Debian Security Advisory

    • Official post

    Package : clamav
    Vulnerability : denial of service
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-2713
    Debian Bug : 490925

    Damian Put discovered a vulnerability in the ClamAV anti-virus
    toolkit's parsing of Petite-packed Win32 executables. The weakness
    leads to an invalid memory access, and could enable an attacker to
    crash clamav by supplying a maliciously crafted Petite-compressed
    binary for scanning. In some configurations, such as when clamav
    is used in combination with mail servers, this could cause a system
    to "fail open," facilitating a follow-on viral attack.

    The Common Vulnerabilities and Exposures project identifies this
    weakness as CVE-2008-2713.

    For the stable distribution (etch), this problem has been fixed in
    version 0.90.1dfsg-3etch13. For the unstable distribution (sid), the
    problem has been fixed in version 0.93.1.dfsg-1.1.

    We recommend that you upgrade your clamav packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : refpolicy
    Vulnerability : incompatible policy
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-1447
    Debian Bug : 490271

    In DSA-1603-1, Debian released an update to the BIND 9 domain name
    server, which introduced UDP source port randomization to mitigate
    the threat of DNS cache poisoning attacks (identified by the Common
    Vulnerabilities and Exposures project as CVE-2008-1447). The fix,
    while correct, was incompatible with the version of SELinux Reference
    Policy shipped with Debian Etch, which did not permit a process
    running in the named_t domain to bind sockets to UDP ports other than
    the standard 'domain' port (53). The incompatibility affects both
    the 'targeted' and 'strict' policy packages supplied by this version
    of refpolicy.

    This update to the refpolicy packages grants the ability to bind to
    arbitrary UDP ports to named_t processes. When installed, the
    updated packages will attempt to update the bind policy module on
    systems where it had been previously loaded and where the previous
    version of refpolicy was 0.0.20061018-5 or below.

    Because the Debian refpolicy packages are not yet designed with
    policy module upgradeability in mind, and because SELinux-enabled
    Debian systems often have some degree of site-specific policy
    customization, it is difficult to assure that the new bind policy can
    be successfully upgraded. To this end, the package upgrade will not
    abort if the bind policy update fails. The new policy module can be
    found at /usr/share/selinux/refpolicy-targeted/bind.pp after
    installation. Administrators wishing to use the bind service policy
    can reconcile any policy incompatibilities and install the upgrade
    manually thereafter. A more detailed discussion of the corrective
    procedure may be found here:

    http://wiki.debian.org/SELinux/Issues/BindPortRandomization

    For the stable distribution (etch), this problem has been fixed in
    version 0.0.20061018-5.1+etch1. The unstable distribution (sid) is
    not affected, as subsequent refpolicy releases have incorporated an
    analogous change.

    We recommend that you upgrade your refpolicy packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : clamav
    Vulnerability : denial of service
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-2713
    Debian Bug : 490925

    This update corrects a packaging and build error in the packages
    released in DSA-1616-1. Those packages, while functional, did not
    actually apply the fix intended. This update restores the fix
    to the package build; no other changes are introduced. For
    reference, the text of the original advisory follows.

    Damian Put discovered a vulnerability in the ClamAV anti-virus
    toolkit's parsing of Petite-packed Win32 executables. The weakness
    leads to an invalid memory access, and could enable an attacker to
    crash clamav by supplying a maliciously crafted Petite-compressed
    binary for scanning. In some configurations, such as when clamav
    is used in combination with mail servers, this could cause a system
    to "fail open," facilitating a follow-on viral attack.

    The Common Vulnerabilities and Exposures project identifies this
    weakness as CVE-2008-2713.

    For the stable distribution (etch), this problem has been fixed in
    version 0.90.1dfsg-3.1+etch14. For the unstable distribution (sid),
    the problem has been fixed in version 0.93.1.dfsg-1.1.

    We recommend that you upgrade your clamav packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : ruby1.9
    Vulnerability : several
    Problem-Type : remote
    Debian-specific: no
    CVE ID : CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726 CVE-2008-2376

    Several vulnerabilities have been discovered in the interpreter for
    the Ruby language, which may lead to denial of service or the
    execution of arbitrary code. The Common Vulnerabilities and Exposures
    project identifies the following problems:

    CVE-2008-2662

    Drew Yao discovered that multiple integer overflows in the string
    processing code may lead to denial of service and potentially the
    execution of arbitrary code.

    CVE-2008-2663

    Drew Yao discovered that multiple integer overflows in the string
    processing code may lead to denial of service and potentially the
    execution of arbitrary code.

    CVE-2008-2664

    Drew Yao discovered that a programming error in the string
    processing code may lead to denial of service and potentially the
    execution of arbitrary code.

    CVE-2008-2725

    Drew Yao discovered that an integer overflow in the array handling
    code may lead to denial of service and potentially the execution
    of arbitrary code.

    CVE-2008-2726

    Drew Yao discovered that an integer overflow in the array handling
    code may lead to denial of service and potentially the execution
    of arbitrary code.

    CVE-2008-2376

    It was discovered that an integer overflow in the array handling
    code may lead to denial of service and potentially the execution
    of arbitrary code.

    For the stable distribution (etch), these problems have been fixed in
    version 1.9.0+20060609-1etch2.

    For the unstable distribution (sid), these problems have been fixed in
    version 1.9.0.2-2.

    We recommend that you upgrade your ruby1.9 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : python-dns
    Vulnerability : DNS response spoofing
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1447
    Debian Bug : 490217

    Multiple weaknesses have been identified in PyDNS, a DNS client
    implementation for the Python language. Dan Kaminsky identified a
    practical vector of DNS response spoofing and cache poisoning,
    exploiting the limited entropy in a DNS transaction ID and lack of
    UDP source port randomization in many DNS implementations. Scott
    Kitterman noted that python-dns is vulnerable to this predictability,
    as it randomizes neither its transaction ID nor its source port.
    Taken together, this lack of entropy leaves applications using
    python-dns to perform DNS queries highly susceptible to response
    forgery.

    The Common Vulnerabilities and Exposures project identifies this
    class of weakness as CVE-2008-1447.

    For the stable distribution (etch), these problems have been fixed in
    version 2.3.0-5.2+etch1.

    We recommend that you upgrade your python-dns package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : python2.5
    Vulnerability : several
    Problem type : local(remote)
    Debian-specific: no
    CVE Id(s) : CVE-2007-2052 CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-1887

    Several vulnerabilities have been discovered in the interpreter for the
    Python language. The Common Vulnerabilities and Exposures project identifies
    the following problems:

    CVE-2007-2052

    Piotr Engelking discovered that the strxfrm() function of the locale
    module miscalculates the length of an internal buffer, which may
    result in a minor information disclosure.

    CVE-2007-4965

    It was discovered that several integer overflows in the imageop
    module may lead to the execution of arbitrary code, if a user is
    tricked into processing malformed images. This issue is also
    tracked as CVE-2008-1679 due to an initially incomplete patch.

    CVE-2008-1721

    Justin Ferguson discovered that a buffer overflow in the zlib
    module may lead to the execution of arbitrary code.

    CVE-2008-1887

    Justin Ferguson discovered that insufficient input validation in
    PyString_FromStringAndSize() may lead to the execution of arbitrary
    code.

    For the stable distribution (etch), these problems have been fixed in
    version 2.5-5+etch1.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.5.2-3.

    We recommend that you upgrade your python2.5 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : icedove
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2008-0304 CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2802 CVE-2008-2803 CVE-2008-2807 CVE-2008-2809 CVE-2008-2811

    Several remote vulnerabilities have been discovered in the Icedove
    mail client, an unbranded version of the Thunderbird client. The Common
    Vulnerabilities and Exposures project identifies the following
    problems:

    CVE-2008-0304

    It was discovered that a buffer overflow in MIME decoding can lead
    to the execution of arbitrary code.

    CVE-2008-2785

    It was discovered that missing boundary checks on a reference
    counter for CSS objects can lead to the execution of arbitrary code.

    CVE-2008-2798

    Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
    crashes in the layout engine, which might allow the execution of
    arbitrary code.

    CVE-2008-2799

    Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
    the Javascript engine, which might allow the execution of arbitrary code.

    CVE-2008-2802

    "moz_bug_r_a4" discovered that XUL documents can escalate
    privileges by accessing the pre-compiled "fastload" file.

    CVE-2008-2803

    "moz_bug_r_a4" discovered that missing input sanitising in the
    mozIJSSubScriptLoader.loadSubScript() function could lead to the
    execution of arbitrary code. Iceweasel itself is not affected, but
    some addons are.

    CVE-2008-2807

    Daniel Glazman discovered that a programming error in the code for
    parsing .properties files could lead to memory content being
    exposed to addons, which could lead to information disclosure.

    CVE-2008-2809

    John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
    alternate names on self-signed certificates were handled
    insufficiently, which could lead to spoofing of secure connections.

    CVE-2008-2811

    Greg McManus discovered a crash in the block reflow
    code, which might allow the execution of arbitrary code.

    For the stable distribution (etch), these problems have been fixed in
    version 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1. Packages for
    s390 are not yet available and will be provided later.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.0.0.16-1.

    We recommend that you upgrade your icedove package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : newsx
    Vulnerability : buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2008-3252
    Debian Bug : 492742

    It was discovered that newsx, an NNTP news exchange utility, was affected
    by a buffer overflow allowing remote attackers to execute arbitrary code
    via a news article containing a large number of lines starting with a period.

    For the stable distribution (etch), this problem has been fixed in version
    1.6-2etch1.

    For the testing (lenny) and unstable distribution (sid), this problem has
    been fixed in version 1.6-3.

    We recommend that you upgrade your newsx package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : dnsmasq
    Vulnerability : DNS cache poisoning
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1447

    Dan Kaminsky discovered that properties inherent to the DNS protocol
    lead to practical DNS cache poisoning attacks. Among other things,
    successful attacks can lead to misdirected web traffic and email
    rerouting.

    This update changes Debian's dnsmasq packages to implement the
    recommended countermeasure: UDP query source port randomization. This
    change increases the size of the space from which an attacker has to
    guess values in a backwards-compatible fashion and makes successful
    attacks significantly more difficult.

    This update also switches the random number generator to Dan
    Bernstein's SURF.

    For the stable distribution (etch), this problem has been fixed in
    version 2.35-1+etch4. Packages for alpha will be provided later.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.43-1.

    We recommend that you upgrade your dnsmasq package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
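Both the python-dns and the dnsmasq posts above come down to the same question: how many bits must an off-path forger guess before a client accepts a spoofed answer? The following is an added example, not code from either package or from the advisories. It builds a query with a CSPRNG-drawn transaction ID, counts the guessing space for each combination of randomised fields, and applies the checks a client should make before trusting a response; the function names and the sample packets are constructed for this illustration.

```python
import secrets
import struct
from typing import Optional, Tuple

FLAG_QR = 0x8000  # header bit set on responses
FLAG_RD = 0x0100  # recursion desired


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Build a single-question query (qtype 1 = A, class 1 = IN).

    The transaction ID comes from the OS CSPRNG unless a test fixes it. A
    constant or counter ID, which is what the python-dns post describes,
    is the first half of the weakness; a non-randomised source port is the other."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def guess_space_bits(random_txid: bool, random_port: bool, port_bits: int = 16) -> int:
    """Bits a blind forger must match per spoofed packet.

    Neither field randomised (python-dns before the fix): 0, so any well-formed
    forgery for the right question is accepted. ID only: 16. ID plus UDP source
    port (the dnsmasq countermeasure): up to 32; a narrow ephemeral port range
    lowers port_bits accordingly."""
    return (16 if random_txid else 0) + (port_bits if random_port else 0)


def response_matches(query: bytes, query_src_port: int,
                     response: bytes, response_dst_port: int) -> bool:
    """Accept `response` only if it can be the answer to `query`: same ID,
    QR bit set, identical question section, and delivered to the port the
    query left from. Short or malformed input is rejected, never guessed at."""
    if len(query) < 12 or len(response) < len(query):
        return False
    q_id, _, q_qd = struct.unpack("!HHH", query[:6])
    r_id, r_flags, r_qd = struct.unpack("!HHH", response[:6])
    if q_qd != 1 or r_qd != 1:
        return False
    if r_id != q_id or not (r_flags & FLAG_QR):
        return False
    if response[12:len(query)] != query[12:]:
        return False
    return response_dst_port == query_src_port


def make_response(txid: int, query: bytes, addr: bytes) -> bytes:
    """Build a response carrying one A record (constructed sample data, not
    captured traffic). 0xC00C is a compression pointer to the question name."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | 0x0080, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, len(addr)) + addr
    return header + query[12:] + answer
```

A client that also binds its UDP socket to port 0 (letting the kernel pick a random ephemeral port) gets the second half of the guessing space that `guess_space_bits(True, True)` counts.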

    • Official post

    Package : libxslt
    Vulnerability : buffer overflows
    Problem type : local(remote)
    Debian-specific: no
    CVE Id(s) : CVE-2008-2935

    Chris Evans discovered that a buffer overflow in the RC4 functions of
    libexslt may lead to the execution of arbitrary code.

    For the stable distribution (etch), this problem has been fixed in
    version 1.1.19-3.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your libxslt packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : cupsys
    Vulnerability : buffer overflows
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-0053 CVE-2008-1373 CVE-2008-1722
    Debian Bug : 476305

    Several remote vulnerabilities have been discovered in the Common Unix
    Printing System (CUPS). The Common Vulnerabilities and Exposures project
    identifies the following problems:

    CVE-2008-0053

    Buffer overflows in the HP-GL input filter could allow arbitrary
    code to be run through crafted HP-GL files.

    CVE-2008-1373

    A buffer overflow in the GIF filter could allow arbitrary code to be
    run through crafted GIF files.

    CVE-2008-1722

    Integer overflows in the PNG filter could allow arbitrary code to be
    run through crafted PNG files.

    For the stable distribution (etch), these problems have been fixed in
    version 1.2.7-4etch4 of package cupsys.

    For the testing (lenny) and unstable distribution (sid), these problems
    have been fixed in version 1.3.7-2 of package cups.

    We recommend that you upgrade your cupsys package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : httrack
    Vulnerability : buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    BugTraq ID : 30425

    Joan Calvet discovered that httrack, a utility to create local copies of
    websites, is vulnerable to a buffer overflow potentially allowing arbitrary
    code execution when passed excessively long URLs.

    For the stable distribution (etch), this problem has been fixed in
    version 3.40.4-3.1+etch1.

    For the testing (lenny) and unstable distribution (sid), this problem has
    been fixed in version 3.42.3-1.

    We recommend that you upgrade your httrack package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : opensc
    Vulnerability : programming error
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-2235

    Chaskiel M Grundman discovered that opensc, a library and utilities to
    handle smart cards, would initialise smart cards with the Siemens CardOS M4
    card operating system without proper access rights. This allowed everyone
    to change the card's PIN.

    With this bug, anyone can change a user PIN without having the PIN or PUK
    or the superuser's PIN or PUK. However, it cannot be used to figure out the
    PIN. If the PIN on your card is still the same as you always had, there's a
    reasonable chance that this vulnerability has not been exploited.

    This vulnerability affects only smart cards and USB crypto tokens based on
    Siemens CardOS M4, and within that group only those that were initialised
    with OpenSC. Users of other smart cards and USB crypto tokens, or cards
    that have been initialised with some software other than OpenSC, are not
    affected.

    After upgrading the package, running
    pkcs15-tool -T
    will show you whether the card is fine or vulnerable. If the card is
    vulnerable, you need to update the security setting using:
    pkcs15-tool -T -U

    For the stable distribution (etch), this problem has been fixed in
    version 0.11.1-2etch1.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.11.4-4.

    We recommend that you upgrade your opensc 0.11.1-2etch1 package and check
    your card(s) with the command described above.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : pdns
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-3337

    Brian Dowling discovered that the PowerDNS authoritative name server
    does not respond to DNS queries which contain certain characters,
    increasing the risk of successful DNS spoofing (CVE-2008-3337). This
    update changes PowerDNS to respond with SERVFAIL responses instead.

    For the stable distribution (etch), this problem has been fixed in version
    2.9.20-8+etch1.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.9.21.1-1.

    We recommend that you upgrade your pdns package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : postfix
    Vulnerability : programming error
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-2936

    Sebastian Krahmer discovered that Postfix, a mail transfer agent,
    incorrectly checks the ownership of a mailbox. In some configurations,
    this allows for appending data to arbitrary files as root.

    The default Debian installation of Postfix is not affected. Only a
    configuration meeting the following requirements is vulnerable:
    * The mail delivery style is mailbox, with the Postfix built-in
    local(8) or virtual(8) delivery agents.
    * The mail spool directory is user-writeable.
    * The user can create hardlinks pointing to root-owned symlinks
    located in other directories.

    For a detailed treatment of this issue, please refer to the upstream
    author's announcement:
    http://article.gmane.org/gmane.mail.postfix.announce/110

    For the stable distribution (etch), this problem has been fixed in
    version 2.3.8-2etch1.

    For the testing distribution (lenny), this problem has been fixed in
    version 2.5.2-2lenny1.

    For the unstable distribution (sid), this problem has been fixed
    in version 2.5.4-1.

    We recommend that you upgrade your postfix package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : postfix
    Vulnerability : programming error
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-2936

    Due to a version numbering problem, the Postfix update for DSA 1629 was
    not installable on the i386 (Intel ia32) architecture. This update
    increases the version number to make it installable on i386 as well.
    For reference, the original advisory text is below.

    Sebastian Krahmer discovered that Postfix, a mail transfer agent,
    incorrectly checks the ownership of a mailbox. In some configurations,
    this allows for appending data to arbitrary files as root.

    Note that only specific configurations are vulnerable; the default
    Debian installation is not affected. Only a configuration meeting
    the following requirements is vulnerable:
    * The mail delivery style is mailbox, with the Postfix built-in
    local(8) or virtual(8) delivery agents.
    * The mail spool directory (/var/spool/mail) is user-writeable.
    * The user can create hardlinks pointing to root-owned symlinks
    located in other directories.

    For a detailed treatment of the issue, please refer to the upstream
    author's announcement:
    http://article.gmane.org/gmane.mail.postfix.announce/110

    For the stable distribution (etch), this problem has been fixed in
    version 2.3.8-2+etch1.

    For the testing distribution (lenny), this problem has been fixed in
    version 2.5.2-2lenny1.

    For the unstable distribution (sid), this problem has been fixed
    in version 2.5.4-1.

    We recommend that you upgrade your postfix package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
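The three preconditions listed in the two Postfix posts above (mailbox-style delivery, a user-writeable spool, and a user able to plant a hardlink to a root-owned symlink) describe an attack on a path-based ownership check. As an added example, not Postfix's own code, here is a mailbox open that refuses to follow a symlink, rejects a multiply linked file, and verifies ownership on the descriptor it actually holds; the spool directory, file names and users are constructed in a temporary directory.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict


class MailboxRejected(Exception):
    """Raised when a delivery target fails the safety checks."""


def open_mailbox(path: str, owner_uid: int) -> int:
    """Open `path` for appending and return the descriptor, or raise.

    O_NOFOLLOW makes the kernel refuse a symlink at `path` (a hardlink to a
    symlink is still a symlink), so a planted link to a root-owned file is
    never followed. Type, link count and ownership are then checked with
    fstat() on the descriptor we hold, not on the path, so nothing the user
    does to the directory after the check can redirect the write."""
    flags = os.O_WRONLY | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise MailboxRejected(f"open refused: {exc.strerror}") from None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise MailboxRejected("not a regular file")
        if st.st_nlink != 1:
            raise MailboxRejected(f"{st.st_nlink} hard links, expected 1")
        if st.st_uid != owner_uid:
            raise MailboxRejected(f"owned by uid {st.st_uid}, expected {owner_uid}")
    except MailboxRejected:
        os.close(fd)
        raise
    return fd


def spool_is_user_writeable(spool: str) -> bool:
    """True when group or others may create entries in the spool directory,
    the second precondition in the advisory (a mode 1777 spool included)."""
    mode = os.lstat(spool).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def verdict(path: str, uid: int) -> str:
    """Run open_mailbox and report the outcome as a string."""
    try:
        fd = open_mailbox(path, uid)
    except MailboxRejected as exc:
        return f"rejected: {exc}"
    os.close(fd)
    return "accepted"


def demo() -> Dict[str, object]:
    """Build a throwaway spool and report how each candidate mailbox fares.
    Everything is created under a temporary directory and removed afterwards."""
    spool = tempfile.mkdtemp(prefix="spool-demo-")
    me = os.getuid()
    results: Dict[str, object] = {}
    try:
        results["spool_private"] = spool_is_user_writeable(spool)  # mkdtemp gives 0700
        os.chmod(spool, 0o1777)
        results["spool_1777"] = spool_is_user_writeable(spool)

        alice = os.path.join(spool, "alice")             # a plain mailbox
        open(alice, "wb").close()
        results["regular"] = verdict(alice, me)

        target = os.path.join(spool, "protected-stand-in")  # stands in for a root-owned file
        open(target, "wb").close()
        bob = os.path.join(spool, "bob")                 # planted symlink to it
        os.symlink(target, bob)
        results["symlink"] = verdict(bob, me)

        carol = os.path.join(spool, "carol")             # second hard link to alice
        os.link(alice, carol)
        results["hardlinked"] = verdict(carol, me)
    finally:
        shutil.rmtree(spool, ignore_errors=True)
    return results
```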

    • Official post

    Package : linux-2.6
    Vulnerability : denial of service/information leak
    Problem type : several
    Debian-specific: no
    CVE Id(s) : CVE-2007-6282 CVE-2008-0598 CVE-2008-2729 CVE-2008-2812
    CVE-2008-2826 CVE-2008-2931 CVE-2008-3272 CVE-2008-3275

    Several vulnerabilities have been discovered in the Linux kernel that may
    lead to a denial of service or arbitrary code execution. The Common
    Vulnerabilities and Exposures project identifies the following
    problems:

    CVE-2007-6282

    Dirk Nehring discovered a vulnerability in the IPsec code that allows
    remote users to cause a denial of service by sending a specially crafted
    ESP packet.

    CVE-2008-0598

    Tavis Ormandy discovered a vulnerability that allows local users to access
    uninitialized kernel memory, possibly leaking sensitive data. This issue
    is specific to the amd64-flavour kernel images.

    CVE-2008-2729

    Andi Kleen discovered an issue where uninitialized kernel memory
    was being leaked to userspace during an exception. This issue may allow
    local users to gain access to sensitive data. Only the amd64-flavour
    Debian kernel images are affected.

    CVE-2008-2812

    Alan Cox discovered an issue in multiple tty drivers that allows
    local users to trigger a denial of service (NULL pointer dereference)
    and possibly obtain elevated privileges.

    CVE-2008-2826

    Gabriel Campana discovered an integer overflow in the sctp code that
    can be exploited by local users to cause a denial of service.

    CVE-2008-2931

    Miklos Szeredi reported a missing privilege check in the do_change_type()
    function. This allows local, unprivileged users to change the properties
    of mount points.

    CVE-2008-3272

    Tobias Klein reported a locally exploitable data leak in the
    snd_seq_oss_synth_make_info() function. This may allow local users
    to gain access to sensitive information.

    CVE-2008-3275

    Zoltan Sogor discovered a coding error in the VFS that allows local users
    to exploit a kernel memory leak resulting in a denial of service.

    For the stable distribution (etch), this problem has been fixed in
    version 2.6.18.dfsg.1-22etch2.

    We recommend that you upgrade your linux-2.6, fai-kernels, and
    user-mode-linux packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    The following matrix lists additional source packages that were rebuilt for
    compatibility with or to take advantage of this update:

    Debian 4.0 (etch)
    fai-kernels 1.17+etch.22etch2
    user-mode-linux 2.6.18-1um-2etch.22etch2

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : libxml2
    Vulnerability : denial of service
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-3281

    Andreas Solberg discovered that libxml2, the GNOME XML library,
    could be forced to recursively evaluate entities, until available
    CPU & memory resources were exhausted.

    For the stable distribution (etch), this problem has been fixed in version
    2.6.27.dfsg-3.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your libxml2 package.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : libxml2
    Vulnerability : denial of service
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2008-3281

    The previous security update of the libxml2 package introduced
    some problems with other packages, most notably with librsvg.
    This update corrects these problems whilst still fixing the
    reported security problem.

    For reference the text of the previous security announcement
    follows:

    Andreas Solberg discovered that libxml2, the GNOME XML library,
    could be forced to recursively evaluate entities, until available
    CPU & memory resources were exhausted.

    For the stable distribution (etch), this problem has been fixed in version
    2.6.27.dfsg-4.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.6.32.dfsg-3.

    We recommend that you upgrade your libxml2 package.
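    The entity-expansion exhaustion described above can be pre-screened for before a document reaches the XML parser. The following Python is an added example, not part of the advisory or of libxml2: it reads the internal general entity declarations from the DOCTYPE internal subset, computes the worst-case expanded size and reference depth with a memoised walk, and refuses recursive references outright; the sample documents are constructed here and the budget thresholds (max_expansion, max_depth) are assumed values.

```python
import re
# Internal general entity declarations and references inside a DOCTYPE internal subset.
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.:-]*);')

def parse_internal_entities(doc: str) -> dict:
    """Entity name -> literal value for internal general entities (parameter/SYSTEM entities ignored)."""
    subset = re.search(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', doc, re.S)
    return {n: dq or sq for n, dq, sq in ENTITY_DECL.findall(subset.group(1))} if subset else {}

def expansion_cost(entities: dict) -> tuple:
    """(largest fully expanded size, deepest reference chain); ValueError on a recursive reference."""
    memo = {}                                  # memoised so the checker itself stays linear
    def cost(name, stack):
        if name in stack:
            raise ValueError("recursive entity reference: " + " -> ".join(stack + (name,)))
        if name in memo:
            return memo[name]
        value = entities.get(name)
        if value is None:                      # predefined or undeclared: counts as literal text
            return len(name) + 2, 0
        size, depth, last = 0, 0, 0
        for ref in ENTITY_REF.finditer(value):
            size, last = size + ref.start() - last, ref.end()   # literal text before the reference
            sub_size, sub_depth = cost(ref.group(1), stack + (name,))
            size, depth = size + sub_size, max(depth, sub_depth + 1)
        memo[name] = (size + len(value) - last, depth)
        return memo[name]
    costs = [cost(name, ()) for name in entities]
    return max(c[0] for c in costs), max(c[1] for c in costs)

def check_entity_budget(doc: str, max_expansion: int = 10_000, max_depth: int = 3) -> tuple:
    """Pre-screen before parsing; the budget defaults are assumed values, tune them per application."""
    entities = parse_internal_entities(doc)
    if not entities:
        return True, "no internal entities declared"
    try:
        size, depth = expansion_cost(entities)
    except ValueError as err:
        return False, str(err)
    if size > max_expansion or depth > max_depth:
        return False, f"worst-case expansion {size} bytes / depth {depth} exceeds budget {max_expansion}/{max_depth}"
    return True, f"ok: expands to at most {size} bytes, depth {depth}"

# Constructed samples (not from the advisory): a legitimate entity, a self-reference, and four
# nesting levels of ten references each, so a 16-byte entity expands to 16000 bytes.
BENIGN_DOC = '<!DOCTYPE note [<!ENTITY vendor "Example Corp">]><note>&vendor;</note>'
RECURSIVE_DOC = '<!DOCTYPE t [<!ENTITY r "&r;">]><t>&r;</t>'
NESTED_DOC = ('<!DOCTYPE t [<!ENTITY a "' + 'a' * 16 + '"><!ENTITY b "' + '&a;' * 10 + '">'
              '<!ENTITY c "' + '&b;' * 10 + '"><!ENTITY d "' + '&c;' * 10 + '">]><t>&d;</t>')
```

    This is a budget check in front of the parser, not a substitute for disabling entity substitution in the parser itself where the application does not need it.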


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : tiff
    Vulnerability : buffer underflow
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2008-2327

    Drew Yao discovered that libTIFF, a library for handling the Tagged Image
    File Format, contains a programming error that allows a malformed TIFF
    file to crash the library or lead to execution of arbitrary code.

    For the stable distribution (etch), this problem has been fixed in
    version 3.8.2-7+etch1.

    For the testing distribution (lenny), this problem has been fixed in
    version 3.8.2-10+lenny1.

    The unstable distribution (sid) will be fixed soon.

    We recommend that you upgrade your tiff package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch