Control: retitle -1 [DLA] fixes for 2014/dla-*

-- more fixes:
* mention -2 for 25,58,72
* add reference to -2 for 91,120
* 59 and 115 created from upload log
* mention 59-1 instead of dsa in 63
* fix typo on 72,75
-- victory no need to CC me :-)
Index: english/security/2014/dla-25.data =================================================================== --- english/security/2014/dla-25.data (revision 204) +++ english/security/2014/dla-25.data (working copy) @@ -1,5 +1,5 @@ -<define-tag pagetitle>DLA-25-1 python2.6</define-tag> -<define-tag report_date>2014-7-31</define-tag> +<define-tag pagetitle>DLA-25-2 python2.6</define-tag> +<define-tag report_date>2014-8-5</define-tag> <define-tag secrefs>CVE-2011-1015 CVE-2011-1521 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-4238 CVE-2014-1912</define-tag> <define-tag packages>python2.6</define-tag> <define-tag isvulnerable>yes</define-tag> Index: english/security/2014/dla-25.wml =================================================================== --- english/security/2014/dla-25.wml (revision 204) +++ english/security/2014/dla-25.wml (working copy) @@ -1,5 +1,12 @@ <define-tag description>LTS security update</define-tag> <define-tag moreinfo> +<p>A regression has been identified in the python2.6 update of DLA-25-1, +which may cause python applications to abort if they were running during +the upgrade but they had not already imported the 'os' module, and do so +after the upgrade. This update fixes this upgrade scenario.</p> + +<p>For reference, the original advisory text follows.</p> + <p>Multiple vulnerabilities were discovered in python2.6. The more relevant are:</p> @@ -18,7 +25,7 @@ </ul> -<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in python2.6 version 2.6.6-8+deb6u1</p> +<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in python2.6 version 2.6.6-8+deb6u2</p> </define-tag> # do not modify the following line Index: english/security/2014/dla-59.data =================================================================== --- english/security/2014/dla-59.data (nonexistent) +++ english/security/2014/dla-59.data (working copy) 
@@ -0,0 +1,10 @@ +<define-tag pagetitle>DLA-59-1 bash</define-tag> +<define-tag report_date>2014-9-24</define-tag> +<define-tag secrefs>CVE-2014-6271</define-tag> +<define-tag packages>bash</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + Index: english/security/2014/dla-59.wml =================================================================== --- english/security/2014/dla-59.wml (nonexistent) +++ english/security/2014/dla-59.wml (working copy) @@ -0,0 +1,23 @@ +<define-tag description>LTS security update</define-tag> +<define-tag moreinfo></p> + +<ul> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2014-6271">CVE-2014-6271</a>: + +<p>GNU Bash through 4.3 processes trailing strings after function definitions +in the values of environment variables, which allows remote attackers to +execute arbitrary code via a crafted environment, as demonstrated by vectors +involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and +mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified +DHCP clients, and other situations in which setting the environment occurs +across a privilege boundary from Bash execution, aka "ShellShock."</p></li> + +</ul> + +<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in bash version 4.1-3+deb6u1</p> +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/security/2014/dla-59.data" +# $Id: $ Index: english/security/2014/dla-58.data =================================================================== --- english/security/2014/dla-58.data (revision 204) +++ english/security/2014/dla-58.data (working copy) 
@@ -1,5 +1,5 @@ -<define-tag pagetitle>DLA-58-1 apt</define-tag> -<define-tag report_date>2014-9-23</define-tag> +<define-tag pagetitle>DLA-58-2 apt</define-tag> +<define-tag report_date>2014-10-14</define-tag> <define-tag secrefs>CVE-2014-6273</define-tag> <define-tag packages>apt</define-tag> <define-tag isvulnerable>yes</define-tag> Index: english/security/2014/dla-58.wml =================================================================== --- english/security/2014/dla-58.wml (revision 204) +++ english/security/2014/dla-58.wml (working copy) @@ -1,5 +1,10 @@ <define-tag description>LTS security update</define-tag> <define-tag moreinfo> +<p>This update fixes a regression introduced in 0.8.10.3+squeeze5 where +apt would send invalid HTTP requests when sending If-Range queries.</p> + +<p>For reference, the original advisory text follows.</p> + <p>The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the 
@@ -8,19 +13,19 @@ <p>The following regression fixes were included in this update:</p> - <p>* Fix regression from the previous update in DLA-53-1 when the custom - apt configuration option for Dir::state::lists is set to a relative - path (#762160).</p> + <p>* Fix regression from the previous update in <a href="dla-53">DLA-53-1</a> + when the custom apt configuration option for Dir::state::lists is set to a + relative path (#762160).</p> <p>* Fix regression in the reverificaiton handling of cdrom: sources that may lead to incorrect hashsum warnings. Affected users need to run "apt-cdrom add" again after the update was applied.</p> - <p>* Fix regression from the previous update in DLA-53-1 when file:/// - sources are used and those are on a different partition than the apt - state directory.</p> + <p>* Fix regression from the previous update in <a href="dla-53">DLA-53-1</a> + when file:/// sources are used and those are on a different partition than + the apt state directory.</p> -<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in apt version 0.8.10.3+squeeze5</p> +<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in apt version 0.8.10.3+squeeze6</p> </define-tag> # do not modify the following line Index: english/security/2014/dla-63.wml =================================================================== --- english/security/2014/dla-63.wml (revision 204) +++ english/security/2014/dla-63.wml (working copy) 
@@ -1,8 +1,8 @@ <define-tag description>LTS security update</define-tag> <define-tag moreinfo> <p>Tavis Ormandy discovered that the patch applied to fix <a href="https://security-tracker.debian.org/tracker/CVE-2014-6271">CVE-2014-6271</a> -released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was -incomplete and could still allow some characters to be injected into +released in <a href="dla-59">DLA-59-1</a> for bash, the GNU Bourne-Again Shell, +was incomplete and could still allow some characters to be injected into another environment (<a href="https://security-tracker.debian.org/tracker/CVE-2014-7169">CVE-2014-7169</a>). With this update prefix and suffix for environment variable names which contain shell functions are added as hardening measure.</p> Index: english/security/2014/dla-72.data =================================================================== --- english/security/2014/dla-72.data (revision 204) +++ english/security/2014/dla-72.data (working copy) @@ -1,7 +1,7 @@ -<define-tag pagetitle>DLA-72-1 rsylog</define-tag> -<define-tag report_date>2014-10-19</define-tag> +<define-tag pagetitle>DLA-72-2 rsyslog</define-tag> +<define-tag report_date>2014-10-20</define-tag> <define-tag secrefs>CVE-2014-3634 CVE-2014-3683</define-tag> -<define-tag packages>rsylog</define-tag> +<define-tag packages>rsyslog</define-tag> <define-tag isvulnerable>yes</define-tag> <define-tag fixed>yes</define-tag> <define-tag fixed-section>no</define-tag> Index: english/security/2014/dla-72.wml =================================================================== --- english/security/2014/dla-72.wml (revision 204) +++ english/security/2014/dla-72.wml (working copy) 
@@ -1,6 +1,11 @@ <define-tag description>LTS security update</define-tag> <define-tag moreinfo> +<p>The Wheezy patch left an unresolved symbol in the imklog module of +the Squeeze version. rsyslog worked fine except that messages from the +kernel couldn't be submitted any longer. This update fixes this issue.</p> +<p>For reference, the original advisory text follows.</p> + <ul> <li><a href="https://security-tracker.debian.org/tracker/CVE-2014-3634">CVE-2014-3634</a> @@ -16,7 +21,7 @@ </ul> -<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in rsylog version 4.6.4-2+deb6u1</p> +<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in rsyslog version 4.6.4-2+deb6u2</p> </define-tag> # do not modify the following line Index: english/security/2014/dla-75.wml =================================================================== --- english/security/2014/dla-75.wml (revision 204) +++ english/security/2014/dla-75.wml (working copy) @@ -7,8 +7,8 @@ <li><a href="https://security-tracker.debian.org/tracker/CVE-2014-4274">CVE-2014-4274</a> - <p>Insecure handling of a temporary file that could lead to abritrary - execution of code through the creation of a mysql configuration file + <p>Insecure handling of a temporary file that could lead to execution + of arbitrary code through the creation of a mysql configuration file pointing to an attacker-controlled plugin_dir.</p></li> <li><a href="https://security-tracker.debian.org/tracker/CVE-2013-2162">CVE-2013-2162</a> Index: english/security/2014/dla-115.data =================================================================== --- english/security/2014/dla-115.data (nonexistent) +++ english/security/2014/dla-115.data (working copy) 
@@ -0,0 +1,9 @@ +<define-tag pagetitle>DLA-115-1 gosa</define-tag> +<define-tag report_date>2014-12-18</define-tag> +<define-tag packages>gosa</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + Index: english/security/2014/dla-115.wml =================================================================== --- english/security/2014/dla-115.wml (nonexistent) +++ english/security/2014/dla-115.wml (working copy) @@ -0,0 +1,14 @@ +<define-tag description>LTS security update</define-tag> +<define-tag moreinfo> + <p>Fix XSS issue during login.</p> + + <p>Fix authentication of GOsa² against the underlying LDAP server(s) + via the gosa-admin DN (#768509).</p> + +<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in gosa +version 2.6.11-3+squeeze3.</p> +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/security/2014/dla-115.data" +# $Id: $ Index: english/security/2014/dla-120.wml =================================================================== --- english/security/2014/dla-120.wml (revision 204) +++ english/security/2014/dla-120.wml (working copy) @@ -1,5 +1,8 @@ <define-tag description>LTS security update</define-tag> <define-tag moreinfo> +<p>This advisory has been superseded by <a href="../2015/dla-120">DLA-120-2</a>. +For reference, the original advisory text follows.</p> + <p>Ilja van Sprundel of IOActive discovered several security issues in the X.org X server, which may lead to privilege escalation or denial of service.</p>
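Review bot: in the new dla-59.wml the line `<define-tag moreinfo></p>` carries a stray `</p>` that has no matching `<p>`; every other advisory in this change opens the tag bare (`<define-tag moreinfo>`) and begins the body with `<p>` or `<ul>`, so drop the `</p>` here. The closing sentence "these issues have been fixed in bash version 4.1-3+deb6u1" also refers to a single entry, CVE-2014-6271, so "this issue has been fixed" would match the list above it.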
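Review bot: the commit message says typos were fixed on 72 and 75, but the unchanged context line `<p>* Fix regression in the reverificaiton handling of cdrom: sources` in dla-58.wml still reads "reverificaiton"; since that file is already being rewritten to bump to DLA-58-2, correct it to "reverification" in the same hunk, and "man-in-the-middle a HTTP request" to "an HTTP request" while there.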
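Review bot: dla-115.data is the only .data file in this change without a `<define-tag secrefs>` line, so nothing ties the gosa advisory to a CVE identifier; if none was assigned for the login XSS and the gosa-admin authentication fix (#768509) that is acceptable, otherwise add the secrefs line next to `<define-tag packages>gosa</define-tag>` as the other files do. In dla-115.wml the two body paragraphs are indented by a leading space unlike the rest of the advisories in this change; align them for consistency.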