
Micha

Pro

  • »Micha« is the author of this topic

Posts: 1 350

Registered: 10 January 2003

Location: Saxony

Occupation: telecommunications technician

Hobbies: uh... lots


1

Wednesday, 16 April 2008, 19:23

Debian Security Advisory

Package : lighttpd
Vulnerability : DOS
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1531

It was discovered that lighttpd, a fast webserver with minimal memory
footprint, did not correctly handle SSL errors. This could allow
a remote attacker to disconnect all active SSL connections.

This security update fixes a regression in the previous one, which caused
SSL failures.

For the stable distribution (etch), this problem has been fixed in version
1.4.13-4etch8.

We recommend that you upgrade your lighttpd package.


Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Micha


2

Thursday, 17 April 2008, 15:49

Package : openoffice.org
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE IDs : CVE-2007-5745 CVE-2007-5746 CVE-2007-5747 CVE-2008-0320

Several security related problems have been discovered in
OpenOffice.org, the free office suite. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-5745, CVE-2007-5747

Several bugs have been discovered in the way OpenOffice.org parses
Quattro Pro files that may lead to an overflow in the heap,
potentially leading to the execution of arbitrary code.

CVE-2007-5746

Specially crafted EMF files can trigger a buffer overflow in the
heap that may lead to the execution of arbitrary code.

CVE-2008-0320

A bug has been discovered in the processing of OLE files that can
cause a buffer overflow in the heap potentially leading to the
execution of arbitrary code.

Recently reported problems in the ICU library are fixed in separate
libicu packages with DSA 1511 against which OpenOffice.org is linked.

For the old stable distribution (sarge) these problems have been fixed in
version 1.1.3-9sarge9.

For the stable distribution (etch) these problems have been fixed in
version 2.0.4.dfsg.2-7etch5.

For the testing (lenny) and unstable (sid) distributions these
problems have been fixed in version 2.4.0~ooh680m5-1.

We recommend that you upgrade your openoffice.org packages.



Debian GNU/Linux 3.1 alias sarge

Micha


3

Thursday, 17 April 2008, 21:15

Package : xpdf
Vulnerability : multiple
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-1693

Kees Cook discovered a vulnerability in xpdf, a set of tools for
display and conversion of Portable Document Format (PDF) files. The
Common Vulnerabilities and Exposures project identifies the following
problem:

CVE-2008-1693

Xpdf's handling of embedded fonts lacks sufficient validation
and type checking. If a maliciously-crafted PDF file is opened,
the vulnerability may allow the execution of arbitrary code with
the privileges of the user running xpdf.

For the stable distribution (etch), these problems have been fixed in
version 3.01-9.1+etch3.

For the unstable distribution (sid), these problems were fixed in
version 3.02-1.2.

We recommend that you upgrade your xpdf package.


Debian GNU/Linux 4.0 alias etch

Micha


4

Friday, 18 April 2008, 22:10

Package : suphp
Vulnerability : programming error
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-1614
Debian Bug : 475431

It was discovered that suphp, an Apache module to run PHP scripts with
owner permissions, handles symlinks insecurely, which may lead to
privilege escalation by local users.

For the stable distribution (etch), this problem has been fixed in
version 0.6.2-1+etch0.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your suphp packages.


Debian 4.0 (stable)

Micha


5

Friday, 18 April 2008, 22:11

Package : clamav
Vulnerability : buffer overflows
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0314 CVE-2008-1100

Several remote vulnerabilities have been discovered in the Clam anti-virus
toolkit. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2008-0314

Damian Put discovered that a buffer overflow in the handler for
PeSpin binaries may lead to the execution of arbitrary code.

CVE-2008-1100

Alin Rad Pop discovered that a buffer overflow in the handler for
Upack PE binaries may lead to the execution of arbitrary code.

no CVE yet

Damian Put and Thomas Pollet discovered that a buffer overflow in
the handler for WWPack-compressed PE binaries may lead to the
execution of arbitrary code.

For the stable distribution (etch) these problems have been fixed
in version 0.90.1-3etch11.

For the unstable distribution (sid) these problems have been fixed in
version 0.92.1~dfsg2-1.

We recommend that you upgrade your clamav packages.



Debian 4.0 (stable)

Micha


6

Saturday, 19 April 2008, 20:34

Package : mplayer
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1558

It was discovered that the MPlayer movie player performs insufficient
input sanitising on SDP session data, leading to potential execution
of arbitrary code through a malformed multimedia stream.

For the stable distribution (etch), this problem has been fixed in
version 1.0~rc1-12etch3.

For the unstable distribution (sid), this problem has been fixed in
version 1.0~rc2-10.

We recommend that you upgrade your mplayer package.



Debian 4.0 (stable)

Micha


7

Saturday, 19 April 2008, 20:34

Package : python2.4
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2007-2052 CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-1887

Several vulnerabilities have been discovered in the interpreter for the
Python language. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2007-2052

Piotr Engelking discovered that the strxfrm() function of the locale
module miscalculates the length of an internal buffer, which may
result in a minor information disclosure.

CVE-2007-4965

It was discovered that several integer overflows in the imageop
module may lead to the execution of arbitrary code, if a user is
tricked into processing malformed images. This issue is also
tracked as CVE-2008-1679 due to an initially incomplete patch.

CVE-2008-1721

Justin Ferguson discovered that a buffer overflow in the zlib
module may lead to the execution of arbitrary code.

CVE-2008-1887

Justin Ferguson discovered that insufficient input validation in
PyString_FromStringAndSize() may lead to the execution of arbitrary
code.

For the stable distribution (etch), these problems have been fixed in
version 2.4.4-3+etch1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.5-2.

We recommend that you upgrade your python2.4 packages.



Debian 4.0 (stable)

Micha


8

Sunday, 20 April 2008, 20:25

Package : ikiwiki
Vulnerability : cross-site request forgery
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0165
Debian Bug : 475445

It has been discovered that ikiwiki, a Wiki implementation, does not
guard password and content changes against cross-site request forgery
(CSRF) attacks.

For the stable distribution (etch), this problem has been fixed in
version 1.33.5.

For the unstable distribution (sid), this problem has been fixed in
version 2.42.

We recommend that you upgrade your ikiwiki package.



Debian GNU/Linux 4.0 alias etch

Micha


9

Wednesday, 23 April 2008, 17:47

Package : roundup
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1474
Debian Bug : 472643

Roundup, an issue tracking system, fails to properly escape HTML input,
allowing an attacker to inject client-side code (typically JavaScript)
into a document that may be viewed in the victim's browser.

For the stable distribution (etch), this problem has been fixed in version
1.2.1-5+etch1.

We recommend that you upgrade your roundup packages.


Debian GNU/Linux 4.0 alias etch

Micha


10

Wednesday, 23 April 2008, 22:01

Package : iceweasel
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1380

It was discovered that crashes in the Javascript engine of Iceweasel,
an unbranded version of the Firefox browser, could potentially lead to
the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 2.0.0.14-0etch1.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.0.14-1.

We recommend that you upgrade your iceweasel package.


Debian 4.0 (stable)

Micha


11

Friday, 25 April 2008, 18:45

Package : perl
Vulnerability : heap buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id : CVE-2008-1927
Debian Bug : 454792

It has been discovered that the Perl interpreter may encounter a buffer
overflow condition when compiling certain regular expressions containing
Unicode characters. This also happens if the offending characters are
contained in a variable reference protected by the \Q...\E quoting
construct. When encountering this condition, the Perl interpreter
typically crashes, but arbitrary code execution cannot be ruled out.

For the stable distribution (etch), this problem has been fixed in
version 5.8.8-7etch2.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your perl packages.



Debian GNU/Linux 4.0 alias etch

Micha


12

Friday, 25 April 2008, 18:45

Package : phpmyadmin
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1149 CVE-2008-1567 CVE-2008-1924

Several remote vulnerabilities have been discovered in phpMyAdmin,
an application to administrate MySQL over the WWW. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-1924

Attackers with CREATE table permissions were allowed to read
arbitrary files readable by the webserver via a crafted
HTTP POST request.

CVE-2008-1567

The PHP session data file stored the username and password of
a logged in user, which in some setups can be read by a local
user.

CVE-2008-1149

Cross site scripting and SQL injection were possible by attackers
that had permission to create cookies in the same cookie domain
as phpMyAdmin runs in.

For the stable distribution (etch), these problems have been fixed in
version 4:2.9.1.1-7.

For the unstable distribution (sid), these problems have been fixed in
version 4:2.11.5.2-1.

We recommend that you upgrade your phpmyadmin package.



Debian GNU/Linux 4.0 alias etch

Micha


13

Friday, 25 April 2008, 18:46

Package : iceape
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235
CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240
CVE-2008-1241

A regression in mailnews handling has been fixed. For reference, the
original advisory text follows:

Several remote vulnerabilities have been discovered in the Iceape internet
suite, an unbranded version of the Seamonkey Internet Suite. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4879

Peter Brodersen and Alexander Klink discovered that the
autoselection of SSL client certificates could lead to users
being tracked, resulting in a loss of privacy.

CVE-2008-1233

"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.

CVE-2008-1234

"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.

CVE-2008-1235

Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling can lead to cross-site
scripting and the execution of arbitrary code.

CVE-2008-1236

Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.

CVE-2008-1237

"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.

CVE-2008-1238

Gregory Fleischer discovered that HTTP Referrer headers were
handled incorrectly in combination with URLs containing Basic
Authentication credentials with empty usernames, resulting
in potential Cross-Site Request Forgery attacks.

CVE-2008-1240

Gregory Fleischer discovered that web content fetched through
the jar: protocol can use Java to connect to arbitrary ports.
This is only an issue in combination with the non-free Java
plugin.

CVE-2008-1241

Chris Thomas discovered that background tabs could generate
XUL popups overlaying the current tab, resulting in potential
spoofing attacks.

For the stable distribution (etch), these problems have been fixed in
version 1.0.13~pre080323b-0etch2.

We recommend that you upgrade your iceape packages.


Debian 4.0 (stable)

Micha


14

Friday, 25 April 2008, 18:47

Package : xulrunner
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1380

It was discovered that crashes in the Javascript engine of xulrunner,
the Gecko engine library, could potentially lead to the execution of
arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 1.8.0.15~pre080323b-0etch2.

For the unstable distribution (sid), this problem has been fixed in
version 1.8.1.14-1.

We recommend that you upgrade your xulrunner packages.



Debian 4.0 (stable)

Micha


15

Sunday, 27 April 2008, 12:13

Package : perl
Vulnerability : heap buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id : CVE-2008-1927
Debian Bug : 454792

An editorial mistake resulted in DSA-1556-1 not correctly applying the
required change, making it ineffective. This DSA has been reissued as
DSA-1556-2. We apologize for the inconvenience. The text of the
original DSA follows.

It has been discovered that the Perl interpreter may encounter a buffer
overflow condition when compiling certain regular expressions containing
Unicode characters. This also happens if the offending characters are
contained in a variable reference protected by the \Q...\E quoting
construct. When encountering this condition, the Perl interpreter
typically crashes, but arbitrary code execution cannot be ruled out.

For the stable distribution (etch), this problem has been fixed in
version 5.8.8-7etch3.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your perl packages.



Debian GNU/Linux 4.0 alias etch

Micha


16

Sunday, 27 April 2008, 12:13

Package : wml
Vulnerability : insecure temporary files
Problem type : local
Debian-specific: no
CVE IDs : CVE-2008-0665 CVE-2008-0666
Debian Bugs : 463907 471345

The security update DSA 1492-1 fixed the security problem below but
introduced a new problem by not removing temporary directories in the
ipp backend. This update corrects this.

For completeness here is the original advisory text:

Frank Lichtenheld and Nico Golde discovered that WML, an off-line
HTML generation toolkit, creates insecure temporary files in the
eperl and ipp backends and in the wmg.cgi script, which could lead
to local denial of service by overwriting files.

The old stable distribution (sarge) is not affected.

For the stable distribution (etch) this problem has been fixed in
version 2.0.11-1etch2.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.11ds1-0.2.

We recommend that you upgrade your wml package.




Debian GNU/Linux 4.0 alias etch

Micha


17

Sunday, 27 April 2008, 12:14

Package : phpgedview
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-5051
Debian Bug : 443901

It was discovered that phpGedView, an application to provide online access
to genealogical data, performed insufficient input sanitising on some
parameters, making it vulnerable to cross site scripting.

For the stable distribution (etch), this problem has been fixed in version
4.0.2.dfsg-3.

For the unstable distribution (sid), this problem has been fixed in version
4.1.e+4.1.1-2.

We recommend that you upgrade your phpgedview package.



Debian GNU/Linux 4.0 alias etch

Micha


18

Monday, 28 April 2008, 19:56

Package : ldm
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1293
Debian Bug : 469462

Christian Herzog discovered that within the Linux Terminal Server Project,
it was possible to connect to X on any LTSP client from any host on the
network, making client windows and keystrokes visible to that host.

NOTE: most ldm installs are likely to be in a chroot environment exported
over NFS, and will not be upgraded merely by upgrading the server itself.
For example, on the i386 architecture, to upgrade ldm will likely require:

chroot /opt/ltsp/i386 apt-get update
chroot /opt/ltsp/i386 apt-get dist-upgrade


For the stable distribution (etch), this problem has been fixed in
version 0.99debian11+etch1.

For the unstable distribution (sid), this problem has been fixed in
version 2:0.1~bzr20080308-1.

We recommend that you upgrade your ldm package.



Debian GNU/Linux 4.0 alias etch

Micha


19

Monday, 28 April 2008, 19:57

Package : kronolith2
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
Debian Bug : 478121

"The-0utl4w" discovered that Kronolith, the calendar component for
the Horde Framework, didn't properly sanitise URL input, leading to
a cross-site scripting vulnerability in the add event screen.

For the stable distribution (etch), this problem has been fixed in
version 2.1.4-1etch1.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your kronolith2 package.



Debian GNU/Linux 4.0 alias etch

Micha


20

Tuesday, 29 April 2008, 18:17

Package : iceape
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1380

It was discovered that crashes in the Javascript engine of Iceape,
an unbranded version of the Seamonkey internet suite, could
potentially lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 1.0.13~pre080323b-0etch3.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.9-2.

We recommend that you upgrade your iceape packages.


Debian 4.0 (stable)
