point release
description here are also by him.
* details
If an ioQuake3 client for UNIX-like systems connects to a malicious id Tech
3 (Point Release 1.32 compatible) server, the server can force execution of
arbitrary shell commands on the client's system.
* CVE
CVE-2011-1412 has been assigned for this issue.
attacks via additional sections in a response sent for resolution
of a recursive client query, which is not properly handled when the
response is processed at the same time as requesting DNSSEC records
(DO). (CVE-2009-4022).
Additionally, BIND has been upgraded to the latest point release or the
closest version still supported by ISC.
_______________________________________________________________________
References:
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2009-3228 CVE-2009-3238 CVE-2009-3547 CVE-2009-3612
CVE-2009-3620 CVE-2009-3621 CVE-2009-3638
Notice: Debian 5.0.4, the next point release of Debian 'lenny', will
include a new default value for the mmap_min_addr tunable. This
change will add an additional safeguard against a class of security
vulnerabilities known as "NULL pointer dereference" vulnerabilities,
but it will need to be overridden when using certain applications.
Additional information about this change, including instructions for
randomization and needs to be updated as well. For information on
BIND 8, see DSA-1604-1, and for the status of the libc stub resolver,
see DSA-1605-1.
The updated bind9 packages contain changes originally scheduled for
the next stable point release, including the changed IP address of
L.ROOT-SERVERS.NET (Debian bug #449148).
For the stable distribution (etch), this problem has been fixed in
version 9.3.4-2etch3.
Update:
Packages for 2008.0 are being provided due to extended support for
security fix for CVE-2011-1768 (Debian: #633738)
For the oldstable distribution (lenny), this problem has been fixed in version
2.6.26-26lenny4. Updates for arm and alpha are not yet available, but will be
released as soon as possible. Updates for the hppa and ia64 architectures will
be included in the upcoming 5.0.9 point release.
The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:
Debian 5.0 (lenny)
VIII. TIMELINE
---------------------------------------
11/24/2010: Initial vendor disclosure
11/25/2010: Vendor response that they had fixed the issue & updated the existing version (1.2.8)
11/25/2010: Replied to vendor inquiring if a new point release would be made and affected versions
11/26/2010: Vendor response noting a version increment was coming & vulnerable versions confirmation
11/26/2010: Pulse CMS Basic 1.2.9 released
12/05/2010: Public disclosure
Memory corruption via session interruption.
In the stable distribution (lenny), this update also includes bug fixes
(bug #529278, #556459, #565387, #523073) that were to be included in a
stable point release as version 5.2.6.dfsg.1-1+lenny5.
For the stable distribution (lenny), these problems have been fixed in
version 5.2.6.dfsg.1-1+lenny6.
web browser. For apache2, there will be an update which allows insecure
renegotiation to be re-enabled.
This version of openssl is not compatible with older versions of tor.
You have to use at least tor version 0.2.1.26-1~lenny+1, which has
been included in the point release 5.0.7 of Debian stable.
Currently we are not aware of other software with similar compatibility
problems.
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2010-2542
Debian bug : 595728 590026
The Debian stable point release 5.0.6 included updated packages of
the Git revision control system in order to fix a security issue.
Unfortunately, the update introduced a regression which could make
it impossible to clone or create git repositories. This upgrade
fixes this regression, which is tracked as Debian bug #595728.
This problem does not apply to BIND 8 when used exclusively as an
authoritative DNS server. It is theoretically possible to safely use
BIND 8 in this way, but updating to BIND 9 is strongly recommended.
BIND 8 (that is, the bind package) will be removed from the etch
distribution in a future point release.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Debian-specific: no
CVE Id(s) : CVE-2009-2695 CVE-2009-2903 CVE-2009-2908 CVE-2009-2909
CVE-2009-2910 CVE-2009-3001 CVE-2009-3002 CVE-2009-3286
CVE-2009-3290 CVE-2009-3613