G'day there Gabriele, I'm hoping that this finds you fit and well.
Just to let you know, the update for "Squeeze", listed below, does not appear to have been uploaded into the security repository at the time of writing this email. You may already be aware of this, so please accept my apologies if I'm stating the obvious. Many thanks to you and your colleagues for maintaining such a great operating system. Cheerio for now, Brian. On 20 March 2012 07:05, Gabriele Giacone <1o5g4...@gmail.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - - > ------------------------------------------------------------------------- > Debian Security Advisory DSA-2435-1 secur...@debian.org > http://www.debian.org/security/ Gabriele Giacone > March 19, 2012 http://www.debian.org/security/faq > - - > ------------------------------------------------------------------------- > > Package : gnash > Vulnerability : several > Problem type : local / local (remote) > Debian-specific: no > CVE ID : CVE-2010-4337 CVE-2011-4328 CVE-2012-1175 > Debian Bug : 605419 649384 664023 > > Several vulnerabilities have been identified in Gnash, the GNU Flash > player. > > CVE-2012-1175 > > Tielei Wang from Georgia Tech Information Security Center discovered a > vulnerability in GNU Gnash which is caused due to an integer overflow > error and can be exploited to cause a heap-based buffer overflow by > tricking a user into opening a specially crafted SWF file. > > CVE-2011-4328 > > Alexander Kurtz discovered an unsafe management of HTTP cookies. Cookie > files are stored under /tmp and have predictable names, vulnerability > that allows a local attacker to overwrite arbitrary files the users has > write permissions for, and are also world-readable which may cause > information leak. > > CVE-2010-4337 > > Jakub Wilk discovered an unsafe management of temporary files during the > build process. Files are stored under /tmp and have predictable names, > vulnerability that allows a local attacker to overwrite arbitrary files > the users has write permissions for. > > For the stable distribution (squeeze), this problem has been fixed in > version 0.8.8-5+squeeze1. > > For the unstable distribution (sid), this problem has been fixed in > version 0.8.10-5. > > We recommend that you upgrade your gnash packages. > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: http://www.debian.org/security/ > > Mailing list: debian-security-annou...@lists.debian.org > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > > iEYEARECAAYFAk9nusMACgkQQWTRs4lLtHkgpwCgl9BiBCIslY0CitvMaYj0hIxx > +4UAoL9xJ0yinmxXn/rRrRgu11dzimgD > =cfiS > -----END PGP SIGNATURE----- > > > -- > To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact > listmas...@lists.debian.org > Archive: http://lists.debian.org/201203200005.34411.1o5g4...@gmail.com > > -- Brian Booth, Mobile: 0409 233 995 Mobile: 0469 012 389 Telephone: 08 9443 9691 Telephone: 08 6262 5652 email: brian...@gmail.com P.O. Box 264, MOUNT HAWTHORN. W.A. 6915
