Posts by Micha

    Package : libxml
    Vulnerability : several
    Problem type : local (remote)
    Debian-specific: no
    CVE IDs : CVE-2009-2416 CVE-2009-2414

    Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several
    vulnerabilities in libxml, a library for parsing and handling XML data
    files, which can lead to denial of service conditions or possibly arbitrary
    code execution in the application using the library. The Common
    Vulnerabilities and Exposures project identifies the following problems:

    An XML document with specially-crafted Notation or Enumeration attribute
    types in a DTD definition leads to the use of pointers to memory areas
    which have already been freed (CVE-2009-2416).

    Missing checks for the depth of ELEMENT DTD definitions when parsing
    child content can lead to extensive stack-growth due to a function
    recursion which can be triggered via a crafted XML document (CVE-2009-2414).


    For the oldstable distribution (etch), this problem has been fixed in
    version 1.8.17-14+etch1.

    The stable (lenny), testing (squeeze) and unstable (sid) distribution
    do not contain libxml anymore but libxml2 for which DSA-1859-1 has been
    released.


    We recommend that you upgrade your libxml packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : ruby1.8, ruby1.9
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-0642 CVE-2009-1904

    Several vulnerabilities have been discovered in Ruby. The Common
    Vulnerabilities and Exposures project identifies the following
    problems:

    CVE-2009-0642

    The return value from the OCSP_basic_verify function was not checked
    properly, allowing continued use of a revoked certificate.

    CVE-2009-1904

    An issue in parsing BigDecimal numbers can result in a
    denial-of-service condition (crash).

    The following matrix identifies fixed versions:

                       ruby1.8             ruby1.9
    oldstable (etch)   1.8.5-4etch5        1.9.0+20060609-1etch5
    stable (lenny)     1.8.7.72-3lenny1    1.9.0.2-9lenny1
    unstable (sid)     1.8.7.173-1         (soon)

    We recommend that you upgrade your Ruby packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : libxml2
    Vulnerability : several
    Problem type : local (remote)
    Debian-specific: no
    CVE IDs : CVE-2009-2416 CVE-2009-2414

    Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several
    vulnerabilities in libxml2, a library for parsing and handling XML data
    files, which can lead to denial of service conditions or possibly arbitrary
    code execution in the application using the library. The Common
    Vulnerabilities and Exposures project identifies the following problems:

    An XML document with specially-crafted Notation or Enumeration attribute
    types in a DTD definition leads to the use of pointers to memory areas
    which have already been freed (CVE-2009-2416).

    Missing checks for the depth of ELEMENT DTD definitions when parsing
    child content can lead to extensive stack-growth due to a function
    recursion which can be triggered via a crafted XML document (CVE-2009-2414).


    For the oldstable distribution (etch), this problem has been fixed in
    version 2.6.27.dfsg-6+etch1.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.6.32.dfsg-5+lenny1.

    For the testing (squeeze) and unstable (sid) distribution, this problem
    will be fixed soon.


    We recommend that you upgrade your libxml2 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    The domain was unreachable or hard to reach from yesterday evening until midday today. There was a problem with the server's connection to the DNS system.

    This has now been fixed, and at the same time the malfunction in sending e-mails for new registrations in the forum has also been fixed.

    Quote

    Originally posted by Applecorner
    I have a root server from Server4You, but the only web interface available there is Plesk. Plesk, however, is too resource-hungry and does not assign an alternative domain for customers whose domain transfer or new order has not yet been completed. :(

    Well, Plesk does assign an internal web link that can also be reached from outside. It is accessible via the site preview in Plesk under the domain.

    Here is an example.

    https://xxxwebserver.de:8443/sitepreview/http/xyzdomain.de

    First comes the server link, then the port, and after that the symbolic link to the domain. This also makes sites reachable whose domain has not yet been released.

    Package : imagemagick
    Vulnerability : multiple
    Problem type : local (remote)
    Debian-specific: no
    CVE Id(s) : CVE-2007-1667 CVE-2007-1797 CVE-2007-4985 CVE-2007-4986
    CVE-2007-4987 CVE-2007-4988 CVE-2008-1096 CVE-2008-1097
    CVE-2009-1882
    Debian Bug : 418057 412945 444267 530838

    Several vulnerabilities have been discovered in the imagemagick image
    manipulation programs which can lead to the execution of arbitrary code,
    exposure of sensitive information or cause DoS. The Common Vulnerabilities
    and Exposures project identifies the following problems:

    CVE-2007-1667

    Multiple integer overflows in XInitImage function in xwd.c for
    ImageMagick, allow user-assisted remote attackers to cause a denial of
    service (crash) or obtain sensitive information via crafted images with
    large or negative values that trigger a buffer overflow. It only affects
    the oldstable distribution (etch).

    CVE-2007-1797

    Multiple integer overflows allow remote attackers to execute arbitrary
    code via a crafted DCM image, or the colors or comments field in a
    crafted XWD image. It only affects the oldstable distribution (etch).

    CVE-2007-4985

    A crafted image file can trigger an infinite loop in the ReadDCMImage
    function or in the ReadXCFImage function. It only affects the oldstable
    distribution (etch).

    CVE-2007-4986

    Multiple integer overflows allow context-dependent attackers to execute
    arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file,
    which triggers a heap-based buffer overflow. It only affects the
    oldstable distribution (etch).

    CVE-2007-4987

    Off-by-one error allows context-dependent attackers to execute arbitrary
    code via a crafted image file, which triggers the writing of a '\0'
    character to an out-of-bounds address. It affects only the oldstable
    distribution (etch).

    CVE-2007-4988

    A sign extension error allows context-dependent attackers to execute
    arbitrary code via a crafted width value in an image file, which
    triggers an integer overflow and a heap-based buffer overflow. It
    affects only the oldstable distribution (etch).

    CVE-2008-1096

    The load_tile function in the XCF coder allows user-assisted remote
    attackers to cause a denial of service or possibly execute arbitrary
    code via a crafted .xcf file that triggers an out-of-bounds heap write.
    It affects only the oldstable distribution (etch).

    CVE-2008-1097

    Heap-based buffer overflow in the PCX coder allows user-assisted remote
    attackers to cause a denial of service or possibly execute arbitrary
    code via a crafted .pcx file that triggers incorrect memory allocation
    for the scanline array, leading to memory corruption. It affects only
    the oldstable distribution (etch).

    CVE-2009-1882

    Integer overflow allows remote attackers to cause a denial of service
    (crash) and possibly execute arbitrary code via a crafted TIFF file,
    which triggers a buffer overflow.

    For the old stable distribution (etch), these problems have been fixed in
    version 7:6.2.4.5.dfsg1-0.15+etch1.

    For the stable distribution (lenny), these problems have been fixed in
    version 7:6.3.7.9.dfsg2-1~lenny3.

    For the upcoming stable distribution (squeeze) and the unstable
    distribution (sid), these problems have been fixed in version
    7:6.5.1.0-1.1.

    We recommend that you upgrade your imagemagick packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : camlimages
    Vulnerability : integer overflow
    Problem type : local (remote)
    Debian-specific: no
    CVE Ids : CVE-2009-2660
    Debian Bug : 540146

    Tielei Wang discovered that CamlImages, an open source image processing
    library, suffers from several integer overflows which may lead to a
    potentially exploitable heap overflow and result in arbitrary code
    execution. This advisory addresses issues with the reading of JPEG and
    GIF Images, while DSA 1832-1 addressed the issue with PNG images.

    For the oldstable distribution (etch), this problem has been fixed in
    version 2.20-8+etch2.

    For the stable distribution (lenny), this problem has been fixed in
    version 1:2.2.0-4+lenny2.

    For the unstable distribution (sid), this problem has been fixed in
    version 1:3.0.1-3.


    We recommend that you upgrade your camlimages package.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : squid3
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    Debian bug : 538989 539160
    CVE ID : CVE-2009-2622 CVE-2009-2621

    It was discovered that squid3, a high-performance proxy caching server for
    web clients, is prone to several denial of service attacks. Due to incorrect
    bounds checking and insufficient validation while processing response and
    request data an attacker is able to crash the squid daemon via crafted
    requests or responses.

    This update to DSA-1843-1 includes updated upstream patches which add
    checks for a corner-case in which an incomplete server reply could
    also lead to denial of service conditions as well as more debugging
    information.


    The squid package in the oldstable distribution (etch) is not affected
    by this problem.

    For the stable distribution (lenny), this problem has been fixed in
    version 3.0.STABLE8-3+lenny2.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 3.0.STABLE18-1.


    We recommend that you upgrade your squid3 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    Package : mantis
    Vulnerability : information leak
    Problem type : local
    Debian-specific: yes
    Debian Bug : 425010

    It was discovered that the Debian Mantis package, a web based bug
    tracking system, installed the database credentials in a file with
    world-readable permissions onto the local filesystem. This allows
    local users to acquire the credentials used to control the Mantis
    database.

    This updated package corrects this problem for new installations and
    will carefully try to update existing ones. Administrators can check
    the permissions of the file /etc/mantis/config_db.php to see if they
    are safe for their environment.

    The old stable distribution (etch) does not contain a mantis package.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.1.6+dfsg-2lenny1.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.1.8+dfsg-2.

    We recommend that you upgrade your mantis package.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 5.0 alias lenny
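The check the Mantis advisory suggests, as an added example that is not part of the advisory or the Debian package: it classifies the permission bits of a credentials file such as /etc/mantis/config_db.php and flags any access granted to "other" users (group read is tolerated because the web server normally reads the file through a dedicated group). The default path is the one from the advisory; everything else is an assumption of this example.

```python
"""Report whether a credentials file is exposed beyond its owner and group.

Added example (not from the advisory or the Mantis package). Usage:
    python3 check_secret_perms.py [/path/to/file]
"""
import os
import stat
import sys

# Path named in the advisory; any other secrets file can be passed instead.
DEFAULT_PATH = "/etc/mantis/config_db.php"


def check_mode(mode: int) -> dict:
    """Classify a permission mode (e.g. 0o644) for a file holding secrets.

    Any bit for 'other' is unsafe: local users could read (or alter) the
    database credentials. Group write is flagged too, since the web server's
    group only needs to read the file. Group read is accepted.
    """
    mode = stat.S_IMODE(mode)  # strip file-type bits from a raw st_mode
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IXOTH:
        findings.append("world-executable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return {"mode": oct(mode), "safe": not findings, "findings": findings}


def check_file(path: str) -> dict:
    """stat() the file and add its owner/group ids to the mode verdict."""
    st = os.stat(path)
    result = check_mode(st.st_mode)
    result.update(path=path, uid=st.st_uid, gid=st.st_gid)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    try:
        r = check_file(target)
    except OSError as exc:
        sys.exit(f"{target}: {exc}")
    status = "OK" if r["safe"] else "UNSAFE: " + ", ".join(r["findings"])
    print(f"{r['path']} mode={r['mode']} uid={r['uid']} gid={r['gid']} {status}")
    sys.exit(0 if r["safe"] else 1)
```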

    Package : subversion
    Vulnerability : heap overflow
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-2411

    Matt Lewis discovered that Subversion performs insufficient input
    validation of svndiff streams. Malicious servers could cause heap
    overflows in clients, and malicious clients with commit access could
    cause heap overflows in servers, possibly leading to arbitrary code
    execution in both cases.

    For the old stable distribution (etch), this problem has been fixed in
    version 1.4.2dfsg1-3.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.5.1dfsg1-4.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.6.4dfsg-1.

    We recommend that you upgrade your Subversion packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : apr, apr-util
    Vulnerability : heap buffer overflow
    Debian-specific: no
    CVE Id(s) : CVE-2009-2412

    Matt Lewis discovered that the memory management code in the Apache
    Portable Runtime (APR) library does not guard against a wrap-around
    during size computations. This could cause the library to return a
    memory area which is smaller than requested, resulting in a heap overflow
    and possibly arbitrary code execution.

    For the old stable distribution (etch), this problem has been fixed in
    version 1.2.7-9 of the apr package, and version 1.2.7+dfsg-2+etch3 of
    the apr-util package.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.2.12-5+lenny1 of the apr package and version 1.2.12-5+lenny1
    of the apr-util package.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your APR packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : memcached
    Vulnerability : heap-based buffer overflow
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-2415

    Ronald Volgers discovered that memcached, a high-performance memory object
    caching system, is vulnerable to several heap-based buffer overflows due
    to integer conversions when parsing certain length attributes. An
    attacker can use this to execute arbitrary code on the system running
    memcached (on etch with root privileges).


    For the oldstable distribution (etch), this problem has been fixed in
    version 1.1.12-1+etch1.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.2.2-1+lenny1.

    For the testing (squeeze) and unstable (sid) distribution, this problem
    will be fixed soon.


    We recommend that you upgrade your memcached packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : fetchmail
    Vulnerability : insufficient input validation
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-2666

    It was discovered that fetchmail, a full-featured remote mail retrieval
    and forwarding utility, is vulnerable to the "Null Prefix Attacks Against
    SSL/TLS Certificates" recently published at the Blackhat conference.
    This allows an attacker to perform undetected man-in-the-middle attacks
    via a crafted ITU-T X.509 certificate with an injected null byte in the
    subjectAltName or Common Name fields.

    Note: as a fetchmail user you should always use strict certificate
    validation through one of these option combinations:
    sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports)
    or
    sslcertck sslproto tls1 (for STARTTLS-based services)


    For the oldstable distribution (etch), this problem has been fixed in
    version 6.3.6-1etch2.

    For the stable distribution (lenny), this problem has been fixed in
    version 6.3.9~rc2-4+lenny1.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 6.3.9~rc2-6.


    We recommend that you upgrade your fetchmail packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : gst-plugins-bad0.10
    Vulnerability : integer overflow
    Problem type : local (remote)
    Debian-specific: no
    CVE Id : CVE-2009-1438
    Debian Bugs : 527075


    It was discovered that gst-plugins-bad0.10, the GStreamer plugins from
    the "bad" set, is prone to an integer overflow when processing a MED
    file with a crafted song comment or song name.


    For the stable distribution (lenny), this problem has been fixed in
    version 0.10.7-2+lenny2.

    For the oldstable distribution (etch), this problem has been fixed in
    version 0.10.3-3.1+etch3.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), gst-plugins-bad0.10 links against libmodplug.


    We recommend that you upgrade your gst-plugins-bad0.10 packages.

    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : libmodplug
    Vulnerability : several
    Problem type : local (remote)
    Debian-specific: no
    CVE Ids : CVE-2009-1438 CVE-2009-1513
    Debian Bugs : 526657 527076 526084

    Several vulnerabilities have been discovered in libmodplug, the shared
    libraries for mod music based on ModPlug. The Common Vulnerabilities and
    Exposures project identifies the following problems:

    CVE-2009-1438

    It was discovered that libmodplug is prone to an integer overflow when
    processing a MED file with a crafted song comment or song name.

    CVE-2009-1513

    It was discovered that libmodplug is prone to a buffer overflow in the
    PATinst function, when processing a long instrument name.


    For the stable distribution (lenny), these problems have been fixed in
    version 1:0.8.4-1+lenny1.

    For the oldstable distribution (etch), these problems have been fixed in
    version 1:0.7-5.2+etch1.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem has been fixed in version 1:0.8.7-1.


    We recommend that you upgrade your libmodplug packages.


    Upgrade instructions
    --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch