seem to be sufficient, which should be fixed by this update. Debian GNU/Linux 3.0 gtk+2.0 What information can i put there? 2004-09-17 Chris Evans discovered several problems in gdk-pixbuf, the GdkPixBuf library used in Gtk. It is possible for an attacker to execute arbitrary code on the victims machine. Gdk-pixbuf for Gtk+1.2 is an external package. For Gtk+2.0 it's part of the main gtk package. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities: Heap-based overflow in pixbuf_create_from_xpm. Stack-based overflow in xpm_extract_color. Integer overflow in the ico loader. Debian GNU/Linux 3.0 wv What information can i put there? 2004-09-20 iDEFENSE discovered a buffer overflow in the wv library, used to convert and preview Microsoft Word documents. An attacker could create a specially crafted document that could lead wvHtml to execute arbitrary code on the victims machine. Debian GNU/Linux 3.0 lukemftpd What information can i put there? 2004-09-21 Przemyslaw Frasunek discovered a vulnerability in tnftpd or lukemftpd respectively, the enhanced ftp daemon from NetBSD. An attacker could utilise this to execute arbitrary code on the server. Debian GNU/Linux 3.0 imlib2 What information can i put there? 2004-09-22 Marcus Meissner discovered a heap overflow error in imlib2, an imaging library for X and X11 and the successor of imlib, that may be utilised by an attacker to execute arbitrary code on the victims machine. Debian GNU/Linux 3.0 getmail What information can i put there? 2004-09-27 A security problem has been discovered in getmail, a POP3 and APOP mail gatherer and forwarder. An attacker with a shell account on the victims host could utilise getmail to overwrite arbitrary files when it is running as root. Debian GNU/Linux 3.0 sendmail What information can i put there? 2004-09-27 Hugo Espuny discovered a problem in sendmail, a commonly used program to deliver electronic mail. When installing "sasl-bin" to use sasl in connection with sendmail, the sendmail configuration script use fixed user/pass information to initialise the sasl database. Any spammer with Debian systems knowledge could utilise such a sendmail installation to relay spam. Debian GNU/Linux 3.0 freenet6 What information can i put there? 2004-09-30 Simon Josefsson noticed that the tspc.conf configuration file in freenet6, a client to configure an IPv6 tunnel to freenet6.net, is set world readable. This file can contain the username and the password used to contact the IPv6 tunnelbroker freenet6.net. Debian GNU/Linux 3.0 netkit-telnet What information can i put there? 2004-10-18 Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user). Debian GNU/Linux 3.0 rp-pppoe, pppoe What information can i put there? 2004-10-04 Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system. Debian GNU/Linux 3.0 libapache-mod-dav What information can i put there? 2004-10-06 Julian Reschke reported a problem in mod_dav of Apache 2 in connection with a NULL pointer dereference. When running in a threaded model, especially with Apache 2, a segmentation fault can take out a whole process and hence create a denial of service for the whole server. Debian GNU/Linux 3.0 net-acct What information can i put there? 2004-10-06 Stefan Nordhausen has identified a local security hole in net-acct, a user-mode IP accounting daemon. Old and redundant code from some time way back in the past created a temporary file in an insecure fashion. Debian GNU/Linux 3.0 lesstif1-1 What information can i put there? 2004-10-07 Chris Evans discovered several stack and integer overflows in the libXpm library which is included in LessTif. Debian GNU/Linux 3.0 xfree86 What information can i put there? 2004-10-11 Chris Evans discovered several stack and integer overflows in the libXpm library which is provided by X.Org, XFree86 and LessTif. Debian GNU/Linux 3.0 mysql What information can i put there? 2004-10-11 Several problems have been discovered in MySQL, a commonly used SQL database on Unix servers. The following problems have been identified by the Common Vulnerabilities and Exposures Project: Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. Debian GNU/Linux 3.0 cyrus-sasl What information can i put there? 2004-10-14 This advisory is an addition to DSA 563-1 and 563-2 which weren't able to supersede the library on sparc and arm due to a different version number for them in the stable archive. Other architectures were updated properly. Another problem was reported in connection with sendmail, though, which should be fixed with this update as well. Debian GNU/Linux 3.0 mpg123 What information can i put there? 2004-10-13 Davide Del Vecchio discovered a vulnerability in mpg123, a popular (but non-free) MPEG layer 1/2/3 audio player. A malicious MPEG layer 2/3 file could cause the header checks in mpg123 to fail, which could in turn allow arbitrary code to be executed with the privileges of the user running mpg123. Debian GNU/Linux 3.0 sox What information can i put there? 