rootserverprojekt.de

Package : libtk-img
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-0553

It was discovered that a buffer overflow in the GIF image parsing code
of Tk, a cross-platform graphical toolkit, could lead to denial of
service and potentially the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in version
1:1.3-15etch2.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.3-release-7.

We recommend that you upgrade your libtk-img package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : dbus
Vulnerability : programming error
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-0595

Havoc Pennington discovered that DBus, a simple interprocess messaging
system, performs insufficient validation of security policies, which
might allow local privilege escalation.

For the stable distribution (etch), this problem has been fixed in
version 1.0.2-1+etch1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.20-1.

We recommend that you upgrade your dbus packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : sympa
Vulnerability : dos
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1648
Debian Bug : 475163

It was discovered that sympa, a modern mailing list manager, would
crash when processing certain types of malformed messages.

For the stable distribution (etch), this problem has been fixed in version
5.2.3-1.2+etch1.

For the unstable distribution (sid), this problem has been fixed in
version 5.3.4-4.

We recommend that you upgrade your sympa package.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : wordpress
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-1599 CVE-2008-0664
Debian Bug : 437085 464170

Several remote vulnerabilities have been discovered in Wordpress,
the weblog manager. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2007-1599

WordPress allows remote attackers to redirect authenticated users
to other websites and potentially obtain sensitive information.

CVE-2008-0664

The XML-RPC implementation, when registration is enabled, allows
remote attackers to edit posts of other blog users.

For the stable distribution (etch), these problems have been fixed in
version 2.0.10-1etch3.

For the unstable distribution (sid), these problems have been fixed in
version 2.3.3-1.

We recommend that you upgrade your wordpress package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : pcre3
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-2371

Tavis Ormandy discovered that PCRE, the Perl-Compatible Regular
Expression library, may encounter a heap overflow condition when
compiling certain regular expressions involving in-pattern options and
branches, potentially leading to arbitrary code execution.

For the stable distribution (etch), this problem has been fixed in
version 6.7+7.4-4.

For the unstable distribution (sid), this problem has been fixed soon.

We recommend that you upgrade your pcre3 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : bind9
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1447
CERT advisory : VU#800113


Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.

This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.

Note that this security update changes BIND network behavior in a
fundamental way, and the following steps are recommended to ensure a
smooth upgrade.


1. Make sure that your network configuration is compatible with source
port randomization. If you guard your resolver with a stateless packet
filter, you may need to make sure that no non-DNS services listen on on
the 1024--65535 UDP port range and open it at the packet filter. For
instance, packet filters based on etch's Linux 2.6.18 kernel only
support stateless filtering of IPv6 packets, and are therefore pose this
additional difficulty. (If you use IPv4 with iptables and ESTABLISHED
rules, networking changes are likely not required.)

2. Install the BIND 9 upgrade, using "apt-get update" followed by
"apt-get install bind9". Verify that the named process has been
restarted and answers recursive queries. (If all queries result in
timeouts, this indicates that networking changes are necessary; see the
first step.)

3. Verify that source port randomization is active. Check that the
/var/log/daemon.log file does not contain messages of the following
form

named[6106]: /etc/bind/named.conf.options:28: using specific
query-source port suppresses port randomization and can be insecure.

right after the "listening on IPv6 interface" and "listening on IPv4
interface" messages logged by BIND upon startup. If these messages are
present, you should remove the indicated lines from the configuration,
or replace the port numbers contained within them with "*" sign (e.g.,
replace "port 53" with "port *").

For additional certainty, use tcpdump or some other network monitoring
tool to check for varying UDP source ports. If there is a NAT device
in front of your resolver, make sure that it does not defeat the
effect of source port randomization.

4. If you cannot activate source port randomization, consider
configuring BIND 9 to forward queries to a resolver which can, possibly
over a VPN such as OpenVPN to create the necessary trusted network link.
(Use BIND's forward-only mode in this case.)


Other caching resolvers distributed by Debian (PowerDNS, MaraDNS,
Unbound) already employ source port randomization, and no updated
packages are needed. BIND 9.5 up to and including version
1:9.5.0.dfsg-4 only implements a weak form of source port
randomization and needs to be updated as well. For information on
BIND 8, see DSA-1604-1, and for the status of the libc stub resolver,
see DSA-1605-1.

