
[SECURITY] [DSA 1435-1] New clamav packages fix several vulnerabilities

CVE-2007-6336

    It was discovered that an off-by-one in the MS-ZIP decompression
    code may lead to the execution of arbitrary code.

For the stable distribution (etch), these problems have been fixed in
version 0.90.1-3etch8.

The old stable distribution (sarge) is not affected by these problems.
However, since the clamav version from Sarge cannot process all current
Clam malware signatures any longer, support for the ClamAV in Sarge is

[SECURITY] [DSA-2001-1] New php5 packages fix multiple vulnerabilities

CVE-2009-4143

    Memory corruption via session interruption.

In the stable distribution (lenny), this update also includes bug fixes
(bug #529278, #556459, #565387, #523073) that were to be included in a
stable point release as version 5.2.6.dfsg.1-1+lenny5.


For the stable distribution (lenny), these problems have been fixed in

[SECURITY] [DSA-1953-1] New expat packages fix denial of service

Jan Lieskovsky discovered an error in expat, an XML parsing C library,
when parsing certain UTF-8 sequences, which can be exploited to crash an
application using the library.

For the old stable distribution (etch), this problem has been fixed in
version 1.95.8-3.4+etch2.

For the stable distribution (lenny), this problem has been fixed in
version 2.0.1-4+lenny2.


[SECURITY] [DSA-1940-1] New php5 packages fix several issues

Several remote vulnerabilities have been discovered in the PHP 5
hypertext preprocessor. The Common Vulnerabilities and Exposures
project identifies the following problems:

The following issues have been fixed in both the stable (lenny)
and the oldstable (etch) distributions:
   
CVE-2009-2687 CVE-2009-3292

    The exif module did not properly handle malformed jpeg files,

Positron Security Advisory #2009-001: Memcached and MemcacheDB ASLR Bypass Weakness

official release announcement can be viewed at
<http://groups.google.com/group/memcached/browse_thread/thread/ff96a9b88fb5d40e>.

    The maintainer of MemcacheDB claimed to fix the issue in the
code repository, but unfortunately, has not released a stable
package containing it (see section V below for details).  In the
meantime, the following unofficial patch can be applied to the
source tree of MemcacheDB v1.2.0:


[SECURITY] [DSA 1783-1] New mysql-dfsg-5.0 packages fix multiple vulnerabilities

CVE-2008-3963

    Kay Roepke reported that the MySQL server would not properly handle
    an empty bit-string literal in an SQL statement, allowing an
    authenticated remote attacker to cause a denial of service (a crash)
    in mysqld.  This issue affects the oldstable distribution (etch), but
    not the stable distribution (lenny).

CVE-2008-4456

    Thomas Henlich reported that the MySQL commandline client application

[SECURITY] [DSA 1514-1] New moin packages fix several vulnerabilities

    The macro code validates access control lists insufficiently,
    which could lead to information disclosure.


For the stable distribution (etch), these problems have been fixed in
version 1.5.3-1.2etch1. This update also includes a bugfix regarding the
encoding of password reminder mails, which has no security
implications.

The old stable distribution (sarge) will not be updated due to

[SECURITY] [DSA 1497-1] New clamav packages fix several vulnerabilities

    Silvio Cesare discovered an integer overflow in the parser for PE
    headers.


For the stable distribution (etch), these problems have been fixed in
version 0.90.1dfsg-3etch10. In addition to these fixes, this update
also incorporates changes from the upcoming point release of the
stable distribution (non-free RAR handling code was removed).

The version of clamav in the old stable distribution (sarge) is no

[SECURITY] [DSA 1463-1] New postgresql-7.4 packages fix several vulnerabilities

    Functions in index expressions could lead to privilege escalation. For
    a more in depth explanation please see the upstream announce available
    at http://www.postgresql.org/about/news.905.

The unstable distribution (sid) no longer contains postgres-7.4

For the stable distribution (etch), these problems have been fixed in
version 7.4.19-0etch1.

For the old stable distribution (sarge), some of these problems have been

[SECURITY] [DSA 1416-1] New tk8.3 packages fix arbitrary code execution

It was discovered that Tk, a cross-platform graphical toolkit for Tcl,
performs insufficient input validation in the code used to load GIF
images, which may lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 8.3.5-6etch1.

Due to a technical limitation in the Debian archive scripts, the update
for the old stable distribution (sarge) cannot be released in sync with
the update for the stable distribution. It will be provided in the next

[SECURITY] [DSA-1990-2] New trac-git package fixes regression

Debian-specific: yes
CVE Id(s)      : CVE-2010-0394
Debian Bug     : 567039

The trac-git package released in DSA-1990-1 had a wrong dependency that
could not be satisfied in Debian stable. This update corrects this
problem. For reference, the original advisory text is provided below.

Stefan Goebel discovered that the Debian version of trac-git, the Git
add-on for the Trac issue tracking system, contains a flaw which
enables attackers to execute code on the web server running trac-git

[SECURITY] [DSA-1969-1] New krb5 packages fix denial of service

network, is prone to integer underflow in the AES and RC4 decryption operations of
the crypto library. A remote attacker can cause crashes, heap corruption, or,
under extraordinarily unlikely conditions, arbitrary code execution.


For the old stable distribution (etch), this problem has been fixed in
version 1.4.4-7etch8.

For the stable distribution (lenny), this problem has been fixed in
version 1.6.dfsg.4~beta1-5lenny2.


[SECURITY] [DSA-1970-1] New openssl packages fix denial of service

related to the reinitialization of zlib. This could result in a remotely
exploitable denial of service vulnerability when using the Apache httpd
server in a configuration where mod_ssl, mod_php5, and the php5-curl
extension are loaded.

The old stable distribution (etch) is not affected by this issue.

For the stable distribution (lenny), this problem has been fixed in
version 0.9.8g-15+lenny6.

The packages for the arm architecture are not included in this advisory.

[SECURITY] [DSA-1972-1] New audiofile packages fix buffer overflow

Max Kellermann discovered a heap-based buffer overflow in the handling
of ADPCM WAV files in libaudiofile. This flaw could result in a denial
of service (application crash) or possibly execution of arbitrary code
via a crafted WAV file.

For the old stable distribution (etch), this problem will be fixed in
version 0.2.6-6+etch1.

The packages for the oldstable distribution are not included in this
advisory. An update will be released soon.


[SECURITY] [DSA-1972-2] New audiofile packages fix buffer overflow

Problem type   : local (remote)
Debian-specific: no
CVE Id         : CVE-2008-5824
Debian bug     : 510205

This advisory adds the packages for the old stable distribution (etch),
with the exception of the mips packages. The updates for the mips
architecture will be released when they become available.

The packages for the stable distribution (lenny) have been released
in DSA-1972-1. For reference, the advisory text is provided below.

[SECURITY] [DSA 1952-1] New asterisk packages fix several vulnerabilities

It was discovered that it is possible to perform a denial of service
attack via an RTP comfort noise payload with a long data length
(AST-2009-010).


For the stable distribution (lenny), these problems have been fixed in
version 1:1.4.21.2~dfsg-3+lenny1.

The security support for asterisk in the oldstable distribution (etch)
has been discontinued before the end of the regular Etch security
maintenance life cycle. You are strongly encouraged to upgrade to

[SECURITY] [DSA 1820-1] New xulrunner packages fix several vulnerabilities

to run with elevated privileges and thus potentially executing arbitrary
code with the object's chrome privileges. (MFSA 2009-32)



For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.11-0lenny1.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.

[SECURITY] [DSA-1953-2] New expat packages fix regression

The expat updates released in DSA-1953-1 caused a regression: In some
cases, expat would abort with the message "error in processing external
entity reference".

For the old stable distribution (etch), this problem has been fixed in
version 1.95.8-3.4+etch3.

For the stable distribution (lenny), this problem has been fixed in
version 2.0.1-4+lenny3.


[SECURITY] [DSA-1934-1] New apache2 packages fix several issues

CVE-2009-3095: Insufficient input validation in the mod_proxy_ftp
module allowed remote authenticated attackers to bypass intended access
restrictions and send arbitrary FTP commands to an FTP server.


For the stable distribution (lenny), these problems have been fixed in
version 2.2.9-10+lenny6. This version also includes some non-security
bug fixes that were scheduled for inclusion in the next stable point
release (Debian 5.0.4).

For the oldstable distribution (etch), these problems have been fixed in

[SECURITY] [DSA 1942-1] New wireshark packages fix several vulnerabilities

CVE-2009-3829

    An integer overflow was discovered in the ERF parser.

This update also includes fixes for three minor issues, which were
scheduled for the next stable point update. (CVE-2008-1829,
CVE-2009-2562, CVE-2009-3241). Also CVE-2009-1268 was fixed for Etch.
Since this security update was issued prior to the release of the
point update, the fixes were included.