2004-10-13 Ulf Härnhammar has reported two vulnerabilities in SoX, a universal sound sample translator, which may be exploited by malicious people to compromise a user's system with a specially crafted .wav file. Debian GNU/Linux 3.0 cupsys What information can i put there? 2004-10-14 An information leak has been detected in CUPS, the Common UNIX Printing System, which may lead to the disclosure of sensitive information, such as user names and passwords which are written into log files. The used patch only eliminates the authentication information in the device URI which is logged in the error_log file. It does not eliminate the URI from the environment and process table, which is why the CUPS developers recommend that system administrators do not code authentication information in device URIs in the first place. Debian GNU/Linux 3.0 tiff What information can i put there? 2004-10-15 Several problems have been discovered in libtiff, the Tag Image File Format library for processing TIFF graphics files. An attacker could prepare a specially crafted TIFF graphic that would cause the client to execute arbitrary code or crash. The Common Vulnerabilities and Exposures Project has identified the following problems: Chris Evans discovered several problems in the RLE (run length encoding) decoders that could lead to arbitrary code execution. Matthias Clasen discovered a division by zero through an integer overflow. Dmitry V. Levin discovered several integer overflows that caused malloc issues which can result to either plain crash or memory corruption. Debian GNU/Linux 3.0 cyrus-sasl-mit What information can i put there? 2004-10-16 A vulnerability has been discovered in the Cyrus implementation of the SASL library, the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. The library honors the environment variable SASL_PATH blindly, which allows a local user to link against a malicious library to run arbitrary code with the privileges of a setuid or setgid application. The MIT version of the Cyrus implementation of the SASL library provides bindings against MIT GSSAPI and MIT Kerberos4. Debian GNU/Linux 3.0 netkit-telnet-ssl What information can i put there? 2004-10-18 Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user). Debian GNU/Linux 3.0 libpng What information can i put there? 2004-10-20 Several integer overflows have been discovered by its upstream developers in libpng, a commonly used library to display PNG graphics. They could be exploited to cause arbitrary code to be executed when a specially crafted PNG image is processed. Debian GNU/Linux 3.0 libpng3 What information can i put there? 2004-10-20 Several integer overflows have been discovered by its upstream developers in libpng, a commonly used library to display PNG graphics. They could be exploited to cause arbitrary code to be executed when a specially crafted PNG image is processed. Debian GNU/Linux 3.0 ecartis What information can i put there? 2004-10-21 A problem has been discovered in ecartis, a mailing-list manager, which allows an attacker in the same domain as the list admin to gain administrator privileges and alter list settings. Debian GNU/Linux 3.0 cupsys What information can i put there? 2004-10-21 Chris Evans discovered several integer overflows in xpdf, that are also present in CUPS, the Common UNIX Printing System, which can be exploited remotely by a specially crafted PDF document. Debian GNU/Linux 3.0 cabextract What information can i put there? 2004-10-28 The upstream developers discovered a problem in cabextract, a tool to extract cabinet files. The program was able to overwrite files in upper directories. This could lead an attacker to overwrite arbitrary files. Debian GNU/Linux 3.0 catdoc What information can i put there? 2004-10-28 A temporary file problem has been discovered in xlsview from the catdoc suite, convertors from Word to TeX and plain text, which could lead to local users being able to overwrite arbitrary files via a symlink attack on predictable temporary file names. Debian GNU/Linux 3.0 squid What information can i put there? 2004-10-29 Several security vulnerabilities have been discovered in Squid, the internet object cache, the popular WWW proxy cache. The Common Vulnerabilities and Exposures project identifies the following problems: It is possible to bypass access lists and scan arbitrary hosts and ports in the network through cachemgr.cgi, which is installed by default. This update disables this feature and introduces a configuration file (/etc/squid/cachemgr.conf) to control this behavior. The asn_parse_header function (asn1.c) in the SNMP module for Squid allows remote attackers to cause a denial of service via certain SNMP packets with negative length fields that causes a memory allocation error. Debian GNU/Linux 3.0 postgresql What information can i put there? 2004-10-29 Trustix Security Engineers identified insecure temporary file creation in a script included in the postgresql suite, an object-relational SQL database. This could lead an attacker to trick a user to overwrite arbitrary files he has write access to. Debian GNU/Linux 3.0 mpg123 What information can i put there? 2004-11-01 Carlos Barros has discovered a buffer overflow in the HTTP authentication routine of mpg123, a popular (but non-free) MPEG layer 1/2/3 audio player. If a user opened a malicious playlist or URL, an attacker might execute arbitrary code with the rights of the calling user. Debian GNU/Linux 3.0 abiword What information can i put there? 2004-11-01 A buffer overflow vulnerability has been discovered in the wv library, used for converting and previewing word documents. On exploitation an attacker could execute arbitrary code with the privileges of the user running the vulnerable application. Debian GNU/Linux 3.0 iptables What information can i put there? 2004-11-01 Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least. Debian GNU/Linux 3.0 xpdf What information can i put there? 2004-11-02 Chris Evans discovered several integer overflows in xpdf, a viewer for PDF files, which can be exploited remotely by a specially crafted PDF document and lead to the execution of arbitrary code. Debian GNU/Linux 3.0 libxml, libxml2 What information can i put there? 2004-11-02 "infamous41md" discovered several buffer overflows in libxml and libxml2, the XML C parser and toolkits for GNOME. Missing boundary checks could cause several buffers to be overflown, which may cause the client to execute arbitrary code. The following vulnerability matrix lists corrected versions of these libraries: Debian GNU/Linux 3.0 lvm10 What information can i put there? 2004-11-03 Trustix developers discovered insecure temporary file creation in a supplemental script in the lvm10 package that didn't check for existing temporary directories, allowing local users to overwrite files via a symlink attack. Debian GNU/Linux 3.0 dhcp What information can i put there? 2004-11-04 "infamous41md" noticed that the log functions in dhcp 2.x, which is still distributed in the stable Debian release, contained pass parameters to function that use format strings. One use seems to be exploitable in connection with a malicious DNS server. Debian GNU/Linux 3.0 shadow What information can i put there? 2004-11-05 A vulnerability has been discovered in the shadow suite which provides programs like chfn and chsh. It is possible for a user, who is logged in but has an expired password to alter his account information with chfn or chsh without having to change the password. The problem was originally thought to be more severe. Debian GNU/Linux 3.0 ruby What information can i put there? 2004-11-08 The upstream developers of Ruby have corrected a problem in the CGI module for this language. Specially crafted requests could cause an infinite loop and thus cause the program to eat up cpu cycles. Debian GNU/Linux 3.0 freeamp What information can i put there? 2004-11-08 Luigi Auriemma discovered a buffer overflow condition in the playlist module of freeamp which could lead to arbitrary code execution. Recent versions of freeamp were renamed into zinf. Debian GNU/Linux 3.0 gzip What information can i put there? 2004-11-08 Trustix developers discovered insecure temporary file creation in supplemental scripts in the gzip package which may allow local users to overwrite files via a symlink attack. Debian GNU/Linux 3.0 libgd What information can i put there? 2004-11-09 "infamous41md" discovered several integer overflows in the PNG image decoding routines of the GD graphics library. This could lead to the execution of arbitrary code on the victim's machine. Debian GNU/Linux 3.0 gnats What information can i put there? 2004-11-09 Khan Shirani discovered a format string vulnerability in gnats, the GNU problem report management system. This problem may be exploited to execute arbitrary code. Debian GNU/Linux 3.0 libgd2 What information can i put there? 2004-11-09 "infamous41md" discovered several integer overflows in the PNG image decoding routines of the GD graphics library. This could lead to the execution of arbitrary code on the victim's machine. Debian GNU/Linux 3.0 ez-ipupdate What information can i put there? 2004-11-12 Ulf Härnhammar from the Debian Security Audit Project discovered a format string vulnerability in ez-ipupdate, a client for many dynamic DNS services. This problem can only be exploited if ez-ipupdate is running in daemon mode (most likely) with many but not all service types. Debian GNU/Linux 3.0 imagemagick What information can i put there? 2004-11-16 A vulnerability has been reported for ImageMagick, a commonly used image manipulation library. Due to a boundary error within the EXIF parsing routine, a specially crafted graphic image could lead to the execution of arbitrary code. Debian GNU/Linux 3.0 apache What information can i put there? 