Debian Security Advisory

    • Official post

    Package : squirrelmail
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-1578 CVE-2009-1579 CVE-2009-1580 CVE-2009-1581
    CVE-2009-1381
    Debian Bug : 528528

    Michal Hlavinka discovered that the fix for code execution in the
    map_yp_alias function, known as CVE-2009-1579 and released in DSA 1802-1,
    was incomplete. This update corrects the fix for that function.

    For the old stable distribution (etch), this problem has been fixed in
    version 1.4.9a-5.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.4.15-4+lenny2.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.4.19-1.

    We recommend that you upgrade your squirrelmail package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : nsd, nsd3
    Vulnerability : buffer overflow
    Problem type : remote
    Debian-specific: no
    CERT advisory : VU#710316
    Debian Bug : 529418 529420

    Ilja van Sprundel discovered that a buffer overflow in NSD, an authoritative
    name service daemon, allowed the server to be crashed by sending a crafted
    packet, creating a denial of service.

    For the old stable distribution (etch), this problem has been fixed in
    version 2.3.6-1+etch1 of the nsd package.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.3.7-1.1+lenny1 of the nsd package and version 3.0.7-3.lenny2
    of the nsd3 package.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.3.7-3 for nsd; nsd3 will be fixed soon.

    We recommend that you upgrade your nsd or nsd3 package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : ipsec-tools
    Vulnerability : null pointer dereference, memory leaks
    Problem type : remote
    Debian-specific: no
    Debian bug : 527634 528933
    CVE ID : CVE-2009-1574 CVE-2009-1632

    Several remote vulnerabilities have been discovered in racoon, the Internet Key
    Exchange daemon of ipsec-tools. The Common Vulnerabilities and Exposures
    project identified the following problems:

    Neil Kettle discovered a NULL pointer dereference on crafted fragmented packets
    that contain no payload. This results in the daemon crashing which can be used
    for denial of service attacks (CVE-2009-1574).

    Various memory leaks in the X.509 certificate authentication handling and the
    NAT-Traversal keepalive implementation can result in memory exhaustion and
    thus denial of service (CVE-2009-1632).


    For the oldstable distribution (etch), this problem has been fixed in
    version 0.6.6-3.1etch3.

    For the stable distribution (lenny), this problem has been fixed in
    version 0.7.1-1.3+lenny2.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 1:0.7.1-1.5.


    We recommend that you upgrade your ipsec-tools packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : pidgin
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-1373 CVE-2009-1375 CVE-2009-1376

    Several vulnerabilities have been discovered in Pidgin, a graphical
    multi-protocol instant messaging client. The Common Vulnerabilities and
    Exposures project identifies the following problems:

    CVE-2009-1373

    A buffer overflow in the Jabber file transfer code may lead to
    denial of service or the execution of arbitrary code.

    CVE-2009-1375

    Memory corruption in an internal library may lead to denial of
    service.

    CVE-2009-1376

    The patch provided for the security issue tracked as CVE-2008-2927
    - integer overflows in the MSN protocol handler - was found to be
    incomplete.

    The old stable distribution (etch) is affected under the source package
    name gaim. However, due to build problems the updated packages couldn't
    be released along with the stable version. It will be released once the
    build problem is resolved.

    For the stable distribution (lenny), these problems have been fixed in
    version 2.4.3-4lenny2.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.5.6-1.

    We recommend that you upgrade your pidgin packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : cscope
    Vulnerability : buffer overflows
    Problem type : local(remote)
    Debian-specific: no
    CVE Id(s) : CVE-2009-0148
    Debian Bug : 528510

    Matt Murphy discovered that cscope, a source code browsing tool, does not
    verify the length of file names sourced in include statements, which may
    potentially lead to the execution of arbitrary code through specially
    crafted source code files.

    For the stable distribution (lenny), this problem has been fixed in
    version 15.6-6+lenny1.

    Due to a technical limitation in the Debian archive management scripts
    the update for the old stable distribution (etch) cannot be released
    synchronously. It will be fixed in version 15.6-2+etch1 soon.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your cscope package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : cyrus-sasl2, cyrus-sasl2-heimdal
    Vulnerability : buffer overflow
    Problem type : remote
    Debian-specific: no
    Debian bug : 528749
    CERT advisory : VU#238019
    CVE ID : CVE-2009-0688

    James Ralston discovered that the sasl_encode64() function of cyrus-sasl2,
    a free library implementing the Simple Authentication and Security Layer,
    suffers from a missing null termination in certain situations. This causes
    several buffer overflows in situations where cyrus-sasl2 itself requires
    the string to be null terminated which can lead to denial of service or
    arbitrary code execution.

    Important notice (Quoting from US-CERT):
    While this patch will fix currently vulnerable code, it can cause
    non-vulnerable existing code to break. Here's a function prototype from
    include/saslutil.h to clarify my explanation:

    /* base64 encode
     *  in      -- input data
     *  inlen   -- input data length
     *  out     -- output buffer (will be NUL terminated)
     *  outmax  -- max size of output buffer
     * result:
     *  outlen  -- gets actual length of output buffer (optional)
     *
     * Returns SASL_OK on success, SASL_BUFOVER if result won't fit
     */
    LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
                                  char *out, unsigned outmax,
                                  unsigned *outlen);

    Assume a scenario where calling code has been written in such a way that it
    calculates the exact size required for base64 encoding in advance, then
    allocates a buffer of that exact size, passing a pointer to the buffer into
    sasl_encode64() as *out. As long as this code does not anticipate that the
    buffer is NUL-terminated (does not call any string-handling functions like
    strlen(), for example) the code will work and it will not be vulnerable.

    Once this patch is applied, that same code will break because sasl_encode64()
    will begin to return SASL_BUFOVER.


    For the oldstable distribution (etch), this problem will be fixed soon.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.1.22.dfsg1-23+lenny1 of cyrus-sasl2 and cyrus-sasl2-heimdal.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.1.23.dfsg1-1 of cyrus-sasl2 and cyrus-sasl2-heimdal.


    We recommend that you upgrade your cyrus-sasl2/cyrus-sasl2-heimdal packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny
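    The buffer-sizing pitfall quoted from US-CERT in the cyrus-sasl2 advisory above, as an added example that is not cyrus-sasl2's own code: a stand-in encoder that follows the documented sasl_encode64() contract with the patched behaviour (the terminating NUL must fit in outmax), plus the size calculation a caller should use. The names b64_encode, b64_needed, B64_OK and B64_BUFOVER are placeholders chosen for this example.

```c
/* Added example, not cyrus-sasl2 code. Mirrors the sasl_encode64() contract
 * described in the advisory: output is NUL terminated, and after the patch
 * the call fails with a "buffer over" status when the terminator would not
 * fit. B64_OK / B64_BUFOVER stand in for SASL_OK / SASL_BUFOVER. */
#include <stddef.h>
#include <string.h>

#define B64_OK       0
#define B64_BUFOVER -1

static const char b64chars[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes a caller must allocate for 'inlen' input bytes: four output
 * characters per three input bytes (rounded up) plus one for the NUL.
 * A caller that omits the "+ 1" is exactly the code US-CERT warns about. */
size_t b64_needed(size_t inlen)
{
    return 4 * ((inlen + 2) / 3) + 1;
}

/* Encode 'in' into 'out'. Returns B64_OK and NUL-terminates 'out' when the
 * encoded text plus the terminator fits in 'outmax'; otherwise returns
 * B64_BUFOVER without touching 'out'. */
int b64_encode(const unsigned char *in, size_t inlen,
               char *out, size_t outmax, size_t *outlen)
{
    size_t enc_len = 4 * ((inlen + 2) / 3);
    size_t i, o = 0;

    /* Patched-style check: the NUL needs a byte too, hence ">=" not ">". */
    if (enc_len >= outmax)
        return B64_BUFOVER;

    for (i = 0; i + 2 < inlen; i += 3) {
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8)
                   | (unsigned)in[i + 2];
        out[o++] = b64chars[(v >> 18) & 63];
        out[o++] = b64chars[(v >> 12) & 63];
        out[o++] = b64chars[(v >> 6) & 63];
        out[o++] = b64chars[v & 63];
    }
    if (i < inlen) {                         /* one or two trailing bytes */
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < inlen)
            v |= (unsigned)in[i + 1] << 8;
        out[o++] = b64chars[(v >> 18) & 63];
        out[o++] = b64chars[(v >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? b64chars[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    if (outlen)
        *outlen = o;
    return B64_OK;
}

/* The scenario from the advisory: a caller that sized its buffer to the
 * exact encoded length ("foo" -> "Zm9v", 4 bytes, no room for the NUL).
 * Before the patch this worked if the caller never treated 'out' as a C
 * string; with the patched contract it now returns B64_BUFOVER. */
int exact_size_caller(void)
{
    char out[4];
    return b64_encode((const unsigned char *)"foo", 3, out, sizeof out, NULL);
}

/* The corrected caller: allocate b64_needed() bytes and the call succeeds. */
int sized_with_nul_caller(void)
{
    char out[5];                              /* b64_needed(3) == 5 */
    return b64_encode((const unsigned char *)"foo", 3, out, sizeof out, NULL);
}
```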

    • Official post

    Package : drupal6
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE ID : no CVE id yet
    Debian Bug : 529190 531386


    Markus Petrux discovered a cross-site scripting vulnerability in the
    taxonomy module of drupal6, a fully-featured content management
    framework. It is also possible that certain browsers using the UTF-7
    encoding are vulnerable to a different cross-site scripting
    vulnerability.

    For the stable distribution (lenny), these problems have been fixed in
    version 6.6-3lenny2.

    The oldstable distribution (etch) does not contain drupal6.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems have been fixed in version 6.11-1.1.


    We recommend that you upgrade your drupal6 packages.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : linux-2.6
    Vulnerability : denial of service, privilege escalation
    Problem type : local/remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-1630 CVE-2009-1633 CVE-2009-1758

    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a denial of service, or privilege escalation. The Common
    Vulnerabilities and Exposures project identifies the following
    problems:

    CVE-2009-1630

    Frank Filz discovered that local users may be able to execute
    files without execute permission when accessed via an nfs4 mount.

    CVE-2009-1633

    Jeff Layton and Suresh Jayaraman fixed several buffer overflows in
    the CIFS filesystem which allow remote servers to cause memory
    corruption.

    CVE-2009-1758

    Jan Beulich discovered an issue in Xen where local guest users may
    cause a denial of service (oops).

    This update also fixes a regression introduced by the fix for
    CVE-2009-1184 in 2.6.26-15lenny3. This prevents a boot time panic on
    systems with SELinux enabled.

    For the stable distribution (lenny), these problems have been fixed in
    version 2.6.26-15lenny3.

    For the oldstable distribution (etch), these problems, where
    applicable, will be fixed in future updates to linux-2.6 and
    linux-2.6.24.

    We recommend that you upgrade your linux-2.6 and user-mode-linux
    packages.

    Note: Debian carefully tracks all known security issues across every
    linux kernel package in all releases under active security support.
    However, given the high frequency at which low-severity security
    issues are discovered in the kernel and the resource requirements of
    doing an update, updates for lower priority issues will normally not
    be released for all kernels at the same time. Rather, they will be
    released in a staggered or "leap-frog" fashion.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    The following matrix lists additional source packages that were rebuilt for
    compatibility with or to take advantage of this update:

    Debian 5.0 (lenny)
    user-mode-linux 2.6.26-1um-2+15lenny3

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : libapache-mod-jk
    Vulnerability : information disclosure
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2008-5519
    Debian Bug : 523054

    An information disclosure flaw was found in mod_jk, the Tomcat Connector
    module for Apache. If a buggy client included the "Content-Length" header
    without providing request body data, or if a client sent repeated
    requests very quickly, one client could obtain a response intended for
    another client.

    For the stable distribution (lenny), this problem has been fixed in
    version 1:1.2.26-2+lenny1.

    For the oldstable distribution (etch), this problem has been fixed in
    version 1:1.2.18-3etch2.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem has been fixed in version 1:1.2.26-2.1.

    We recommend that you upgrade your libapache-mod-jk packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : cups, cupsys
    Vulnerability : null ptr dereference
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-0949


    Anibal Sacco discovered that cups, a general printing system for UNIX
    systems, suffers from a null pointer dereference because of its handling
    of two consecutive IPP packets with certain tag attributes that are
    treated as IPP_TAG_UNSUPPORTED tags. This allows unauthenticated attackers
    to perform denial of service attacks by crashing the cups daemon.


    For the oldstable distribution (etch), this problem has been fixed in
    version 1.2.7-4+etch8 of cupsys.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.3.8-1+lenny6 of cups.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem will be fixed soon.


    We recommend that you upgrade your cups/cupsys packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : apr-util
    Vulnerability : denial of service
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-0023

    Apr-util, the Apache Portable Runtime Utility library, is used by
    Apache 2.x, Subversion, and other applications. Two denial of service
    vulnerabilities have been found in apr-util:

    "kcope" discovered a flaw in the handling of internal XML entities in
    the apr_xml_* interface that can be exploited to use all available
    memory. This denial of service can be triggered remotely in the Apache
    mod_dav and mod_dav_svn modules. (No CVE id yet)

    Matthew Palmer discovered an underflow flaw in the
    apr_strmatch_precompile function that can be exploited to cause a
    daemon crash. The vulnerability can be triggered (1) remotely in
    mod_dav_svn for Apache if the "SVNMasterURI" directive is in use, (2)
    remotely in mod_apreq2 for Apache or other applications using
    libapreq2, or (3) locally in Apache by a crafted ".htaccess" file.
    (CVE-2009-0023)

    Other exploit paths in other applications using apr-util may exist.

    If you use Apache, or if you use svnserve in standalone mode, you need
    to restart the services after you upgraded the libaprutil1 package.


    For the stable distribution (lenny), these problems have been fixed in
    version 1.2.12+dfsg-8+lenny2.

    For the oldstable distribution (etch), these problems have been fixed in
    version 1.2.7+dfsg-2+etch2.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems will be fixed soon.

    We recommend that you upgrade your apr-util packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : libsndfile
    Vulnerability : heap-based buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    Debian bug : 528650
    CVE ID : CVE-2009-1788 CVE-2009-1791


    Two vulnerabilities have been found in libsndfile, a library to read
    and write sampled audio data. The Common Vulnerabilities and Exposures
    project identified the following problems:

    Tobias Klein discovered that the VOC parsing routines suffer from a heap-based
    buffer overflow which can be triggered by an attacker via a crafted VOC
    header (CVE-2009-1788).

    The vendor discovered that the AIFF parsing routines suffer from a heap-based
    buffer overflow similar to CVE-2009-1788 which can be triggered by an attacker
    via a crafted AIFF header (CVE-2009-1791).

    In both cases the overflowing data is not completely attacker controlled but
    still leads to application crashes or under some circumstances might still
    lead to arbitrary code execution.


    For the oldstable distribution (etch), this problem has been fixed in
    version 1.0.16-2+etch2.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.0.17-4+lenny2.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.0.20-1.


    We recommend that you upgrade your libsndfile packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : libtorrent-rasterbar
    Vulnerability : programming error
    Problem type : local(remote)
    Debian-specific: no
    CVE Id(s) : CVE-2009-1760

    It was discovered that the Rasterbar Bittorrent library performed
    insufficient validation of path names specified in torrent files, which
    could lead to denial of service by overwriting files.

    The old stable distribution (etch) doesn't include libtorrent-rasterbar.

    For the stable distribution (lenny), this problem has been fixed in
    version 0.13.1-2+lenny1.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.14.4-1.

    We recommend that you upgrade your libtorrent-rasterbar package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : apache2
    Vulnerability : insufficient security check
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2009-1195

    It was discovered that the Apache web server did not properly handle
    the "Options=" parameter to the AllowOverride directive:

    In the stable distribution (lenny), local users could (via .htaccess)
    enable script execution in Server Side Includes even in configurations
    where the AllowOverride directive contained only
    Options=IncludesNoEXEC.

    In the oldstable distribution (etch), local users could (via
    .htaccess) enable script execution in Server Side Includes and CGI
    script execution in configurations where the AllowOverride directive
    contained any "Options=" value.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.2.9-10+lenny3.

    For the oldstable distribution (etch), this problem has been fixed in
    version 2.2.3-4+etch8.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem will be fixed in version 2.2.11-6.

    This advisory also provides updated apache2-mpm-itk packages which
    have been recompiled against the new apache2 packages (except for the
    s390 architecture where updated packages will follow shortly).

    We recommend that you upgrade your apache2 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : ctorrent
    Vulnerability : stack-based buffer overflow
    Problem type : local (remote)
    Debian-specific: no
    Debian bug : 530255
    CVE ID : CVE-2009-1759


    Michael Brooks discovered that ctorrent, a text-mode bittorrent client,
    does not verify the length of file paths in torrent files. An attacker
    can exploit this via a crafted torrent that contains a long file path to
    execute arbitrary code with the rights of the user opening the file.


    The oldstable distribution (etch) does not contain ctorrent.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.3.4-dnh3.2-1+lenny1.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.3.4-dnh3.2-1.1.


    We recommend that you upgrade your ctorrent packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : gforge
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE IDs : CVE ids pending


    Laurent Almeras and Guillaume Smet have discovered a possible SQL
    injection vulnerability and cross-site scripting vulnerabilities in
    gforge, a collaborative development tool. Due to insufficient input
    sanitising, it was possible to inject arbitrary SQL statements and use
    several parameters to conduct cross-site scripting attacks.

    For the stable distribution (lenny), these problems have been fixed in
    version 4.7~rc2-7lenny1.

    For the oldstable distribution (etch), these problems have been fixed in
    version 4.5.14-22etch11.

    For the testing distribution (squeeze), these problems will be fixed
    soon.

    For the unstable distribution (sid), these problems have been fixed in
    version 4.7.3-2.


    We recommend that you upgrade your gforge packages.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : vlc
    Vulnerability : several vulnerabilities
    Problem type : local (remote)
    Debian-specific: no
    CVE Ids : CVE-2008-1768 CVE-2008-1769 CVE-2008-1881 CVE-2008-2147
    CVE-2008-2430 CVE-2008-3794 CVE-2008-4686 CVE-2008-5032
    Debian Bugs : 478140 477805 489004 496265 503118 504639 480724


    Several vulnerabilities have been discovered in vlc, a multimedia player
    and streamer. The Common Vulnerabilities and Exposures project
    identifies the following problems:

    CVE-2008-1768

    Drew Yao discovered that multiple integer overflows in the MP4 demuxer,
    Real demuxer and Cinepak codec can lead to the execution of arbitrary
    code.

    CVE-2008-1769

    Drew Yao discovered that the Cinepak codec is prone to a memory
    corruption, which can be triggered by a crafted Cinepak file.

    CVE-2008-1881

    Luigi Auriemma discovered that it is possible to execute arbitrary code
    via a long subtitle in an SSA file.

    CVE-2008-2147

    It was discovered that vlc is prone to a search path vulnerability,
    which allows local users to perform privilege escalations.

    CVE-2008-2430

    Alin Rad Pop discovered that it is possible to execute arbitrary code
    when opening a WAV file containing a large fmt chunk.

    CVE-2008-3794

    Pınar Yanardağ discovered that it is possible to execute arbitrary code
    when opening a crafted mmst link.

    CVE-2008-4686

    Tobias Klein discovered that it is possible to execute arbitrary code
    when opening a crafted .ty file.

    CVE-2008-5032

    Tobias Klein discovered that it is possible to execute arbitrary code
    when opening an invalid CUE image file with a crafted header.


    For the oldstable distribution (etch), these problems have been fixed
    in version 0.8.6-svn20061012.debian-5.1+etch3.

    For the stable distribution (lenny), these problems have been fixed in
    version 0.8.6.h-4+lenny2, which was already included in the lenny
    release.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems have been fixed in version 0.8.6.h-5.


    We recommend that you upgrade your vlc packages.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : xulrunner
    Vulnerability : several vulnerabilities
    Problem type : remote
    Debian-specific: no
    CVE IDs : CVE-2009-1392 CVE-2009-1832 CVE-2009-1833 CVE-2009-1834 CVE-2009-1835
    CVE-2009-1836 CVE-2009-1837 CVE-2009-1838 CVE-2009-1839 CVE-2009-1840
    CVE-2009-1841

    Several remote vulnerabilities have been discovered in Xulrunner, a
    runtime environment for XUL applications, such as the Iceweasel web
    browser. The Common Vulnerabilities and Exposures project identifies the
    following problems:

    CVE-2009-1392

    Several issues in the browser engine have been discovered, which can
    result in the execution of arbitrary code. (MFSA 2009-24)

    CVE-2009-1832

    It is possible to execute arbitrary code via vectors involving "double
    frame construction." (MFSA 2009-24)

    CVE-2009-1833

    Jesse Ruderman and Adam Hauner discovered a problem in the JavaScript
    engine, which could lead to the execution of arbitrary code.
    (MFSA 2009-24)

    CVE-2009-1834

    Pavel Cvrcek discovered a potential issue leading to a spoofing attack
    on the location bar related to certain invalid unicode characters.
    (MFSA 2009-25)

    CVE-2009-1835

    Gregory Fleischer discovered that it is possible to read arbitrary
    cookies via a crafted HTML document. (MFSA 2009-26)

    CVE-2009-1836

    Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential
    man-in-the-middle attack, when using a proxy due to insufficient checks
    on a certain proxy response. (MFSA 2009-27)

    CVE-2009-1837

    Jakob Balle and Carsten Eiram reported a race condition in the
    NPObjWrapper_NewResolve function that can be used to execute arbitrary
    code. (MFSA 2009-28)

    CVE-2009-1838

    moz_bug_r_a4 discovered that it is possible to execute arbitrary
    JavaScript with chrome privileges due to an error in the
    garbage-collection implementation. (MFSA 2009-29)

    CVE-2009-1839

    Adam Barth and Collin Jackson reported a potential privilege escalation
    when loading a file::resource via the location bar. (MFSA 2009-30)

    CVE-2009-1840

    Wladimir Palant discovered that it is possible to bypass access
    restrictions due to a lack of content policy check, when loading a
    script file into a XUL document. (MFSA 2009-31)

    CVE-2009-1841

    moz_bug_r_a4 reported that it is possible for scripts from page content
    to run with elevated privileges and thus potentially execute arbitrary
    code with the object's chrome privileges. (MFSA 2009-32)


    For the stable distribution (lenny), these problems have been fixed in
    version 1.9.0.11-0lenny1.

    As indicated in the Etch release notes, security support for the
    Mozilla products in the oldstable distribution needed to be stopped
    before the end of the regular Etch security maintenance life cycle.
    You are strongly encouraged to upgrade to stable or switch to a still
    supported browser.

    For the testing distribution (squeeze), these problems will be fixed
    soon.

    For the unstable distribution (sid), these problems have been fixed in
    version 1.9.0.11-1.

    We recommend that you upgrade your xulrunner packages.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : amule
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Id : CVE-2009-1440
    Debian Bug : 525078


    Sam Hocevar discovered that amule, a client for the eD2k and Kad
    networks, does not properly sanitise the filename when using the
    preview function. This could lead to the injection of arbitrary commands
    passed to the video player.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.2.1-1+lenny2.

    The oldstable distribution (etch) is not affected by this issue.

    For the testing distribution (squeeze) this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.2.5-1.1.


    We recommend that you upgrade your amule packages.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny
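    The pattern behind the amule issue above, shown as an added example that is
    not amule's own code (amule is C++/wxWidgets; this is a Python stand-in).
    It assumes the attacker chooses the shared file's name and that the client
    builds the player command line by string concatenation; "echo" stands in
    for the video player so the demo runs offline and only prints. The first
    function reproduces the injection, the second shows quoting when a shell
    string cannot be avoided, and the third shows the argv-vector fix that
    never involves a shell at all.

```python
import shlex
import subprocess

# Constructed example filename: on a file-sharing network the remote peer
# chooses the name, so this string is untrusted input (assumption for the demo).
MALICIOUS_NAME = "holiday.avi; echo INJECTED"

# "echo" stands in for the real video player (mplayer, vlc, ...) so that the
# demo only prints; the injection mechanics are identical for any player.
PLAYER = "echo"


def preview_unsafe(player: str, filename: str) -> str:
    """Vulnerable pattern: the filename is pasted into a shell command string.

    Shell metacharacters in the name (';', '|', '$(...)', backticks) are
    interpreted by /bin/sh, so the attacker's command runs as the desktop user.
    """
    cmd = f"{player} {filename}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout


def preview_quoted(player: str, filename: str) -> str:
    """Mitigation when a shell string is unavoidable: quote the untrusted part.

    shlex.quote() wraps the name in single quotes and escapes embedded quotes,
    so the shell sees exactly one word.
    """
    cmd = f"{player} {shlex.quote(filename)}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout


def preview_safe(player: str, filename: str) -> str:
    """Preferred fix: pass an argv vector and do not involve a shell.

    Each list element reaches the player's argv unchanged, so no metacharacter
    handling happens at all. With a real player, put "--" before the filename
    so a name beginning with "-" cannot be parsed as an option (omitted here
    because echo would print the "--").
    """
    proc = subprocess.run([player, filename], shell=False, capture_output=True, text=True, check=False)
    return proc.stdout


def lines(output: str) -> list:
    """Split captured player output into lines, for comparing the three variants."""
    return output.splitlines()


if __name__ == "__main__":
    for fn in (preview_unsafe, preview_quoted, preview_safe):
        print(f"{fn.__name__}: {lines(fn(PLAYER, MALICIOUS_NAME))}")
```

    With the unsafe variant the injected "echo INJECTED" runs as a second
    command and produces a second output line; the quoted and argv variants
    both hand the whole name to the player as a single argument.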

    • Official post

    Package : mahara
    Vulnerability : insufficient input sanitization
    Problem type : remote
    Debian-specific: no
    CVE ID : no CVE ids yet


    It was discovered that mahara, an electronic portfolio, weblog, and resume
    builder, is prone to several cross-site scripting attacks, which allow an
    attacker to inject arbitrary HTML or script code and steal potentially
    sensitive data from other users.


    The oldstable distribution (etch) does not contain mahara.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.0.4-4+lenny3.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.1.5-1.


    We recommend that you upgrade your mahara packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny
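    Each advisory above names the version in which the problem is fixed, and the
    upgrade instructions assume you will compare that against what is installed.
    Debian version strings ("1.9.0.11-0lenny1", "0.8.6.h-4+lenny2", "1.0~rc1")
    do not compare correctly as plain strings or as dotted numbers. The following
    is an added example, not Debian's or dpkg's code: it reimplements the
    comparison algorithm from the Debian Policy Manual (epoch, then upstream
    version, then Debian revision, alternating numeric and non-numeric runs,
    with "~" sorting before everything) and uses it to check the lenny fixed
    versions quoted in the advisories above. The FIXED_IN_LENNY table and the
    optional dpkg-query lookup are assumptions for the demo; on a non-Debian
    host the lookup simply reports the package as not installed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions for stable (lenny) as quoted in the advisories above.
FIXED_IN_LENNY = {
    "vlc": "0.8.6.h-4+lenny2",
    "xulrunner": "1.9.0.11-0lenny1",
    "amule": "2.2.1-1+lenny2",
    "mahara": "1.0.4-4+lenny3",
}


def _order(c: str) -> int:
    """Weight of one character in a non-digit run, as in dpkg's order():
    '~' sorts before everything (even end of string), letters before other
    characters; end of string and digits weigh 0."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the dpkg way:
    alternate non-digit runs (character weights) and digit runs (numeric)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run: compare character by character using _order().
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            oa = _order(a[ia] if ia < len(a) else "")
            ob = _order(b[ib] if ib < len(b) else "")
            if oa != ob:
                return -1 if oa < ob else 1
            ia += 1
            ib += 1
        # Digit run: compare as integers (leading zeros are irrelevant).
        da = re.match(r"[0-9]*", a[ia:]).group()
        db = re.match(r"[0-9]*", b[ib:]).group()
        ia += len(da)
        ib += len(db)
        na = int(da) if da else 0
        nb = int(db) if db else 0
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; the last '-' starts the revision."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package: str) -> Optional[str]:
    """Ask dpkg for the installed version; None if the package is absent or
    this is not a Debian host (dpkg-query missing)."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "--showformat=${Version}", package],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return out or None


if __name__ == "__main__":
    for pkg, fixed in FIXED_IN_LENNY.items():
        have = installed_version(pkg)
        if have is None:
            print(f"{pkg}: not installed")
        else:
            state = "ok" if is_fixed(have, fixed) else "VULNERABLE"
            print(f"{pkg}: installed {have}, fixed in {fixed}: {state}")
```

    Note the two conventions visible in the advisories: "-0lenny1" (a revision
    starting with 0, used for upstream versions introduced via security
    updates) sorts below "-1", and "+lenny2" sorts above "+lenny1" within the
    same upstream version, so a package from sid ("2.2.5-1.1") also satisfies
    the lenny fixed version. On a real Debian system, `dpkg --compare-versions`
    gives the authoritative answer; the reimplementation here is for reading
    advisories offline.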