For the old stable distribution (etch), this problem has been fixed in

[SECURITY] [DSA 1900-1] New PostgreSQL packages fix various problems

CVE-2009-3229

Authenticated users can shut down the backend server by re-LOAD-ing
libraries in $libdir/plugins, if any libraries are present there.
(The old stable distribution (etch) is not affected by this issue.)

CVE-2009-3230

Authenticated non-superusers can gain database superuser privileges if
they can create functions and tables due to incorrect execution of

[SECURITY] [DSA 1921-1] New expat packages fix denial of service

Peter Valchev discovered an error in expat, an XML parsing C library,
when parsing certain UTF-8 sequences, which can be exploited to crash an
application using the library.

For the old stable distribution (etch), this problem has been fixed in
version 1.95.8-3.4+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 2.0.1-4+lenny1.


[SECURITY] [DSA 1887-1] New rails packages fix cross-site scripting

Brian Mastenbrook discovered that rails, the MVC ruby based framework
geared for web application development, is prone to cross-site scripting
attacks via malformed strings in the form helper.


For the stable distribution (lenny), this problem has been fixed in
version 2.1.0-7.

For the oldstable distribution (etch) security support has been
discontinued. It has been reported that rails in oldstable is unusable
and several features that are affected by security issues are broken due

[SECURITY] [DSA 1888-1] New openssl packages deprecate MD2 hash signatures

CVE Id(s)      : CVE-2009-2409

Certificates with MD2 hash signatures are no longer accepted by OpenSSL,
since they're no longer considered cryptographically secure.

For the stable distribution (lenny), this problem has been fixed in
version 0.9.8g-15+lenny5.

For the old stable distribution (etch), this problem has been fixed in
version 0.9.8c-4etch9 for openssl and version 0.9.7k-3.1etch5 for
openssl097.

[SECURITY] [DSA 1858-1] New imagemagick packages fix several vulnerabilities

   Multiple integer overflows in the XInitImage function in xwd.c for
   ImageMagick allow user-assisted remote attackers to cause a denial of
   service (crash) or obtain sensitive information via crafted images with
   large or negative values that trigger a buffer overflow. This only affects
   the oldstable distribution (etch).

CVE-2007-1797

   Multiple integer overflows allow remote attackers to execute arbitrary
   code via a crafted DCM image, or the colors or comments field in a

[SECURITY] [DSA 1826-1] New eggdrop packages fix several vulnerabilities

It was discovered that eggdrop is vulnerable to a denial of service
attack, that allows remote attackers to cause a crash via a crafted
PRIVMSG.

For the stable distribution (lenny), these problems have been fixed in
version 1.6.19-1.1+lenny1.

For the old stable distribution (etch), these problems have been fixed in
version 1.6.18-1etch2.


[SECURITY] [DSA 1830-1] New icedove packages fix several vulnerabilities

Bernd Jendrissek discovered a potentially exploitable crash when viewing
a multipart/alternative mail message with a text/enhanced part.
(MFSA 2009-33)


For the stable distribution (lenny), these problems have been fixed in
version 2.0.0.22-0lenny1.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.

[SECURITY] [DSA 1840-1] New xulrunner packages fix several vulnerabilities

moz_bug_r_a4 discovered an issue in the JavaScript engine that could be
used to perform cross-site scripting attacks. (MFSA 2009-40)


For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.12-0lenny1.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.

[SECURITY] [DSA 1524-1] New krb5 packages fix multiple vulnerabilities

though we have no such exploit and are not aware of any such exploits in
use in the wild.  In versions of MIT Kerberos shipped by Debian, this
bug can only be triggered in configurations that allow large numbers of
open file descriptors in a process.

For the stable distribution (etch), these problems have been fixed in
version 1.4.4-7etch5.

For the old stable distribution (sarge), these problems have been fixed
in version krb5 1.3.6-2sarge6.


[SECURITY] [DSA 1506-2] New iceape packages fix regression

CVE-2008-0594

    Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing
    protections could be bypassed with <div> elements.

For the stable distribution (etch), these problems have been fixed in
version 1.0.12~pre080131b-0etch2.

The Mozilla releases from the old stable distribution (sarge) are no
longer supported with security updates.



Copyright © 1995-2013 LinuxRocket.net. All rights reserved.