2004-11-17 Two vulnerabilities have been identified in the Apache 1.3 webserver: "Crazy Einstein" has discovered a vulnerability in the "mod_include" module, which can cause a buffer to be overflown and could lead to the execution of arbitrary code. Larry Cashdollar has discovered a potential buffer overflow in the htpasswd utility, which could be exploited when user-supplied is passed to the program via a CGI (or PHP, or ePerl, ...) program. Debian GNU/Linux 3.0 bnc What information can i put there? 2004-11-24 Leon Juranic discovered that BNC, an IRC session bouncing proxy, does not always protect buffers from being overwritten. This could exploited by a malicious IRC server to overflow a buffer of limited size and execute arbitrary code on the client host. Debian GNU/Linux 3.0 sudo What information can i put there? 2004-11-24 Liam Helmer noticed that sudo, a program that provides limited super user privileges to specific users, does not clean the environment sufficiently. Bash functions and the CDPATH variable are still passed through to the program running as privileged user, leaving possibilities to overload system routines. These vulnerabilities can only be exploited by users who have been granted limited super user privileges. Debian GNU/Linux 3.0 cyrus-imapd What information can i put there? 2004-11-25 Stefan Esser discovered several security related problems in the Cyrus IMAP daemon. Due to a bug in the command parser it is possible to access memory beyond the allocated buffer in two places which could lead to the execution of arbitrary code. Debian GNU/Linux 3.0 yardradius What information can i put there? 2004-11-25 Max Vozeler noticed that yardradius, the YARD radius authentication and accounting server, contained a stack overflow similar to the one from radiusd which is referenced as <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0534">CAN-2001-0534</a>. This could lead to the execution of arbitrary code as root. Debian GNU/Linux 3.0 tetex-bin What information can i put there? 2004-11-25 Chris Evans discovered several integer overflows in xpdf, that are also present in tetex-bin, binary files for the teTeX distribution, which can be exploited remotely by a specially crafted PDF document and lead to the execution of arbitrary code. Debian GNU/Linux 3.0 samba What information can i put there? 2004-10-07 A vulnerability has been discovered in samba, a commonly used LanManager-like file and printer server for Unix. A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection, though. Debian GNU/Linux 3.0 libgd1 What information can i put there? 2004-11-29 More potential integer overflows have been found in the GD graphics library which weren't covered by our security advisory <a href="dsa-589">DSA 589</a>. They could be exploited by a specially crafted graphic and could lead to the execution of arbitrary code on the victim's machine. Debian GNU/Linux 3.0 libgd2 What information can i put there? 2004-11-29 More potential integer overflows have been found in the GD graphics library which weren't covered by our security advisory <a href="dsa-591">DSA 591</a>. They could be exploited by a specially crafted graphic and could lead to the execution of arbitrary code on the victim's machine. Debian GNU/Linux 3.0 openssl What information can i put there? 2004-12-01 Trustix developers discovered insecure temporary file creation in a supplemental script (der_chop) of the openssl package which may allow local users to overwrite files via a symlink attack. Debian GNU/Linux 3.0 hpsockd What information can i put there? 2004-12-03 "infamous41md" discovered a buffer overflow condition in hpsockd, the socks server written at Hewlett-Packard. An exploit could cause the program to crash or may have worse effect. Debian GNU/Linux 3.0 viewcvs What information can i put there? 2004-12-06 Haris Sehic discovered several vulnerabilities in viewcvs, a utility for viewing CVS and Subversion repositories via HTTP. When exporting a repository as a tar archive the hide_cvsroot and forbidden settings were not honoured enough. When upgrading the package for woody, please make a copy of your /etc/viewcvs/viewcvs.conf file if you have manually edited this file. Upon upgrade the debconf mechanism may alter it in a way so that viewcvs doesn't understand it anymore. Debian GNU/Linux 3.0 nfs-utils What information can i put there? 2004-12-08 SGI has discovered that rpc.statd from the nfs-utils package, the Network Status Monitor, did not ignore the "SIGPIPE". Hence, a client prematurely terminating the TCP connection could also terminate the server process. Debian GNU/Linux 3.0 xfree86 What information can i put there? 2004-12-10 Several developers have discovered a number of problems in the libXpm library which is provided by X.Org, XFree86 and LessTif. These bugs can be exploited by remote and/or local attackers to gain access to the system or to escalate their local privileges, by using a specially crafted XPM image.