Commit 1a943e8a authored by Neil McGovern

We now list DTSAs online. Hopefully.


git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@1798 e39458fd-73e7-0310-bf30-c45bca0a0e42
parent 83632fef
......@@ -5,35 +5,35 @@ August 26th, 2005
------------------------------------------------------------------------------
Package : kismet
Vulnerability : remote code execution
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2626 CAN-2005-2627
Vulnerability : various
Problem-Scope : remote
Debian-specific: No
CVE ID : CAN-2005-2626 CAN-2005-2627
Multiple security holes have been discovered in kismet:
CAN-2005-2627
CAN-2005-2627
Multiple integer underflows in Kismet allow remote attackers to execute
arbitrary code via (1) kernel headers in a pcap file or (2) data frame
dissection, which leads to heap-based buffer overflows.
Multiple integer underflows in Kismet allow remote attackers to execute
arbitrary code via (1) kernel headers in a pcap file or (2) data frame
dissection, which leads to heap-based buffer overflows.
CAN-2005-2626
CAN-2005-2626
Unspecified vulnerability in Kismet allows remote attackers to have an
unknown impact via unprintable characters in the SSID.
Unspecified vulnerability in Kismet allows remote attackers to have an
unknown impact via unprintable characters in the SSID.
For the testing distribution (etch) this is fixed in version
2005.08.R1-0.1etch1.
2005.08.R1-0.1etch1
For the unstable distribution (sid) this is fixed in version
2005.08.R1-1.
2005.08.R1-1
This upgrade is strongly recommended if you use kismet.
This upgrade is recommended if you use kismet.
The Debian testing security team does not track security issues for the
stable distribution (woody). If stable is vulnerable, the Debian security
team will make an announcement once a fix is ready.
The Debian testing security team does not track security issues for then
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
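Review bot: the new stable/oldstable paragraph reads "does not track security issues for then stable (sarge)"; "then" should be "the". The same boilerplate is pasted into every advisory touched by this commit (maildrop, centericq, clamav, ekg, gaim, cgiwrap, mozilla, mozilla-firefox), so fix it once in whatever template or script produces it rather than in each file. Separately, replacing "Vulnerability : remote code execution" with "Vulnerability : various" discards the one-line severity summary even though CAN-2005-2627 is described a few lines below as letting remote attackers execute arbitrary code, and this field appears to be what construct_dtsa_list later writes into the list file as vuln_type; keep the specific wording.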
......@@ -41,16 +41,15 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
apt-get update && apt-get install kismet
apt-get update && apt-get install kismet
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
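Review bot: the sources.list lines now point at secure-testing-mirrors.debian.net while the signing key is still fetched from http://secure-testing.debian.net/ziyi-2005-7.asc, which is the right split between mirrors and the canonical host, but the advisory gives no fingerprint or key ID for ziyi-2005-7.asc, so a reader who downloads it over plain http has nothing to check it against before trusting the archive; print the key fingerprint next to the download URL. The same mirror change is repeated in every Upgrade Instructions hunk below and the same remark applies to each.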
......@@ -32,8 +32,8 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
......
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-11-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Andres Salomon
August 29th, 2005
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Package : maildrop
Vulnerability : local privilege escalation
Problem-Type : local
Debian-specific: yes
CVE ID : CAN-2005-2655
Problem-Scope : local
Debian-specific: Yes
CVE ID : CAN-2005-2655
The lockmail binary shipped with maildrop allows for an attacker to
obtain an effective gid as group "mail". Debian ships the binary with its
......@@ -18,16 +18,16 @@ attacker can execute an arbitrary command with an effective gid of the "mail"
group.
For the testing distribution (etch) this is fixed in version
1.5.3-1.1etch1.
1.5.3-1.1etch1
For the unstable distribution (sid) this is fixed in version
1.5.3-2.
1.5.3-2
This upgrade is strongly recommended if you use maildrop.
This upgrade is recommended if you use maildrop.
The Debian testing security team does not track security issues for the
stable distribution (woody). If stable is vulnerable, the Debian security
team will make an announcement once a fix is ready.
The Debian testing security team does not track security issues for then
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
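Review bot: "This upgrade is strongly recommended if you use maildrop" becomes "This upgrade is recommended", and the same downgrade is applied to kismet, clamav and gaim, while the list file in this commit rates maildrop 1.5.3-1.1etch1 as (high) and the body describes a local privilege escalation to the "mail" group. If the intent is one fixed wording for all advisories, say so in the commit message; otherwise keep "strongly" for the privilege escalation and remote code execution cases.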
......@@ -35,16 +35,15 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
apt-get update && apt-get install maildrop
apt-get update && apt-get install maildrop
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-2-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
August 28th, 2005
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Package : centericq
Vulnerability : multiple vulnerabilities
Problem-Type : local and remote
Debian-specific: no
CVE ID : CAN-2005-2448 CAN-2005-2370 CAN-2005-2369 CAN-2005-1914
Problem-Scope : local and remote
Debian-specific: No
CVE ID : CAN-2005-2448 CAN-2005-2370 CAN-2005-2369 CAN-2005-1914
centericq in testing is vulnerable to multiple security holes:
CAN-2005-2448
Multiple endianness errors in libgadu, which is embedded in centericq,
allow remote attackers to cause a denial of service (invalid behaviour in
applications) on big-endian systems.
Multiple endianness errors in libgadu, which is embedded in centericq,
allow remote attackers to cause a denial of service (invalid behaviour in
applications) on big-endian systems.
CAN-2005-2370
Multiple memory alignment errors in libgadu, which is embedded in
centericq, allows remote attackers to cause a denial of service (bus error)
on certain architectures such as SPARC via an incoming message.
Multiple memory alignment errors in libgadu, which is embedded in
centericq, allows remote attackers to cause a denial of service (bus error)
on certain architectures such as SPARC via an incoming message.
CAN-2005-2369
Multiple integer signedness errors in libgadu, which is embedded in
centericq, may allow remote attackers to cause a denial of service
or execute arbitrary code.
Multiple integer signedness errors in libgadu, which is embedded in
centericq, may allow remote attackers to cause a denial of service
or execute arbitrary code.
CAN-2005-1914
centericq creates temporary files with predictable file names, which
allows local users to overwrite arbitrary files via a symlink attack.
centericq creates temporary files with predictable file names, which
allows local users to overwrite arbitrary files via a symlink attack.
For the testing distribution (etch) this is fixed in version
4.20.0-8etch1.
4.20.0-8etch1
For the unstable distribution (sid) this is fixed in version
4.20.0-9.
4.20.0-9
This upgrade is recommended if you use centericq.
The Debian testing security team does not track security issues for the
stable distribution (woody). If stable is vulnerable, the Debian security
team will make an announcement once a fix is ready.
The Debian testing security team does not track security issues for then
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
......@@ -53,16 +53,15 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
apt-get update && apt-get upgrade
apt-get update && apt-get install centericq
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-3-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
August 28th, 2005
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Package : clamav
Vulnerability : denial of service and privilege escalation
Problem-Type : remote
Debian-specific: no
Problem-Scope : remote
Debian-specific: No
CVE ID : CAN-2005-2070 CAN-2005-1923 CAN-2005-2056 CAN-2005-1922 CAN-2005-2450
Multiple security holes were found in clamav:
CAN-2005-2070
The ClamAV Mail fILTER (clamav-milter), when used in Sendmail using long
timeouts, allows remote attackers to cause a denial of service by keeping
an open connection, which prevents ClamAV from reloading.
The ClamAV Mail fILTER (clamav-milter), when used in Sendmail using long
timeouts, allows remote attackers to cause a denial of service by keeping
an open connection, which prevents ClamAV from reloading.
CAN-2005-1923
The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) allows remote
attackers to cause a denial of service (CPU consumption by infinite loop)
via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff,
which causes a zero-length read.
The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) allows remote
attackers to cause a denial of service (CPU consumption by infinite loop)
via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff,
which causes a zero-length read.
CAN-2005-2056
The Quantum archive decompressor in Clam AntiVirus (ClamAV) allows remote
attackers to cause a denial of service (application crash) via a crafted
Quantum archive.
The Quantum archive decompressor in Clam AntiVirus (ClamAV) allows remote
attackers to cause a denial of service (application crash) via a crafted
Quantum archive.
CAN-2005-1922
The MS-Expand file handling in Clam AntiVirus (ClamAV) allows remote
attackers to cause a denial of service (file descriptor and memory
consumption) via a crafted file that causes repeated errors in the
cli_msexpand function.
The MS-Expand file handling in Clam AntiVirus (ClamAV) allows remote
attackers to cause a denial of service (file descriptor and memory
consumption) via a crafted file that causes repeated errors in the
cli_msexpand function.
CAN-2005-2450
Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file
format processors in libclamav for Clam AntiVirus (ClamAV) allow remote
attackers to gain privileges via a crafted e-mail message.
Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file
format processors in libclamav for Clam AntiVirus (ClamAV) allow remote
attackers to gain privileges via a crafted e-mail message.
For the testing distribution (etch) this is fixed in version
0.86.2-4etch1.
0.86.2-4etch1
For the unstable distribution (sid) this is fixed in version
0.86.2-1.
0.86.2-1
This upgrade is strongly recommended if you use clamav.
This upgrade is recommended if you use clamav.
The Debian testing security team does not track security issues for the
stable distribution (woody). If stable is vulnerable, the Debian security
team will make an announcement once a fix is ready.
The Debian testing security team does not track security issues for then
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
......@@ -62,16 +62,15 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
apt-get update && apt-get upgrade
apt-get update && apt-get install upgrade
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
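Review bot: the install command at the end of the hunk, "apt-get update && apt-get install upgrade", is wrong: it asks apt to install a package named "upgrade" and will fail for anyone who pastes it. The original line was "apt-get upgrade", and the centericq and mozilla advisories in this commit were changed to "apt-get install <package>", so this should read "apt-get install clamav"; given that the fixes cover clamav-milter and libclamav as well, leaving it as "apt-get upgrade" would also be defensible.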
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-4-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
August 28th, 2005
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Package : ekg
Vulnerability : multiple vulnerabilities
Problem-Type : local and remote
Debian-specific: no
CVE ID : CAN-2005-1916 CAN-2005-1851 CAN-2005-1850 CAN-2005-1852 CAN-2005-2448
Problem-Scope : local and remote
Debian-specific: No
CVE ID : CAN-2005-1916 CAN-2005-1851 CAN-2005-1850 CAN-2005-1852 CAN-2005-2448
Multiple vulnerabilities were discovered in ekg:
CAN-2005-1916
Eric Romang discovered insecure temporary file creation and arbitrary
command execution in a contributed script that can be exploited by a local
attacker.
Eric Romang discovered insecure temporary file creation and arbitrary
command execution in a contributed script that can be exploited by a local
attacker.
CAN-2005-1851
Marcin Owsiany and Wojtek Kaniewski discovered potential shell command
injection in a contributed script.
Marcin Owsiany and Wojtek Kaniewski discovered potential shell command
injection in a contributed script.
CAN-2005-1850
Marcin Owsiany and Wojtek Kaniewski discovered insecure temporary file
creation in contributed scripts.
Marcin Owsiany and Wojtek Kaniewski discovered insecure temporary file
creation in contributed scripts.
CAN-2005-1852
Multiple integer overflows in libgadu, as used in ekg, allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via an incoming message.
Multiple integer overflows in libgadu, as used in ekg, allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via an incoming message.
CAN-2005-2448
Multiple endianness errors in libgadu in ekg allow remote attackers to
cause a denial of service (invalid behaviour in applications) on
big-endian systems.
Multiple endianness errors in libgadu in ekg allow remote attackers to
cause a denial of service (invalid behaviour in applications) on
big-endian systems.
For the testing distribution (etch) this is fixed in version
1:1.5+20050808+1.6rc3-0etch1.
1:1.5+20050808+1.6rc3-0etch1
For the unstable distribution (sid) this is fixed in version
1:1.5+20050808+1.6rc3-1.
1:1.5+20050808+1.6rc3-1
This upgrade is recommended if you use ekg.
The Debian testing security team does not track security issues for the
stable distribution (woody). If stable is vulnerable, the Debian security
team will make an announcement once a fix is ready.
The Debian testing security team does not track security issues for then
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
......@@ -58,16 +58,15 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
apt-get update && apt-get install libgadu3 ekg
apt-get update && apt-get install libgadu3 ekg
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-5-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
August 28th, 2005
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Package : gaim
Vulnerability : multiple remote vulnerabilities
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2102 CAN-2005-2370 CAN-2005-2103
Problem-Scope : remote
Debian-specific: No
CVE ID : CAN-2005-2102 CAN-2005-2370 CAN-2005-2103
Multiple security holes were found in gaim:
CAN-2005-2102
The AIM/ICQ module in Gaim allows remote attackers to cause a denial of
service (application crash) via a filename that contains invalid UTF-8
characters.
The AIM/ICQ module in Gaim allows remote attackers to cause a denial of
service (application crash) via a filename that contains invalid UTF-8
characters.
CAN-2005-2370
Multiple memory alignment errors in libgadu, as used in gaim and other
packages, allow remote attackers to cause a denial of service (bus error)
on certain architectures such as SPARC via an incoming message.
Multiple memory alignment errors in libgadu, as used in gaim and other
packages, allow remote attackers to cause a denial of service (bus error)
on certain architectures such as SPARC via an incoming message.
CAN-2005-2103
Buffer overflow in the AIM and ICQ module in Gaim allows remote attackers
to cause a denial of service (application crash) and possibly execute
arbitrary code via an away message with a large number of AIM substitution
strings, such as %t or %n.
Buffer overflow in the AIM and ICQ module in Gaim allows remote attackers
to cause a denial of service (application crash) and possibly execute
arbitrary code via an away message with a large number of AIM substitution
strings, such as %t or %n.
For the testing distribution (etch) this is fixed in version
1:1.4.0-5etch2.
1:1.4.0-5etch2
For the unstable distribution (sid) this is fixed in version
1:1.4.0-5.
1:1.4.0-5
This upgrade is strongly recommended if you use gaim.
This upgrade is recommended if you use gaim.
The Debian testing security team does not track security issues for the
stable distribution (woody). If stable is vulnerable, the Debian security
team will make an announcement once a fix is ready.
The Debian testing security team does not track security issues for then
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
......@@ -49,16 +49,15 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
apt-get update && apt-get install gaim
apt-get update && apt-get install gaim
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-6-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Neil McGovern
August 28th, 2005
-----------------------------------------------------------------------------
------------------------------------------------------------------------------
Package : cgiwrap
Vulnerability : multiple vulnerabilities
Problem-Type : remote
Debian-specific: yes,no
Problem-Scope : remote
Debian-specific: No
CVE ID :
Javier Fernández-Sanguino Peña discovered various vulnerabilities in cgiwrap:
Minimum UID does not include all system users
The CGIwrap program will not seteuid itself to uids below the 'minimum' uid
to prevent scripts from being misused to compromise the system. However,
the Debian package sets the minimum uid to 100 when it should be 1000.
The CGIwrap program will not seteuid itself to uids below the 'minimum' uid
to prevent scripts from being misused to compromise the system. However,
the Debian package sets the minimum uid to 100 when it should be 1000.
CGIs can be used to disclose system information
The cgiwrap (and php-cgiwrap) package installs some debugging CGIs
(actually symbolink links, which link to cgiwrap and are called 'cgiwrap'
and 'nph-cgiwrap' or link to php-cgiwrap). These CGIs should not be
installed in production environments as they disclose internal and
potentially sensible information.
The cgiwrap (and php-cgiwrap) package installs some debugging CGIs
(actually symbolink links, which link to cgiwrap and are called 'cgiwrap'
and 'nph-cgiwrap' or link to php-cgiwrap). These CGIs should not be
installed in production environments as they disclose internal and
potentially sensible information.
For the testing distribution (etch) this is fixed in version
3.9-3.0etch1.
3.9-3.0etch1
For the unstable distribution (sid) this is fixed in version
3.9-3.1.
3.9-3.1
This upgrade is encouraged if you use cgiwrap.
This upgrade is recommended if you use cgiwrap.
The Debian testing security team does not track security issues for the
stable distribution (woody). If stable is vulnerable, the Debian security
team will make an announcement once a fix is ready.
The Debian testing security team does not track security issues for then
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
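Review bot: "Debian-specific: yes,no" is changed to "Debian-specific: No", but the first issue in the body is explicitly a packaging bug ("the Debian package sets the minimum uid to 100 when it should be 1000"), so the old mixed value was more accurate than the new one; either keep a Yes/No pair or split the two issues into separate entries. While the header is being edited: the "CVE ID :" field is left empty, "symbolink links" should be "symbolic links", and "potentially sensible information" should be "potentially sensitive information".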
......@@ -43,8 +44,8 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
......@@ -55,6 +56,6 @@ If you use cgiwrap:
If you use php-cgiwrap:
apt-get update && apt-get install php-cgiwrap
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
......@@ -16,6 +16,8 @@ site. Thunderbird is not affected by this and Galeon will be automatically
fixed as it uses Mozilla components. Mozilla Firefox is vulnerable and will
be covered by a separate advisory.
Note that this is the same security fix put into stable in DSA-777.
For the testing distribution (etch) this is fixed in version
2:1.7.8-1sarge1
......@@ -24,7 +26,9 @@ For the unstable distribution (sid) this is fixed in version
This upgrade is recommended if you use mozilla.
Note that this is the same security fix put into stable in DSA-777.
The Debian testing security team does not track security issues for then
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
......@@ -32,15 +36,15 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
apt-get update && apt-get upgrade
apt-get update && apt-get install mozilla
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-8-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
August 28th, 2005
September 1st, 2005
------------------------------------------------------------------------------
Package : mozilla-firefox
Vulnerability : several vulnerabilities
Vulnerability : several vulnerabilities (update)
Problem-Scope : remote
Debian-specific: No
CVE ID : CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
CVE ID : CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
We experienced that the update for Mozilla Firefox from DTSA-8-1
unfortunately was a regression in several cases. Since the usual
praxis of backporting apparently does not work, this update is
basically version 1.0.6 with the version number rolled back, and hence
still named 1.0.4-*. For completeness below is the original advisory
text:
Several problems were discovered in Mozilla Firefox:
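Review bot: the header line "Debian Testing Security Advisory DTSA-8-1" is left unchanged in this hunk, yet the body now opens with "the update for Mozilla Firefox from DTSA-8-1 unfortunately was a regression" and the date becomes September 1st, 2005, which is the text of the follow-up advisory; the list file in this commit records that follow-up as DTSA-8-2 mozilla-firefox. The later hunk that renames "DTSA-8-2" to "DTSA-8-1" in the other mozilla-firefox file leaves both headers reading DTSA-8-1, so the IDs in the two files look swapped; this one should carry DTSA-8-2.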
......@@ -75,16 +82,20 @@ CAN-2005-2270
The Mozilla browser family does not properly clone base objects, which allows
remote attackers to execute arbitrary code.
Note that this is the same set of security fixes put into stable in
DSA-775 and DSA-779, and updated in DSA-779-2.
For the testing distribution (etch) this is fixed in version
1.0.4-2sarge2
1.0.4-2sarge3
For the unstable distribution (sid) this is fixed in version
1.0.6-3
This upgrade is recommended if you use mozilla-firefox.
Note that this is the same set of security fixes put into stable in
DSA-775 and DSA-779.
The Debian testing security team does not track security issues for then
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------
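Review bot: moving the "same set of security fixes put into stable" note below the recommendation line drops "and updated in DSA-779-2" from it, so the relocated text cites only DSA-775 and DSA-779; since this advisory exists precisely because the first update was a regression, the DSA-779-2 reference is the relevant one and should be kept in the new position.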
......@@ -92,15 +103,15 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
To install the update, run this command as root:
apt-get update && apt-get install mozilla-firefox
apt-get update && apt-get install mozilla-firefoxFIXME, I'm broken
For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/
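Review bot: the install command now ends with "mozilla-firefoxFIXME, I'm broken", a leftover marker that would ship in the published advisory and break the command for anyone who pastes it; restore "apt-get update && apt-get install mozilla-firefox" before this is merged.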
------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-8-2 http://secure-testing.debian.net
Debian Testing Security Advisory DTSA-8-1 http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org Joey Hess
September 1st, 2005
------------------------------------------------------------------------------
......@@ -103,8 +103,8 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
......
......@@ -32,8 +32,8 @@ Upgrade Instructions
To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing-mirrors.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc
......
......@@ -92,7 +92,7 @@ def process_dtsa(id):
def construct_dtsa_list(date, dtsa_id, cve, src, vuln_type, testing_fix):
l_f = open(os.getcwd() + "/list", "a")
# What do we need the date for?
l_f.write("[01 Jan 1969] " + dtsa_id + " " + src + " - " + vuln_type + "\n")
l_f.write("[" + date + "] " + dtsa_id + " " + src + " - " + vuln_type + "\n")
cves = ""
if len(cve) > 0:
for i in cve:
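Review bot: the comment "# What do we need the date for?" directly above the changed l_f.write is now stale, since the date is exactly what that line writes; drop it. The entries in the list file in this commit use the form "[29 Aug 2005]", so the date argument must already be in that day-month-year form rather than the "August 29th, 2005" used in the advisory headers; if construct_dtsa_list is handed the header date, convert it here before writing. Nothing in the hunk closes the l_f handle opened with open(..., "a"); a with-block would take care of that.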
......@@ -193,7 +193,7 @@ def export_ascii(src, date, vuln_type, cve, testing_fix, sid_fix, descr, vendor_
# ascii.write("Vendor advisory: " + vendor_advisory + "\n")
# else:
# ascii.write("Vendor advisory: Not available\n")
cves = "CVE ID : "
cves = "CVE ID : "
if len(cve) > 0:
for i in cve:
cves += i
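Review bot: this is a whitespace-only change to the "CVE ID" label, padding it so the colon lines up with the other header fields export_ascii writes; fine as a cosmetic fix, but the three commented-out Vendor advisory lines just above it are dead code and should either be restored or deleted rather than carried along in the diff.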
......
[29 Aug 2005] DTSA-11-1 maildrop - local privilege escalation
{CAN-2005-2655}
- maildrop 1.5.3-1.1etch1 (high)
[31 Aug 2005] DTSA-10-1 pcre3 - buffer overflow
{CAN-2005-2491}
- pcre3 6.3-0.1etch1 (high)
[31 Aug 2005] DTSA-9-1 bluez-utils - bad device name escaping
{CAN-2005-2547}
- bluez-utils 2.19-0.1etch1 (high)
[28 Aug 2005] DTSA-8-2 mozilla-firefox - several vulnerabilities
{CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270}
- mozilla-firefox 1.0.4-2sarge3 (high)
[28 Aug 2005] DTSA-7-1 mozilla - frame injection spoofing
{CAN-2004-0718 CAN-2005-1937}
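Review bot: the DTSA-8-2 mozilla-firefox entry is dated [28 Aug 2005], but the DTSA-8-2 advisory text in this commit is dated September 1st, 2005 and the 28th belongs to the original DTSA-8-1; now that construct_dtsa_list writes the real date, regenerating the entry from the advisory header should give a 1 Sep 2005 date. The entry's description "several vulnerabilities" also drops the "(update)" suffix that the advisory header uses, so the two will not match when the list is built from the advisory text.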