Debian Security Advisory

    • Official post

    Package : asterisk
    Vulnerability : programming error
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1897

    Joel R. Voss discovered that the IAX2 module of Asterisk, a free
    software PBX and telephony toolkit, performs insufficient validation of
    IAX2 protocol messages, which may lead to denial of service.

    For the stable distribution (etch), this problem has been fixed in
    version 1.2.13~dfsg-2etch4.

    For the unstable distribution (sid), this problem has been fixed
    in version 1.4.19.1~dfsg-1.

    We recommend that you upgrade your asterisk packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian 4.0 (stable)

    • Official post

    Package : linux-2.6
    Vulnerability : several vulnerabilities
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2007-6694 CVE-2008-0007 CVE-2008-1294 CVE-2008-1375

    Several local vulnerabilities have been discovered in the Linux kernel
    that may lead to a denial of service or the execution of arbitrary
    code. The Common Vulnerabilities and Exposures project identifies the
    following problems:

    CVE-2007-6694

    Cyrill Gorcunov reported a NULL pointer dereference in code specific
    to the CHRP PowerPC platforms. Local users could exploit this issue
    to achieve a Denial of Service (DoS).

    CVE-2008-0007

    Nick Piggin of SuSE discovered a number of issues in subsystems which
    register a fault handler for memory mapped areas. This issue can be
    exploited by local users to achieve a Denial of Service (DoS) and possibly
    execute arbitrary code.

    CVE-2008-1294

    David Peer discovered that users could escape administrator imposed cpu
    time limitations (RLIMIT_CPU) by setting a limit of 0.

    CVE-2008-1375

    Alexander Viro discovered a race condition in the directory notification
    subsystem that allows local users to cause a Denial of Service (oops)
    and possibly result in an escalation of privileges.

    For the stable distribution (etch), this problem has been fixed in version
    2.6.18.dfsg.1-18etch3.

    The unstable (sid) and testing distributions will be fixed soon.

    We recommend that you upgrade your linux-2.6, fai-kernels, and
    user-mode-linux packages.


    The following matrix lists additional source packages that were rebuilt for
    compatibility with or to take advantage of this update:

    Debian 4.0 (etch)
    fai-kernels 1.17+etch.18etch3
    user-mode-linux 2.6.18-1um-2etch.18etch3


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : cpio
    Vulnerability : programming error
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2007-4476

    Dmitry Levin discovered a vulnerability in path handling code used by
    the cpio archive utility. The weakness could enable a denial of
    service (crash) or potentially the execution of arbitrary code if a
    vulnerable version of cpio is used to extract or to list the contents
    of a maliciously crafted archive.

    For the stable distribution (etch), these problems have been fixed in
    version 2.6-18.1+etch1.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.9-5.

    We recommend that you upgrade your cpio packages.




    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : wordpress
    Vulnerability : multiple
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2007-3639 CVE-2007-4153 CVE-2007-4154 CVE-2007-0540

    Several remote vulnerabilities have been discovered in wordpress,
    a weblog manager. The Common Vulnerabilities and Exposures project
    identifies the following problems:

    CVE-2007-3639

    Insufficient input sanitising allowed for remote attackers to
    redirect visitors to external websites.

    CVE-2007-4153

    Multiple cross-site scripting vulnerabilities allowed remote
    authenticated administrators to inject arbitrary web script or HTML.

    CVE-2007-4154

    SQL injection vulnerability allowed remote authenticated
    administrators to execute arbitrary SQL commands.

    CVE-2007-0540

    WordPress allows remote attackers to cause a denial of service
    (bandwidth or thread consumption) via pingback service calls with
    a source URI that corresponds to a file with a binary content type,
    which is downloaded even though it cannot contain usable pingback data.

    [no CVE name yet]

    Insufficient input sanitising caused an attacker with a normal user
    account to access the administrative interface.


    For the stable distribution (etch), these problems have been fixed in
    version 2.0.10-1etch2.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.2.3-1.

    We recommend that you upgrade your wordpress package.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : blender
    Vulnerability : buffer overrun
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2008-1102

    Stefan Cornelius discovered a vulnerability in the Radiance High
    Dynamic Range (HDR) image parser in Blender, a 3D modelling
    application. The weakness could enable a stack-based buffer overflow
    and the execution of arbitrary code if a maliciously-crafted HDR file
    is opened, or if a directory containing such a file is browsed via
    Blender's image-open dialog.

    For the stable distribution (etch), these problems have been fixed in
    version 2.42a-7.1+etch1.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.45-5.

    We recommend that you upgrade your blender packages.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : b2evolution
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2007-0175
    Debian Bug : 410568

    "unsticky" discovered that b2evolution, a blog engine, performs
    insufficient input sanitising, allowing for cross site scripting.

    For the stable distribution (etch), this problem has been fixed in
    version 0.9.2-3+etch1.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.9.2-4.

    We recommend that you upgrade your b2evolution (0.9.2-3+etch1) package.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : cacti
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-0783 CVE-2008-0785

    It was discovered that Cacti, a systems and services monitoring frontend,
    performed insufficient input sanitising, leading to cross site scripting
    and SQL injection being possible.

    For the stable distribution (etch), this problem has been fixed in
    version 0.8.6i-3.3.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.8.7b-1.

    We recommend that you upgrade your cacti package.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : roundup
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1474
    Debian Bug : 472643

    Roundup, an issue tracking system, fails to properly escape HTML input,
    allowing an attacker to inject client-side code (typically JavaScript)
    into a document that may be viewed in the victim's browser.

    For the stable distribution (etch), this problem has been fixed in version
    1.2.1-5+etch2.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.3.3-3.1.

    We recommend that you upgrade your roundup packages.




    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : cacti
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-0783 CVE-2008-0785

    The original update for cacti unfortunately introduced a regression.
    Updated packages have been created to address this. For reference, the
    full advisory text is quoted below.

    It was discovered that Cacti, a systems and services monitoring frontend,
    performed insufficient input sanitising, leading to cross site scripting
    and SQL injection being possible.

    For the stable distribution (etch), this problem has been fixed in
    version 0.8.6i-3.4.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.8.7b-1.

    We recommend that you upgrade your cacti package.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : kazehakase
    Vulnerability : various
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2006-7227 CVE-2006-7228 CVE-2006-7230 CVE-2007-1659 CVE-2007-1660 CVE-2007-1661 CVE-2007-1662 CVE-2007-4766 CVE-2007-4767 CVE-2007-4768
    Debian Bug : 464756

    Andrews Salomon reported that kazehakase, a GTK+-based web browser that
    allows pluggable rendering engines, contained an embedded copy of the
    PCRE library in its source tree which was compiled in and used in preference
    to the system-wide version of this library.

    The PCRE library has been updated to fix the security issues reported
    against it in previous Debian Security Advisories. This update ensures that
    kazehakase uses that supported library, and not its own embedded and
    insecure version.

    For the stable distribution (etch), this problem has been fixed in version
    0.4.2-1etch1.

    We recommend that you upgrade your kazehakase package.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : php5
    Vulnerability : several
    Problem type : local/remote
    Debian-specific: no
    CVE Id(s) : CVE-2007-3806 CVE-2008-1384 CVE-2008-2050 CVE-2008-2051
    Debian Bug : 479723

    Several vulnerabilities have been discovered in PHP, a server-side,
    HTML-embedded scripting language. The Common Vulnerabilities and
    Exposures project identifies the following problems:

    CVE-2007-3806

    The glob function allows context-dependent attackers to cause
    a denial of service and possibly execute arbitrary code via
    an invalid value of the flags parameter.

    CVE-2008-1384

    Integer overflow allows context-dependent attackers to cause
    a denial of service and possibly have other impact via a
    printf format parameter with a large width specifier.

    CVE-2008-2050

    Stack-based buffer overflow in the FastCGI SAPI.

    CVE-2008-2051

    The escapeshellcmd API function could be attacked via
    incomplete multibyte chars.

    This update also includes a fix which was pending for the next Debian
    4.0 `etch' stable update, for crashes in php5-recode (Debian bug 459020).

    For the stable distribution (etch), these problems have been fixed in
    version 5.2.0-8+etch11.

    For the unstable distribution (sid), these problems have been fixed in
    version 5.2.6-1.

    We recommend that you upgrade your php5 package.




    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : rdesktop
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1801 CVE-2008-1802 CVE-2008-1803
    Debian Bug : 480133 480134 480135

    Several remote vulnerabilities have been discovered in rdesktop, a
    Remote Desktop Protocol client. The Common Vulnerabilities and
    Exposures project identifies the following problems:

    CVE-2008-1801

    Remote exploitation of an integer underflow vulnerability allows
    attackers to execute arbitrary code with the privileges of the
    logged-in user.

    CVE-2008-1802

    Remote exploitation of a BSS overflow vulnerability allows
    attackers to execute arbitrary code with the privileges of the
    logged-in user.

    CVE-2008-1803

    Remote exploitation of an integer signedness vulnerability allows
    attackers to execute arbitrary code with the privileges of the
    logged-in user.


    For the stable distribution (etch), these problems have been fixed in
    version 1.5.0-1etch2.

    For the unstable distribution (sid), these problems have been fixed in
    version 1.5.0-4+cvs20071006.

    We recommend that you upgrade your rdesktop package.




    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : icedove
    Vulnerability : several
    Problem-Type : remote
    Debian-specific: no
    CVE ID : CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237

    Several remote vulnerabilities have been discovered in the Icedove mail
    client, an unbranded version of the Thunderbird client. The Common
    Vulnerabilities and Exposures project identifies the following problems:

    CVE-2008-1233

    "moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
    CVE-2007-5338 allow the execution of arbitrary code through
    XPCNativeWrapper.

    CVE-2008-1234

    "moz_bug_r_a4" discovered that insecure handling of event
    handlers could lead to cross-site scripting.

    CVE-2008-1235

    Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
    that incorrect principal handling can lead to cross-site
    scripting and the execution of arbitrary code.

    CVE-2008-1236

    Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
    Palmgren discovered crashes in the layout engine, which might
    allow the execution of arbitrary code.

    CVE-2008-1237

    "georgi", "tgirmann" and Igor Bukanov discovered crashes in the
    Javascript engine, which might allow the execution of arbitrary
    code.

    For the stable distribution (etch), these problems have been fixed in
    version 1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1.

    We recommend that you upgrade your icedove packages.



    Debian 4.0 (stable)

    • Official post

    Package : linux-2.6
    Vulnerability : denial of service
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-1669

    A vulnerability has been discovered in the Linux kernel that may lead
    to a denial of service. The Common Vulnerabilities and Exposures
    project identifies the following problem:

    CVE-2008-1669

    Alexander Viro discovered a race condition in the fcntl code that
    may permit local users on multi-processor systems to execute parallel
    code paths that are otherwise prohibited and gain re-ordered access
    to the descriptor table.

    For the stable distribution (etch), this problem has been fixed in version
    2.6.18.dfsg.1-18etch4.

    For the unstable distribution (sid), this problem has been fixed in version
    2.6.25-2.

    We recommend that you upgrade your linux-2.6, fai-kernels, and
    user-mode-linux packages.


    The following matrix lists additional source packages that were rebuilt for
    compatibility with or to take advantage of this update:

    Debian 4.0 (etch)
    fai-kernels 1.17+etch.18etch4
    user-mode-linux 2.6.18-1um-2etch.18etch4


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : openssl
    Vulnerability : predictable random number generator
    Problem type : remote
    Debian-specific: yes
    CVE Id(s) : CVE-2008-0166

    Luciano Bello discovered that the random number generator in Debian's
    openssl package is predictable. This is caused by an incorrect
    Debian-specific change to the openssl package (CVE-2008-0166). As a
    result, cryptographic key material may be guessable.

    This is a Debian-specific vulnerability which does not affect other
    operating systems which are not based on Debian. However, other systems
    can be indirectly affected if weak keys are imported into them.

    It is strongly recommended that all cryptographic key material which has
    been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
    systems is recreated from scratch. Furthermore, all DSA keys ever used
    on affected Debian systems for signing or authentication purposes should
    be considered compromised; the Digital Signature Algorithm relies on a
    secret random value used during signature generation.

    The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
    distribution on 2006-09-17, and has since propagated to the testing and
    current stable (etch) distributions. The old stable distribution
    (sarge) is not affected.

    Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
    material for use in X.509 certificates and session keys used in SSL/TLS
    connections. Keys generated with GnuPG or GNUTLS are not affected,
    though.

    A detector for known weak key material will be published at:

    <http://security.debian.org/project/extra/dowkd/dowkd.pl.gz>
    <http://security.debian.org/project/extra/…dowkd.pl.gz.asc>
    (OpenPGP signature)

    Instructions on how to implement key rollover for various packages will be
    published at:

    <http://www.debian.org/security/key-rollover/>

    This web site will be continuously updated to reflect new and updated
    instructions on key rollovers for packages using SSL certificates.
    Popular packages not affected will also be listed.

    In addition to this critical change, two other vulnerabilities have been
    fixed in the openssl package which were originally scheduled for release
    with the next etch point release: OpenSSL's DTLS (Datagram TLS,
    basically "SSL over UDP") implementation did not actually implement the
    DTLS specification, but a potentially much weaker protocol, and
    contained a vulnerability permitting arbitrary code execution
    (CVE-2007-4995). A side channel attack in the integer multiplication
    routines is also addressed (CVE-2007-3108).

    For the stable distribution (etch), these problems have been fixed in
    version 0.9.8c-4etch3.

    For the unstable distribution (sid) and the testing distribution
    (lenny), these problems have been fixed in version 0.9.8g-9.

    We recommend that you upgrade your openssl package and subsequently
    regenerate any cryptographic material, as outlined above.



    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : openssh
    Vulnerability : predictable random number generator
    Problem type : remote
    Debian-specific: yes
    CVE Id(s) : CVE-2008-0166

    The recently announced vulnerability in Debian's openssl package
    (DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result,
    all user and host keys generated using broken versions of the openssl
    package must be considered untrustworthy, even after the openssl update
    has been applied.

    1. Install the security updates

    This update contains a dependency on the openssl update and will
    automatically install a corrected version of the libssl0.9.8 package,
    and a new package openssh-blacklist.

    Once the update is applied, weak user keys will be automatically
    rejected where possible (though they cannot be detected in all
    cases). If you are using such keys for user authentication, they
    will immediately stop working and will need to be replaced (see
    step 3).

    OpenSSH host keys can be automatically regenerated when the OpenSSH
    security update is applied. The update will prompt for confirmation
    before taking this step.

    2. Update OpenSSH known_hosts files

    The regeneration of host keys will cause a warning to be displayed when
    connecting to the system using SSH until the host key is updated in the
    known_hosts file. The warning will look like this:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.

    In this case, the host key has simply been changed, and you should update
    the relevant known_hosts file as indicated in the error message.

    It is recommended that you use a trustworthy channel to exchange the
    server key. It is found in the file /etc/ssh/ssh_host_rsa_key.pub on
    the server; its fingerprint can be printed using the command:

    ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

    In addition to user-specific known_hosts files, there may be a
    system-wide known hosts file /etc/ssh/known_hosts. This file is
    used both by the ssh client and by sshd for the hosts.equiv
    functionality. This file needs to be updated as well.

    3. Check all OpenSSH user keys

    The safest course of action is to regenerate all OpenSSH user keys,
    except where it can be established to a high degree of certainty that the
    key was generated on an unaffected system.

    Check whether your key is affected by running the ssh-vulnkey tool, included
    in the security update. By default, ssh-vulnkey will check the standard
    location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity),
    your authorized_keys file (~/.ssh/authorized_keys and
    ~/.ssh/authorized_keys2), and the system's host keys
    (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key).

    To check all your own keys, assuming they are in the standard
    locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity):

    ssh-vulnkey

    To check all keys on your system:

    sudo ssh-vulnkey -a

    To check a key in a non-standard location:

    ssh-vulnkey /path/to/key

    If ssh-vulnkey says "Unknown (no blacklist information)", then it has no
    information about whether that key is affected. In this case, you
    can examine the modification time (mtime) of the file using "ls -l".
    Keys generated before September 2006 are not affected. Keep in mind
    that, although unlikely, backup procedures may have changed the file
    date back in time (or the system clock may have been incorrectly
    set).

    If in doubt, generate a new key and remove the old one from any
    servers.

    4. Regenerate any affected user keys

    OpenSSH keys used for user authentication must be manually regenerated,
    including those which may have since been transferred to a different system
    after being generated.

    New keys can be generated using ssh-keygen, e.g.:

    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/user/.ssh/id_rsa.
    Your public key has been saved in /home/user/.ssh/id_rsa.pub.
    The key fingerprint is:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 user@host

    5. Update authorized_keys files (if necessary)

    Once the user keys have been regenerated, the relevant public keys
    must be propagated to any authorized_keys files (and authorized_keys2
    files, if applicable) on remote systems. Be sure to delete the lines
    containing old keys from those files.


    In addition to countermeasures to mitigate the randomness vulnerability,
    this OpenSSH update fixes several other vulnerabilities:

    CVE-2008-1483:
    Timo Juhani Lindfors discovered that, when using X11 forwarding, the
    SSH client selects an X11 forwarding port without ensuring that it
    can be bound on all address families. If the system is configured
    with IPv6 (even if it does not have working IPv6 connectivity), this
    could allow a local attacker on the remote server to hijack X11
    forwarding.

    CVE-2007-4752:
    Jan Pechanec discovered that ssh fails back to creating a trusted X11
    cookie if creating an untrusted cookie fails, potentially exposing
    the local display to a malicious remote server when using X11
    forwarding.

    For the stable distribution (etch), these problems have been fixed in
    version 4.3p2-9etch1. Currently, only a subset of all supported
    architectures have been built; further updates will be provided when
    they become available.

    For the unstable distribution (sid) and the testing distribution
    (lenny), these problems have been fixed in version 4.7p1-9.

    We recommend that you upgrade your openssh packages and take the
    measures indicated above.

    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : gforge
    Vulnerability : insecure temporary files
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-0167

    Stephen Gran and Mark Hymers discovered that some scripts run by GForge,
    a collaborative development tool, open files in write mode in a potentially
    insecure manner. This may be exploited to overwrite arbitrary files on the
    local system.

    For the stable distribution (etch), this problem has been fixed in version
    4.5.14-22etch8.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your gforge package.

    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : openssh
    Vulnerability : predictable random number generator
    Problem type : remote
    Debian-specific: yes
    CVE Id(s) : CVE-2008-0166

    Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys with
    options (such as "no-port-forwarding" or forced commands) were ignored by
    the new ssh-vulnkey tool introduced in openssh 1:4.3p2-9etch1 (see DSA
    1576-1). This could cause some compromised keys not to be listed in
    ssh-vulnkey's output.
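Both the authorized_keys cleanup in step 5 of DSA 1576-1 above and the parsing bug this update fixes hinge on the same detail: an authorized_keys line may begin with an options field (such as no-port-forwarding or a forced command) before the key type, and that field can contain quoted spaces and commas. The following is an added example, not code from Debian, from ssh-vulnkey or from OpenSSH: a small authorized_keys parser that handles the options prefix, computes the colon-separated MD5 fingerprint in the format ssh-keygen prints above, and drops lines whose key blob belongs to a retired key. The sample file and key blobs are constructed for the example.

```python
"""Parse and clean OpenSSH authorized_keys files (added example).

Not part of the Debian advisory, ssh-vulnkey or OpenSSH. Each line is
either blank, a '#' comment, or:  [options] key-type base64-blob [comment]
The options field is what DSA 1576-2 fixed ssh-vulnkey to handle: it can
contain double-quoted values with spaces, commas and backslash-escaped
quotes, so a naive split on whitespace misidentifies the key type.
"""
import base64
import hashlib

# Key types that may start a line that has no options field.
# ssh-rsa and ssh-dss are the 2008-era types; the rest are later additions.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def split_options(line):
    """Split off a leading options field, honouring double quotes and
    backslash escapes inside them. Returns (options, rest)."""
    in_quotes = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes and i + 1 < len(line):
            i += 2  # escaped character inside a quoted value
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c in " \t" and not in_quotes:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_line(line):
    """Return a dict for a key line, or None for blank, comment or unparsable lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    first = stripped.split(None, 1)[0]
    if first in KEY_TYPES:
        options, rest = "", stripped
    else:
        options, rest = split_options(stripped)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return {"options": options, "type": fields[0], "blob": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def parse_authorized_keys(text):
    """All key entries in an authorized_keys file, in file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint of a base64 key blob, the format
    shown in the ssh-keygen output of DSA 1576-1 (e.g. 00:00:...:00)."""
    digest = hashlib.md5(base64.b64decode(blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def remove_retired_keys(text, retired_blobs):
    """Return (kept_lines, removed_entries). A line is removed only when its
    key blob is in retired_blobs; comments, blanks and other keys stay as-is,
    options included, so the file can be written back unchanged otherwise."""
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and entry["blob"] in retired_blobs:
            removed.append(entry)
        else:
            kept.append(line)
    return kept, removed


# Constructed sample data: these blobs are not real keys.
OLD_BLOB = base64.b64encode(b"constructed old key material").decode()
NEW_BLOB = base64.b64encode(b"constructed new key material").decode()
SAMPLE = f"""# constructed authorized_keys file for this example
ssh-rsa {NEW_BLOB} user@host
no-port-forwarding,command="/usr/bin/backup --target \\"remote box\\"" ssh-rsa {OLD_BLOB} backup@host
"""

if __name__ == "__main__":
    for entry in parse_authorized_keys(SAMPLE):
        print(md5_fingerprint(entry["blob"]), entry["type"], entry["options"] or "-")
    kept, removed = remove_retired_keys(SAMPLE, {OLD_BLOB})
    print(f"removed {len(removed)} retired key(s); {len(kept)} line(s) kept")
```

The retired-key set is keyed on the base64 blob rather than on the comment field, because the comment is free text and a key may appear under different comments on different hosts; matching on the blob removes exactly the key material that was regenerated.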

    This update also adds more information to ssh-vulnkey's manual page.

    For the stable distribution (etch), this problem has been fixed in version
    1:4.3p2-9etch2.

    We recommend that you upgrade your openssh (1:4.3p2-9etch2) package.

    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : php4
    Vulnerability : several
    Problem type : local/remote
    Debian-specific: no
    CVE Id(s) : CVE-2007-3799 CVE-2007-3806 CVE-2007-3998 CVE-2007-4657
    CVE-2008-2051

    Several vulnerabilities have been discovered in PHP version 4, a
    server-side, HTML-embedded scripting language. The Common Vulnerabilities
    and Exposures project identifies the following problems:

    CVE-2007-3799

    The session_start function allows remote attackers to insert
    arbitrary attributes into the session cookie via special characters
    in a cookie that is obtained from various parameters.

    CVE-2007-3806

    A denial of service was possible through a malicious script abusing
    the glob() function.

    CVE-2007-3998

    Certain maliciously constructed input to the wordwrap() function could
    lead to a denial of service attack.

    CVE-2007-4657

    Large len values of the strspn() or strcspn() functions could allow an
    attacker to trigger integer overflows to expose memory or cause denial
    of service.

    CVE-2008-2051

    The escapeshellcmd API function could be attacked via incomplete
    multibyte chars.


    For the stable distribution (etch), these problems have been fixed in
    version 6:4.4.4-8+etch6.

    The php4 packages are no longer present in the unstable distribution (sid).

    We recommend that you upgrade your php4 package.

    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch