stable distribution
CVE-2009-3229
Authenticated users can shut down the backend server by re-LOAD-ing
libraries in $libdir/plugins, if any libraries are present there.
(The old stable distribution (etch) is not affected by this issue.)
CVE-2009-3230
Authenticated non-superusers can gain database superuser privileges if
they can create functions and tables due to incorrect execution of
It was discovered that Tk, a cross-platform graphical toolkit for Tcl,
performs insufficient input validation in the code used to load GIF
images, which may lead to the execution of arbitrary code.
For the stable distribution (etch), this problem has been fixed in
version 8.3.5-6etch1.
Due to a technical limitation in the Debian archive scripts, the update
for the old stable distribution (sarge) cannot be released in sync with
the update for the stable distribution. It will be provided in the next
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks.
For the stable distribution (etch), these problems have been fixed in
version 2.0.0.13-0etch1.
The Mozilla products from the old stable distribution (sarge) are no
longer supported.
Chris Evans discovered that mimeTeX contained certain directives that may be
unsuitable for handling untrusted user input. A remote attacker can obtain
sensitive information.
For the oldstable distribution (etch), these problems have been fixed in
version 1.50-1+etch1.
Due to a bug in the archive system, the fix for the stable distribution
(lenny) will be released as version 1.50-1+lenny1 once it is available.
Juan Pablo Lopez Yacubian discovered that incorrect handling of invalid
URLs could be used for spoofing the location bar and the SSL certificate
status of a web page.
Xulrunner is no longer supported for the old stable distribution (etch).
For the stable distribution (lenny), this problem has been fixed in
version 1.9.0.13-0lenny1.
For the unstable distribution (sid), this problem has been fixed in
Matt Murphy discovered that cscope, a source code browsing tool, does not
verify the length of file names sourced in include statements, which may
potentially lead to the execution of arbitrary code through specially
crafted source code files.
For the stable distribution (lenny), this problem has been fixed in
version 15.6-6+lenny1.
Due to a technical limitation in the Debian archive management scripts
the update for the old stable distribution (etch) cannot be released
synchronously. It will be fixed in version 15.6-2+etch1 soon.
CVE-2008-0594
Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing
protections could be bypassed with <div> elements.
For the stable distribution (etch), these problems have been fixed in
version 1.0.12~pre080131b-0etch2.
The Mozilla releases from the old stable distribution (sarge) are no
longer supported with security updates.
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks.
For the stable distribution (etch), these problems have been fixed in
version 1.8.0.15~pre080323b-0etch1.
The Mozilla products from the old stable distribution (sarge) are
no longer supported.
implementation of the Java platform, can enter an infinite loop when
processing certain input strings. Such input strings represent valid
numbers and can be contained in data supplied by an attacker over the
network, leading to a denial-of-service attack.
For the old stable distribution (lenny), this problem has been fixed
in version 6b18-1.8.3-2~lenny1.
Note that this update introduces an OpenJDK package based on the
IcedTea release 1.8.3 into the old stable distribution. This
addresses several dozen security vulnerabilities, most of which are
Nikolaus Schulz discovered that a programming error in id3lib, an ID3 Tag
Library, may lead to denial of service through symlink attacks.
This update to DSA 1365-2 provides fixed packages for the stable
distribution (etch).
We recommend that you upgrade your id3lib3.8.3 packages.
Upgrade Instructions
CVE-2008-0594
Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing
protections could be bypassed with <div> elements.
For the stable distribution (etch), these problems have been fixed in
version 1.0.12~pre080131b-0etch1.
The Mozilla releases from the old stable distribution (sarge) are no
longer supported with security updates.
Heap-based buffer overflow in the CCITTFaxStream::lookChar method in
xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute
arbitrary code via a PDF file that contains a crafted CCITTFaxDecode
filter.
For the stable distribution (etch), these problems have been fixed in version
1:1.6.1-2etch2.
Updates for the old stable distribution (sarge) will be made available
as soon as possible.
Duncan Gilmore discovered that yarssr, an RSS aggregator and reader,
performs insufficient input sanitising, which could result in the
execution of arbitrary shell commands if a malformed feed is read.
For the stable distribution (etch), this problem has been fixed in
version 0.2.2-1etch1.
Due to a technical limitation of the archive management scripts, the
fix for the old stable distribution (sarge) needs to be postponed
by a few days.
Debian Bug : 438540
Nikolaus Schulz discovered that a programming error in id3lib, an ID3 Tag
Library, may lead to denial of service through symlink attacks.
For the oldstable distribution (sarge) this problem has been fixed in
version 3.8.3-4.1sarge1.
Due to a technical limitation in the archive management scripts the fix
for the stable distribution (etch) can only be released in a few days.
CVE-2009-1957
CVE-2009-1958
The charon daemon can crash when processing certain crafted IKEv2
packets. (The old stable distribution (etch) was not affected by
these two problems because it lacks IKEv2 support.)
CVE-2009-2185
CVE-2009-2661
Mike Wiacek discovered that a buffer overflow in the ARC2 implementation
of Python Crypto, a collection of cryptographic algorithms and protocols
for Python, allows denial of service and potentially the execution of
arbitrary code.
For the stable distribution (lenny), this problem has been fixed in
version 2.0.1+dfsg1-2.3+lenny0.
Due to a technical limitation in the Debian archive management scripts
the update for the old stable distribution (etch) cannot be released
synchronously. It will be fixed in version 2.0.1+dfsg1-1.2+etch0 soon.
name in the Subject Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification Authority.
For the oldstable distribution (etch), this problem has been fixed in
version 4:3.5.5a.dfsg.1-8etch3.
Due to a bug in the archive system, the fix for the stable distribution
(lenny) will be released as version 4:3.5.10.dfsg.1-0lenny3 once it is
available.
(application crash) or possibly execute arbitrary code via a crafted PNG
file that triggers a free of an uninitialized pointer in (1) the
png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit
gamma tables. (CVE-2009-0040)
For the old stable distribution (etch), these problems have been fixed
in version 1.2.15~beta5-1+etch2.
For the stable distribution (lenny), these problems have been fixed in
version 1.2.27-2+lenny2. (Only CVE-2008-5907, CVE-2008-5907 and
CVE-2009-0040 affect the stable distribution.)
Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks.
For the stable distribution (etch), these problems have been fixed in
version 1.0.13~pre080323b-0etch1.
The Mozilla products of the old stable distribution (sarge) are no
longer supported.
Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing
protections could be bypassed with <div> elements.
For the stable distribution (etch), these problems have been fixed in
version 2.0.0.12-0etch1.
The Mozilla products from the old stable distribution (sarge) are no
longer supported with security updates.
Michal Zalewski discovered that timers protecting security-sensitive
dialogs (which disable dialog elements until a timeout is reached)
could be bypassed by window focus changes through JavaScript.
For the stable distribution (etch), these problems have been fixed in
version 1.5.0.13+1.5.0.15b.dfsg1-0etch1.
The Mozilla products in the old stable distribution (sarge) are no
longer supported with security updates.
Michal Zalewski discovered that timers protecting security-sensitive
dialogs (which disable dialog elements until a timeout is reached)
could be bypassed by window focus changes through JavaScript.
For the stable distribution (etch), these problems have been fixed in
version 1.5.0.13+1.5.0.15b.dfsg1-0etch2.
The Mozilla products in the old stable distribution (sarge) are no
longer supported with security updates.
------------------------------------------------------------------------
Package : clamav
Security support for clamav, an anti-virus utility for Unix, has been
discontinued for the stable distribution (lenny) and the oldstable
distribution (etch). ClamAV upstream has stopped supporting the
releases in etch and lenny. Also, it is no longer easily possible to
receive signature updates for the virus scanner with our released
versions. We recommend that all clamav users consider switching to the
version in debian-volatile, which receives regular updates and security
It was discovered that pdns-recursor, the PowerDNS recursive name server,
contains a cache poisoning vulnerability which may allow attackers to trick the
server into serving incorrect DNS data (CVE-2009-4010).
This DSA provides a security update for the old stable distribution
(etch), similar to the previous update in DSA-1968-1. (Note that the
etch version of pdns-recursor was not vulnerable to CVE-2009-4009.)
Extra care should be applied when installing this update. It is an etch
backport of the lenny version of the package (3.1.7 with security fixes