Debian Security Advisory

    • Official post

    Package : xulrunner
    Vulnerability : several vulnerabilities
    Problem type : remote
    Debian-specific: no
    CVE IDs : CVE-2009-2462 CVE-2009-2463 CVE-2009-2464 CVE-2009-2465
    CVE-2009-2466 CVE-2009-2467 CVE-2009-2469 CVE-2009-2471
    CVE-2009-2472

    Several remote vulnerabilities have been discovered in Xulrunner, a
    runtime environment for XUL applications, such as the Iceweasel web
    browser. The Common Vulnerabilities and Exposures project identifies the
    following problems:

    CVE-2009-2462

    Martijn Wargers, Arno Renevier, Jesse Ruderman, Olli Pettay and Blake
    Kaplan discovered several issues in the browser engine that could
    potentially lead to the execution of arbitrary code. (MFSA 2009-34)

    CVE-2009-2463

    monarch2020 reported an integer overflow in a base64 decoding function.
    (MFSA 2009-34)

    CVE-2009-2464

    Christophe Charron reported a possibly exploitable crash occurring when
    multiple RDF files were loaded in a XUL tree element. (MFSA 2009-34)

    CVE-2009-2465

    Yongqian Li reported that an unsafe memory condition could be created by a
    specially crafted document. (MFSA 2009-34)

    CVE-2009-2466

    Peter Van der Beken, Mike Shaver, Jesse Ruderman, and Carsten Book
    discovered several issues in the JavaScript engine that could possibly
    lead to the execution of arbitrary JavaScript. (MFSA 2009-34)

    CVE-2009-2467

    Attila Suszter discovered an issue related to a specially crafted Flash
    object, which could be used to run arbitrary code. (MFSA 2009-35)

    CVE-2009-2469

    PenPal discovered that it is possible to execute arbitrary code via a
    specially crafted SVG element. (MFSA 2009-37)

    CVE-2009-2471

    Blake Kaplan discovered a flaw in the JavaScript engine that might allow
    an attacker to execute arbitrary JavaScript with chrome privileges.
    (MFSA 2009-39)

    CVE-2009-2472

    moz_bug_r_a4 discovered an issue in the JavaScript engine that could be
    used to perform cross-site scripting attacks. (MFSA 2009-40)


    For the stable distribution (lenny), these problems have been fixed in
    version 1.9.0.12-0lenny1.

    As indicated in the Etch release notes, security support for the
    Mozilla products in the oldstable distribution needed to be stopped
    before the end of the regular Etch security maintenance life cycle.
    You are strongly encouraged to upgrade to stable or switch to a still
    supported browser.

    For the testing distribution (squeeze), these problems will be fixed
    soon.

    For the unstable distribution (sid), these problems have been fixed in
    version 1.9.0.12-1.


    We recommend that you upgrade your xulrunner packages.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : git-core
    Vulnerability : denial of service
    Problem type : remote
    Debian-specific: no
    Debian bug : 532935
    CVE ID : CVE-2009-2108

    It was discovered that git-daemon which is part of git-core, a popular
    distributed revision control system, is vulnerable to denial of service
    attacks caused by a programming mistake in handling requests containing
    extra unrecognized arguments which results in an infinite loop. While
    this is no problem for the daemon itself as every request will spawn a
    new git-daemon instance, this still results in a very high CPU consumption
    and might lead to denial of service conditions.


    For the oldstable distribution (etch), this problem has been fixed in
    version 1.4.4.4-4+etch3.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.5.6.5-3+lenny2.

    For the testing distribution (squeeze), this problem has been fixed in
    version 1:1.6.3.3-1.

    For the unstable distribution (sid), this problem has been fixed in
    version 1:1.6.3.3-1.


    We recommend that you upgrade your git-core packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : openexr
    Vulnerability : several
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2009-1720 CVE-2009-1721 CVE-2009-1722

    Several vulnerabilities have been discovered in the OpenEXR image
    library, which can lead to the execution of arbitrary code. The Common
    Vulnerabilities and Exposures project identifies the following problems:

    CVE-2009-1720

    Drew Yao discovered integer overflows in the preview and
    compression code.

    CVE-2009-1721

    Drew Yao discovered that an uninitialised pointer could be freed
    in the decompression code.

    CVE-2009-1722

    A buffer overflow was discovered in the compression code.

    For the old stable distribution (etch), these problems have been fixed
    in version 1.2.2-4.3+etch2.

    For the stable distribution (lenny), these problems have been fixed
    in version 1.6.1-3+lenny3.

    For the unstable distribution (sid), these problems will be fixed soon.

    We recommend that you upgrade your openexr packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : squid3
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    Debian bug : 538989
    CVE ID : none assigned yet

    It was discovered that squid3, a high-performance proxy caching server for
    web clients, is prone to several denial of service attacks. Due to incorrect
    bounds checking and insufficient validation while processing response and
    request data an attacker is able to crash the squid daemon via crafted
    requests or responses.


    The squid package in the oldstable distribution (etch) is not affected
    by this problem.

    For the stable distribution (lenny), this problem has been fixed in
    version 3.0.STABLE8-3+lenny1.

    For the testing distribution (squeeze) and the unstable distribution (sid),
    this problem will be fixed soon.


    We recommend that you upgrade your squid3 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : linux-2.6.24
    Vulnerability : denial of service/privilege escalation
    Problem type : local/remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-1385 CVE-2009-1389 CVE-2009-1630 CVE-2009-1633
    CVE-2009-1895 CVE-2009-1914 CVE-2009-1961 CVE-2009-2406
    CVE-2009-2407

    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a denial of service or privilege escalation. The Common
    Vulnerabilities and Exposures project identifies the following
    problems:

    CVE-2009-1385

    Neil Horman discovered a missing fix from the e1000 network driver.
    A remote user may cause a denial of service by way of a kernel panic
    triggered by specially crafted frame sizes.

    CVE-2009-1389

    Michael Tokarev discovered an issue in the r8169 network driver.
    Remote users on the same LAN may cause a denial of service by way
    of a kernel panic triggered by receiving a large size frame.

    CVE-2009-1630

    Frank Filz discovered that local users may be able to execute
    files without execute permission when accessed via an nfs4 mount.

    CVE-2009-1633

    Jeff Layton and Suresh Jayaraman fixed several buffer overflows in
    the CIFS filesystem which allow remote servers to cause memory
    corruption.

    CVE-2009-1895

    Julien Tinnes and Tavis Ormandy reported an issue in the Linux
    vulnerability code. Local users can take advantage of a setuid
    binary that can either be made to dereference a NULL pointer or
    drop privileges and return control to the user. This allows a
    user to bypass mmap_min_addr restrictions which can be exploited
    to execute arbitrary code.

    CVE-2009-1914

    Mikulas Patocka discovered an issue in sparc64 kernels that allows
    local users to cause a denial of service (crash) by reading the
    /proc/iomem file.

    CVE-2009-1961

    Miklos Szeredi reported an issue in the ocfs2 filesystem. Local
    users can create a denial of service (filesystem deadlock) using
    a particular sequence of splice system calls.

    CVE-2009-2406
    CVE-2009-2407

    Ramon de Carvalho Valle discovered two issues with the eCryptfs
    layered filesystem using the fsfuzzer utility. A local user with
    permissions to perform an eCryptfs mount may modify the contents
    of an eCryptfs file, overflowing the stack and potentially gaining
    elevated privileges.

    For the stable distribution (etch), these problems have been fixed in
    version 2.6.24-6~etchnhalf.8etch2.

    We recommend that you upgrade your linux-2.6.24 packages.

    Note: Debian 'etch' includes linux kernel packages based upon both the
    2.6.18 and 2.6.24 linux releases. All known security issues are
    carefully tracked against both packages and both packages will receive
    security updates until security support for Debian 'etch'
    concludes. However, given the high frequency at which low-severity
    security issues are discovered in the kernel and the resource
    requirements of doing an update, lower severity 2.6.18 and 2.6.24
    updates will typically release in a staggered or "leap-frog" fashion.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : linux-2.6
    Vulnerability : denial of service, privilege escalation
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2009-1895 CVE-2009-2287 CVE-2009-2406 CVE-2009-2407

    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a denial of service, or privilege escalation. The Common
    Vulnerabilities and Exposures project identifies the following
    problems:

    CVE-2009-1895

    Julien Tinnes and Tavis Ormandy reported an issue in the Linux
    personality code. Local users can take advantage of a setuid
    binary that can either be made to dereference a NULL pointer or
    drop privileges and return control to the user. This allows a
    user to bypass mmap_min_addr restrictions which can be exploited
    to execute arbitrary code.

    CVE-2009-2287

    Matt T. Yourst discovered an issue in the kvm subsystem. Local
    users with permission to manipulate /dev/kvm can cause a denial
    of service (hang) by providing an invalid cr3 value to the
    KVM_SET_SREGS call.

    CVE-2009-2406
    CVE-2009-2407

    Ramon de Carvalho Valle discovered two issues with the eCryptfs
    layered filesystem using the fsfuzzer utility. A local user with
    permissions to perform an eCryptfs mount may modify the contents
    of an eCryptfs file, overflowing the stack and potentially gaining
    elevated privileges.

    For the stable distribution (lenny), these problems have been fixed in
    version 2.6.26-17lenny1.

    For the oldstable distribution (etch), these problems, where
    applicable, will be fixed in updates to linux-2.6 and linux-2.6.24.

    We recommend that you upgrade your linux-2.6 and user-mode-linux
    packages.

    Note: Debian carefully tracks all known security issues across every
    linux kernel package in all releases under active security support.
    However, given the high frequency at which low-severity security
    issues are discovered in the kernel and the resource requirements of
    doing an update, updates for lower priority issues will normally not
    be released for all kernels at the same time. Rather, they will be
    released in a staggered or "leap-frog" fashion.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    The following matrix lists additional source packages that were rebuilt for
    compatibility with or to take advantage of this update:

    Debian 5.0 (lenny)
    user-mode-linux 2.6.26-1um-2+17lenny1

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : kvm
    Vulnerability : denial of service
    Problem type : local
    Debian-specific: no
    CVE Id(s) : CVE-2009-2287

    Matt T. Yourst discovered an issue in the kvm subsystem. Local
    users with permission to manipulate /dev/kvm can cause a denial
    of service (hang) by providing an invalid cr3 value to the
    KVM_SET_SREGS call.

    For the stable distribution (lenny), these problems have been fixed
    in version 72+dfsg-5~lenny2.

    For the unstable distribution (sid), these problems will be fixed soon.

    We recommend that you upgrade your kvm packages, and rebuild any kernel
    modules you have built from a kvm-source package version.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : bind9
    Vulnerability : improper assert
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-0696
    CERT advisory : VU#725188
    Debian Bug : 538975

    It was discovered that the BIND DNS server terminates when processing a
    specially crafted dynamic DNS update. This vulnerability affects all
    BIND servers which serve at least one DNS zone authoritatively, as a
    master, even if dynamic updates are not enabled. The default Debian
    configuration for resolvers includes several authoritative zones, too,
    so resolvers are also affected by this issue unless these zones have
    been removed.

    For the old stable distribution (etch), this problem has been fixed in
    version 9.3.4-2etch5.

    For the stable distribution (lenny), this problem has been fixed in
    version 9.5.1.dfsg.P3-1.

    For the unstable distribution (sid), this problem has been fixed in
    version 1:9.6.1.dfsg.P1-1.

    We recommend that you upgrade your bind9 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : apache2
    Vulnerability : denial of service
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-1890 CVE-2009-1891

    The previous update caused a regression for apache2 in Debian 4.0
    "etch". Using mod_deflate together with mod_php could cause segfaults
    when a client aborts a connection. This update corrects this flaw.
    For reference the original advisory text is below.


    A denial of service flaw was found in the Apache mod_proxy module when
    it was used as a reverse proxy. A remote attacker could use this flaw
    to force a proxy process to consume large amounts of CPU time. This
    issue did not affect Debian 4.0 "etch". (CVE-2009-1890)

    A denial of service flaw was found in the Apache mod_deflate module.
    This module continued to compress large files until compression was
    complete, even if the network connection that requested the content
    was closed before compression completed. This would cause mod_deflate
    to consume large amounts of CPU if mod_deflate was enabled for a large
    file. A similar flaw related to HEAD requests for compressed content
    was also fixed. (CVE-2009-1891)


    For the oldstable distribution (etch), this problem has been fixed in
    version 2.2.3-4+etch10.

    The other distributions stable (lenny), testing (squeeze) and
    unstable (sid) were not affected by the regression.

    This advisory also provides updated apache2-mpm-itk packages which
    have been recompiled against the new apache2 packages.

    Updated packages for apache2-mpm-itk for the s390 architecture are
    not included yet. They will be released as soon as they become
    available.

    We recommend that you upgrade your apache2 (2.2.3-4+etch10) and apache2-mpm-itk
    (2.2.3-01-2+etch4) packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : znc
    Vulnerability : directory traversal
    Problem type : remote
    Debian-specific: no
    Debian Bug : 537977

    It was discovered that znc, an IRC proxy, did not properly process
    certain DCC requests, allowing attackers to upload arbitrary files.

    For the old stable distribution (etch), this problem has been fixed in
    version 0.045-3+etch3.

    For the stable distribution (lenny), this problem has been fixed in
    version 0.058-2+lenny3.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.074-1.

    We recommend that you upgrade your znc package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : xml-security-c
    Vulnerability : design flaw
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2009-0217
    CERT advisory : VU#466161

    It was discovered that the W3C XML Signature recommendation contains a
    protocol-level vulnerability related to HMAC output truncation. This
    update implements the proposed workaround in the C++ version of the
    Apache implementation of this standard, xml-security-c, by preventing
    truncation to output strings shorter than 80 bits or half of the
    original HMAC output, whichever is greater.

    For the old stable distribution (etch), this problem has been fixed in
    version 1.2.1-3+etch1.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.4.0-3+lenny2.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.4.0-4.

    We recommend that you upgrade your xml-security-c packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
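The truncation floor described in the xml-security-c advisory above, as an added example that is not code from the Debian package or the Apache project: a verifier-side policy check in Python using the standard library hmac module. The key and the SignedInfo bytes are constructed here, and the example only handles whole-octet truncation lengths.

```python
import hashlib
import hmac

# Full output length in bits of the hash functions XML Signature uses with HMAC.
HMAC_OUTPUT_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}
ABSOLUTE_MIN_BITS = 80  # floor from the workaround the advisory describes


def min_hmac_output_length(hash_name):
    """Shortest HMACOutputLength the workaround accepts: 80 bits or half of
    the full HMAC output, whichever is greater."""
    return max(ABSOLUTE_MIN_BITS, HMAC_OUTPUT_BITS[hash_name] // 2)


def hmac_output_length_ok(hash_name, requested_bits):
    """Policy check a verifier applies to the HMACOutputLength element before
    it compares anything. None means no truncation was requested."""
    full_bits = HMAC_OUTPUT_BITS[hash_name]
    if requested_bits is None:
        return True
    # Assumption of this example: only whole-octet truncations are handled,
    # and a length longer than the MAC itself is malformed.
    if requested_bits % 8 != 0 or requested_bits > full_bits:
        return False
    return requested_bits >= min_hmac_output_length(hash_name)


def truncated_hmac(key, signed_info, hash_name, requested_bits):
    """Leftmost requested_bits of HMAC(key, signed_info); the full MAC if None."""
    mac = hmac.new(key, signed_info, getattr(hashlib, hash_name)).digest()
    return mac if requested_bits is None else mac[: requested_bits // 8]


def verify_signature_value(key, signed_info, signature_value, hash_name, requested_bits):
    """Verifier side with the workaround applied: an unacceptable
    HMACOutputLength is rejected outright, never compared."""
    if not hmac_output_length_ok(hash_name, requested_bits):
        raise ValueError(
            "HMACOutputLength %r rejected for %s (minimum %d bits)"
            % (requested_bits, hash_name, min_hmac_output_length(hash_name))
        )
    expected = truncated_hmac(key, signed_info, hash_name, requested_bits)
    return hmac.compare_digest(expected, signature_value)


def guess_space(hash_name, requested_bits):
    """Number of distinct values a truncated MAC can take (2**bits): the
    reason a tiny HMACOutputLength makes the signature worthless."""
    bits = HMAC_OUTPUT_BITS[hash_name] if requested_bits is None else requested_bits
    return 2 ** bits


def demo():
    """Constructed sample: a shared key and a canonicalised SignedInfo blob."""
    key = b"example-shared-secret"
    signed_info = b"<SignedInfo>constructed example, not real XML</SignedInfo>"
    results = {}
    good = truncated_hmac(key, signed_info, "sha1", 80)
    results["80-bit sha1 verifies"] = verify_signature_value(
        key, signed_info, good, "sha1", 80)
    try:
        verify_signature_value(key, signed_info, b"\x00", "sha1", 8)
        results["8-bit sha1 rejected"] = False
    except ValueError:
        results["8-bit sha1 rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```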

    • Official post

    Package : libmodplug
    Vulnerability : several
    Problem type : local (remote)
    Debian-specific: no
    CVE Ids : CVE-2009-1438 CVE-2009-1513
    Debian Bugs : 526657 527076 526084

    Several vulnerabilities have been discovered in libmodplug, the shared
    libraries for mod music based on ModPlug. The Common Vulnerabilities and
    Exposures project identifies the following problems:

    CVE-2009-1438

    It was discovered that libmodplug is prone to an integer overflow when
    processing a MED file with a crafted song comment or song name.

    CVE-2009-1513

    It was discovered that libmodplug is prone to a buffer overflow in the
    PATinst function, when processing a long instrument name.


    For the stable distribution (lenny), these problems have been fixed in
    version 1:0.8.4-1+lenny1.

    For the oldstable distribution (etch), these problems have been fixed in
    version 1:0.7-5.2+etch1.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem has been fixed in version 1:0.8.7-1.


    We recommend that you upgrade your libmodplug packages.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : gst-plugins-bad0.10
    Vulnerability : integer overflow
    Problem type : local (remote)
    Debian-specific: no
    CVE Id : CVE-2009-1438
    Debian Bugs : 527075


    It was discovered that gst-plugins-bad0.10, the GStreamer plugins from
    the "bad" set, is prone to an integer overflow when processing a MED
    file with a crafted song comment or song name.


    For the stable distribution (lenny), this problem has been fixed in
    version 0.10.7-2+lenny2.

    For the oldstable distribution (etch), this problem has been fixed in
    version 0.10.3-3.1+etch3.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), gst-plugins-bad0.10 links against libmodplug.


    We recommend that you upgrade your gst-plugins-bad0.10 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : fetchmail
    Vulnerability : insufficient input validation
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-2666

    It was discovered that fetchmail, a full-featured remote mail retrieval
    and forwarding utility, is vulnerable to the "Null Prefix Attacks Against
    SSL/TLS Certificates" recently published at the Blackhat conference.
    This allows an attacker to perform undetected man-in-the-middle attacks
    via a crafted ITU-T X.509 certificate with an injected null byte in the
    subjectAltName or Common Name fields.

    Note: as a fetchmail user you should always use strict certificate
    validation through either of these option combinations:
    sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports)
    or
    sslcertck sslproto tls1 (for STARTTLS-based services)


    For the oldstable distribution (etch), this problem has been fixed in
    version 6.3.6-1etch2.

    For the stable distribution (lenny), this problem has been fixed in
    version 6.3.9~rc2-4+lenny1.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 6.3.9~rc2-6.


    We recommend that you upgrade your fetchmail packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
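An added Python example, not fetchmail's code, of the check the null-prefix fix amounts to: take a certificate name at its DER-encoded length rather than its C-string length, and refuse any dNSName that contains an embedded NUL. The DER GeneralNames blob is constructed inline, and the minimal DER reader handles only what a SubjectAltName with dNSName entries needs.

```python
# GeneralNames ::= SEQUENCE OF GeneralName, where dNSName is [2] IA5String,
# which DER encodes with the context-specific tag 0x82.
DNS_NAME_TAG = 0x82
SEQUENCE_TAG = 0x30


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos.
    Handles short-form and long-form lengths, which is enough for names."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def dns_names_from_general_names(der):
    """Every dNSName in a DER GeneralNames value, as raw bytes with the
    DER length respected (an embedded NUL stays in the value)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE_TAG or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == DNS_NAME_TAG:
            names.append(value)
    return names


def c_string_view(name_bytes):
    """What a caller that trusts strlen() sees: bytes up to the first NUL."""
    nul = name_bytes.find(b"\x00")
    return name_bytes if nul < 0 else name_bytes[:nul]


def naive_matches_host(name_bytes, host):
    """The flawed comparison the advisory describes: the name is treated as a
    C string, so everything after an embedded NUL is silently ignored."""
    return c_string_view(name_bytes).decode("ascii", "replace").lower() == host.lower()


def name_matches_host(name_bytes, host):
    """Hardened comparison: the whole DER-length value must match and an
    embedded NUL disqualifies the name outright."""
    if b"\x00" in name_bytes:
        return False
    try:
        name = name_bytes.decode("ascii")
    except UnicodeDecodeError:
        return False
    return name.lower() == host.lower()


def check_san(der, host):
    """Defender-side verdict for one SubjectAltName: (accepted, reason)."""
    names = dns_names_from_general_names(der)
    for name in names:
        if b"\x00" in name:
            return False, "embedded NUL in dNSName: %r" % name
    if any(name_matches_host(name, host) for name in names):
        return True, "matched"
    return False, "no dNSName matches %s" % host


def encode_general_names(dns_names):
    """Constructed fixture builder (short-form lengths, bodies under 128 bytes)."""
    body = b"".join(bytes([DNS_NAME_TAG, len(n)]) + n for n in dns_names)
    return bytes([SEQUENCE_TAG, len(body)]) + body


if __name__ == "__main__":
    # Constructed sample: one name carrying an embedded NUL, one clean name.
    san = encode_general_names([b"mail.example.com\x00.other.example",
                                b"imap.example.com"])
    print(check_san(san, "mail.example.com"))
    print(check_san(encode_general_names([b"imap.example.com"]), "imap.example.com"))
```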

    • Official post

    Package : memcached
    Vulnerability : heap-based buffer overflow
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-2415

    Ronald Volgers discovered that memcached, a high-performance memory object
    caching system, is vulnerable to several heap-based buffer overflows due
    to integer conversions when parsing certain length attributes. An
    attacker can use this to execute arbitrary code on the system running
    memcached (on etch with root privileges).


    For the oldstable distribution (etch), this problem has been fixed in
    version 1.1.12-1+etch1.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.2.2-1+lenny1.

    For the testing (squeeze) and unstable (sid) distributions, this problem
    will be fixed soon.


    We recommend that you upgrade your memcached packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : apr, apr-util
    Vulnerability : heap buffer overflow
    Debian-specific: no
    CVE Id(s) : CVE-2009-2412

    Matt Lewis discovered that the memory management code in the Apache
    Portable Runtime (APR) library does not guard against a wrap-around
    during size computations. This could cause the library to return a
    memory area which is smaller than requested, resulting in a heap overflow
    and possibly arbitrary code execution.

    For the old stable distribution (etch), this problem has been fixed in
    version 1.2.7-9 of the apr package, and version 1.2.7+dfsg-2+etch3 of
    the apr-util package.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.2.12-5+lenny1 of the apr package and version 1.2.12-5+lenny1
    of the apr-util package.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your APR packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : subversion
    Vulnerability : heap overflow
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-2411

    Matt Lewis discovered that Subversion performs insufficient input
    validation of svndiff streams. Malicious servers could cause heap
    overflows in clients, and malicious clients with commit access could
    cause heap overflows in servers, possibly leading to arbitrary code
    execution in both cases.
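    The kind of validation missing from the svndiff handling above, as an added example that is not Subversion's code: a simplified model of one svndiff window (source view length, target view length, literal new-data length, then copy instructions), checking every instruction against those header lengths before any byte is copied, since both the header and the instructions come from the peer. Names (instr_t, window_hdr_t, window_instructions_ok) and the exact check set are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* svndiff instruction kinds: copy from the source view, from the target
 * bytes produced so far, or from the window's literal new data. */
enum { OP_SOURCE = 0, OP_TARGET = 1, OP_NEW = 2 };

typedef struct { int op; uint64_t len; uint64_t offset; } instr_t;

typedef struct {
    uint64_t sview_len;  /* bytes of source text visible to this window */
    uint64_t tview_len;  /* bytes this window claims to produce */
    uint64_t new_len;    /* bytes of literal new data carried in the window */
} window_hdr_t;

/* True only if each instruction reads inside its operand, the output never
 * exceeds tview_len, and the window produces exactly tview_len bytes while
 * consuming exactly new_len bytes of new data. Invariants tpos <= tview_len
 * and npos <= new_len hold throughout, so the subtractions cannot wrap. */
bool window_instructions_ok(const window_hdr_t *h, const instr_t *ins, size_t n) {
    uint64_t tpos = 0, npos = 0;
    for (size_t i = 0; i < n; i++) {
        const instr_t *in = &ins[i];
        if (in->len == 0 || in->len > h->tview_len - tpos)
            return false;                       /* empty or overproduces */
        switch (in->op) {
        case OP_SOURCE:
            if (in->offset > h->sview_len || in->len > h->sview_len - in->offset)
                return false;                   /* reads past the source view */
            break;
        case OP_TARGET:
            /* May overlap forward (run-length style), but must start inside
             * bytes already produced; otherwise it reads uninitialised memory. */
            if (in->offset >= tpos)
                return false;
            break;
        case OP_NEW:
            if (in->len > h->new_len - npos)
                return false;                   /* reads past the new data */
            npos += in->len;
            break;
        default:
            return false;
        }
        tpos += in->len;
    }
    return tpos == h->tview_len && npos == h->new_len;
}
```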

    For the old stable distribution (etch), this problem has been fixed in
    version 1.4.2dfsg1-3.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.5.1dfsg1-4.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.6.4dfsg-1.

    We recommend that you upgrade your Subversion packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    • Official post

    Package : mantis
    Vulnerability : information leak
    Problem type : local
    Debian-specific: yes
    Debian Bug : 425010

    It was discovered that the Debian Mantis package, a web based bug
    tracking system, installed the database credentials in a file with
    world-readable permissions onto the local filesystem. This allows
    local users to acquire the credentials used to control the Mantis
    database.

    This updated package corrects this problem for new installations and
    will carefully try to update existing ones. Administrators can check
    the permissions of the file /etc/mantis/config_db.php to see if they
    are safe for their environment.

    The old stable distribution (etch) does not contain a mantis package.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.1.6+dfsg-2lenny1.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.1.8+dfsg-2.

    We recommend that you upgrade your mantis package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 5.0 alias lenny

    • Official post

    Package : squid3
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    Debian bug : 538989 539160
    CVE ID : CVE-2009-2622 CVE-2009-2621

    It was discovered that squid3, a high-performance proxy caching server for
    web clients, is prone to several denial of service attacks. Due to incorrect
    bounds checking and insufficient validation while processing response and
    request data, an attacker is able to crash the squid daemon via crafted
    requests or responses.

    This update to DSA-1843-1 includes updated upstream patches which add
    checks for a corner-case in which an incomplete server reply could
    also lead to denial of service conditions as well as more debugging
    information.


    The squid package in the oldstable distribution (etch) is not affected
    by this problem.

    For the stable distribution (lenny), this problem has been fixed in
    version 3.0.STABLE8-3+lenny2.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 3.0.STABLE18-1.


    We recommend that you upgrade your squid3 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny