Posts by Micha

    Package : cups, cupsys
    Vulnerability : null ptr dereference
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-0949


    Anibal Sacco discovered that cups, a general printing system for UNIX
    systems, suffers from null pointer dereference because of its handling
    of two consecutive IPP packets with certain tag attributes that are
    treated as IPP_TAG_UNSUPPORTED tags. This allows unauthenticated attackers
    to perform denial of service attacks by crashing the cups daemon.


    For the oldstable distribution (etch), this problem has been fixed in
    version 1.2.7-4+etch8 of cupsys.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.3.8-1+lenny6 of cups.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem will be fixed soon.


    We recommend that you upgrade your cups/cupsys packages.

    Upgrade instructions
--------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : libapache-mod-jk
    Vulnerability : information disclosure
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2008-5519
    Debian Bug : 523054

An information disclosure flaw was found in mod_jk, the Tomcat Connector
module for Apache. If a buggy client included the "Content-Length" header
without providing request body data, or if a client sent repeated
requests very quickly, one client could obtain a response intended for
another client.

    For the stable distribution (lenny), this problem has been fixed in
    version 1:1.2.26-2+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1:1.2.18-3etch2.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem has been fixed in version 1:1.2.26-2.1.

    We recommend that you upgrade your libapache-mod-jk packages.

    Upgrade instructions
--------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

From 05.06.2009 at around 12:00 until 06.06.2009, server maintenance will be carried out. The server's operating system is being replaced, since updates are no longer offered for the current one (SUSE 10.1).

During this time the domain will be completely unreachable.

    Package : linux-2.6
    Vulnerability : denial of service, privilege escalation
    Problem type : local/remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-1630 CVE-2009-1633 CVE-2009-1758

    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a denial of service, or privilege escalation. The Common
    Vulnerabilities and Exposures project identifies the following
    problems:

    CVE-2009-1630

    Frank Filz discovered that local users may be able to execute
    files without execute permission when accessed via an nfs4 mount.

    CVE-2009-1633

    Jeff Layton and Suresh Jayaraman fixed several buffer overflows in
    the CIFS filesystem which allow remote servers to cause memory
    corruption.

    CVE-2009-1758

    Jan Beulich discovered an issue in Xen where local guest users may
    cause a denial of service (oops).

    This update also fixes a regression introduced by the fix for
    CVE-2009-1184 in 2.6.26-15lenny3. This prevents a boot time panic on
    systems with SELinux enabled.

    For the stable distribution (lenny), these problems have been fixed in
    version 2.6.26-15lenny3.

    For the oldstable distribution (etch), these problems, where
    applicable, will be fixed in future updates to linux-2.6 and
    linux-2.6.24.

    We recommend that you upgrade your linux-2.6 and user-mode-linux
    packages.

    Note: Debian carefully tracks all known security issues across every
    linux kernel package in all releases under active security support.
    However, given the high frequency at which low-severity security
    issues are discovered in the kernel and the resource requirements of
    doing an update, updates for lower priority issues will normally not
    be released for all kernels at the same time. Rather, they will be
    released in a staggered or "leap-frog" fashion.

    Upgrade instructions
--------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    The following matrix lists additional source packages that were rebuilt for
    compatibility with or to take advantage of this update:

    Debian 5.0 (lenny)
    user-mode-linux 2.6.26-1um-2+15lenny3

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 5.0 alias lenny

A rented domain on my server was suddenly locked today. Unlocking was not possible, because Plesk kept saying "The domain is temporarily locked for backup/restore purposes."

But no backup process had been started. Well, what now; so I searched and found the solution. Entering the following command on the command line unlocks the domain:

    /usr/local/psa/bin/domain --on deineDomain.de

    Package : drupal6
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE ID : no CVE id yet
    Debian Bug : 529190 531386


    Markus Petrux discovered a cross-site scripting vulnerability in the
    taxonomy module of drupal6, a fully-featured content management
    framework. It is also possible that certain browsers using the UTF-7
    encoding are vulnerable to a different cross-site scripting
    vulnerability.

    For the stable distribution (lenny), these problems have been fixed in
    version 6.6-3lenny2.

    The oldstable distribution (etch) does not contain drupal6.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems have been fixed in version 6.11-1.1.


    We recommend that you upgrade your drupal6 packages.


    Upgrade instructions
--------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    Package : cyrus-sasl2, cyrus-sasl2-heimdal
    Vulnerability : buffer overflow
    Problem type : remote
    Debian-specific: no
    Debian bug : 528749
    CERT advisory : VU#238019
    CVE ID : CVE-2009-0688

    James Ralston discovered that the sasl_encode64() function of cyrus-sasl2,
    a free library implementing the Simple Authentication and Security Layer,
    suffers from a missing null termination in certain situations. This causes
    several buffer overflows in situations where cyrus-sasl2 itself requires
    the string to be null terminated which can lead to denial of service or
    arbitrary code execution.

    Important notice (Quoting from US-CERT):
    While this patch will fix currently vulnerable code, it can cause
    non-vulnerable existing code to break. Here's a function prototype from
    include/saslutil.h to clarify my explanation:

    /* base64 encode
    * in -- input data
    * inlen -- input data length
    * out -- output buffer (will be NUL terminated)
    * outmax -- max size of output buffer
    * result:
    * outlen -- gets actual length of output buffer (optional)
    *
    * Returns SASL_OK on success, SASL_BUFOVER if result won't fit
    */
    LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
    char *out, unsigned outmax,
    unsigned *outlen);

    Assume a scenario where calling code has been written in such a way that it
    calculates the exact size required for base64 encoding in advance, then
    allocates a buffer of that exact size, passing a pointer to the buffer into
    sasl_encode64() as *out. As long as this code does not anticipate that the
    buffer is NUL-terminated (does not call any string-handling functions like
    strlen(), for example) the code will work and it will not be vulnerable.

    Once this patch is applied, that same code will break because sasl_encode64()
    will begin to return SASL_BUFOVER.


    For the oldstable distribution (etch), this problem will be fixed soon.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.1.22.dfsg1-23+lenny1 of cyrus-sasl2 and cyrus-sasl2-heimdal.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.1.23.dfsg1-1 of cyrus-sasl2 and cyrus-sasl2-heimdal.


    We recommend that you upgrade your cyrus-sasl2/cyrus-sasl2-heimdal packages.

    Upgrade instructions
--------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny
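The exact-size-buffer scenario quoted above, as an added example that is not cyrus-sasl's own code: a minimal encoder following the sasl_encode64() contract from saslutil.h (the SASL_BUFOVER value and the function names are assumptions for this example), showing the pre-patch fit check beside the patched one that reserves room for the terminating NUL.

```c
/* Added example, not the cyrus-sasl implementation: a base64 encoder with
 * the sasl_encode64() contract, to show why a caller that sized its output
 * buffer for the encoded bytes only now receives SASL_BUFOVER. */
#include <stddef.h>
#include <string.h>

#define SASL_OK       0
#define SASL_BUFOVER (-4)   /* numeric value chosen for this example only */

static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encoded length without the terminating NUL: 4 chars per 3 input bytes. */
unsigned encoded_len(unsigned inlen) { return ((inlen + 2) / 3) * 4; }

/* Pre-patch check (as described in the advisory): only the encoded
 * characters were required to fit, so an "exact" buffer of encoded_len()
 * bytes passed the check and the NUL was written one byte past its end. */
int fits_prepatch(unsigned inlen, unsigned outmax)
{
    return outmax >= encoded_len(inlen);
}

/* Patched contract: the NUL must fit as well, otherwise SASL_BUFOVER. */
int encode64_patched(const char *in, unsigned inlen,
                     char *out, unsigned outmax, unsigned *outlen)
{
    unsigned need = encoded_len(inlen);
    if (outmax < need + 1)          /* +1 reserves room for the NUL */
        return SASL_BUFOVER;

    const unsigned char *p = (const unsigned char *)in;
    char *o = out;
    for (unsigned i = 0; i < inlen; i += 3) {
        unsigned rem = inlen - i;   /* bytes left in this 3-byte group */
        unsigned v = (unsigned)p[i] << 16;
        if (rem > 1) v |= (unsigned)p[i + 1] << 8;
        if (rem > 2) v |= (unsigned)p[i + 2];
        *o++ = b64[(v >> 18) & 63];
        *o++ = b64[(v >> 12) & 63];
        *o++ = rem > 1 ? b64[(v >> 6) & 63] : '=';
        *o++ = rem > 2 ? b64[v & 63] : '=';
    }
    *o = '\0';                      /* always NUL terminated on success */
    if (outlen) *outlen = need;
    return SASL_OK;
}
```

Callers that allocated encoded_len(inlen) bytes must allocate encoded_len(inlen) + 1 to keep working with the patched library.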

I'd say there is something in Confixx too, log files or similar. Unfortunately I don't have Confixx.

However, the error message clearly says:

Quote

    More information about this error may be available in the server error log. Apache Server at https://www.rootserverprojekt.de/www.community-channel.de Port 80

So the Apache error log needs to be looked at, and only the provider can do that. Also weak of the provider not even to enter a contact address in the server....

Quote

    Please contact the server administrator, [no address given]

    Package : cscope
    Vulnerability : buffer overflows
    Problem type : local(remote)
    Debian-specific: no
    CVE Id(s) : CVE-2009-0148
    Debian Bug : 528510

    Matt Murphy discovered that cscope, a source code browsing tool, does not
    verify the length of file names sourced in include statements, which may
    potentially lead to the execution of arbitrary code through specially
    crafted source code files.

    For the stable distribution (lenny), this problem has been fixed in
    version 15.6-6+lenny1.

    Due to a technical limitation in the Debian archive management scripts
    the update for the old stable distribution (etch) cannot be released
    synchronously. It will be fixed in version 15.6-2+etch1 soon.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your cscope package.

    Upgrade instructions
--------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

The domain is already with the new provider :D


    domain: dpsg-friesoythe.com
    status: LOCK,TRANSFER-LOCK-60
    owner-c: LULU-10517352
    admin-c: LULU-10517352
    tech-c: LULU-10517352
    zone-c: LULU-10517352
    nserver: ns1.ntdns.de
    nserver: ns2.ntdns.de
    nserver: ns3.ntdns.de
    created: 2009-05-22 13:32:09
    expire: 2009-05-22 13:32:32 (registry time)
    changed: 2009-05-22 14:10:32


You only need to check on dpsgfriesoythe.com, that one is still with the old provider.

    Package : pidgin
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-1373 CVE-2009-1375 CVE-2009-1376

    Several vulnerabilities have been discovered in Pidgin, a graphical
    multi-protocol instant messaging client. The Common Vulnerabilities and
    Exposures project identifies the following problems:

    CVE-2009-1373

    A buffer overflow in the Jabber file transfer code may lead to
    denial of service or the execution of arbitrary code.

    CVE-2009-1375

    Memory corruption in an internal library may lead to denial of
    service.

    CVE-2009-1376

    The patch provided for the security issue tracked as CVE-2008-2927
    - integer overflows in the MSN protocol handler - was found to be
    incomplete.

    The old stable distribution (etch) is affected under the source package
    name gaim. However, due to build problems the updated packages couldn't
    be released along with the stable version. It will be released once the
    build problem is resolved.

    For the stable distribution (lenny), these problems have been fixed in
    version 2.4.3-4lenny2.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.5.6-1.

    We recommend that you upgrade your pidgin packages.

    Upgrade instructions
--------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny

    Package : ipsec-tools
    Vulnerability : null pointer dereference, memory leaks
    Problem type : remote
    Debian-specific: no
    Debian bug : 527634 528933
    CVE ID : CVE-2009-1574 CVE-2009-1632

Several remote vulnerabilities have been discovered in racoon, the Internet Key
Exchange daemon of ipsec-tools. The Common Vulnerabilities and Exposures
project identified the following problems:

    Neil Kettle discovered a NULL pointer dereference on crafted fragmented packets
    that contain no payload. This results in the daemon crashing which can be used
    for denial of service attacks (CVE-2009-1574).

    Various memory leaks in the X.509 certificate authentication handling and the
    NAT-Traversal keepalive implementation can result in memory exhaustion and
    thus denial of service (CVE-2009-1632).


    For the oldstable distribution (etch), this problem has been fixed in
    version 0.6.6-3.1etch3.

    For the stable distribution (lenny), this problem has been fixed in
    version 0.7.1-1.3+lenny2.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 1:0.7.1-1.5.


    We recommend that you upgrade your ipsec-tools packages.

    Upgrade instructions
--------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : nsd, nsd3
    Vulnerability : buffer overflow
    Problem type : remote
    Debian-specific: no
    CERT advisory : VU#710316
    Debian Bug : 529418 529420

Ilja van Sprundel discovered that a buffer overflow in NSD, an authoritative
name service daemon, made it possible to crash the server by sending a crafted
packet, creating a denial of service.

    For the old stable distribution (etch), this problem has been fixed in
    version 2.3.6-1+etch1 of the nsd package.

    For the stable distribution (lenny), this problem has been fixed in
    version 2.3.7-1.1+lenny1 of the nsd package and version 3.0.7-3.lenny2
    of the nsd3 package.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.3.7-3 for nsd; nsd3 will be fixed soon.

    We recommend that you upgrade your nsd or nsd3 package.

    Upgrade instructions
--------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch

    Package : squirrelmail
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-1578 CVE-2009-1579 CVE-2009-1580 CVE-2009-1581
    CVE-2009-1381
    Debian Bug : 528528

    Michal Hlavinka discovered that the fix for code execution in the
    map_yp_alias function, known as CVE-2009-1579 and released in DSA 1802-1,
    was incomplete. This update corrects the fix for that function.

    For the old stable distribution (etch), this problem has been fixed in
    version 1.4.9a-5.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.4.15-4+lenny2.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.19-1.

    We recommend that you upgrade your squirrelmail package.

    Upgrade instructions
--------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 4.0 alias etch

You do have to keep to a certain order, otherwise the request will probably be rejected at first.

1. Submit the KK (transfer request) to the old provider; this sets the domain to transfer status.
2. Enter the domain in the DNS at the new provider.
3. In the customer menu, in the Domain Robot, pull the domain to Webtropia via KK.

Now it went differently this time, we'll see what happens :lift:

So I just uploaded a 12 MB video. Worked without any problems.

With that, everything is fully set up.

One more question about the domain move: you have already submitted the KK to the old provider, right?

If yes, you have to move the domain in the Webtropia customer menu --> Domain Robot --> Expert mode --> Domain transfer to Webtropia. But create the domain in the DNS first!

Have fun with the Flvideo.