Package: xfce4-terminal
Version: 0.2.8-5
Severity: normal
if new fonts are installed, xfce4-terminal will not recognize them until
all of its processes are stopped. this can be problematic because
users will expect the new options to be available immediately. also, if
the user is running a long
Package: mozilla-plugin-gnash
Version: 0.8.3-6
Severity: important
fyi, it appears that certain aspects of finance.google.com are currently
unsupported by gnash. for example, at [1], gnash does not draw the
stock graph.
thanks for the hard work.
[1] http://finance.google.com/finance?q=INDEXDJX
Package: python-matplotlib
Version: 0.98.3-4
Severity: normal
the following python code creates a histogram with an x-axis range of
0.1 min to 0.3 max (based on the mins and maxes of the x rather than bin).
the bins should be used to size the axis since the user specified that
he wanted to see tho
Package: vim
Version: 1:7.0.109
Severity: grave
Tags: security
Justification: user security hole
redhat has just released an update that fixes multiple security flaws in
vim [1]. these issues are currently reserved in the CVE tracker, but
redhat describes the problems as:
Multiple security flaw
Package: anjuta
Version: 1.2.4a-5
Severity: grave
i just tested the etch -> lenny transition, and anjuta failed to upgrade
properly. the error follows:
Preparing to replace anjuta 1:1.2.4a-5 (using
.../anjuta_2%3a2.4.2-1_amd64.deb) ...
Unpacking replacement anjuta ...
dpkg: error processing
Package: xscreensaver
Version: 5.05-3
Severity: grave
i just tested the etch -> lenny transition on two of my systems, and
xscreensaver ended up locking me out of both of them.
version 4.24 of the xscreensaver daemon was running when i started the
upgrade. i went off to work on some other thin
package: linux-2.6
severity: grave
tags: security
as seen in recent articles and discussions, the linux kernel is
currently vulnerable to rootkit attacks via the /dev/mem device. one
article [1] mentions that there is an existing patch for the problem,
but does not link to it. perhaps this fix c
On Thu, 16 Apr 2009 12:43:07 -0400, Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 11:55:05AM -0400, Michael S. Gilbert wrote:
> > as seen in recent articles and discussions, the linux kernel is
> > currently vulnerable to rootkit attacks via the /dev/mem device. one
> >
reopen 524373
thanks
On Thu, 16 Apr 2009 16:53:38 -0400 Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 04:21:10PM -0400, Michael S. Gilbert wrote:
> >
> > i think that any flaw that allows an attacker to elevate his pwnage from
> > root to hidden should always be consid
btw, redhat-based distros are thought to be invulnerable to these
attacks due to their incorporation of execshield (in particular, due to
address space randomization). perhaps it's high time that debian
consider doing the same?
i know that execshield is not in the vanilla kernel, but when it comes
to
this is the only libquantum3 bug on its page [1]. maybe you can get the
bugs.debian.org maintainers to change their presentation to include all
source bugs when looking at the binary package pages?
[1] http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libquantum3
On Sun, 19 Apr 2009 12:18:06 +0100
fyi, see upstream changelog as well:
http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
On Fri, 10 Apr 2009 18:18:00 +0100 Darren Salt wrote:
> This does not apply to xine-lib. You mean CVE-2009-0698, which is fixed in
> unstable (and should soon be fixed in, at least, stable too; it probably
> applies to oldstable too, but I've not looked yet).
not that i nor anyone else should trus
package: ffmpeg-debian
severity: important
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for ffmpeg-debian.
CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows r
package: ntop
severity: important
tags: security
hello,
fedora issued the following as a security update for ntop [0]:
ls -lh /var/log/ntop/access.log
-rw-rw-rw- 1 root root 0 2009-02-04 11:53 /var/log/ntop/access.log
Fixed.
log world-writable when the --access-log-file option
package: ghostscript
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for ghostscript.
CVE-2007-6725[0]:
| The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly
| other versions, allows remote attackers to cause a denial
package: phpmyadmin
severity: important
tags: security
hello,
fedora issued a security update for phpmyadmin [0]:
Improvements for 3.1.3.2: - [security] Insufficient output sanitizing
when generating configuration file
http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php
does th
package: mplayer
severity: important
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for mplayer.
CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows remote
| atta
package: poppler
severity: grave
tags: security
hello,
ubuntu recently patched the following poppler issues [0]:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
the
package: cups
severity: grave
tags: security
hello,
redhat recently patched the following cups [0], xpdf [1], and
kdegraphics[2] issues:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183
these are
On Thu, 16 Apr 2009 23:50:54 -0600 dann frazier wrote:
> > > The support for dynamically loadable kernel modules in Linux can be
> > > abused similarly. Does that make it a "grave security issue"?
> >
> > probably...at least until someone comes up with a secure way to do it.
>
> Oh, come on.
>
Wouter Verhelst wrote:
> There are several ways in which a local attacker can get root access.
> 'init=/bin/bash'. boot with the 'emergency' option (which causes
> sysvinit to do almost the same thing as 'init=/bin/bash'). Boot a
> live-CD, chroot into the target system. Worst case, remove the disk
i was looking at the link as provided in redhat's announcement. this
seems to be CVE-2009-1285, which debian is already tracking as
unimportant. however, the phpmyadmin page considers the issue to be
critical. perhaps the debian severity is too low?
mike
On Mon, 20 Apr 2009 12:52:28 +0200, Thijs Kinkhorst wrote:
> On Mon, April 20, 2009 06:15, Michael S. Gilbert wrote:
> > i was looking at the link as provided in redhat's announcement. this
> > seems to be CVE-2009-1285, which debian is already tracking as
> >
On Tue, 21 Apr 2009 11:49:57 +0200, Emilio Pozuelo Monfort wrote:
> Michael Gilbert wrote:
> > it seems like ghostscript support in evince is a bonus feature (rather
> > a core component). it would be nice if the libgs8 dependency were
> > treated as recommends instead of a depends. this is espec
On Tue, 21 Apr 2009 17:21:20 +0200, Emilio Pozuelo Monfort wrote:
> Michael S. Gilbert wrote:
> > On Tue, 21 Apr 2009 11:49:57 +0200, Emilio Pozuelo Monfort wrote:
> >> Michael Gilbert wrote:
> >>> it seems like ghostscript support in evince is a bonus feature (rathe
On Wed, 22 Apr 2009 11:31:44 +0200, Josselin Mouette wrote:
> > Maybe if evince doesn't fail miserably if libspectre1 or other dependencies of
> > the backends aren't found, we could exclude them from Depends and put them on
> > Recommends, or maybe split the backends into separate packag
On Thu, 23 Apr 2009 16:41:07 +0200, Emilio Pozuelo Monfort wrote:
> Michael S. Gilbert wrote:
> > recommends are now automatically installed, so this shouldn't happen too
> > often.
>
> Except for new installs AFAIK.
i presume that a new install via debian-installer
On Thu, 23 Apr 2009 21:54:14 +0200, Josselin Mouette wrote:
> > i presume that a new install via debian-installer does not circumvent
> > apt's default behavior. is there any reason to think that this is not
> > the case?
>
> It is disabled during initial installation, but even if it wasn’t, and
On Sat, 25 Apr 2009 01:15:11 + Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the nautilus package:
>
> #515104: nautilus: potential exploits via application launchers
awesome! any chance of backporting this to lenny
hello,
thanks for fixing this security issue. please coordinate with the
security team (t...@security.debian.org) to prepare new packages for the
stable releases. thank you.
package: clamav
severity: grave
tags: security
hi,
ubuntu recently patched a problem in clamav [1]. the description is:
It was discovered that ClamAV did not properly verify its input when
processing TAR archives. A remote attacker could send a specially
crafted TAR file and cause a denia
Package: mapserver
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for mapserver.
CVE-2009-0839[0]:
| Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x
| before 4.10.4 and 5.x before 5.2.2, when the server has a m
Package: php5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for php5.
CVE-2008-5814[0]:
| Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
| earlier, when display_errors is enabled, allows remote attackers to
| inje
package: argyll
severity: important
tags: security
Hi,
CVE-2009-0792 has been issued for argyll. The details are:
Multiple integer overflows and multiple insufficient upper-bounds
checks on certain variable sizes were originally discovered in the
Ghostscript's International Color Consorti
Package: xine-lib
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows remote
| attack
package: pptp-linux
severity: important
tags: security
Hello,
Fedora issued the following update for pptp-linux, which they have
tagged as security-related:
This update corrects the behaviour of pptpsetup when its --delete
option is used, retaining the permissions of /etc/ppp/chap-secrets
package: libquantum3
severity: wishlist
hello, there are now new versions (1.0.0 stable and 1.1.0 developmental)
of the libquantum library available upstream. this is a request for a
debian package of the new stable version. thanks.
does this bug affect php4 at all? asking to determine whether a dsa
needs to be issued for php4 in etch. thanks.
mike
On Sun, 26 Apr 2009 10:17:22 +0200 Moritz Muehlenhoff wrote:
> On Wed, Feb 25, 2009 at 12:38:12AM -0500, Michael Gilbert wrote:
> > does this problem (with cookies) really affect the version of webkit in
> > debian, which does not currently support cookies (or more accurately
> > the libraries in
On Tue, 21 Apr 2009 23:54:36 +0200 Nico Golde wrote:
> Hi,
> turns out CVE-2008-6679 also is fixed since 8.64.
> The only unfixed issue in this report is CVE-2009-0196.
>
> Michael, please better check the code next time, this would
> have saved me a lot of time this evening.
I apologize. I ha
fyi, ubuntu issued a usn [1] for this issue. not sure if any of their
work may be useful to you.
[1] http://www.ubuntu.com/usn/USN-761-1
CVE-2009-0579 looks like a good candidate for a stable/old-stable
proposed update since it's not really a security issue, but it would be
good for the package to adhere to the administrator's desired policy.
please coordinate with the security team (t...@security.debian.org) if
you plan to work on
Package: qemu
Severity: important
Tags: security
Fixed: 0.9.1-5
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for qemu.
CVE-2008-1945[0]:
| QEMU 0.9.0 does not properly handle changes to removable media, which
| allows guest OS users to read arbitrary files on the h
fixed 526013 0.9.1-5
thanks
i should have mentioned that qemu > 0.9.1-5 is already in lenny, so the
security update will need to be for etch only.
Package: qemu
Severity: important
Tags: security
Tags: fixed 0.9.1+svn20081101-1
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for qemu.
CVE-2008-4539[0]:
| Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM
| before kvm-82 and (2) QEMU on Debian
Package: clamav
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for clamav.
CVE-2008-5525[0]:
| ClamAV 0.94.1 and possibly 0.93.1, when Internet Explorer 6 or 7 is
| used, allows remote attackers to bypass detection of malware in an
|
Package: clamav
Severity: important
Tags: security
Tags: fixed 0.95+dfsg-1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for clamav.
CVE-2009-1241[0]:
| Unspecified vulnerability in ClamAV before 0.95 allows remote
| attackers to bypass detection of malware via a mod
package: bugs.debian.org
severity: wishlist
hello,
i've recently been submitting some bugs related to security issues in
the stable releases that already have fixes in testing/unstable. i
would like to be able to tag this information at the time that i submit
the report, but it is currently not
it looks like webkit is tagged as not-affected for CVE-2008-3950 in
the security tracker [1], but there has been no discussion on the matter
in this report. is the tracker data accurate? and if so, i think that
this bug can safely be closed.
mike
[1] http://security-tracker.debian.net/tracker/CVE
On Sat, 2 May 2009 15:37:52 +0200 Aurelien Jarno wrote:
> This is fixed in the lenny branch of the SVN.
great to hear. do you plan to work with the security team to issue a
DSA for this one, or is it minor enough that it would make more sense
to do it in an spu?
package: cacti
version: 0.8.6i-3.4
tags: security
hello, there is an xss vulnerability in etch's version of cacti [1].
this was fixed in 0.8.7b, which is already in lenny and sid.
[1] http://openwall.com/lists/oss-security/2009/05/15/1
reopen 467237
found 467237 2.27.2-2
thank you
this bug has been improved, but still exists. middle-click will open
tabs in new windows, but there is no "open link in new tab" option in
the right-click menu.
package: prelude-manager
tags: security
severity: important
hello,
fedora recently released a security update for prelude-manager [1].
the text of the issue is:
The configuration file of prelude-manager contains a database password
and is world readable. This update restricts permissions to
this bug is submitted to provide a place to discuss/track triage your
spu/ospu update for this issue.
Package: prewikka
Severity: important
Tags: security
Hi,
Redhat recently issued security updates for prewikka [0] because the
password file is world readable. The text of the issue is:
| The permissions on the prewikka.conf file are world readable and contain the sql
| database password used b
Package: mpfr
Severity: important
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for mpfr.
CVE-2009-0757[0]:
| Multiple buffer overflows in GNU MPFR 2.4.0 allow context-dependent
| attackers to cause a denial of service (crash) via the (1)
| mpfr_snpri
package: pango
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for pango1.0.
CVE-2009-1194[0]:
| Pango is a library for laying out and rendering text, with an emphasis
| on internationalization. Pango suffers from a multiplicative integer
On Fri, 8 May 2009 10:46:16 +0200 Pierre Chifflier wrote:
> While I appreciate the effort of checking security related things, I'll
> just point out that the verification was fairly trivial:
thanks for the info. i've found that it is often more effective to
defer to the expertise of the maintaine
Package: opensc
Severity: grave
Tags: security
Tags: patch
Hi,
There is a vulnerability in opensc. Details are:
| The security problem in short: you need a combination of
| 1.) a tool that starts a key generation with public exponent set to 1
| (an invalid value that causes an insecure rsa
hello all,
any news on the patches for ghostscript in stable (CVE-2007-6725,
CVE-2008-6679, and CVE-2009-0196)? these issues have been sitting
unfixed for quite a while now. thanks.
mike
Package: zoneminder
Severity: normal
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for zoneminder.
CVE-2008-6755[0]:
| ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to
| the apache user account, and sets the permissions to 0600, wh
Package: gnutls26
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for gnutls26.
CVE-2009-1417[0]:
| gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and
| expiration times of X.509 certificates, which allows remote atta
On Tue, 12 May 2009 13:54:10 +0100, Dominic Hargreaves wrote:
> Hi,
>
> I wondered if any fix is likely to be available for CVE-2008-5519
> (information disclosure, looks potentially quite severe) any time
> soon or if any more help is needed?
hi,
no one has claimed this (that i've seen), and th
On Tue, 12 May 2009 16:53:41 -0500, Jamie Strandboge wrote:
> Package: cron
> Version: 3.0pl1-105
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu jaunty ubuntu-patch
>
> Hi,
>
> I was reviewing a list of
On Fri, 15 May 2009 14:18:26 +0200, Nico Golde wrote:
> Package: eggdrop
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> turns out my patch has a bug in it which opens this up for a
> buffer overflow again in case strlen(ctcpbuf) returns 0:
> http://www.gossamer-th
On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the gnutls26 package:
>
> #528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability
does it make sense to close this bug since
On Fri, 15 May 2009 20:15:49 +0200, Andreas Metzler wrote:
> On 2009-05-15 "Michael S. Gilbert" wrote:
> > On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which w
On Fri, 15 May 2009 20:50:47 +0200, Nico Golde wrote:
> Hi,
> * Michael S. Gilbert [2009-05-15 19:45]:
> > On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which was file
this is CVE-2008-0388:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0388
package: drupal6
severity: important
tags: security
version: 6.11-1 6.6-3
hi,
a cross-site scripting vulnerability has been discovered in drupal. see
[1].
please coordinate with the security team to prepare fixes for the
stable releases.
thanks.
[1] http://drupal.org/node/461886
package: drupal5
severity: important
tags: security
version: 5.17-1
hi,
a cross-site scripting vulnerability has been discovered in drupal. see
[1].
please coordinate with the security team to prepare fixes for the
stable releases.
thanks.
[1] http://drupal.org/node/461886
Package: linux-2.6
Severity: important
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for linux-2.6.
CVE-2007-6514[0]:
| Apache HTTP Server, when running on Linux with a document root on a
| Windows share mounted using smbfs, allows remote attackers to
On Mon, 18 May 2009 06:49:48 +0200, Ola Lundqvist wrote:
> Thanks. However this applies only to the windows version as that
> functions do not even exist in the linux/unix version.
ok, yes, i see that now. thanks.
Package: linux-2.6
Version: 2.6.26-15lenny2
Severity: important
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for linux-2.6.
CVE-2009-0787[0]:
| The ecryptfs_write_metadata_to_contents function in the eCryptfs
| functionality in the Linux kernel 2.6.2
tag 529326 patch
thank you
note that this affects the lenny and squeeze versions of the kernel
(2.6.26). even though the kernel changelog says that this problem only
affects 2.6.28, it actually affects any version before 2.6.28.9 that has
ecryptfs.
patches are available here:
http://git.kernel.o
On Mon, 18 May 2009 11:52:04 -0600, dann frazier wrote:
> On Mon, May 18, 2009 at 01:28:56PM -0400, Michael S. Gilbert wrote:
> > Package: linux-2.6
> > Version: 2.6.26-15lenny2
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > Th
Package: linux-2.6
Version: 2.6.26
Severity: important
Tags: security patch
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for linux-2.6.
CVE-2009-1360[0]:
| The __inet6_check_established function in net/ipv6/inet6_hashtables.c
| in the Linux kernel before 2.6.29, wh
package: openoffice.org-common
severity: grave
version: 1:3.1.0-2
the latest version of openoffice will not install because a mkdir
fails:
mkdir: cannot create directory '/var/lib/openoffice/share/config': No
such file or directory
if i manually create the directory, the installation works:
$
reopen 535888
fixed 535888 5.2.10.dfsg.1-2
thanks
thanks for fixing this issue! reopening to continue tracking in
etch/lenny, which haven't been fixed yet.
mike
On Fri, 10 Jul 2009 10:26:22 -0500, Raphael Geissert wrote:
> close 535888
> found 535888 5.2.6.dfsg.1-1+lenny3
> found 535888 5.2.9.dfsg.1-4
> fixed 535888 5.3.0-1
> thanks
>
> On Friday 10 July 2009 10:14:08 Michael S. Gilbert wrote:
> > reopen 535888
> > fixed
i probably should have asked whether you think that this issue warrants
a DSA, would be good for an SPU, or whether you think it is
unimportant. if this can be considered unimportant, then yes, i agree
the bug should be closed, but if there do need to be stable updates,
then i think that the bug s
Package: apache2
Version: 2.2.3-4+etch6
Severity: serious
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for apache2.
CVE-2009-1890[0]:
| The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
| module in the Apache HTTP Server befo
reopen 535488
reopen 535489
thanks
On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:
> Hello Michael,
>
> Michael S. Gilbert [2009-07-02 12:35 -0400]:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for cups.
> >
package: wordpress
version: 2.0.10-1etch3
severity: serious
tags: security
an advisory, CORE-2009-0515, has been issued for wordpress. there are issues
with unchecked privileges and many potential information disclosures. see [1].
this is fixed in upstream version 2.8.1. please coordinate wit
package: mysql-dfsg-5.0
version: 5.0.32-7etch8
severity: important
tags: security
hello, it has been disclosed that mysql has a post-authentication
format string vulnerability [1]. according to that message, affected
versions are claimed to be 5.0.45 and older, which would mean that lenny
and sid
package: iceweasel
version: 3.5
severity: critical
tags: security
hello, a remote shellcode injection has been disclosed for firefox [0],
[1]. the advisory says that version 3.5 has been verified as
vulnerable, but older versions are very likely susceptible as well. i
have not checked.
this is c
forwarded 537104 https://bugzilla.mozilla.org/show_bug.cgi?id=504237
thanks
package: dbus
version: 1.2.16-1
severity: grave
hello, dbus is currently uninstallable on sid; erroring with the
following message:
chown: cannot access `/usr/lib/dbus-1.0/dbus-daemon-launch-help': No
such file or directory
this can be fixed with a 'mkdir -p':
$ sudo mkdir -p /usr/lib/dbu
package: moonlight-plugin-mozilla
version: 1.0.1-3
severity: important
hello, i just tried out the moonlight plugin, but it doesn't appear to
work out of the box. steps to reproduce:
1. $ sudo apt-get install moonlight-plugin-mozilla
2. $ iceweasel http://research.microsoft.com/tuva
3. observe e
package: libio-socket-ssl-perl
version: 1.01-1
severity: serious
tags: security , patch
a security issue has been fixed in the latest upstream version of
libio-socket-ssl-perl [0]. see patch [1]. please coordinate with the
security team to prepare updates for the stable releases. thank you.
[0
package: mediawiki
version: 1:1.15.0-1
severity: serious
tags: security
hello, multiple vulnerabilities have been fixed in upstream mediawiki
1.15.1 (these problems did not exist before 1.14.0, so lenny/etch are
not vulnerable) [0]. please update unstable to this version. thanks.
[0]
http://lists.w
package: htmldoc
version: 1.8.27-2
severity: serious
tags: security , patch
hello, a security advisory has been issued for htmldoc [0]. patches
available from gentoo [1]. please coordinate with the security team to
prepare updates for the stable releases. thank you.
[0] http://secunia.com/advi
while this bug is still open, would it make sense to disable the gcc
option/optimization/bug/flaw that allows this vulnerability to exist?
the "-fno-delete-null-pointer-checks" flag will completely disable
this option kernel-wide [1].
obviously there is a tradeoff here. the null pointer optimizat
Subject: RFP: maniadrive -- 3D stunt driving game
Package: wnpp
Severity: wishlist
* Package name: maniadrive
Version : 1.2
Upstream Author : #raydium on irc.freenode.net
* URL : http://maniadrive.raydium.org/
* License : GPL
Programming Lang: C, PHP
Descrip
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1~lenny1 0.10.4-4
Severity: serious
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gstreamer0.10-plugins-good.
CVE-2009-1932[0]:
| Multiple integer overflows in the (1) user_info_callback,
package: ecryptfs-utils
version: 68-1
version: 75-1
severity: serious
tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ecryptfs-utils.
CVE-2009-1296[0]:
| Chris Jones discovered that the eCryptfs support utilities would
| report the mount passphrase int
reopen 517639
found 517639 1.8.7.72-3
found 517639 1.8.5-4etch4
thank you
hi,
this bug is still present in the stable releases. please coordinate
with the security team (t...@security.debian.org) to prepare updated
packages. thanks.
package: webkit
severity: serious
tags: security
hello,
it has been discovered that all of the major web browsers use a
predictable pseudo-random number generator (PRNG). please see
reference [0]. the robust solution is to switch to a provably
unpredictable PRNG such as Blum Blum Shub [1,2].
[0
Package: dbus
Version: 1.2.1-5
Severity: grave
Tags: security , patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dbus.
CVE-2009-1189[0]:
| The _dbus_validate_signature_with_reason function
| (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses
| in