author Neil McGovern <neilm@debian.org> 2005-09-03 15:02:10 +0000
committer Neil McGovern <neilm@debian.org> 2005-09-03 15:02:10 +0000
commit 5984e4102b14619e00ecd7edb47892715b6b4369 (patch)
tree e91eb9a734cc902c794b89b3f154abede641feb6 /website
parent 0e713fcf86a7f235a9de8f6b257fafcc1bfc17f0 (diff)
We now list DTSAs online. Hopefully.
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@1798 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'website')
-rw-r--r-- website/DTSA/DTSA-1-1.html 54
-rw-r--r-- website/DTSA/DTSA-10-1.html 51
-rw-r--r-- website/DTSA/DTSA-11-1.html 47
-rw-r--r-- website/DTSA/DTSA-2-1.html 68
-rw-r--r-- website/DTSA/DTSA-3-1.html 78
-rw-r--r-- website/DTSA/DTSA-4-1.html 74
-rw-r--r-- website/DTSA/DTSA-5-1.html 63
-rw-r--r-- website/DTSA/DTSA-6-1.html 60
-rw-r--r-- website/DTSA/DTSA-7-1.html 49
-rw-r--r-- website/DTSA/DTSA-8-2.html 127
-rw-r--r-- website/DTSA/DTSA-9-1.html 44
-rw-r--r-- website/index.html 6
-rw-r--r-- website/list.html 21
13 files changed, 741 insertions, 1 deletions
diff --git a/website/DTSA/DTSA-1-1.html b/website/DTSA/DTSA-1-1.html
new file mode 100644
index 0000000000..0eab116b4d
--- /dev/null
+++ b/website/DTSA/DTSA-1-1.html
@@ -0,0 +1,54 @@
+<h2>DTSA-1-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 26th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:kismet'>kismet</a></dd>
+<dt>Vulnerability:</dt>
+<dd>various</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2626'>CAN-2005-2626</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2627'>CAN-2005-2627</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>Multiple security holes have been discovered in kismet:&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2627&nbsp;<br>
+&nbsp;<br>
+Multiple integer underflows in Kismet allow remote attackers to execute&nbsp;<br>
+arbitrary code via (1) kernel headers in a pcap file or (2) data frame&nbsp;<br>
+dissection, which leads to heap-based buffer overflows.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2626&nbsp;<br>
+&nbsp;<br>
+Unspecified vulnerability in Kismet allows remote attackers to have an&nbsp;<br>
+unknown impact via unprintable characters in the SSID.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 2005.08.R1-0.1etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 2005.08.R1-1</dt>
+<br><dt>This upgrade is recommended if you use kismet.<dt>
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install kismet</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
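Review bot: Several closing tags are wrong in the tail of this page: the "This upgrade is recommended if you use kismet.", "To use the Debian testing security archive" and "The archive signing key can be downloaded from" lines end with a second <dt> where </dt> is meant, the key link line ends with <dd> where </dd> is meant, and the <dl> opened on the second line is never closed in the 54 lines added. The apt-get line also carries a raw "&&", which should be written "&amp;&amp;" in HTML. The same lines recur in the other DTSA pages of this commit, so if they come from a shared template the fix belongs there.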
diff --git a/website/DTSA/DTSA-10-1.html b/website/DTSA/DTSA-10-1.html
new file mode 100644
index 0000000000..0c14f49b57
--- /dev/null
+++ b/website/DTSA/DTSA-10-1.html
@@ -0,0 +1,51 @@
+<h2>DTSA-10-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 29th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:pcre3'>pcre3</a></dd>
+<dt>Vulnerability:</dt>
+<dd>buffer overflow</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491'>CAN-2005-2491</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>An integer overflow in pcre_compile.c in Perl Compatible Regular Expressions&nbsp;<br>
+(PCRE) allows attackers to execute arbitrary code via quantifier values in&nbsp;<br>
+regular expressions, which leads to a heap-based buffer overflow.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 6.3-0.1etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 6.3-1</dt>
+<br><dt>This upgrade is recommended if you use pcre3.<dt>
+<br><dt>-Before installing the update, please note that you will need to restart all
+daemons that link with libpcre3 for the security fix to be used. Either
+reboot your machine after the upgrade, or make a list of processes that are
+using libpcre3, and restart them after the upgrade. To generate the list,
+run this command before you upgrade:</dt>
+<dd>lsof /usr/lib/libpcre.so.3<dd>
+
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install libpcre3</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
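Review bot: The restart notice begins with a stray "-" ("<dt>-Before installing the update"), which will show up in the rendered page, and the lsof line ends with <dd> where </dd> is meant. Suggest dropping the "-" and closing the element, so the command reads as "<dd>lsof /usr/lib/libpcre.so.3</dd>".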
diff --git a/website/DTSA/DTSA-11-1.html b/website/DTSA/DTSA-11-1.html
new file mode 100644
index 0000000000..ea4f16841b
--- /dev/null
+++ b/website/DTSA/DTSA-11-1.html
@@ -0,0 +1,47 @@
+<h2>DTSA-11-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 29th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:maildrop'>maildrop</a></dd>
+<dt>Vulnerability:</dt>
+<dd>local privilege escalation</dd>
+<dt>Problem-Scope:</dt>
+<dd>local</dd>
+<dt>Debian-specific:</dt>
+<dd>Yes<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2655'>CAN-2005-2655</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>The lockmail binary shipped with maildrop allows for an attacker to&nbsp;<br>
+obtain an effective gid as group "mail". Debian ships the binary with its&nbsp;<br>
+setgid bit set, but the program does not drop privileges when run. It takes&nbsp;<br>
+an argument that is executed, and since it does not drop privileges, an&nbsp;<br>
+attacker can execute an arbitrary command with an effective gid of the "mail"&nbsp;<br>
+group.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 1.5.3-1.1etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 1.5.3-2</dt>
+<br><dt>This upgrade is recommended if you use maildrop.<dt>
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install maildrop</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
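Review bot: The archive signing key near the end of the page is linked over plain http and the page gives no fingerprint for it, so a reader has nothing to check the downloaded key against before trusting the sources.list lines just above. Suggest printing the key's fingerprint next to the link. This applies equally to the other DTSA pages in this commit, which carry the same block.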
diff --git a/website/DTSA/DTSA-2-1.html b/website/DTSA/DTSA-2-1.html
new file mode 100644
index 0000000000..4f6dd20313
--- /dev/null
+++ b/website/DTSA/DTSA-2-1.html
@@ -0,0 +1,68 @@
+<h2>DTSA-2-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:centericq'>centericq</a></dd>
+<dt>Vulnerability:</dt>
+<dd>multiple vulnerabilities</dd>
+<dt>Problem-Scope:</dt>
+<dd>local and remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2448'>CAN-2005-2448</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370'>CAN-2005-2370</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2369'>CAN-2005-2369</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1914'>CAN-2005-1914</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>centericq in testing is vulnerable to multiple security holes:&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2448&nbsp;<br>
+&nbsp;<br>
+Multiple endianness errors in libgadu, which is embedded in centericq,&nbsp;<br>
+allow remote attackers to cause a denial of service (invalid behaviour in&nbsp;<br>
+applications) on big-endian systems.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2370&nbsp;<br>
+&nbsp;<br>
+Multiple memory alignment errors in libgadu, which is embedded in&nbsp;<br>
+centericq, allows remote attackers to cause a denial of service (bus error)&nbsp;<br>
+on certain architectures such as SPARC via an incoming message.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2369&nbsp;<br>
+&nbsp;<br>
+Multiple integer signedness errors in libgadu, which is embedded in&nbsp;<br>
+centericq, may allow remote attackers to cause a denial of service&nbsp;<br>
+or execute arbitrary code.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-1914&nbsp;<br>
+&nbsp;<br>
+centericq creates temporary files with predictable file names, which&nbsp;<br>
+allows local users to overwrite arbitrary files via a symlink attack.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 4.20.0-8etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 4.20.0-9</dt>
+<br><dt>This upgrade is recommended if you use centericq.<dt>
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install centericq</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
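Review bot: Typo in the closing paragraph: "for then stable (sarge)" should read "for the stable (sarge)". In the CAN-2005-2370 text, "Multiple memory alignment errors ... allows remote attackers" should use "allow", matching the CAN-2005-2448 paragraph above it. The "then stable" typo is repeated in every DTSA page added here.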
diff --git a/website/DTSA/DTSA-3-1.html b/website/DTSA/DTSA-3-1.html
new file mode 100644
index 0000000000..5c35002f92
--- /dev/null
+++ b/website/DTSA/DTSA-3-1.html
@@ -0,0 +1,78 @@
+<h2>DTSA-3-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:clamav'>clamav</a></dd>
+<dt>Vulnerability:</dt>
+<dd>denial of service and privilege escalation</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2070'>CAN-2005-2070</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1923'>CAN-2005-1923</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2056'>CAN-2005-2056</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1922'>CAN-2005-1922</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2450'>CAN-2005-2450</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>Multiple security holes were found in clamav:&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2070&nbsp;<br>
+&nbsp;<br>
+The ClamAV Mail fILTER (clamav-milter), when used in Sendmail using long&nbsp;<br>
+timeouts, allows remote attackers to cause a denial of service by keeping&nbsp;<br>
+an open connection, which prevents ClamAV from reloading.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-1923&nbsp;<br>
+&nbsp;<br>
+The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) allows remote&nbsp;<br>
+attackers to cause a denial of service (CPU consumption by infinite loop)&nbsp;<br>
+via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff,&nbsp;<br>
+which causes a zero-length read.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2056&nbsp;<br>
+&nbsp;<br>
+The Quantum archive decompressor in Clam AntiVirus (ClamAV) allows remote&nbsp;<br>
+attackers to cause a denial of service (application crash) via a crafted&nbsp;<br>
+Quantum archive.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-1922&nbsp;<br>
+&nbsp;<br>
+The MS-Expand file handling in Clam AntiVirus (ClamAV) allows remote&nbsp;<br>
+attackers to cause a denial of service (file descriptor and memory&nbsp;<br>
+consumption) via a crafted file that causes repeated errors in the&nbsp;<br>
+cli_msexpand function.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2450&nbsp;<br>
+&nbsp;<br>
+Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file&nbsp;<br>
+format processors in libclamav for Clam AntiVirus (ClamAV) allow remote&nbsp;<br>
+attackers to gain privileges via a crafted e-mail message.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 0.86.2-4etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 0.86.2-1</dt>
+<br><dt>This upgrade is recommended if you use clamav.<dt>
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get upgrade</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
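Review bot: The fixed versions look inconsistent: the etch version 0.86.2-4etch1 sorts higher than the sid version 0.86.2-1 under dpkg version comparison, so apt would not replace the etch package with that sid version. Please confirm both numbers. Separately, the update command here is "apt-get update && apt-get upgrade", which upgrades every package rather than the affected ones; the other advisories name the packages in an "apt-get install" line, and this one should probably do the same. Minor: "ClamAV Mail fILTER" in the CAN-2005-2070 text has odd capitalisation.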
diff --git a/website/DTSA/DTSA-4-1.html b/website/DTSA/DTSA-4-1.html
new file mode 100644
index 0000000000..fc298731f1
--- /dev/null
+++ b/website/DTSA/DTSA-4-1.html
@@ -0,0 +1,74 @@
+<h2>DTSA-4-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:ekg'>ekg</a></dd>
+<dt>Vulnerability:</dt>
+<dd>multiple vulnerabilities</dd>
+<dt>Problem-Scope:</dt>
+<dd>local and remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1916'>CAN-2005-1916</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1851'>CAN-2005-1851</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1850'>CAN-2005-1850</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1852'>CAN-2005-1852</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2448'>CAN-2005-2448</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>Multiple vulnerabilities were discovered in ekg:&nbsp;<br>
+&nbsp;<br>
+CAN-2005-1916&nbsp;<br>
+&nbsp;<br>
+Eric Romang discovered insecure temporary file creation and arbitrary&nbsp;<br>
+command execution in a contributed script that can be exploited by a local&nbsp;<br>
+attacker.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-1851&nbsp;<br>
+&nbsp;<br>
+Marcin Owsiany and Wojtek Kaniewski discovered potential shell command&nbsp;<br>
+injection in a contributed script.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-1850&nbsp;<br>
+&nbsp;<br>
+Marcin Owsiany and Wojtek Kaniewski discovered insecure temporary file&nbsp;<br>
+creation in contributed scripts.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-1852&nbsp;<br>
+&nbsp;<br>
+Multiple integer overflows in libgadu, as used in ekg, allows remote&nbsp;<br>
+attackers to cause a denial of service (crash) and possibly execute&nbsp;<br>
+arbitrary code via an incoming message.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2448&nbsp;<br>
+&nbsp;<br>
+Multiple endianness errors in libgadu in ekg allow remote attackers to&nbsp;<br>
+cause a denial of service (invalid behaviour in applications) on&nbsp;<br>
+big-endian systems.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 1:1.5+20050808+1.6rc3-0etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 1:1.5+20050808+1.6rc3-1</dt>
+<br><dt>This upgrade is recommended if you use ekg.<dt>
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install libgadu3 ekg</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
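Review bot: The update command installs "libgadu3 ekg", but the header lists only ekg as the affected package and the recommendation line says "if you use ekg". Since CAN-2005-1852 and CAN-2005-2448 are described as libgadu issues, users who have libgadu3 installed without ekg would not know this advisory applies to them; suggest naming libgadu3 in the recommendation as well. Also "Multiple integer overflows in libgadu ... allows" should use "allow".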
diff --git a/website/DTSA/DTSA-5-1.html b/website/DTSA/DTSA-5-1.html
new file mode 100644
index 0000000000..9942eebe8c
--- /dev/null
+++ b/website/DTSA/DTSA-5-1.html
@@ -0,0 +1,63 @@
+<h2>DTSA-5-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:gaim'>gaim</a></dd>
+<dt>Vulnerability:</dt>
+<dd>multiple remote vulnerabilities</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102'>CAN-2005-2102</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370'>CAN-2005-2370</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103'>CAN-2005-2103</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>Multiple security holes were found in gaim:&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2102&nbsp;<br>
+&nbsp;<br>
+The AIM/ICQ module in Gaim allows remote attackers to cause a denial of&nbsp;<br>
+service (application crash) via a filename that contains invalid UTF-8&nbsp;<br>
+characters.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2370&nbsp;<br>
+&nbsp;<br>
+Multiple memory alignment errors in libgadu, as used in gaim and other&nbsp;<br>
+packages, allow remote attackers to cause a denial of service (bus error)&nbsp;<br>
+on certain architectures such as SPARC via an incoming message.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2103&nbsp;<br>
+&nbsp;<br>
+Buffer overflow in the AIM and ICQ module in Gaim allows remote attackers&nbsp;<br>
+to cause a denial of service (application crash) and possibly execute&nbsp;<br>
+arbitrary code via an away message with a large number of AIM substitution&nbsp;<br>
+strings, such as %t or %n.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 1:1.4.0-5etch2</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 1:1.4.0-5</dt>
+<br><dt>This upgrade is recommended if you use gaim.<dt>
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install gaim</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
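Review bot: The etch version 1:1.4.0-5etch2 sorts higher than the sid version 1:1.4.0-5 under dpkg version comparison, unlike the other advisories in this commit where the etch version sorts below the sid one (for example 4.20.0-8etch1 and 4.20.0-9 for centericq). Please confirm the two version strings, and if they are correct, consider a line explaining the ordering so readers tracking sid are not confused.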
diff --git a/website/DTSA/DTSA-6-1.html b/website/DTSA/DTSA-6-1.html
new file mode 100644
index 0000000000..847e472d74
--- /dev/null
+++ b/website/DTSA/DTSA-6-1.html
@@ -0,0 +1,60 @@
+<h2>DTSA-6-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:cgiwrap'>cgiwrap</a></dd>
+<dt>Vulnerability:</dt>
+<dd>multiple vulnerabilities</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name='></a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>Javier Fernández-Sanguino Peña discovered various vulnerabilities in cgiwrap:&nbsp;<br>
+&nbsp;<br>
+Minimum UID does not include all system users&nbsp;<br>
+&nbsp;<br>
+The CGIwrap program will not seteuid itself to uids below the 'minimum' uid&nbsp;<br>
+to prevent scripts from being misused to compromise the system. However,&nbsp;<br>
+the Debian package sets the minimum uid to 100 when it should be 1000.&nbsp;<br>
+&nbsp;<br>
+CGIs can be used to disclose system information&nbsp;<br>
+&nbsp;<br>
+The cgiwrap (and php-cgiwrap) package installs some debugging CGIs&nbsp;<br>
+(actually symbolink links, which link to cgiwrap and are called 'cgiwrap'&nbsp;<br>
+and 'nph-cgiwrap' or link to php-cgiwrap). These CGIs should not be&nbsp;<br>
+installed in production environments as they disclose internal and&nbsp;<br>
+potentially sensible information.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 3.9-3.0etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 3.9-3.1</dt>
+<br><dt>This upgrade is recommended if you use cgiwrap.<dt>
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dt>If you use cgiwrap:</dt>
+<dd>apt-get update && apt-get install cgiwrap</dd>
+<dd>If you use php-cgiwrap:<dd>
+<dt>apt-get update && apt-get install php-cgiwrap</dt>
+
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
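Review bot: Two markup problems specific to this page. The CVE entry is an empty link ("cvename.cgi?name='></a>"), which renders as a blank line under the "CVE:" label and points at a query with no name; if no identifier is assigned, say so in text and omit the link. In the update instructions the php-cgiwrap pair is inverted: the label "If you use php-cgiwrap:" is in an unclosed <dd> and the command "apt-get update && apt-get install php-cgiwrap" is in a <dt>, the reverse of the cgiwrap pair above it. Spelling: "symbolink links" should be "symbolic links", and "potentially sensible information" is presumably meant as "sensitive".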
diff --git a/website/DTSA/DTSA-7-1.html b/website/DTSA/DTSA-7-1.html
new file mode 100644
index 0000000000..53293e8397
--- /dev/null
+++ b/website/DTSA/DTSA-7-1.html
@@ -0,0 +1,49 @@
+<h2>DTSA-7-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 28th, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:mozilla'>mozilla</a></dd>
+<dt>Vulnerability:</dt>
+<dd>frame injection spoofing</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718'>CAN-2004-0718</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1937'>CAN-2005-1937</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>A vulnerability has been discovered in Mozilla that allows remote attackers&nbsp;<br>
+to inject arbitrary Javascript from one page into the frameset of another&nbsp;<br>
+site. Thunderbird is not affected by this and Galeon will be automatically&nbsp;<br>
+fixed as it uses Mozilla components. Mozilla Firefox is vulnerable and will&nbsp;<br>
+be covered by a separate advisory.&nbsp;<br>
+&nbsp;<br>
+Note that this is the same security fix put into stable in DSA-777.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 2:1.7.8-1sarge1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 2:1.7.10-1</dt>
+<br><dt>This upgrade is recommended if you use mozilla.<dt>
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install mozilla</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
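Review bot: The fixed version given for the testing distribution (etch) is 2:1.7.8-1sarge1, which carries a sarge suffix where the other advisories in this commit use an etch suffix. The text says this is the same security fix put into stable in DSA-777, so it may be intentional that the stable package is reused, but the page should state that explicitly; otherwise it reads as a copy error.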
diff --git a/website/DTSA/DTSA-8-2.html b/website/DTSA/DTSA-8-2.html
new file mode 100644
index 0000000000..c77dec90b1
--- /dev/null
+++ b/website/DTSA/DTSA-8-2.html
@@ -0,0 +1,127 @@
+<h2>DTSA-8-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>September 1st, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:mozilla-firefox'>mozilla-firefox</a></dd>
+<dt>Vulnerability:</dt>
+<dd>several vulnerabilities (update)</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718'>CAN-2004-0718</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1937'>CAN-2005-1937</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2260'>CAN-2005-2260</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2261'>CAN-2005-2261</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2262'>CAN-2005-2262</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2263'>CAN-2005-2263</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2264'>CAN-2005-2264</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2265'>CAN-2005-2265</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2266'>CAN-2005-2266</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2267'>CAN-2005-2267</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2268'>CAN-2005-2268</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2269'>CAN-2005-2269</a>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2270'>CAN-2005-2270</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>We experienced that the update for Mozilla Firefox from DTSA-8-1&nbsp;<br>
+unfortunately was a regression in several cases. Since the usual&nbsp;<br>
+praxis of backporting apparently does not work, this update is&nbsp;<br>
+basically version 1.0.6 with the version number rolled back, and hence&nbsp;<br>
+still named 1.0.4-*. For completeness below is the original advisory&nbsp;<br>
+text:&nbsp;<br>
+&nbsp;<br>
+Several problems were discovered in Mozilla Firefox:&nbsp;<br>
+&nbsp;<br>
+CAN-2004-0718 CAN-2005-1937&nbsp;<br>
+&nbsp;<br>
+A vulnerability has been discovered in Mozilla Firefox that allows remote&nbsp;<br>
+attackers to inject arbitrary Javascript from one page into the frameset of&nbsp;<br>
+another site.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2260&nbsp;<br>
+&nbsp;<br>
+The browser user interface does not properly distinguish between&nbsp;<br>
+user-generated events and untrusted synthetic events, which makes it easier&nbsp;<br>
+for remote attackers to perform dangerous actions that normally could only be&nbsp;<br>
+performed manually by the user.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2261&nbsp;<br>
+&nbsp;<br>
+XML scripts ran even when Javascript disabled.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2262&nbsp;<br>
+&nbsp;<br>
+The user can be tricked to executing arbitrary JavaScript code by using a&nbsp;<br>
+JavaScript URL as wallpaper.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2263&nbsp;<br>
+&nbsp;<br>
+It is possible for a remote attacker to execute a callback function in the&nbsp;<br>
+context of another domain (i.e. frame).&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2264&nbsp;<br>
+&nbsp;<br>
+By opening a malicious link in the sidebar it is possible for remote&nbsp;<br>
+attackers to steal sensitive information.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2265&nbsp;<br>
+&nbsp;<br>
+Missing input sanitising of InstallVersion.compareTo() can cause the&nbsp;<br>
+application to crash.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2266&nbsp;<br>
+&nbsp;<br>
+Remote attackers could steal sensitive information such as cookies and&nbsp;<br>
+passwords from web sites by accessing data in alien frames.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2267&nbsp;<br>
+&nbsp;<br>
+By using standalone applications such as Flash and QuickTime to open a&nbsp;<br>
+javascript: URL, it is possible for a remote attacker to steal sensitive&nbsp;<br>
+information and possibly execute arbitrary code.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2268&nbsp;<br>
+&nbsp;<br>
+It is possible for a Javascript dialog box to spoof a dialog box from a&nbsp;<br>
+trusted site and facilitates phishing attacks.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2269&nbsp;<br>
+&nbsp;<br>
+Remote attackers could modify certain tag properties of DOM nodes that could&nbsp;<br>
+lead to the execution of arbitrary script or code.&nbsp;<br>
+&nbsp;<br>
+CAN-2005-2270&nbsp;<br>
+&nbsp;<br>
+The Mozilla browser family does not properly clone base objects, which allows&nbsp;<br>
+remote attackers to execute arbitrary code.&nbsp;<br>
+&nbsp;<br>
+Note that this is the same set of security fixes put into stable in&nbsp;<br>
+DSA-775 and DSA-779, and updated in DSA-779-2.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 1.0.4-2sarge3</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 1.0.6-3</dt>
+<br><dt>This upgrade is recommended if you use mozilla-firefox.<dt>
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install mozilla-firefox</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
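Review bot: Several definition-list tags in the footer of DTSA-8-2.html open a second element instead of closing the first. The lines ending "if you use mozilla-firefox.<dt>", "to your /etc/apt/sources.list:<dt>" and "can be downloaded from<dt>" should end in </dt>, the signing-key link should end in </dd> rather than <dd>, and the visible end of the file has no </dl>. The command "apt-get update && apt-get install mozilla-firefox" should escape the ampersands as &amp;&amp;, and "for then stable (sarge)" should read "for the stable (sarge)". The same footer recurs in the other advisories, so this is better fixed once in whatever generates it than by hand in each file.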
diff --git a/website/DTSA/DTSA-9-1.html b/website/DTSA/DTSA-9-1.html
new file mode 100644
index 0000000000..ef6428a822
--- /dev/null
+++ b/website/DTSA/DTSA-9-1.html
@@ -0,0 +1,44 @@
+<h2>DTSA-9-1</h2>
+<dl>
+<dt>Date Reported:</dt>
+<dd>August 31st, 2005</dd>
+<dt>Affected Package:</dt>
+<dd><a href='http://packages.debian.org/src:bluez-utils'>bluez-utils</a></dd>
+<dt>Vulnerability:</dt>
+<dd>bad device name escaping</dd>
+<dt>Problem-Scope:</dt>
+<dd>remote</dd>
+<dt>Debian-specific:</dt>
+<dd>No<br></dd>
+<dt>CVE:</dt>
+<dd>
+<a href='http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2547'>CAN-2005-2547</a>
+<br></dd>
+<br><dt>More information:</dt>
+<dd>A bug in bluez-utils allows remote attackers to execute arbitrary commands&nbsp;<br>
+via shell metacharacters in the Bluetooth device name when invoking the PIN&nbsp;<br>
+helper.&nbsp;<br>
+</dd>
+<br><dt>For the testing distribution (etch) this is fixed in version 2.19-0.1etch1</dt>
+<dt>For the unstable distribution (sid) this is fixed in version 2.19-1</dt>
+<br><dt>This upgrade is recommended if you use bluez-utils.<dt>
+<br><dt>If you have the secure testing lines in your sources.list, you can update by running this command as root:</dt>
+
+<dd>apt-get update && apt-get install bluez-utils</dd>
+<br>
+
+<dt>The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.</dt>
+
+<br>
+<dt>To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:<dt>
+<br>
+<dd>deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<dd>deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free</dd>
+<br>
+<dt>The archive signing key can be downloaded from<dt>
+<dd><a href='http://secure-testing.debian.net/ziyi-2005-7.asc'>http://secure-testing.debian.net/ziyi-2005-7.asc</a><dd>
+
+<br>
+
+<dt>For further information about the Debian testing security team, please refer to <a href='http://secure-testing.debian.net/'>http://secure-testing.debian.net/</a></dt>
+
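Review bot: The footer of DTSA-9-1.html sends readers to http://secure-testing.debian.net/ziyi-2005-7.asc for the archive signing key over plain HTTP and prints no fingerprint next to the link, so a reader has nothing to check the downloaded key against before trusting the archive. Suggest printing the key's fingerprint in the advisory text beside the link. Separately, the <dl> opened on the second line of this 44-line file is never closed.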
diff --git a/website/index.html b/website/index.html
index 1c32a882ae..8500e35a9b 100644
--- a/website/index.html
+++ b/website/index.html
@@ -44,6 +44,7 @@
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch/security-updates main contrib non-free
</pre>
+ These are also available from this <a href='list.html'>list</a>.<br>
The archive signing key used for this repository is <a href="ziyi-2005-7.asc">here</a>.
</p>
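Review bot: In the added sentence "These are also available from this list", the word "These" has no clear antecedent. It directly follows the <pre> block of sources.list lines, so it reads as though the apt lines were on list.html, whereas list.html holds the advisories. Suggest naming the subject, for example "The advisories issued so far are listed here", and placing the sentence outside the paragraph that describes the repository and its signing key.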
@@ -131,7 +132,10 @@
<li>Prepare the update and fill out the .adv template
<li>Make sure everything is ready.
<li>cd data/DTSA; ./dtsa -p ADVISORYNUMBER</li>
- <li>svn add DTSA-n-1; svn commit</li>
+ <li>edit DTSA-n-1 and DTSA-n-1.html, fix the installation instructions.</li>
+ <li>mv DTSA-n-1.html ../../website/DTSA/</li>
+ <li>cd ../../website; ../bin/updatehtmllist --output list.html ../data/DTSA/list</li>
+ <li>cd ../; svn add data/DTSA/DTSA-n-1 website/DTSA/DTSA-n-1.html; svn commit</li>
<li>Edit data/DTSA/hints/yourname, and add a hint to make dtsasync
propigate the update from etch-proposed-updates to etch.
Commit the file and wait 15 minutes for the dtsasync run,
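Review bot: The new step "edit DTSA-n-1 and DTSA-n-1.html, fix the installation instructions" does not say what is wrong with the generated instructions or what the corrected form looks like, so every release depends on an undocumented hand edit. The advisories added in this commit still carry "etch-proposed-updates/security-updates" in their sources.list lines while this page shows "etch/security-updates", which may be what the step is meant to correct. Either state the exact change in this list item or fix the template behind the generated files so the step can be dropped.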
diff --git a/website/list.html b/website/list.html
new file mode 100644
index 0000000000..9bc83f7174
--- /dev/null
+++ b/website/list.html
@@ -0,0 +1,21 @@
+<!-- header -->
+<dl>
+<dt>[August 26th, 2005] <a href='DTSA/DTSA-1-1.html'>DTSA-1-1 kismet</a></dt>
+<dd>various</dd>
+<dt>[August 28th, 2005] <a href='DTSA/DTSA-2-1.html'>DTSA-2-1 centericq</a></dt>
+<dd>multiple vulnerabilities</dd>
+<dt>[August 28th, 2005] <a href='DTSA/DTSA-3-1.html'>DTSA-3-1 clamav</a></dt>
+<dd>denial of service and privilege escalation</dd>
+<dt>[August 28th, 2005] <a href='DTSA/DTSA-4-1.html'>DTSA-4-1 ekg</a></dt>
+<dd>multiple vulnerabilities</dd>
+<dt>[August 28th, 2005] <a href='DTSA/DTSA-5-1.html'>DTSA-5-1 gaim</a></dt>
+<dd>multiple remote vulnerabilities</dd>
+<dt>[August 28th, 2005] <a href='DTSA/DTSA-6-1.html'>DTSA-6-1 cgiwrap</a></dt>
+<dd>multiple vulnerabilities</dd>
+<dt>[August 28th, 2005] <a href='DTSA/DTSA-7-1.html'>DTSA-7-1 mozilla</a></dt>
+<dd>frame injection spoofing</dd>
+<dt>[August 31st, 2005] <a href='DTSA/DTSA-9-1.html'>DTSA-9-1 bluez-utils</a></dt>
+<dd>bad device name escaping</dd>
+<dt>[August 29th, 2005] <a href='DTSA/DTSA-10-1.html'>DTSA-10-1 pcre3</a></dt>
+<dd>buffer overflow</dd>
+</dl>
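Review bot: The generated list skips from DTSA-7-1 to DTSA-9-1 and stops at DTSA-10-1, although this commit's diffstat also adds DTSA-8-2.html and DTSA-11-1.html, so those two advisories are not linked from the list. Check whether ../data/DTSA/list lacks the entries or updatehtmllist drops them, and regenerate before publishing. The entries are also ordered by advisory number rather than date (DTSA-9-1, August 31st, precedes DTSA-10-1, August 29th); worth deciding that deliberately.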