The updated bind9 packages contain changes originally scheduled for
the next stable point release, including the changed IP address of
L.ROOT-SERVERS.NET (Debian bug #44914.

For the stable distribution (etch), this problem has been fixed in
version 9.3.4-2etch3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your bind9 package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : bind
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1447
CERT advisory : VU#800113


Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.

The BIND 8 legacy code base could not be updated to include the
recommended countermeasure (source port randomization, see DSA-1603-1
for details). There are two ways to deal with this situation:

1. Upgrade to BIND 9 (or another implementation with source port
randomization). The documentation included with BIND 9 contains a
migration guide.

2. Configure the BIND 8 resolver to forward queries to a BIND 9
resolver. Provided that the network between both resolvers is trusted,
this protects the BIND 8 resolver from cache poisoning attacks (to the
same degree that the BIND 9 resolver is protected).

This problem does not apply to BIND 8 when used exclusively as an
authoritative DNS server. It is theoretically possible to safely use
BIND 8 in this way, but updating to BIND 9 is strongly recommended.
BIND 8 (that is, the bind package) will be removed from the etch
distribution in a future point release.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main

Package : glibc
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1447
CERT advisory : VU#800113


Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS spoofing and cache poisoning attacks. Among
other things, successful attacks can lead to misdirected web traffic
and email rerouting.

At this time, it is not possible to implement the recommended
countermeasures in the GNU libc stub resolver. The following
workarounds are available:

1. Install a local BIND 9 resoler on the host, possibly in
forward-only mode. BIND 9 will then use source port randomization
when sending queries over the network. (Other caching resolvers can
be used instead.)

2. Rely on IP address spoofing protection if available. Successful
attacks must spoof the address of one of the resolvers, which may not
be possible if the network is guarded properly against IP spoofing
attacks (both from internal and external sources).

This DSA will be updated when patches for hardening the stub resolver
are available.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main

Package : poppler
Vulnerability : programming error
Problem type : local
Debian-specific: no
CVE Id(s) : CVE 2008-1693
Debian Bug : 476842

It was discovered that poppler, a PDF rendering library, did not
properly handle embedded fonts in PDF files, allowing attackers to
execute arbitrary code via a crafted font object.

For the stable distribution (etch), this problem has been fixed in version
0.4.5-5.1etch3.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.0-1.

We recommend that you upgrade your poppler package.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : iceweasel
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811

Several remote vulnerabilities have been discovered in the Iceweasel
webbrowser, an unbranded version of the Firefox browser. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-2798

Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
crashes in the layout engine, which might allow the execution of
arbitrary code.

CVE-2008-2799

Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
the Javascript engine, which might allow the execution of arbitrary code.

CVE-2008-2800

"moz_bug_r_a4" discovered several cross-site scripting vulnerabilities.

CVE-2008-2801

Collin Jackson and Adam Barth discovered that Javascript code
could be executed in the context or signed JAR archives.

CVE-2008-2802

"moz_bug_r_a4" discovered that XUL documements can escalate
privileges by accessing the pre-compiled "fastload" file.

CVE-2008-2803

"moz_bug_r_a4" discovered that missing input sanitising in the
mozIJSSubScriptLoader.loadSubScript() function could lead to the
execution of arbitrary code. Iceweasel itself is not affected, but
some addons are.

CVE-2008-2805

Claudio Santambrogio discovered that missing access validation in
DOM parsing allows malicious web sites to force the browser to
upload local files to the server, which could lead to information
disclosure.

CVE-2008-2807

Daniel Glazman discovered that a programming error in the code for
parsing .properties files could lead to memory content being
exposed to addons, which could lead to information disclosure.

CVE-2008-2808

Masahiro Yamada discovered that file URLS in directory listings
were insufficiently escaped.

CVE-2008-2809

John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
alternate names on self-signed certificates were handled
insufficiently, which could lead to spoofings secure connections.

CVE-2008-2811

Greg McManus discovered discovered a crash in the block reflow
code, which might allow the execution of arbitrary code.


For the stable distribution (etch), these problems have been fixed in
version 2.0.0.15-0etch1.

Iceweasel from the unstable distribution (sid) links dynamically
against the xulrunner library.

