Debian Security Advisory

    • Official post

    Package : libtk-img
    Vulnerability : buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2008-0553

    It was discovered that a buffer overflow in the GIF image parsing code
    of Tk, a cross-platform graphical toolkit, could lead to denial of
    service and potentially the execution of arbitrary code.

    For the stable distribution (etch), this problem has been fixed in version
    1:1.3-15etch2.

    For the unstable distribution (sid), this problem has been fixed in
    version 1:1.3-release-7.

    We recommend that you upgrade your libtk-img package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : dbus
    Vulnerability : programming error
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-0595

    Havoc Pennington discovered that DBus, a simple interprocess messaging
    system, performs insufficient validation of security policies, which
    might allow local privilege escalation.

    For the stable distribution (etch), this problem has been fixed in
    version 1.0.2-1+etch1.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.1.20-1.

    We recommend that you upgrade your dbus packages.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : sympa
    Vulnerability : dos
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1648
    Debian Bug : 475163

    It was discovered that sympa, a modern mailing list manager, would
    crash when processing certain types of malformed messages.

    For the stable distribution (etch), this problem has been fixed in version
    5.2.3-1.2+etch1.

    For the unstable distribution (sid), this problem has been fixed in
    version 5.3.4-4.

    We recommend that you upgrade your sympa package.




    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : wordpress
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2007-1599 CVE-2008-0664
    Debian Bug : 437085 464170

    Several remote vulnerabilities have been discovered in Wordpress,
    the weblog manager. The Common Vulnerabilities and Exposures project
    identifies the following problems:

    CVE-2007-1599

    WordPress allows remote attackers to redirect authenticated users
    to other websites and potentially obtain sensitive information.

    CVE-2008-0664

    The XML-RPC implementation, when registration is enabled, allows
    remote attackers to edit posts of other blog users.

    For the stable distribution (etch), these problems have been fixed in
    version 2.0.10-1etch3.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.3.3-1.

    We recommend that you upgrade your wordpress package.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : pcre3
    Vulnerability : buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2008-2371

    Tavis Ormandy discovered that PCRE, the Perl-Compatible Regular
    Expression library, may encounter a heap overflow condition when
    compiling certain regular expressions involving in-pattern options and
    branches, potentially leading to arbitrary code execution.

    For the stable distribution (etch), this problem has been fixed in
    version 6.7+7.4-4.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your pcre3 packages.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : bind9
    Vulnerability : DNS cache poisoning
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1447
    CERT advisory : VU#800113


    Dan Kaminsky discovered that properties inherent to the DNS protocol
    lead to practical DNS cache poisoning attacks. Among other things,
    successful attacks can lead to misdirected web traffic and email
    rerouting.

    This update changes Debian's BIND 9 packages to implement the
    recommended countermeasure: UDP query source port randomization. This
    change increases the size of the space from which an attacker has to
    guess values in a backwards-compatible fashion and makes successful
    attacks significantly more difficult.

    Note that this security update changes BIND network behavior in a
    fundamental way, and the following steps are recommended to ensure a
    smooth upgrade.


    1. Make sure that your network configuration is compatible with source
    port randomization. If you guard your resolver with a stateless packet
    filter, you may need to make sure that no non-DNS services listen on
    the 1024--65535 UDP port range and open it at the packet filter. For
    instance, packet filters based on etch's Linux 2.6.18 kernel only
    support stateless filtering of IPv6 packets, and therefore pose this
    additional difficulty. (If you use IPv4 with iptables and ESTABLISHED
    rules, networking changes are likely not required.)

    2. Install the BIND 9 upgrade, using "apt-get update" followed by
    "apt-get install bind9". Verify that the named process has been
    restarted and answers recursive queries. (If all queries result in
    timeouts, this indicates that networking changes are necessary; see the
    first step.)

    3. Verify that source port randomization is active. Check that the
    /var/log/daemon.log file does not contain messages of the following
    form

    named[6106]: /etc/bind/named.conf.options:28: using specific
    query-source port suppresses port randomization and can be insecure.

    right after the "listening on IPv6 interface" and "listening on IPv4
    interface" messages logged by BIND upon startup. If these messages are
    present, you should remove the indicated lines from the configuration,
    or replace the port numbers contained within them with "*" sign (e.g.,
    replace "port 53" with "port *").

    For additional certainty, use tcpdump or some other network monitoring
    tool to check for varying UDP source ports. If there is a NAT device
    in front of your resolver, make sure that it does not defeat the
    effect of source port randomization.

    4. If you cannot activate source port randomization, consider
    configuring BIND 9 to forward queries to a resolver which can, possibly
    over a VPN such as OpenVPN to create the necessary trusted network link.
    (Use BIND's forward-only mode in this case.)


    Other caching resolvers distributed by Debian (PowerDNS, MaraDNS,
    Unbound) already employ source port randomization, and no updated
    packages are needed. BIND 9.5 up to and including version
    1:9.5.0.dfsg-4 only implements a weak form of source port
    randomization and needs to be updated as well. For information on
    BIND 8, see DSA-1604-1, and for the status of the libc stub resolver,
    see DSA-1605-1.

    The updated bind9 packages contain changes originally scheduled for
    the next stable point release, including the changed IP address of
    L.ROOT-SERVERS.NET (Debian bug #449148).

    For the stable distribution (etch), this problem has been fixed in
    version 9.3.4-2etch3.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your bind9 package.



    Debian GNU/Linux 4.0 alias etch
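The three checks in steps 1 to 3 of the advisory above (pinned "query-source ... port" statements in named.conf.options, the startup warning in daemon.log, and varying UDP source ports on the wire) can be scripted. The following is an added example, not part of the advisory or of Debian's bind9 packaging; the configuration fragment, the syslog lines and the tcpdump-style capture lines are constructed inline, and the host name ns1, the addresses 192.0.2.10 and 198.51.100.1 and the 90% distinct-port threshold are assumptions for illustration.

```python
import re

# --- 1. Spot pinned query-source ports in named.conf.options -------------

# Constructed sample (not a real host's file): the two directives below are
# exactly what the advisory says to remove or change to "port *".
WEAK_OPTIONS = """\
options {
    directory "/var/cache/bind";
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""

# Matches query-source / query-source-v6 statements that pin a numeric port.
QUERY_SOURCE_RE = re.compile(
    r"^(?P<head>[ \t]*query-source(?:-v6)?\b[^;]*?\bport[ \t]+)(?P<port>\d+)[ \t]*;",
    re.MULTILINE,
)


def pinned_query_source_ports(conf_text):
    """Ports that query-source statements pin to a fixed value."""
    return [int(m.group("port")) for m in QUERY_SOURCE_RE.finditer(conf_text)]


def unpin_query_source_ports(conf_text):
    """Replace 'port NNN' with 'port *' so named chooses a random source port."""
    return QUERY_SOURCE_RE.sub(lambda m: m.group("head") + "*;", conf_text)


# --- 2. Check daemon.log for the warning named logs at startup ------------

# Constructed syslog lines (assumed host name ns1); the warning text is the
# one the advisory quotes.
SAMPLE_LOG = [
    "Jul 10 12:00:01 ns1 named[6106]: listening on IPv6 interfaces, port 53",
    "Jul 10 12:00:01 ns1 named[6106]: listening on IPv4 interface eth0, 192.0.2.10#53",
    "Jul 10 12:00:01 ns1 named[6106]: /etc/bind/named.conf.options:28: using specific "
    "query-source port suppresses port randomization and can be insecure.",
    "Jul 10 12:00:01 ns1 named[6106]: running",
]

PORT_WARNING = "using specific query-source port suppresses port randomization"


def pinned_port_warnings(log_lines):
    """Log lines in which named reports a pinned query-source port."""
    return [line for line in log_lines if PORT_WARNING in line]


# --- 3. Confirm varying source ports on the wire ---------------------------

# Parses lines shaped like "tcpdump -n udp dst port 53" output.
TCPDUMP_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def query_source_ports(capture_lines, resolver_ip):
    """Source ports of the UDP queries the resolver sent to port 53."""
    ports = []
    for line in capture_lines:
        m = TCPDUMP_RE.search(line)
        if m and m.group("src") == resolver_ip and m.group("dport") == "53":
            ports.append(int(m.group("sport")))
    return ports


def looks_randomized(ports, min_samples=8):
    """True if almost every sampled query used a different source port.

    A NAT device that rewrites source ports to a fixed or sequential value
    fails this check even when named itself randomizes, which is the case
    the advisory warns about.
    """
    if len(ports) < min_samples:
        return False
    return len(set(ports)) >= 0.9 * len(ports)


def _capture(ports):
    # Constructed capture lines: resolver 192.0.2.10 querying 198.51.100.1.
    return [
        f"12:00:0{i % 10}.000000 IP 192.0.2.10.{p} > 198.51.100.1.53: {1000 + i}+ A? example.org. (29)"
        for i, p in enumerate(ports)
    ]


PINNED_CAPTURE = _capture([53] * 10)
RANDOM_CAPTURE = _capture([40112, 7321, 61044, 2250, 33891, 50217, 12045, 58903, 27766, 44120])


if __name__ == "__main__":
    print("pinned ports in config:", pinned_query_source_ports(WEAK_OPTIONS))
    print(unpin_query_source_ports(WEAK_OPTIONS))
    print("warnings in log:", len(pinned_port_warnings(SAMPLE_LOG)))
    for name, cap in (("pinned", PINNED_CAPTURE), ("random", RANDOM_CAPTURE)):
        ports = query_source_ports(cap, "192.0.2.10")
        print(name, "randomized:", looks_randomized(ports))
```

On a real host, feed `open("/etc/bind/named.conf.options").read()`, the lines of /var/log/daemon.log and the output of `tcpdump -n -i eth0 udp dst port 53` into the same functions; run the capture from outside any NAT device, since the point of step 3 is to see the ports as the upstream servers see them.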

    • Official post

    Package : bind
    Vulnerability : DNS cache poisoning
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1447
    CERT advisory : VU#800113


    Dan Kaminsky discovered that properties inherent to the DNS protocol
    lead to practical DNS cache poisoning attacks. Among other things,
    successful attacks can lead to misdirected web traffic and email
    rerouting.

    The BIND 8 legacy code base could not be updated to include the
    recommended countermeasure (source port randomization, see DSA-1603-1
    for details). There are two ways to deal with this situation:

    1. Upgrade to BIND 9 (or another implementation with source port
    randomization). The documentation included with BIND 9 contains a
    migration guide.

    2. Configure the BIND 8 resolver to forward queries to a BIND 9
    resolver. Provided that the network between both resolvers is trusted,
    this protects the BIND 8 resolver from cache poisoning attacks (to the
    same degree that the BIND 9 resolver is protected).

    This problem does not apply to BIND 8 when used exclusively as an
    authoritative DNS server. It is theoretically possible to safely use
    BIND 8 in this way, but updating to BIND 9 is strongly recommended.
    BIND 8 (that is, the bind package) will be removed from the etch
    distribution in a future point release.

    ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main

    • Official post

    Package : glibc
    Vulnerability : DNS cache poisoning
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1447
    CERT advisory : VU#800113


    Dan Kaminsky discovered that properties inherent to the DNS protocol
    lead to practical DNS spoofing and cache poisoning attacks. Among
    other things, successful attacks can lead to misdirected web traffic
    and email rerouting.

    At this time, it is not possible to implement the recommended
    countermeasures in the GNU libc stub resolver. The following
    workarounds are available:

    1. Install a local BIND 9 resolver on the host, possibly in
    forward-only mode. BIND 9 will then use source port randomization
    when sending queries over the network. (Other caching resolvers can
    be used instead.)

    2. Rely on IP address spoofing protection if available. Successful
    attacks must spoof the address of one of the resolvers, which may not
    be possible if the network is guarded properly against IP spoofing
    attacks (both from internal and external sources).

    This DSA will be updated when patches for hardening the stub resolver
    are available.


    • Official post

    Package : poppler
    Vulnerability : programming error
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-1693
    Debian Bug : 476842

    It was discovered that poppler, a PDF rendering library, did not
    properly handle embedded fonts in PDF files, allowing attackers to
    execute arbitrary code via a crafted font object.

    For the stable distribution (etch), this problem has been fixed in version
    0.4.5-5.1etch3.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.8.0-1.

    We recommend that you upgrade your poppler package.




    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : iceweasel
    Vulnerability : several
    Problem-Type : remote
    Debian-specific: no
    CVE ID : CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811

    Several remote vulnerabilities have been discovered in the Iceweasel
    webbrowser, an unbranded version of the Firefox browser. The Common
    Vulnerabilities and Exposures project identifies the following problems:

    CVE-2008-2798

    Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
    crashes in the layout engine, which might allow the execution of
    arbitrary code.

    CVE-2008-2799

    Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
    the Javascript engine, which might allow the execution of arbitrary code.

    CVE-2008-2800

    "moz_bug_r_a4" discovered several cross-site scripting vulnerabilities.

    CVE-2008-2801

    Collin Jackson and Adam Barth discovered that Javascript code
    could be executed in the context of signed JAR archives.

    CVE-2008-2802

    "moz_bug_r_a4" discovered that XUL documents can escalate
    privileges by accessing the pre-compiled "fastload" file.

    CVE-2008-2803

    "moz_bug_r_a4" discovered that missing input sanitising in the
    mozIJSSubScriptLoader.loadSubScript() function could lead to the
    execution of arbitrary code. Iceweasel itself is not affected, but
    some addons are.

    CVE-2008-2805

    Claudio Santambrogio discovered that missing access validation in
    DOM parsing allows malicious web sites to force the browser to
    upload local files to the server, which could lead to information
    disclosure.

    CVE-2008-2807

    Daniel Glazman discovered that a programming error in the code for
    parsing .properties files could lead to memory content being
    exposed to addons, which could lead to information disclosure.

    CVE-2008-2808

    Masahiro Yamada discovered that file URLS in directory listings
    were insufficiently escaped.

    CVE-2008-2809

    John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
    alternate names on self-signed certificates were handled
    insufficiently, which could lead to spoofing of secure connections.

    CVE-2008-2811

    Greg McManus discovered a crash in the block reflow
    code, which might allow the execution of arbitrary code.


    For the stable distribution (etch), these problems have been fixed in
    version 2.0.0.15-0etch1.

    Iceweasel from the unstable distribution (sid) links dynamically
    against the xulrunner library.

    We recommend that you upgrade your iceweasel package.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : pdns-recursor
    Vulnerability : insufficient randomness
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1637
    Debian Bug : 490069

    Thomas Biege discovered that the upstream fix for the weak random number
    generator released in DSA-1544-1 was incomplete: Source port
    randomization did still not use difficult-to-predict random numbers.
    This is corrected in this security update.

    Here is the text of the original advisory:

    Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses
    a weak random number generator to create DNS transaction IDs and UDP
    source port numbers. As a result, cache poisoning attacks were
    simplified. (CVE-2008-1637)

    In the light of recent DNS-related developments (documented in DSAs
    1603, 1604, 1605), we recommend that this update is installed as an
    additional safety measure. (The lack of source port randomization was
    addressed in the 3.1.6 upstream version.)

    In addition, this update incorporates the changed IP address of
    L.ROOT-SERVERS.NET.

    For the stable distribution (etch), this problem has been fixed in
    version 3.1.4-1+etch2.

    For the unstable distribution (sid), this problem has been fixed in
    version 3.1.7-1.

    We recommend that you upgrade your pdns-recursor package.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : cacti
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-0783 CVE-2008-0785

    Since the previous security update, the cacti package could no longer
    be rebuilt from the source package. This update corrects that problem.
    Note that this problem does not affect regular use of the provided
    binary packages (.deb).

    For reference the original advisory text follows.

    It was discovered that Cacti, a systems and services monitoring frontend,
    performed insufficient input sanitising, leading to cross site scripting
    and SQL injection being possible.

    For the stable distribution (etch), this problem has been fixed in
    version 0.8.6i-3.5.




    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : lighttpd
    Vulnerability : various
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-0983 CVE-2007-3948
    Debian Bug : 434888 466663

    Several local/remote vulnerabilities have been discovered in lighttpd,
    a fast webserver with minimal memory footprint.

    The Common Vulnerabilities and Exposures project identifies the
    following problems:

    CVE-2008-0983
    lighttpd 1.4.18, and possibly other versions before 1.5.0, does not
    properly calculate the size of a file descriptor array, which allows
    remote attackers to cause a denial of service (crash) via a large number
    of connections, which triggers an out-of-bounds access.

    CVE-2007-3948
    connections.c in lighttpd before 1.4.16 might accept more connections
    than the configured maximum, which allows remote attackers to cause a
    denial of service (failed assertion) via a large number of connection
    attempts.

    For the stable distribution (etch), these problems have been fixed in
    version 1.4.13-4etch9.

    For the unstable distribution (sid), these problems have been fixed in
    version 1.4.18-2.

    We recommend that you upgrade your lighttpd package.




    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : gaim
    Vulnerability : integer overflow
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-2927

    It was discovered that gaim, a multi-protocol instant messaging client,
    was vulnerable to several integer overflows in its MSN protocol handlers.
    These could allow a remote attacker to execute arbitrary code.

    For the stable distribution (etch), this problem has been fixed in version
    1:2.0.0+beta5-10etch1.

    For the unstable distribution (sid), this package is not present.

    We recommend that you upgrade your gaim package.




    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : afuse
    Vulnerability : privilege escalation
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-2232
    Debian Bug : 490921

    Anders Kaseorg discovered that afuse, an automounting file system
    in user-space, did not properly escape meta characters in paths.
    This allowed a local attacker with read access to the filesystem to
    execute commands as the owner of the filesystem.

    For the stable distribution (etch), this problem has been fixed in
    version 0.1.1-1+etch1.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.2-3.

    We recommend that you upgrade your afuse (0.1.1-1+etch1) package.



    Debian GNU/Linux 4.0 alias etch
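The afuse advisory above describes a bug class rather than a single line: a path chosen by someone with read access to the filesystem is substituted into a command template and handed to a shell without escaping, so shell metacharacters in the path run as commands. The following is an added illustration of that class and its fix, not afuse's code or Debian's patch; the "%m" template, the directory name containing "; echo INJECTED" and the use of echo instead of a real mount helper are all constructed so the example runs harmlessly offline.

```python
import shlex
import subprocess

# Hypothetical mount-command template of the kind an automounter expands
# before handing it to /bin/sh; "%m" stands for the mount point. This is an
# illustration, not afuse's actual template.
MOUNT_TEMPLATE = "echo mounting %m"

# Constructed attacker-chosen directory name: the ';' turns one shell
# command into two once the unescaped string reaches /bin/sh.
HOSTILE_PATH = "/mnt/victim; echo INJECTED"


def build_unescaped(template, path):
    """Vulnerable: substitute the raw path into the shell command line."""
    return template.replace("%m", path)


def build_quoted(template, path):
    """Hardened: quote the path so the shell treats it as one word."""
    return template.replace("%m", shlex.quote(path))


def run_via_shell(cmdline):
    """Run the expanded command line through /bin/sh, as a naive
    automounter would, and return the lines it printed."""
    proc = subprocess.run(
        ["/bin/sh", "-c", cmdline], capture_output=True, text=True, check=False
    )
    return proc.stdout.splitlines()


def run_without_shell(argv):
    """Best option: pass an argv list directly, so no shell ever parses the
    path and quoting becomes unnecessary."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def injected(output_lines):
    """True if the attacker's second command actually ran."""
    return any(line.strip() == "INJECTED" for line in output_lines)


if __name__ == "__main__":
    vuln = build_unescaped(MOUNT_TEMPLATE, HOSTILE_PATH)
    safe = build_quoted(MOUNT_TEMPLATE, HOSTILE_PATH)
    print("unescaped:", vuln, "->", run_via_shell(vuln))
    print("quoted:   ", safe, "->", run_via_shell(safe))
    print("argv:     ", run_without_shell(["echo", "mounting", HOSTILE_PATH]))
```

The unescaped form prints two lines, the second being the injected command's output; the quoted form and the argv form print a single line in which the hostile name is just data. In a real automounter the template would invoke a mount helper as the filesystem's owner, which is exactly why the advisory rates this as local privilege escalation.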

    • Official post

    Package : ruby1.8
    Vulnerability : several
    Problem-Type : remote
    Debian-specific: no
    CVE ID : CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726 CVE-2008-2376

    Several vulnerabilities have been discovered in the interpreter for
    the Ruby language, which may lead to denial of service or the
    execution of arbitrary code. The Common Vulnerabilities and Exposures
    project identifies the following problems:

    CVE-2008-2662

    Drew Yao discovered that multiple integer overflows in the string
    processing code may lead to denial of service and potentially the
    execution of arbitrary code.

    CVE-2008-2663

    Drew Yao discovered that multiple integer overflows in the string
    processing code may lead to denial of service and potentially the
    execution of arbitrary code.

    CVE-2008-2664

    Drew Yao discovered that a programming error in the string
    processing code may lead to denial of service and potentially the
    execution of arbitrary code.

    CVE-2008-2725

    Drew Yao discovered that an integer overflow in the array handling
    code may lead to denial of service and potentially the execution
    of arbitrary code.

    CVE-2008-2726

    Drew Yao discovered that an integer overflow in the array handling
    code may lead to denial of service and potentially the execution
    of arbitrary code.

    CVE-2008-2376

    It was discovered that an integer overflow in the array handling
    code may lead to denial of service and potentially the execution
    of arbitrary code.

    For the stable distribution (etch), these problems have been fixed in
    version 1.8.5-4etch2.

    For the unstable distribution (sid), these problems have been fixed in
    version 1.8.7.22-2.

    We recommend that you upgrade your ruby1.8 packages.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : libgd2
    Vulnerability : multiple vulnerabilities
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2007-3476 CVE-2007-3477 CVE-2007-3996 CVE-2007-2445
    Debian Bug : 443456

    Multiple vulnerabilities have been identified in libgd2, a library
    for programmatic graphics creation and manipulation. The Common
    Vulnerabilities and Exposures project identifies the following three
    issues:

    CVE-2007-2445

    Grayscale PNG files containing invalid tRNS chunk CRC values
    could cause a denial of service (crash), if a maliciously
    crafted image is loaded into an application using libgd.

    CVE-2007-3476

    An array indexing error in libgd's GIF handling could induce a
    denial of service (crash with heap corruption) if exceptionally
    large color index values are supplied in a maliciously crafted
    GIF image file.

    CVE-2007-3477

    The imagearc() and imagefilledarc() routines in libgd allow
    an attacker in control of the parameters used to specify
    the degrees of arc for those drawing functions to perform
    a denial of service attack (excessive CPU consumption).

    CVE-2007-3996

    Multiple integer overflows exist in libgd's image resizing and
    creation routines; these weaknesses allow an attacker in control
    of the parameters passed to those routines to induce a crash or
    execute arbitrary code with the privileges of the user running
    an application or interpreter linked against libgd2.

    For the stable distribution (etch), these problems have been fixed in
    version 2.0.33-5.2etch1. For the unstable distribution (sid), the
    problem has been fixed in version 2.0.35.dfsg-1.

    We recommend that you upgrade your libgd2 packages.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : lighttpd
    Vulnerability : denial of service
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1531

    This update fixes a regression in lighttpd introduced in DSA-1540,
    causing SSL failures. For reference the original advisory text is
    quoted below.

    It was discovered that lighttpd, a fast webserver with minimal memory
    footprint, did not correctly handle SSL errors. This could allow
    a remote attacker to disconnect all active SSL connections.

    For the stable distribution (etch), this problem has been fixed in
    version 1.4.13-4etch10.

    We recommend that you upgrade your lighttpd package.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : iceweasel
    Vulnerability : several
    Problem-Type : remote
    Debian-specific: no
    CVE ID : CVE-2008-2785 CVE-2008-2933

    Several remote vulnerabilities have been discovered in the Iceweasel
    web browser, an unbranded version of the Firefox browser. The Common
    Vulnerabilities and Exposures project identifies the following problems:

    CVE-2008-2785

    It was discovered that missing boundary checks on a reference
    counter for CSS objects can lead to the execution of arbitrary code.

    CVE-2008-2933

    Billy Rios discovered that passing a URL containing a pipe symbol
    to Iceweasel can lead to Chrome privilege escalation.

    For the stable distribution (etch), these problems have been fixed in
    version 2.0.0.16-0etch1. Updated packages for ia64, arm and mips are
    not yet available and will be released as soon as they have been built.

    For the unstable distribution (sid), these problems have been fixed in
    xulrunner 1.9.0.1-1 and iceweasel 3.0.1-1.

    We recommend that you upgrade your iceweasel package.

    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : xulrunner
    Vulnerability : several
    Problem type : local/remote
    Debian-specific: no
    CVE ID : CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811 CVE-2008-2933

    Several remote vulnerabilities have been discovered in Xulrunner, a
    runtime environment for XUL applications. The Common Vulnerabilities
    and Exposures project identifies the following problems:

    CVE-2008-2785

    It was discovered that missing boundary checks on a reference
    counter for CSS objects can lead to the execution of arbitrary code.

    CVE-2008-2798

    Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
    crashes in the layout engine, which might allow the execution of
    arbitrary code.

    CVE-2008-2799

    Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
    the Javascript engine, which might allow the execution of arbitrary code.

    CVE-2008-2800

    "moz_bug_r_a4" discovered several cross-site scripting vulnerabilities.

    CVE-2008-2801

    Collin Jackson and Adam Barth discovered that Javascript code
    could be executed in the context of signed JAR archives.

    CVE-2008-2802

    "moz_bug_r_a4" discovered that XUL documents can escalate
    privileges by accessing the pre-compiled "fastload" file.

    CVE-2008-2803

    "moz_bug_r_a4" discovered that missing input sanitising in the
    mozIJSSubScriptLoader.loadSubScript() function could lead to the
    execution of arbitrary code. Iceweasel itself is not affected, but
    some addons are.

    CVE-2008-2805

    Claudio Santambrogio discovered that missing access validation in
    DOM parsing allows malicious web sites to force the browser to
    upload local files to the server, which could lead to information
    disclosure.

    CVE-2008-2807

    Daniel Glazman discovered that a programming error in the code for
    parsing .properties files could lead to memory content being
    exposed to addons, which could lead to information disclosure.

    CVE-2008-2808

    Masahiro Yamada discovered that file URLs in directory listings
    were insufficiently escaped.

    CVE-2008-2809

    John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
    alternate names on self-signed certificates were handled
    insufficiently, which could lead to spoofing of secure connections.

    CVE-2008-2811

    Greg McManus discovered a crash in the block reflow
    code, which might allow the execution of arbitrary code.

    CVE-2008-2933

    Billy Rios discovered that passing a URL containing a pipe symbol
    to Iceweasel can lead to Chrome privilege escalation.

    For the stable distribution (etch), these problems have been fixed in
    version 1.8.0.15~pre080614d-0etch1.

    For the unstable distribution (sid), these problems have been fixed in
    version 1.9.0.1-1.

    We recommend that you upgrade your xulrunner packages.

    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch