Posts by Micha

    Prompted by a recent incident, here is a description of how all Mailman lists, including their data, can be backed up.

    1. On the server, change to the directory /var/lib/mailman/
    2. Download the folders data/, archives/ and lists/, or pack them first

    tar -cpvW -f /root/mmdata.tar ./data
    tar -cpvW -f /root/mmarchives.tar ./archives
    tar -cpvW -f /root/mmlists.tar ./lists

    and then download them.

    3. Copy the three files to the target machine and unpack them in the same folder

    tar -xvf mmdata.tar
    tar -xvf mmarchives.tar
    tar -xvf mmlists.tar

    4. Clean up the installation

    Change to the directory /usr/lib/mailman/bin/ and run the following command separately for each transferred list

    withlist -l -r fix_.....url listname.......
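
    The procedure above, as an added example that is not part of the original post: the three Mailman directories are packed as in the how-to, a SHA-256 manifest is written next to the tar files, and the restore step refuses to unpack an archive whose checksum no longer matches, then prints the list names that the per-list withlist step needs. It assumes GNU tar and coreutils sha256sum (the Debian defaults); the function names and the MANIFEST.sha256 file name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): Mailman backup/restore with an
# integrity check. Assumes GNU tar and coreutils sha256sum.

# pack_mm_dir ROOT SUBDIR OUTDIR
# Archive ROOT/SUBDIR (data, archives or lists) as OUTDIR/mmSUBDIR.tar, the
# same layout as the tar calls in the how-to, and append the archive's
# SHA-256 to OUTDIR/MANIFEST.sha256 (file name chosen for this example).
pack_mm_dir() {
    root=$1; sub=$2; out=$3
    mkdir -p "$out"
    ( cd "$root" && tar -cpf "$out/mm$sub.tar" "./$sub" ) || return 1
    ( cd "$out" && sha256sum "mm$sub.tar" >> MANIFEST.sha256 )
}

# restore_mm_dir SRCDIR SUBDIR DEST
# Verify SRCDIR/mmSUBDIR.tar against the manifest, then unpack it into DEST
# (on a real target that is /var/lib/mailman; run as root so that tar also
# restores file ownership). Returns 1 without touching DEST on a mismatch.
restore_mm_dir() {
    src=$1; sub=$2; dest=$3
    ( cd "$src" && grep " mm$sub.tar\$" MANIFEST.sha256 | sha256sum -c --status - ) \
        || { echo "checksum mismatch for mm$sub.tar, not restoring" >&2; return 1; }
    mkdir -p "$dest"
    tar -xpf "$src/mm$sub.tar" -C "$dest"
}

# restored_list_names LISTSDIR
# Print the names of the lists found in a restored lists/ directory, one per
# line: each Mailman 2 list is a subdirectory holding config.pck. These are
# the names to pass to withlist one at a time in the last step above.
restored_list_names() {
    for d in "$1"/*/; do
        [ -f "${d}config.pck" ] && basename "$d"
    done
    return 0
}
```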

    Package : telepathy-gabble
    Vulnerability : insufficient input validation
    Problem type : remote
    Debian-specific: no
    CVE ID : none yet

    It was discovered that telepathy-gabble, the Jabber/XMMP connection manager
    for the Telepathy framework, is processing google:jingleinfo updates without
    validating their origin. This may allow an attacker to trick telepathy-gabble
    into relaying streamed media data through a server of his choice and thus
    intercept audio and video calls.


    For the oldstable distribution (lenny), this problem has been fixed in
    version 0.7.6-1+lenny1.

    For the stable distribution (squeeze), this problem has been fixed in
    version 0.9.15-1+squeeze1.

    For the testing (wheezy) and unstable (sid) distributions, this problem
    will be fixed soon.

    We recommend that you upgrade your telepathy-gabble packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : openafs
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2011-0430 CVE-2011-0431

    Two vulnerabilities were discovered in the distributed filesystem AFS:

    CVE-2011-0430

    Andrew Deason discovered that a double free in the Rx server
    process could lead to denial of service or the execution of
    arbitrary code.

    CVE-2011-0431

    It was discovered that insufficient error handling in the
    kernel module could lead to denial of service.

    For the oldstable distribution (lenny), this problem has been fixed in
    version 1.4.7.dfsg1-6+lenny4. Due to a technical problem with the
    buildd infrastructure the update is not yet available, but will be
    installed into the archive soon.

    For the stable distribution (squeeze), this problem has been fixed in
    version 1.4.12.1+dfsg-4.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.4.14+dfsg-1.

    We recommend that you upgrade your openafs packages. Note that in order
    to apply this security update, you must rebuild the OpenAFS kernel module.


    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : phpmyadmin
    Vulnerability : sql injection
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2011-0987

    It was discovered that phpMyAdmin, a tool to administer MySQL over
    the web, when the bookmarks feature is enabled, allowed to create a
    bookmarked query which would be executed unintentionally by other users.

    For the oldstable distribution (lenny), this problem has been fixed in
    version 4:2.11.8.1-5+lenny8.

    For the stable distribution (squeeze), this problem has been fixed in
    version 4:3.3.7-5.

    For the testing distribution (wheezy) and unstable distribution (sid),
    this problem has been fixed in version 4:3.3.9.2-1.

    We recommend that you upgrade your phpmyadmin packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : chromium-browser
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2011-0777 CVE-2011-0778 CVE-2011-0783 CVE-2011-0983 CVE-2011-0981 CVE-2011-0984 CVE-2011-0985


    Several vulnerabilities were discovered in the Chromium browser.
    The Common Vulnerabilities and Exposures project identifies the
    following problems:


    CVE-2011-0777

    Use-after-free vulnerability in Google Chrome before 9.0.597.84 allows remote
    attackers to cause a denial of service or possibly have unspecified other
    impact via vectors related to image loading


    CVE-2011-0778

    Google Chrome before 9.0.597.84 does not properly restrict drag and drop
    operations, which might allow remote attackers to bypass the Same Origin
    Policy via unspecified vectors


    CVE-2011-0783

    Unspecified vulnerability in Google Chrome before 9.0.597.84 allows
    user-assisted remote attackers to cause a denial of service
    (application crash) via vectors involving a "bad volume setting."


    CVE-2011-0983

    Google Chrome before 9.0.597.94 does not properly handle anonymous blocks,
    which allows remote attackers to cause a denial of service or possibly have
    unspecified other impact via unknown vectors that lead to a "stale pointer."


    CVE-2011-0981

    Google Chrome before 9.0.597.94 does not properly perform event handling for
    animations, which allows remote attackers to cause a denial of service or
    possibly have unspecified other impact via unknown vectors that lead to a
    "stale pointer."


    CVE-2011-0984

    Google Chrome before 9.0.597.94 does not properly handle plug-ins, which
    allows remote attackers to cause a denial of service (out-of-bounds read)
    via unspecified vectors


    CVE-2011-0985

    Google Chrome before 9.0.597.94 does not properly perform process termination
    upon memory exhaustion, which has unspecified impact and remote attack vectors.


    For the stable distribution (squeeze), these problems have been fixed
    in version 6.0.472.63~r59945-5+squeeze2

    For the testing distribution (wheezy), these problems will be fixed soon.

    For the unstable distribution (sid), these problems have been fixed
    in version 9.0.597.98~r74359-1

    We recommend that you upgrade your chromium-browser packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : ffmpeg-debian
    Vulnerability : buffer overflow
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2010-3429 CVE-2010-4704 CVE-2010-4705

    Several vulnerabilities have been discovered in FFmpeg coders, which are used
    by MPlayer and other applications.


    CVE-2010-3429

    Cesar Bernardini and Felipe Andres Manzano reported an arbitrary offset
    dereference vulnerability in the libavcodec, in particular in the flic file
    format parser. A specific flic file may exploit this vulnerability and execute
    arbitrary code. Mplayer is also affected by this problem, as well as other
    software that use this library.


    CVE-2010-4704

    Greg Maxwell discovered an integer overflow in the Vorbis decoder in FFmpeg. A
    specific ogg file may exploit this vulnerability and execute arbitrary code.


    CVE-2010-4705

    A potential integer overflow has been discovered in the Vorbis decoder in
    FFmpeg.


    This upload also fixes an incomplete patch from DSA-2000-1. Michael Gilbert
    noticed that there were remaining vulnerabilities, which may cause a denial of
    service and potentially execution of arbitrary code.

    For the oldstable distribution (lenny), this problem has been fixed in
    version 0.svn20080206-18+lenny3.

    We recommend that you upgrade your ffmpeg-debian packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : shadow
    Vulnerability : insufficient input sanitization
    Problem type : local
    Debian-specific: no
    CVE ID : CVE-2011-0721

    Kees Cook discovered that the chfn and chsh utilities do not properly
    sanitize user input that includes newlines. An attacker could use this
    to corrupt passwd entries and may create users or groups in NIS
    environments.


    Packages in the oldstable distribution (lenny) are not affected by this
    problem.

    For the stable distribution (squeeze), this problem has been fixed in
    version 1:4.1.4.2+svn3283-2+squeeze1.

    For the testing (wheezy) and unstable (sid) distributions, this problem
    will be fixed soon.

    We recommend that you upgrade your shadow packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : openjdk-6
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2010-4476 CVE-2009-3555
    Debian Bug : 612660

    It was discovered that the floating point parser in OpenJDK, an
    implementation of the Java platform, can enter an infinite loop when
    processing certain input strings. Such input strings represent valid
    numbers and can be contained in data supplied by an attacker over the
    network, leading to a denial-of-service attack.

    For the old stable distribution (lenny), this problem has been fixed
    in version 6b18-1.8.3-2~lenny1.

    Note that this update introduces an OpenJDK package based on the
    IcedTea release 1.8.3 into the old stable distribution. This
    addresses several dozen security vulnerabilities, most of which are
    only exploitable by malicious mobile code. A notable exception is
    CVE-2009-3555, the TLS renegotiation vulnerability. This update
    implements the protocol extension described in RFC 5746, addressing
    this issue.

    This update also includes a new version of Hotspot, the Java virtual
    machine, which increases the default heap size on machines with
    several GB of RAM. If you run several JVMs on the same machine, you
    might have to reduce the heap size by specifying a suitable -Xmx
    argument in the invocation of the "java" command.

    We recommend that you upgrade your openjdk-6 packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : python-django
    Vulnerability : multiple
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2011-0696 CVE-2011-0697

    Several vulnerabilities were discovered in the django web development
    framework:

    CVE-2011-0696

    For several reasons the internal CSRF protection was not used to
    validate ajax requests in the past. However, it was discovered that
    this exception can be exploited with a combination of browser plugins
    and redirects and thus is not sufficient.

    CVE-2011-0697

    It was discovered that the file upload form is prone to cross-site
    scripting attacks via the file name.

    It is important to note that this update introduces minor backward
    incompatibilities due to the fixes for the above issues.
    For the exact details, please see:
    http://docs.djangoproject.com/en/1.2/releases/1.2.5/
    and in particular the "Backwards incompatible changes" section.


    Packages in the oldstable distribution (lenny) are not affected by these
    problems.

    For the stable distribution (squeeze), this problem has been fixed in
    version 1.2.3-3+squeeze1.

    For the testing distribution (wheezy), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.2.5-1.

    We recommend that you upgrade your python-django packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : openssl
    Vulnerability : invalid memory access
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2011-0014

    Neel Mehta discovered that an incorrectly formatted ClientHello handshake
    message could cause OpenSSL to parse past the end of the message. This
    allows an attacker to crash an application using OpenSSL by triggering
    an invalid memory access. Additionally, some applications may be vulnerable
    to expose contents of a parsed OCSP nonce extension.

    Packages in the oldstable distribution (lenny) are not affected by this
    problem.

    For the stable distribution (squeeze), this problem has been fixed in
    version 0.9.80-4squeeze1.

    For the testing distribution (wheezy), this problem has been fixed in
    version 0.9.80-5.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.9.80-5.

    We recommend that you upgrade your openssl packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : openjdk-6
    Vulnerability : denial of service
    Problem type : local (remote)
    Debian-specific: no
    CVE ID : CVE-2010-4476
    Debian Bug : 612660

    It was discovered that the floating point parser in OpenJDK, an
    implementation of the Java platform, can enter an infinite loop when
    processing certain input strings. Such input strings represent valid
    numbers and can be contained in data supplied by an attacker over the
    network, leading to a denial-of-service attack.

    For the oldstable distribution (lenny), this problem will be fixed in
    version 6b18-1.8.3-2~lenny1. For technical reasons, this update will
    be released separately.

    For the stable distribution (squeeze), this problem has been fixed in
    version 6b18-1.8.3-2+squeeze1.

    For the testing distribution (wheezy) and the unstable distribution
    (sid), this problem will be fixed soon.

    We recommend that you upgrade your openjdk-6 packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : tomcat6
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2010-3718 CVE-2011-0013 CVE-2011-0534
    Debian Bug : 612257

    Several vulnerabilities were discovered in the Tomcat Servlet and JSP
    engine:

    CVE-2010-3718

    It was discovered that the SecurityManager insufficiently
    restricted the working directory.

    CVE-2011-0013

    It was discovered that the HTML manager interface is affected
    by cross-site scripting.

    CVE-2011-0534

    It was discovered that the NIO connector performs insufficient
    validation of the HTTP headers, which could lead to denial
    of service.

    The oldstable distribution (lenny) is not affected by these issues.

    For the stable distribution (squeeze), this problem has been fixed in
    version 6.0.28-9+squeeze1.

    For the unstable distribution (sid), this problem has been fixed in
    version 6.0.28-10.

    We recommend that you upgrade your tomcat6 packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : vlc
    Vulnerability : missing input sanitising
    Problem type : (local)remote
    Debian-specific: no
    CVE ID : CVE-2011-0531

    Dan Rosenberg discovered that insufficient input validation in VLC's
    processing of Matroska/WebM containers could lead to the execution of
    arbitrary code.

    For the stable distribution (squeeze), this problem has been fixed in
    version 1.1.3-1squeeze3.

    The version of vlc in the oldstable distribution (lenny) is affected
    by further issues and will be addressed in a followup DSA.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.1.7-1.

    We recommend that you upgrade your vlc packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : cgiirc
    Vulnerability : cross-site scripting
    Problem type : local
    Debian-specific: no
    CVE ID : CVE-2011-0050

    Michael Brooks (Sitewatch) discovered a reflective XSS flaw in
    cgiirc, a web based IRC client, which could lead to the execution
    of arbitrary javascript.

    For the old-stable distribution (lenny), this problem has been fixed in
    version 0.5.9-3lenny1.

    For the stable distribution (squeeze), and unstable distribution (sid),
    this problem will be fixed shortly.

    We recommend that you upgrade your cgiirc packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : postgresql-8.3, postgresql-8.4, postgresql-9.0
    Vulnerability : buffer overflow
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2010-4015

    It was discovered that PostgreSQL's intarray contrib module does not
    properly handle integers with a large number of digits, leading to a
    server crash and potentially arbitrary code execution.

    For the stable distribution (lenny), this problem has been fixed in
    version 8.3.14-0lenny1 of the postgresql-8.3 package.

    For the testing distribution (squeeze), this problem has been fixed in
    version 8.4.7-0squeeze1 of the postgresql-8.4 package.

    For the unstable distribution (sid), this problem has been fixed in
    version 8.4.7-1 of the postgresql-8.4 package and version 9.0.3-1 of
    the postgresql-9.0 package.

    The updates also include reliability improvements; for details see the
    respective changelogs.

    We recommend that you upgrade your PostgreSQL packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : pcscd
    Vulnerability : buffer overflow
    Problem type : local
    Debian-specific: no
    CVE ID : CVE-2010-4531

    MWR InfoSecurity identified a buffer overflow in pcscd, middleware
    to access a smart card via PC/SC, which could lead to the execution
    of arbitrary code.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.4.102-1+lenny4.

    For the testing distribution (squeeze), this problem has been fixed in
    version 1.5.5-4.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.5.5-4.

    We recommend that you upgrade your pcscd packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : freetype
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2010-3814 CVE-2010-3855

    Two buffer overflows were found in the Freetype font library, which could
    lead to the execution of arbitrary code.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.3.7-2+lenny5.

    For the testing distribution (squeeze), this problem has been fixed in
    version 2.4.2-2.1.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.4.2-2.1.

    We recommend that you upgrade your freetype packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : exim4
    Vulnerability : privilege escalation / regression
    Problem type : local
    CVE Id(s) : CVE-2010-4345 CVE-2011-0017
    Debian bug : 611572
    Behaviour change : yes

    The updated packages from DSA-2154-1 introduced a regression which
    prevented unprivileged users from using 'exim4 -bf' to test filter
    configurations. This update fixes this problem.

    Please also read the information provided in DSA-2154-1 if you have
    not done so already.

    For the stable distribution (lenny), this problem has been fixed in
    version 4.69-9+lenny4.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem will be fixed soon.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : exim4
    Vulnerability : privilege escalation
    Problem type : local
    CVE Id(s) : CVE-2010-4345 CVE-2011-0017
    Behaviour change : yes

    A design flaw (CVE-2010-4345) in exim4 allowed the local Debian-exim
    user to obtain root privileges by specifying an alternate
    configuration file using the -C option or by using the macro override
    facility (-D option). Unfortunately, fixing this vulnerability is not
    possible without some changes in exim4's behaviour. If you use the -C
    or -D options or use the system filter facility, you should evaluate
    the changes carefully and adjust your configuration accordingly. The
    Debian default configuration is not affected by the changes.

    The detailed list of changes is described in the NEWS.Debian file in
    the packages. The relevant sections are also reproduced below.

    In addition to that, missing error handling for the setuid/setgid
    system calls allowed the Debian-exim user to cause root to append
    log data to arbitrary files (CVE-2011-0017).

    For the stable distribution (lenny), these problems have been fixed in
    version 4.69-9+lenny3.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems have been fixed in version 4.72-4.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Package : linux-2.6
    Vulnerability : privilege escalation/denial of service/information leak
    Problem type : local/remote
    Debian-specific: no
    CVE Id(s) : CVE-2010-0435 CVE-2010-3699 CVE-2010-4158 CVE-2010-4162
    CVE-2010-4163 CVE-2010-4242 CVE-2010-4243 CVE-2010-4248
    CVE-2010-4249 CVE-2010-4258 CVE-2010-4342 CVE-2010-4346
    CVE-2010-4526 CVE-2010-4527 CVE-2010-4529 CVE-2010-4565
    CVE-2010-4649 CVE-2010-4656 CVE-2010-4668 CVE-2011-0521

    Several vulnerabilities have been discovered in the Linux kernel that may lead
    to a privilege escalation, denial of service or information leak. The Common
    Vulnerabilities and Exposures project identifies the following problems:

    CVE-2010-0435

    Gleb Napatov reported an issue in the KVM subsystem that allows virtual
    machines to cause a denial of service of the host machine by executing mov
    to/from DR instructions.

    CVE-2010-3699

    Keir Fraser provided a fix for an issue in the Xen subsystem. A guest can
    cause a denial of service on the host by retaining a leaked reference to a
    device. This can result in a zombie domain, xenwatch process hangs, and xm
    command failures.

    CVE-2010-4158

    Dan Rosenberg discovered an issue in the socket filters subsystem, allowing
    local unprivileged users to obtain the contents of sensitive kernel memory.

    CVE-2010-4162

    Dan Rosenberg discovered an overflow issue in the block I/O subsystem that
    allows local users to map large numbers of pages, resulting in a denial of
    service due to invocation of the out of memory killer.

    CVE-2010-4163

    Dan Rosenberg discovered an issue in the block I/O subsystem. Due to
    improper validation of iov segments, local users can trigger a kernel panic
    resulting in a denial of service.

    CVE-2010-4242

    Alan Cox reported an issue in the Bluetooth subsystem. Local users with
    sufficient permission to access HCI UART devices can cause a denial of
    service (NULL pointer dereference) due to a missing check for an existing
    tty write operation.

    CVE-2010-4243

    Brad Spengler reported a denial-of-service issue in the kernel memory
    accounting system. By passing large argv/envp values to exec, local users
    can cause the out of memory killer to kill processes owned by other users.

    CVE-2010-4248

    Oleg Nesterov reported an issue in the POSIX CPU timers subsystem. Local
    users can cause a denial of service (Oops) due to incorrect assumptions
    about thread group leader behavior.

    CVE-2010-4249

    Vegard Nossum reported an issue with the UNIX socket garbage collector.
    Local users can consume all of LOWMEM and decrease system performance by
    overloading the system with inflight sockets.

    CVE-2010-4258

    Nelson Elhage reported an issue in Linux oops handling. Local users may be
    able to obtain elevated privileges if they are able to trigger an oops with
    a process' fs set to KERNEL_DS.

    CVE-2010-4342

    Nelson Elhage reported an issue in the econet protocol. Remote attackers can
    cause a denial of service by sending an Acorn Universal Networking packet
    over UDP.

    CVE-2010-4346

    Tavis Ormandy discovered an issue in the install_special_mapping routine
    which allows local users to bypass the mmap_min_addr security restriction.
    Combined with an otherwise low severity local denial of service
    vulnerability (NULL pointer dereference), a local user could obtain elevated
    privileges.

    CVE-2010-4526

    Eugene Teo reported a race condition in the Linux SCTP implementation.
    Remote users can cause a denial of service (kernel memory corruption) by
    transmitting an ICMP unreachable message to a locked socket.

    CVE-2010-4527

    Dan Rosenberg reported two issues in the OSS soundcard driver. Local users
    with access to the device (members of group 'audio' on default Debian
    installations) may obtain access to sensitive kernel memory or cause a
    buffer overflow, potentially leading to an escalation of privileges.

    CVE-2010-4529

    Dan Rosenberg reported an issue in the Linux kernel IrDA socket
    implementation on non-x86 architectures. Local users may be able to gain
    access to sensitive kernel memory via a specially crafted IRLMP_ENUMDEVICES
    getsockopt call.

    CVE-2010-4565

    Dan Rosenberg reported an issue in the Linux CAN protocol implementation.
    Local users can obtain the address of a kernel heap object which might help
    facilitate system exploitation.

    CVE-2010-4649

    Dan Carpenter reported an issue in the uverb handling of the InfiniBand
    subsystem. A potential buffer overflow may allow local users to cause a
    denial of service (memory corruption) by passing in a large cmd.ne value.

    CVE-2010-4656

    Kees Cook reported an issue in the driver for I/O-Warrior USB devices.
    Local users with access to these devices may be able to overrun kernel
    buffers, resulting in a denial of service or privilege escalation.

    CVE-2010-4668

    Dan Rosenberg reported an issue in the block subsystem. A local user can
    cause a denial of service (kernel panic) by submitting certain 0-length I/O
    requests.

    CVE-2011-0521

    Dan Carpenter reported an issue in the DVB driver for AV7110 cards. Local
    users can pass a negative info->num value, corrupting kernel memory and
    causing a denial of service.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.6.26-26lenny2.

    The following matrix lists additional source packages that were rebuilt for
    compatibility with or to take advantage of this update:

    Debian 5.0 (lenny)
    user-mode-linux 2.6.26-1um-2+26lenny2

    We recommend that you upgrade your linux-2.6 and user-mode-linux packages.

    Note that these updates will not become active until after your system is
    rebooted.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/