We recommend that you upgrade your iceweasel package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : pdns-recursor
Vulnerability : insufficient randomness
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1637
Debian Bug : 490069

Thomas Biege discovered that the upstream fix for the weak random number
generator released in DSA-1544-1 was incomplete: Source port
randomization did still not use difficult-to-predict random numbers.
This is corrected in this security update.

Here is the text of the original advisory:

Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses
a weak random number generator to create DNS transaction IDs and UDP
source port numbers. As a result, cache poisoning attacks were
simplified. (CVE-2008-1637)

In the light of recent DNS-related developments (documented in DSAs
1603, 1604, 1605), we recommend that this update is installed as an
additional safety measure. (The lack of source port randomization was
addressed in the 3.1.6 upstream version.)

In addition, this update incorporates the changed IP address of
L.ROOT-SERVERS.NET.

For the stable distribution (etch), this problem has been fixed in
version 3.1.4-1+etch2.

For the unstable distribution (sid), this problem has been fixed in
version 3.1.7-1.

We recommend that you upgrade your pdns-recursor package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : cacti
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0783 CVE-2008-0785

Since the previous security update, the cacti package could no longer
be rebuilt from the source package. This update corrects that problem.
Note that this problem does not affect regular use of the provided
binary packages (.deb).

For reference the original advisory text follows.

It was discovered that Cacti, a systems and services monitoring frontend,
performed insufficient input sanitising, leading to cross site scripting
and SQL injection being possible.

For the stable distribution (etch), this problem has been fixed in
version 0.8.6i-3.5.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : lighttpd
Vulnerability : various
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0983 CVE-2007-3948
Debian Bug : 434888 466663

Several local/remote vulnerabilities have been discovered in lighttpd,
a fast webserver with minimal memory footprint.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2008-0983
lighttpd 1.4.18, and possibly other versions before 1.5.0, does not
properly calculate the size of a file descriptor array, which allows
remote attackers to cause a denial of service (crash) via a large number
of connections, which triggers an out-of-bounds access.

CVE-2007-3948
connections.c in lighttpd before 1.4.16 might accept more connections
than the configured maximum, which allows remote attackers to cause a
denial of service (failed assertion) via a large number of connection
attempts.

For the stable distribution (etch), these problems have been fixed in
version 1.4.13-4etch9.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.18-2.

We recommend that you upgrade your lighttpd package.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : gaim
Vulnerability : integer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2927

It was discovered that gaim, an multi-protocol instant messaging client,
was vulnerable to several integer overflows in its MSN protocol handlers.
These could allow a remote attacker to execute arbitrary code.

For the stable distribution (etch), this problem has been fixed in version
1:2.0.0+beta5-10etch1.

For the unstable distribution (sid), this package is not present.

We recommend that you upgrade your gaim package.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : afuse
Vulnerability : privilege escalation
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-2232
Debian Bug : 490921

Anders Kaseorg discovered that afuse, an automounting file system
in user-space, did not properly escape meta characters in paths.
This allowed a local attacker with read access to the filesystem to
execute commands as the owner of the filesystem.

For the stable distribution (etch), this problem has been fixed in
version 0.1.1-1+etch1.

For the unstable distribution (sid), this problem has been fixed in
version 0.2-3.

We recommend that you upgrade your afuse (0.1.1-1+etch1) package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : ruby1.8
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726 CVE-2008-2376

Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may lead to denial of service or the
execution of arbitrary code. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2006-2662

Drew Yao discovered that multiple integer overflows in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2663

Drew Yao discovered that multiple integer overflows in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2664

Drew Yao discovered that a programming error in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2725

Drew Yao discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

CVE-2008-2726

Drew Yao discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

CVE-2008-2376

It was discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

For the stable distribution (etch), these problems have been fixed in
version 1.8.5-4etch2.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.7.22-2.

We recommend that you upgrade your ruby1.8 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : libgd2
Vulnerability : multiple vulnerabilities
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2007-3476 CVE-2007-3477 CVE-2007-3996 CVE-2007-2445
Debian Bug : 443456

Multiple vulnerabilities have been identified in libgd2, a library
for programmatic graphics creation and manipulation. The Common
Vulnerabilities and Exposures project identifies the following three
issues:

CVE-2007-2445

Grayscale PNG files containing invalid tRNS chunk CRC values
could cause a denial of service (crash), if a maliciously
crafted image is loaded into an application using libgd.

CVE-2007-3476

An array indexing error in libgd's GIF handling could induce a
denial of service (crash with heap corruption) if exceptionally
large color index values are supplied in a maliciously crafted
GIF image file.

CVE-2007-3477

The imagearc() and imagefilledarc() routines in libgd allow
an attacker in control of the parameters used to specify
the degrees of arc for those drawing functions to perform
a denial of service attack (excessive CPU consumption).

CVE-2007-3996

Multiple integer overflows exist in libgd's image resizing and
creation routines; these weaknesses allow an attacker in control
of the parameters passed to those routines to induce a crash or
execute arbitrary code with the privileges of the user running
an application or interpreter linked against libgd2.

For the stable distribution (etch), these problems have been fixed in
version 2.0.33-5.2etch1. For the unstable distribution (sid), the
problem has been fixed in version 2.0.35.dfsg-1.

We recommend that you upgrade your libgd2 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : lighttpd
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1531

This update fixes a regression in lighttpd introduced in DSA-1540,
causing SSL failures. For reference the original advisory text is
quoted below.

It was discovered that lighttpd, a fast webserver with minimal memory
footprint, was didn't correctly handle SSL errors. This could allow
a remote attacker to disconnect all active SSL connections.

For the stable distribution (etch), this problem has been fixed in
version 1.4.13-4etch10.

We recommend that you upgrade your lighttpd package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : iceweasel
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2008-2785 CVE-2008-2933

Several remote vulnerabilities have been discovered in the Iceweasel
web browser, an unbranded version of the Firefox browser. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-2785

It was discovered that missing boundary checks on a reference
counter for CSS objects can lead to the execution of arbitrary code.

CVE-2008-2933

Billy Rios discovered that passing an URL containing a pipe symbol
to Iceweasel can lead to Chrome privilege escalation.

For the stable distribution (etch), these problems have been fixed in
version 2.0.0.16-0etch1. Updated packages for ia64, arm and mips are
not yet available and will be released as soon as they have been built.

For the unstable distribution (sid), these problems have been fixed in
xulrunner 1.9.0.1-1 and iceweasel 3.0.1-1.

We recommend that you upgrade your iceweasel package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Package : xulrunner
Vulnerability : several
Problem type : local/remote
Debian-specific: no
CVE ID : CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811 CVE-2008-2933

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2008-2785

It was discovered that missing boundary checks on a reference
counter for CSS objects can lead to the execution of arbitrary code.

CVE-2008-2798

Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
crashes in the layout engine, which might allow the execution of
arbitrary code.

CVE-2008-2799

Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
the Javascript engine, which might allow the execution of arbitrary code.

CVE-2008-2800

"moz_bug_r_a4" discovered several cross-site scripting vulnerabilities.

CVE-2008-2801

Collin Jackson and Adam Barth discovered that Javascript code
could be executed in the context of signed JAR archives.

CVE-2008-2802

"moz_bug_r_a4" discovered that XUL documements can escalate
privileges by accessing the pre-compiled "fastload" file.

CVE-2008-2803

"moz_bug_r_a4" discovered that missing input sanitising in the
mozIJSSubScriptLoader.loadSubScript() function could lead to the
execution of arbitrary code. Iceweasel itself is not affected, but
some addons are.

CVE-2008-2805

Claudio Santambrogio discovered that missing access validation in
DOM parsing allows malicious web sites to force the browser to
upload local files to the server, which could lead to information
disclosure.

CVE-2008-2807

Daniel Glazman discovered that a programming error in the code for
parsing .properties files could lead to memory content being
exposed to addons, which could lead to information disclosure.

CVE-2008-2808

Masahiro Yamada discovered that file URLS in directory listings
were insufficiently escaped.

CVE-2008-2809

John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
alternate names on self-signed certificates were handled
insufficiently, which could lead to spoofings secure connections.

CVE-2008-2811

Greg McManus discovered discovered a crash in the block reflow
code, which might allow the execution of arbitrary code.

CVE-2008-2933

Billy Rios discovered that passing an URL containing a pipe symbol
to Iceweasel can lead to Chrome privilege escalation.

For the stable distribution (etch), these problems have been fixed in
version 1.8.0.15~pre080614d-0etch1.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.1-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch