Debian Security Advisory

  • Package : lighttpd
    Vulnerability : DOS
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1531


    It was discovered that lighttpd, a fast webserver with minimal memory
    footprint, did not correctly handle SSL errors. This could allow
    a remote attacker to disconnect all active SSL connections.


    This security update fixes a regression in the previous one, which caused
    SSL failures.


    For the stable distribution (etch), this problem has been fixed in version
    1.4.13-4etch8.


    We recommend that you upgrade your lighttpd package.



    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian GNU/Linux 4.0 alias etch

  • Package : openoffice.org
    Vulnerability : several
    Problem type : local (remote)
    Debian-specific: no
    CVE IDs : CVE-2007-5745 CVE-2007-5746 CVE-2007-5747 CVE-2008-0320


    Several security related problems have been discovered in
    OpenOffice.org, the free office suite. The Common Vulnerabilities and
    Exposures project identifies the following problems:


    CVE-2007-5745, CVE-2007-5747


    Several bugs have been discovered in the way OpenOffice.org parses
    Quattro Pro files that may lead to an overflow in the heap,
    potentially leading to the execution of arbitrary code.


    CVE-2007-5746


    Specially crafted EMF files can trigger a buffer overflow in the
    heap that may lead to the execution of arbitrary code.


    CVE-2008-0320


    A bug has been discovered in the processing of OLE files that can
    cause a buffer overflow in the heap potentially leading to the
    execution of arbitrary code.


    Recently reported problems in the ICU library, against which
    OpenOffice.org is linked, are fixed in separate libicu packages with DSA 1511.


    For the old stable distribution (sarge) these problems have been fixed in
    version 1.1.3-9sarge9.


    For the stable distribution (etch) these problems have been fixed in
    version 2.0.4.dfsg.2-7etch5.


    For the testing (lenny) and unstable (sid) distributions these
    problems have been fixed in version 2.4.0~ooh680m5-1.


    We recommend that you upgrade your openoffice.org packages.



    Upgrade Instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given at the end of this advisory:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 3.1 alias sarge

  • Package : xpdf
    Vulnerability : multiple
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2008-1693


    Kees Cook discovered a vulnerability in xpdf, a set of tools for
    display and conversion of Portable Document Format (PDF) files. The
    Common Vulnerabilities and Exposures project identifies the following
    problem:


    CVE-2008-1693


    Xpdf's handling of embedded fonts lacks sufficient validation
    and type checking. If a maliciously-crafted PDF file is opened,
    the vulnerability may allow the execution of arbitrary code with
    the privileges of the user running xpdf.


    For the stable distribution (etch), these problems have been fixed in
    version 3.01-9.1+etch3.


    For the unstable distribution (sid), these problems were fixed in
    version 3.02-1.2.


    We recommend that you upgrade your xpdf package.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

  • Package : suphp
    Vulnerability : programming error
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-1614
    Debian Bug : 475431


    It was discovered that suphp, an Apache module to run PHP scripts with
    owner permissions, handles symlinks insecurely, which may lead to
    privilege escalation by local users.


    For the stable distribution (etch), this problem has been fixed in
    version 0.6.2-1+etch0.


    For the unstable distribution (sid), this problem will be fixed soon.


    We recommend that you upgrade your suphp packages.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian 4.0 (stable)

  • Package : clamav
    Vulnerability : buffer overflows
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-0314 CVE-2008-1100


    Several remote vulnerabilities have been discovered in the Clam anti-virus
    toolkit. The Common Vulnerabilities and Exposures project identifies the
    following problems:


    CVE-2008-0314


    Damian Put discovered that a buffer overflow in the handler for
    PeSpin binaries may lead to the execution of arbitrary code.


    CVE-2008-1100


    Alin Rad Pop discovered that a buffer overflow in the handler for
    Upack PE binaries may lead to the execution of arbitrary code.


    no CVE yet


    Damian Put and Thomas Pollet discovered that a buffer overflow in
    the handler for WWPack-compressed PE binaries may lead to the
    execution of arbitrary code.


    For the stable distribution (etch) these problems have been fixed
    in version 0.90.1-3etch11.


    For the unstable distribution (sid) these problems have been fixed in
    version 0.92.1~dfsg2-1.


    We recommend that you upgrade your clamav packages.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian 4.0 (stable)

  • Package : mplayer
    Vulnerability : missing input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1558


    It was discovered that the MPlayer movie player performs insufficient
    input sanitising on SDP session data, leading to potential execution
    of arbitrary code through a malformed multimedia stream.


    For the stable distribution (etch), this problem has been fixed in
    version 1.0~rc1-12etch3.


    For the unstable distribution (sid), this problem has been fixed in
    version 1.0~rc2-10.


    We recommend that you upgrade your mplayer package.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian 4.0 (stable)

  • Package : python2.4
    Vulnerability : several
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2007-2052 CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-1887


    Several vulnerabilities have been discovered in the interpreter for the
    Python language. The Common Vulnerabilities and Exposures project identifies
    the following problems:


    CVE-2007-2052


    Piotr Engelking discovered that the strxfrm() function of the locale
    module miscalculates the length of an internal buffer, which may
    result in a minor information disclosure.


    CVE-2007-4965


    It was discovered that several integer overflows in the imageop
    module may lead to the execution of arbitrary code, if a user is
    tricked into processing malformed images. This issue is also
    tracked as CVE-2008-1679 due to an initially incomplete patch.


    CVE-2008-1721

    Justin Ferguson discovered that a buffer overflow in the zlib
    module may lead to the execution of arbitrary code.


    CVE-2008-1887


    Justin Ferguson discovered that insufficient input validation in
    PyString_FromStringAndSize() may lead to the execution of arbitrary
    code.


    For the stable distribution (etch), these problems have been fixed in
    version 2.4.4-3+etch1.


    For the unstable distribution (sid), these problems have been fixed in
    version 2.4.5-2.


    We recommend that you upgrade your python2.4 packages.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian 4.0 (stable)

  • Package : ikiwiki
    Vulnerability : cross-site request forgery
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-0165
    Debian Bug : 475445


    It has been discovered that ikiwiki, a Wiki implementation, does not
    guard password and content changes against cross-site request forgery
    (CSRF) attacks.


    For the stable distribution (etch), this problem has been fixed in
    version 1.33.5.


    For the unstable distribution (sid), this problem has been fixed in
    version 2.42.


    We recommend that you upgrade your ikiwiki package.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian GNU/Linux 4.0 alias etch

  • Package : roundup
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1474
    Debian Bug : 472643


    Roundup, an issue tracking system, fails to properly escape HTML input,
    allowing an attacker to inject client-side code (typically JavaScript)
    into a document that may be viewed in the victim's browser.


    For the stable distribution (etch), this problem has been fixed in version
    1.2.1-5+etch1.


    We recommend that you upgrade your roundup packages.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

  • Package : iceweasel
    Vulnerability : programming error
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1380


    It was discovered that crashes in the Javascript engine of Iceweasel,
    an unbranded version of the Firefox browser, could potentially lead to
    the execution of arbitrary code.


    For the stable distribution (etch), this problem has been fixed in
    version 2.0.0.14-0etch1.


    For the unstable distribution (sid), this problem has been fixed in
    version 2.0.0.14-1.


    We recommend that you upgrade your iceweasel package.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian 4.0 (stable)

  • Package : perl
    Vulnerability : heap buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    CVE Id : CVE-2008-1927
    Debian Bug : 454792


    It has been discovered that the Perl interpreter may encounter a buffer
    overflow condition when compiling certain regular expressions containing
    Unicode characters. This also happens if the offending characters are
    contained in a variable reference protected by the \Q...\E quoting
    construct. When encountering this condition, the Perl interpreter
    typically crashes, but arbitrary code execution cannot be ruled out.


    For the stable distribution (etch), this problem has been fixed in
    version 5.8.8-7etch2.


    The unstable distribution (sid) will be fixed soon.


    We recommend that you upgrade your perl packages.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian GNU/Linux 4.0 alias etch

  • Package : phpmyadmin
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1149 CVE-2008-1567 CVE-2008-1924


    Several remote vulnerabilities have been discovered in phpMyAdmin,
    an application to administer MySQL over the WWW. The Common
    Vulnerabilities and Exposures project identifies the following problems:


    CVE-2008-1924


    Attackers with CREATE table permissions were allowed to read
    arbitrary files readable by the webserver via a crafted
    HTTP POST request.


    CVE-2008-1567


    The PHP session data file stored the username and password of
    a logged in user, which in some setups can be read by a local
    user.


    CVE-2008-1149


    Cross-site scripting and SQL injection were possible for attackers
    who had permission to create cookies in the same cookie domain
    in which phpMyAdmin runs.


    For the stable distribution (etch), these problems have been fixed in
    version 4:2.9.1.1-7.


    For the unstable distribution (sid), these problems have been fixed in
    version 4:2.11.5.2-1.


    We recommend that you upgrade your phpmyadmin package.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian GNU/Linux 4.0 alias etch

  • Package : iceape
    Vulnerability : several
    Problem-Type : remote
    Debian-specific: no
    CVE ID : CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235
    CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240
    CVE-2008-1241


    A regression in mailnews handling has been fixed. For reference, the
    original advisory text follows:


    Several remote vulnerabilities have been discovered in the Iceape internet
    suite, an unbranded version of the Seamonkey Internet Suite. The Common
    Vulnerabilities and Exposures project identifies the following problems:


    CVE-2007-4879


    Peter Brodersen and Alexander Klink discovered that the
    autoselection of SSL client certificates could lead to users
    being tracked, resulting in a loss of privacy.


    CVE-2008-1233


    "moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
    CVE-2007-5338 allow the execution of arbitrary code through
    XPCNativeWrapper.


    CVE-2008-1234


    "moz_bug_r_a4" discovered that insecure handling of event
    handlers could lead to cross-site scripting.


    CVE-2008-1235

    Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
    that incorrect principal handling can lead to cross-site
    scripting and the execution of arbitrary code.


    CVE-2008-1236


    Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
    Palmgren discovered crashes in the layout engine, which might
    allow the execution of arbitrary code.


    CVE-2008-1237


    "georgi", "tgirmann" and Igor Bukanov discovered crashes in the
    Javascript engine, which might allow the execution of arbitrary
    code.


    CVE-2008-1238


    Gregory Fleischer discovered that HTTP Referrer headers were
    handled incorrectly in combination with URLs containing Basic
    Authentication credentials with empty usernames, resulting
    in potential Cross-Site Request Forgery attacks.


    CVE-2008-1240


    Gregory Fleischer discovered that web content fetched through
    the jar: protocol can use Java to connect to arbitrary ports.
    This is only an issue in combination with the non-free Java
    plugin.


    CVE-2008-1241


    Chris Thomas discovered that background tabs could generate
    XUL popups overlaying the current tab, resulting in potential
    spoofing attacks.


    For the stable distribution (etch), these problems have been fixed in
    version 1.0.13~pre080323b-0etch2.


    We recommend that you upgrade your iceape packages.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian 4.0 (stable)

  • Package : xulrunner
    Vulnerability : programming error
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1380


    It was discovered that crashes in the Javascript engine of xulrunner,
    the Gecko engine library, could potentially lead to the execution of
    arbitrary code.


    For the stable distribution (etch), this problem has been fixed in
    version 1.8.0.15~pre080323b-0etch2.


    For the unstable distribution (sid), this problem has been fixed in
    version 1.8.1.14-1.


    We recommend that you upgrade your xulrunner packages.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian 4.0 (stable)

  • Package : perl
    Vulnerability : heap buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    CVE Id : CVE-2008-1927
    Debian Bug : 454792


    An editorial mistake resulted in DSA-1556-1 not correctly applying the
    required change, making it ineffective. This DSA has been reissued as
    DSA-1556-2. We apologize for the inconvenience. The text of the
    original DSA follows.


    It has been discovered that the Perl interpreter may encounter a buffer
    overflow condition when compiling certain regular expressions containing
    Unicode characters. This also happens if the offending characters are
    contained in a variable reference protected by the \Q...\E quoting
    construct. When encountering this condition, the Perl interpreter
    typically crashes, but arbitrary code execution cannot be ruled out.


    For the stable distribution (etch), this problem has been fixed in
    version 5.8.8-7etch3.


    The unstable distribution (sid) will be fixed soon.


    We recommend that you upgrade your perl packages.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian GNU/Linux 4.0 alias etch

  • Package : wml
    Vulnerability : insecure temporary files
    Problem type : local
    Debian-specific: no
    CVE IDs : CVE-2008-0665 CVE-2008-0666
    Debian Bugs : 463907 471345


    The security update DSA 1492-1 fixed the security problem below but
    introduced a new problem by not removing temporary directories in the
    ipp backend. This update corrects this.


    For completeness here is the original advisory text:


    Frank Lichtenheld and Nico Golde discovered that WML, an off-line
    HTML generation toolkit, creates insecure temporary files in the
    eperl and ipp backends and in the wmg.cgi script, which could lead
    to local denial of service by overwriting files.


    The old stable distribution (sarge) is not affected.


    For the stable distribution (etch) this problem has been fixed in
    version 2.0.11-1etch2.


    For the unstable distribution (sid) this problem has been fixed in
    version 2.0.11ds1-0.2.


    We recommend that you upgrade your wml package.



    Upgrade Instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given at the end of this advisory:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian GNU/Linux 4.0 alias etch

  • Package : phpgedview
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2007-5051
    Debian Bug : 443901


    It was discovered that phpGedView, an application to provide online access
    to genealogical data, performed insufficient input sanitising on some
    parameters, making it vulnerable to cross site scripting.


    For the stable distribution (etch), this problem has been fixed in version
    4.0.2.dfsg-3.


    For the unstable distribution (sid), this problem has been fixed in version
    4.1.e+4.1.1-2.


    We recommend that you upgrade your phpgedview package.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian GNU/Linux 4.0 alias etch

  • Package : ldm
    Vulnerability : programming error
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1293
    Debian Bug : 469462


    Christian Herzog discovered that within the Linux Terminal Server Project,
    it was possible to connect to X on any LTSP client from any host on the
    network, making client windows and keystrokes visible to that host.


    NOTE: most ldm installs are likely to be in a chroot environment exported
    over NFS, and will not be upgraded merely by upgrading the server itself.
    For example, on the i386 architecture, to upgrade ldm will likely require:


    chroot /opt/ltsp/i386 apt-get update
    chroot /opt/ltsp/i386 apt-get dist-upgrade



    For the stable distribution (etch), this problem has been fixed in
    version 0.99debian11+etch1.


    For the unstable distribution (sid), this problem has been fixed in
    version 2:0.1~bzr20080308-1.


    We recommend that you upgrade your ldm package.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian GNU/Linux 4.0 alias etch

  • Package : kronolith2
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    Debian Bug : 478121


    "The-0utl4w" discovered that Kronolith, the calendar component of
    the Horde Framework, didn't properly sanitise URL input, leading to
    a cross-site scripting vulnerability in the add event screen.


    For the stable distribution (etch), this problem has been fixed in
    version 2.1.4-1etch1.


    The unstable distribution (sid) will be fixed soon.


    We recommend that you upgrade your kronolith2 package.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.



    Debian GNU/Linux 4.0 alias etch

  • Package : iceape
    Vulnerability : programming error
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1380


    It was discovered that crashes in the Javascript engine of Iceape,
    an unbranded version of the Seamonkey internet suite, could
    potentially lead to the execution of arbitrary code.


    For the stable distribution (etch), this problem has been fixed in
    version 1.0.13~pre080323b-0etch3.


    For the unstable distribution (sid), this problem has been fixed in
    version 1.1.9-2.


    We recommend that you upgrade your iceape packages.


    Upgrade instructions
    --------------------


    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.


    If you are using the apt-get package manager, use the line for
    sources.list as given below:


    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages


    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian 4.0 (stable)
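Every advisory above ends with the same upgrade procedure, and the question a defender actually has to answer afterwards is whether each installed package is at or above the fixed version the advisory names. The Python script below is an added example, not part of any Debian advisory and not dpkg's own code: it re-implements dpkg's version ordering (epoch, upstream, revision; a tilde sorts before anything, including the end of the string, which is why 1.0~rc1 is older than 1.0; an absent epoch counts as 0) and checks installed versions against the etch fixed versions quoted above. The versions in SAMPLE_INSTALLED are constructed for the demonstration; on a real Debian host the script reads the installed versions with dpkg-query instead.

```python
# Added example (not Debian's code): check installed package versions against the
# etch fixed versions quoted in the advisories above. It re-implements dpkg's version
# ordering (epoch, upstream, revision; '~' sorts before everything, letters before
# non-letters, digit runs compared numerically) so it can run without dpkg.
import shutil
import subprocess

# Fixed versions for the stable distribution (etch), copied from the advisories above.
# perl uses the reissued DSA-1556-2 version, since 5.8.8-7etch2 was ineffective.
ETCH_FIXED_VERSIONS = {
    "lighttpd": "1.4.13-4etch8", "openoffice.org": "2.0.4.dfsg.2-7etch5",
    "xpdf": "3.01-9.1+etch3", "suphp": "0.6.2-1+etch0", "clamav": "0.90.1-3etch11",
    "mplayer": "1.0~rc1-12etch3", "python2.4": "2.4.4-3+etch1", "ikiwiki": "1.33.5",
    "roundup": "1.2.1-5+etch1", "iceweasel": "2.0.0.14-0etch1", "perl": "5.8.8-7etch3",
    "phpmyadmin": "4:2.9.1.1-7", "iceape": "1.0.13~pre080323b-0etch3",
    "xulrunner": "1.8.0.15~pre080323b-0etch2", "wml": "2.0.11-1etch2",
    "phpgedview": "4.0.2.dfsg-3", "ldm": "0.99debian11+etch1", "kronolith2": "2.1.4-1etch1",
}


def _order(c):
    """dpkg's sort weight for one character: '~' < end-of-string/digit < letters < others."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision strings as dpkg does; returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using dpkg's ordering.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def audit(installed, fixed=ETCH_FIXED_VERSIONS):
    """Classify each advised package as 'fixed', 'vulnerable' or 'not installed'."""
    status = {}
    for pkg, fixed_version in fixed.items():
        have = installed.get(pkg)
        if have is None:
            status[pkg] = "not installed"
        else:
            status[pkg] = "vulnerable" if compare_versions(have, fixed_version) < 0 else "fixed"
    return status


def installed_versions(packages):
    """Read installed versions with dpkg-query; returns {} where dpkg-query is not available."""
    if shutil.which("dpkg-query") is None:
        return {}
    found = {}
    for pkg in packages:
        proc = subprocess.run(["dpkg-query", "-W", "-f", "${Version}", pkg],
                              capture_output=True, text=True)
        if proc.returncode == 0 and proc.stdout.strip():
            found[pkg] = proc.stdout.strip()
    return found


# Constructed sample (not real host data): an etch box that applied some updates but not all.
SAMPLE_INSTALLED = {
    "lighttpd": "1.4.13-4etch7",             # one revision short of the fix
    "perl": "5.8.8-7etch2",                  # the ineffective DSA-1556-1 build
    "mplayer": "1.0~rc1-12etch3",            # exactly the fixed version
    "phpmyadmin": "2.11.5.2-1",              # epoch dropped, so it compares as epoch 0
    "iceape": "1.0.13~pre080323b-0etch3",
}

if __name__ == "__main__":
    # Use real dpkg data when any of these packages is installed, else the constructed sample.
    live = installed_versions(ETCH_FIXED_VERSIONS) or SAMPLE_INSTALLED
    for pkg, state in sorted(audit(live).items()):
        print(f"{pkg:16} {live.get(pkg, '-'):28} {state}")
```

Two cases the sample is built to show: perl at 5.8.8-7etch2 reports as vulnerable because that is the build DSA-1556-1 shipped without the required change, and phpmyadmin at the constructed version 2.11.5.2-1 reports as vulnerable because the fixed version carries epoch 4, and a version string without an epoch compares as epoch 0 regardless of the digits that follow. Comparing with string or float operations instead of these rules would get both of those wrong.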