@@
+libapache2-mod-authnz-external (3.2.4-2.1) unstable; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Fix SQL injection via the $user paramter (Closes: #633637)
+Fixes: CVE-2011-2688
+
+ -- Steffen Joeris Mon, 18 Jul 2011 10:26:11 +1000
+
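Review bot: the changelog line `+ * Fix SQL injection via the $user paramter (Closes: #633637)` misspells "parameter"; correct the spelling before upload, since this text is copied into the package changelog and the advisory. The `+Fixes: CVE-2011-2688` line also appears without the leading indentation the other bullet lines carry; check the indentation in the real changelog so the entry parses as part of the same stanza.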
libapache2-mod-authnz-external
Hi Amaya,
> Steffen Joeris wrote:
> > I had a quick look and didn't see that code included in debian as far
> > as I can see the package has the same version in all suites or am I
> > missing anything?
>
> Oh, $DEITY, you are absolutely right, I looked at a locall
Package: erlang
Severity: grave
Tags: security
Hi,
Please see http://www.kb.cert.org/vuls/id/178990 for all the information.
The upstream patch can be reviewed here:
https://github.com/erlang/otp/commit/f228601de45c5
Cheers,
Steffen
Package: python2.6
Version: 2.6.6-10
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python2.6.
CVE-2011-1521[0]:
| The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x
| bef
Package: python3.1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python3.1.
CVE-2011-1521[0]:
| The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x
| before 3.2.1 process
Package: ruby1.8
Version: 1.8.7.334-5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ru
Package: ruby1.9
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136 and ear
Package: libruby1.9.1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136 an
Package: openswan
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openswan.
CVE-2011-2147[0]:
| Openswan 2.2.x does not properly restrict permissions for (1)
| /var/run/starter.pid, relat
Package: libav
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libav.
CVE-2011-2162[0]:
| Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
| used in MPlayer 1.0 an
severity 603749 normal
thx
It seems that the vulnerable file was introduced after 1.2.6, which is
currently in sid. So as long as a fixed version is uploaded next, everything
should be fine.
Cheers,
Steffen
team
+ * Fix DoS due to wrong string handling (Closes: #596086)
+Fixes: CVE-2010-3072
+
+ -- Steffen Joeris Mon, 13 Sep 2010 17:07:51 +1000
+
squid3 (3.1.6-1) unstable; urgency=low
* New upstream release
diff -u squid3-3.1.6/debian/patches/00list squid3-3.1.6/debian/patches/00list
Hi Sam
Could you prepare updated packages for lenny and send a debdiff? We'll need to
release a DSA for this issue.
Cheers
Steffen
On Mon, 8 Mar 2010 03:01:39 am Hideki Yamane wrote:
> Hi Steffen,
>
> On Sun, 7 Mar 2010 21:47:53 +1100
>
> Steffen Joeris wrote:
> > Thanks for the information. Have you been able to reproduce the problem
> > with IE and checked the patch?
>
> with IE6 and IE
Hi Hideki
Thanks for the information. Have you been able to reproduce the problem with
IE and checked the patch?
Cheers
Steffen
> On Sun, 7 Mar 2010 19:10:12 +1100
>
> Steffen Joeris wrote:
> > Apparently, to_native() is converting it to another encoding, but
> >
Hi Hideki
Indeed this should be fixed via a DSA and for unstable as well.
I am still having slight problems understanding the XSS issue here.
Apparently, to_native() is converting it to another encoding, but shouldn't it
do some escaping of certain characters to avoid having the usual html
chara
Hi Andres
I've read your previous comments to the bugreport, but wanted to stress the
point that it will not be acceptable for mediabomb to use an internal copy of
prototypejs. We do not want a version of the package in squeeze that does not
use the system wide prototypejs. I understand that thi
Hi Mirco
> > Hi
> >
> > GMime upstream has released latest 2.4.15 [1] version of the
> > library fixing one security issue. From 2.4.15-changes [2] file:
> >
> > 2010-01-31 Jeffrey Stedfast
> >
> > * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to
> > prevent possible buffer over
Package: libgmime-2.0-2a
Severity: grave
Tags: security patch
Hi
GMime upstream has released latest 2.4.15 [1] version of the
library fixing one security issue. From 2.4.15-changes [2] file:
2010-01-31 Jeffrey Stedfast
* gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent
reopen 559531
severity 559531 important
thanks
Hi
MSA-09-0025 and MSA-09-0029 don't seem to be fixed. Both issues are minor
security issues, so I am lowering the severity.
Cheers
Steffen
diere-1.9.4/debian/changelog
--- audiere-1.9.4/debian/changelog
+++ audiere-1.9.4/debian/changelog
@@ -1,3 +1,11 @@
+audiere (1.9.4-3.1) unstable; urgency=low
+
+ * Non-maintainer upload
+ * Fix FTBFS with GCC 4.4 (Closes: #505122)
+Thanks to Martin Michlmayr
+
+ -- Steffen Joeris Sat, 3
Hi
For the record, this issue got CVE-2010-0303 assigned.
Cheers
Steffen
descriptors
+Thanks to Julien Cristau
+
+ -- Steffen Joeris Fri, 29 Jan 2010 14:30:27 +0100
+
hybserv (1.9.2-4) unstable; urgency=low
* Update 01_fhs+mkdirfix.dpatch:
diff -u hybserv-1.9.2/debian/hybserv.postinst hybserv-1.9.2/debian/hybserv.postinst
--- hybserv-1.9.2/debian
Hi
FYI, This issue has been assigned CVE-2010-0301.
Cheers
Steffen
Package: ircd-hybrid
Version: 1:7.2.2.dfsg.2-6.1
Severity: grave
Tags: security patch
Hi
DSA-1980-1 has fixed an issue in ircd-hybrid, patch attached. Please
include this patch in your next upload.
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++ ircd-hybrid-7.2.2.dfsg.2/src
Package: ircd-ratbox
Severity: grave
Tags: security patch
Hi
DSA-1980-1 has fixed two issues in ircd-ratbox, patches attached. Please
include them in the next upload.
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c
@@ -103,7 +103,9
Package: oftc-hybrid
Severity: grave
Tags: security patch
Hi
Please include the patch from DSA-1980-1, which fixes an integer
underflow (patch attached).
Cheers
Steffen
--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c
+++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c
@@ -103,7 +103,9 @@
}
Hi
Unfortunately, the package still doesn't work, but please find the patch for
the initialising error from the newer compiler below.
Cheers
Steffen
--- insight-6.7.1.dfsg.1.orig/gdb/eval.c
+++ insight-6.7.1.dfsg.1/gdb/eval.c
@@ -1627,6 +1627,8 @@
if (nargs != ndimensions)
err
hange dependency in init LSB header to use $network rather than
+$local_fs to make sure networking is available during boot and to
+make the package installation work again (Closes: #563784)
+Thanks to Petter Reinholdtsen
+
+ -- Steffen Joeris Sat, 23 Jan 2010 13:08:40 +0100
+
bastil
GCC compiler (Closes: #505626)
+Thanks to Martin Michlmayr
+
+ -- Steffen Joeris Fri, 22 Jan 2010 23:08:35 +0100
+
mm3d (1.3.7-1.1) unstable; urgency=low
* Non-maintainer upload.
only in patch2:
unchanged:
--- mm3d-1.3.7.orig/src/mm3dcore/tool.h
+++ mm3d-1.3.7/src/mm3dcore/tool.h
by adjusting configure.ac and debian/rules
+(Closes: #565287) Thanks to Peter Green
+
+ -- Steffen Joeris Fri, 22 Jan 2010 21:39:05 +0100
+
gwget2 (1.0.4-1) unstable; urgency=low
* New upstream release. Closes: #533658, #552715.
diff -u gwget2-1.0.4/debian/rules gwget2-1.0.4/debian
xes.1-16.1) unstable; urgency=low
+
+ * Non-maintainer upload
+ * Use pcap_dispatch() rather than the private functions
+pcap_offline_read()/pcap_read() and fix a few compilation errors
+(Closes: #557807)
+
+ -- Steffen Joeris Fri, 22 Jan 2010 15:16:59 +0100
+
argus (1:2.0.6.fixes
Hi Andrew
Following up on this bugreport, if I take the current argus-server package
from unstable and try to rebuild it, I'll end up without the argus (or
argus_linux) binary in the package[0]. There seems to be a change in the
libpcap package's API. Also, you've used the pcap_read() and
pcap
Package: gzip
Version: 1.3.12-8
Severity: grave
Tags: security patch
Hi Bdale, Carl
Carl, I saw too late that you're a new co-maintainer so I only
forwarded the pre-notification to Bdale (who is probably busy at LCA).
i
the following CVE (Common Vulnerabilities & Exposures) id was
published for g
Hi Christoph
> I've prepared an NMU for dc-qt (versioned as 0.2.0.alpha-4.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.
Thanks for your work.
I am not really maintaining the package anymore. I guess I should check
whether the alternatives are good
Hi Adam
These issues have been assigned CVE ids, see below:
CVE-2009-4214[0]:
| Cross-site scripting (XSS) vulnerability in the strip_tags function in
| Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
| attackers to inject arbitrary web script or HTML via vectors involving
| non
=low
+
+ * Non-maintainer upload
+ * Add libmagickcore2-extra as build-depends since imagemagick has
+reorganised the plugin packages (thanks to Stuart Prescott)
+(Closes: #560604)
+
+ -- Steffen Joeris Wed, 23 Dec 2009 22:19:35 +0100
+
qemulator (0.5-3) unstable; urgency=low
*
Hi Luigi
By the way, drupal5 is also affected by at least one of these issues. Can we
remove drupal5 from debian or is there a reason for keeping it? It would be
easier to have it gone, then we'd only have to track one package.
Cheers
Steffen
Package: drupal6
Severity: grave
Tags: security patch
Hi Luigi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for drupal6.
CVE-2009-4371[0]:
| Cross-site scripting (XSS) vulnerability in the Locale module
| (modules/locale/locale.module) in Drupal Core 6.14, and possib
Package: cacti
Severity: grave
Tags: security
Hi Sean
the following CVE (Common Vulnerabilities & Exposures) id was
published for cacti.
CVE-2009-4112[0]:
| Cacti 0.8.7e and earlier allows remote authenticated administrators to
| gain privileges by modifying the "Data Input Method" for the "Linu
d by the security team
+ * Fix several cross-site scriptings via different vectors
+Fixes: CVE-2009-4032
+
+ -- Steffen Joeris Wed, 16 Dec 2009 12:06:20 +0100
+
cacti (0.8.7e-1) unstable; urgency=low
* New upstream release (Closes: #541490).
diff -u cacti-0.8.7e/debian/patches/series c
Package: cups
Version: 1.4.1-5
Severity: grave
Tags: security patch
Hi Martin
The recent DSA (DSA-1933-1) fixed a few cross-site scripting issues.
Please include the patch in the unstable/testing distribution.
Cheers
Steffen
diff -u cupsys-1.2.2/debian/changelog cupsys-1.2.2/debian/changelog
---
On Sun, 11 Oct 2009 07:38:01 am Mehdi Dogguy wrote:
> Michael S Gilbert wrote:
> > Package: advi
> > Version: 1.6.0-12
> > Severity: serious
> > Tags: security
> >
> > Hi,
> >
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for camlimages. advi statically links t
Package: newt
Severity: grave
Tags: security patch
Hi
There is a buffer overflow in textbox.c. This issue is CVE-2009-2905.
In textbox.c the following patch has been applied.
- result = malloc(strlen(text) + (strlen(text) / width) + 2);
+ result = malloc(strlen(text) + (strlen(text)
Package: viewvc
Severity: grave
Tags: security patch
Hi
According to upstream:
Version 1.1.2 (released 11-Aug-2009)
* security fix: validate the 'view' parameter to avoid XSS attack
* security fix: avoid printing illegal parameter names and values
http://viewvc.tigris.org/source/browse/*ch
* Expand security patch for integer overflows to also cover other
+image types (Closes: #540146)
+Fixes: CVE-2009-2660
+
+ -- Steffen Joeris Sat, 08 Aug 2009 07:05:38 +
+
camlimages (1:3.0.1-2) unstable; urgency=low
[ Mehdi Dogguy ]
diff -u camlimages-3.0.1/debian/patches/fix_integ
Package: dhcp3-server
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dhcp3.
CVE-2009-1892[0]:
| dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier and
| hardware ethernet configuration settings are both used, al
Hi
So I had another look at the issue. Indeed, set_nss_error was undefined, so I
used a different function. Also, I think there was another regression with
displaying signed and encrypted S/MIME messages. Could you please test these
updated packages[0] in your environments and tell me whether
-maintainer upload by the security team
+ * Fix XSS via the backend parameter (Closes: #536554)
+Fixes: CVE-2009-2360
+
+ -- Steffen Joeris Sat, 11 Jul 2009 06:02:56 +
+
sork-passwd-h3 (3.1-1) unstable; urgency=low
* New upstream release.
only in patch2:
unchanged:
--- sork-passwd-h3-3.1
Package: sork-passwd-h3
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sork-passwd-h3.
CVE-2009-2360[0]:
| Cross-site scripting (XSS) vulnerability in passwd/main.php in the
| Passwd module before 3.1.1 for Horde allows remote
team
+ * Fix cross-site scripting vulnerability, which can be exploited via
+the userid, userdescrip, useremail, grp and grpdescrip parameters
+(Closes: #530271)
+Fixes: CVE-2009-1732
+
+ -- Steffen Joeris Mon, 06 Jul 2009 08:09:24 +
+
ipplan (4.91a-1) unstable; urgency=low
On Wed, 24 Jun 2009 07:46:01 am Richard Ellerbrock wrote:
> The existing patch is correct - using htmlspecialchars will have the
> effect of placing escaped stings in the database. It will also have
> the effect of double escaping each time you edit a field.
>
> My patch replaces the display templa
Hi Richard
I am not sure about your patch.
Setting a maximum length does not fix a potential XSS issue. Why not use
htmlspecialchars() to take care of escaping? I have attached a potential patch
for that. Of course, it would be good to check the rest of the code as well
and see whether it is
Package: plone3
Severity: grave
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for plone3.
CVE-2009-0662[0]:
| The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product
| for Plone, does not properly handle the login form, which allow
Hi Rene
> Unfortunately, this doesn't apply as dpd code seems to have moved out of
> demux.c (I didn't find any of the patch context). Have you had contact with
> openswan upstream concerning this bug?
Isn't the vulnerable code in programs/pluto/ikev1.c?
Cheers
Steffen
d by the security team
+ * Fix DoS issue via malicious Dead Peer Detection packet
+Fixes: CVE-2009-0790
+
+ -- Steffen Joeris Tue, 24 Mar 2009 12:31:39 +
+
strongswan (4.2.4-5) unstable; urgency=high
Reason for urgency high: this is potentially security relevant.
diff -u strongsw
intainer upload by the security team
+ * Fix DoS issue via malicious Dead Peer Detection packet
+Fixes: CVE-2009-0790
+
+ -- Steffen Joeris Tue, 24 Mar 2009 13:20:43 +
+
openswan (1:2.4.12+dfsg-1.3) unstable; urgency=high
* Non-maintainer upload.
diff -u openswan-2.4.12+dfsg/debian
ction vulnerability when used with multibyte
+encodings by using mysql_real_escape_string()
+
+ -- Steffen Joeris Mon, 30 Mar 2009 11:21:06 +0200
+
auth2db (0.2.5-2+dfsg-1) unstable; urgency=medium
* New debian-specific+upstream release (Closes: #493132):
diff -u auth2db-0.2.5-2+dfsg/debian/pa
Package: xine-lib
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2009-0698[0]:
| Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib
| 1.1.16.1 allows remote a
Package: proftpd
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for proftpd.
CVE-2009-0543[0]:
| ProFTPD Server 1.3.1, with NLS support enabled, allows remote
| attackers to bypass SQL injection protec
table; urgency=high
+
+ * Non-maintainer upload by the security team
+ * Include upstream patch to fix DoS via error in request processing
+code (Closes: #514142)
+
+ -- Steffen Joeris Thu, 05 Feb 2009 18:28:57 +
+
squid (2.7.STABLE3-4) unstable; urgency=low
* debian/rules
diff -u squi
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for gst-plugins-good0.10.
CVE-2009-0386[0]:
| Heap-based buffer overflow in the qtdemux_parse_samp
fixed 514138 1.3.6-1
thanks
Hi Benjamin
On Wed, 4 Feb 2009 04:29:05 pm Benjamin Drung wrote:
> The upcoming audacity 1.3.7-1 does not crash if I open the generated
> file from [0]. According to the Gentoo bug tracker [1] audacity 1.3.6
> does not have this bug any more. You can find
> String_par
Package: squid
Severity: grave
Tags: security
Justification: user security hole
Hi
A DoS issue has been reported[0] for squid. So far I cannot see the
vulnerable code in the stable release, but it would be nice, if you
could check that as well. Lenny seems to be affected and needs fixing.
I've ju
Package: audacity
Version: 1.3.5-2
Severity: grave
Tags: security
Justification: user security hole
There is a buffer overflow in audacity apparently affecting the etch
and lenny version. You can find a reproducer here[0].
However, I just took a random .gro file and when importing it under
Project
Package: xvnc4viewer
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vnc4.
CVE-2008-4770[0]:
| The CMsgReader::readRect function in the VNC Viewer component in
| RealVNC VNC Free Edition 4.0 th
retitle 507587 CVE-2008-5282,CVE-2008-6005,CVE-2009-0323: multiple buffer
overflows
thanks
Hi
There is an additional CVE about buffer overflows.
CVE-2009-0323[0]:
| Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0
| and 11.0 allow remote attackers to execute arbitrary code vi
Package: phpicalendar
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for phpicalendar.
CVE-2008-5840[0]:
| PHP iCalendar 2.24 and earlier allows remote attackers to bypass
| authentication by setting t
Package: python-moinmoin
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for moin.
CVE-2009-0260[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in
| action/AttachFile.py in MoinMoin befo
Package: php5
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for php5.
CVE-2008-5557[0]:
| Heap-based buffer overflow in
| ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring
| extensi
Package: uw-imap
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for uw-imap.
CVE-2008-5514[0]:
| Off-by-one error in the rfc822_output_char function in the
| RFC822BUFFER routines in the Universit
severity 509024 normal
thanks
On Wed, 17 Dec 2008 06:03:45 pm Nico Golde wrote:
> Hi,
>
> * Steffen Joeris [2008-12-17 17:53]:
> > The patch for CVE-2007-2739 seems to be incomplete as already discussed
> > via private mail. Just using htmlspecialchars(), instead of the rep
Package: php-xajax
Severity: grave
Justification: user security hole
Tags: security
Hi
The patch for CVE-2007-2739 seems to be incomplete as already discussed
via private mail. Just using htmlspecialchars(), instead of the replace
calls should do the trick.
I've requested a new CVE id for this an
Package: netdisco-mibs-installer
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for netdisco-mibs-installer.
CVE-2008-5379[0]:
| netdisco-mibs-installer 1.0 allows local users to overwrite arbitrary
| fi
On Wed, 3 Dec 2008 07:55:42 pm Joost Yervante Damad wrote:
> On Wednesday 03 December 2008 15:10:12 Frederic Peters wrote:
> > Mark Purcell wrote:
> > > On Monday 24 November 2008 22:58:38 Steffen Joeris wrote:
> > > > Packages for lenny and sid build fine with the p
Package: amaya
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for amaya.
CVE-2008-5282[0]:
| Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1
| allow remote attackers to execute arbi
Package: moodle
Severity: serious
Justification: Unknown
Hi
The moodle package embeds several code copies.
At the moment the list includes:
libphp-phpmailer
tinymce
libphp-adodb
libphp-snoopy
kses
domxml-php4-to-php5.php
libmarkdown-php
There are a few others that are simply not yet packaged f
Package: cups
Version: 1.3.8-1lenny3
Severity: grave
Tags: security, patch
Justification: user security hole
Hi Martin
Cups upstream just fixed another integer overflow[0], which was introduced
due to an incomplete fix for CVE-2008-1722. The upstream commit can be
found here[1]. A CVE id has been
Hi Martin
> I just received the attached message from No-IP.com. This affects
> stable and testing.
I might be tired, but where does this differ from #506179, which is fixed in
unstable?
Cheers
Steffen
Package: wireshark
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
the following remotely exploitable vulnerability in Wireshark's
SMTP dissector has been reported:
References:
http://packetstormsecurity.org/0811-advisories/wireshark104-dos.txt
http://bugs.gentoo.org/sh
Hi
> CVE-2008-4868[1]:
> | Unspecified vulnerability in the avcodec_close function in
> | libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer,
> | has unknown impact and attack vectors, related to a free "on random
> | pointers."
Forget about this one, it seems to be fixed in our
Package: ffmpeg-debian
Version: 0.svn20080206-14
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for ffmpeg.
CVE-2008-4869[0]:
| FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attacke
Hi
Please also see this advisory[0] as an additional issue.
Description:
A vulnerability has been reported in Nagios, which can be exploited by
malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests
without pe
On Sun, 2 Nov 2008 11:34:28 pm Steffen Joeris wrote:
> On Sun, 2 Nov 2008 09:49:32 pm Olivier Berger wrote:
> > On Sunday 02 November 2008 at 11:13 +0100, Olivier Berger wrote:
> > > Thanks for spotting this problem.
> > >
> > > The referred [2] patch is ac
On Sun, 2 Nov 2008 09:49:32 pm Olivier Berger wrote:
> On Sunday 02 November 2008 at 11:13 +0100, Olivier Berger wrote:
> > Thanks for spotting this problem.
> >
> > The referred [2] patch is actually not exactly applicable to the version
> > of class.phpmailer.php shipped in phpgroupware 0.9.1
Package: phpgroupware
Severity: grave
Tags: security, patch
Justification: user security hole
Hi Peter,
the following CVE (Common Vulnerabilities & Exposures) id was
published for egroupware-core.
CVE-2007-3215[0]:
| PHPMailer 1.7, when configured to use sendmail, allows remote
| attackers to exe
Hi Charlie
> Thanks for the bug report.
>
> I have addressed this issue in ampache-3.4.3-1 which is currently on
> m.d.n [1] awaiting sponsoring.
>
> With Lenny so close to release I am contacting my usual sponsor for
> guidance on which would be the best solution for this bug:
> a. use supplied
Package: opendb
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for opendb.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote atta
Package: mediamate
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mediamate.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remot
Package: pixelpost
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pixelpost.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remot
Package: mahara
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mahara.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote atta
Package: ampache
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ampache.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote at
Package: libphp-snoopy
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libphp-snoopy.
CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allo
Package: snmpd
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
The following announcement has been released by net-snmp upstream:
SECURITY ISSUE: A bug in the getbulk handling code could let anyone
with even minimal access crash the agent. If you have open access
to y
reassgin 449497 tech-ctte,foo2zjs
thanks
Dear Technical Committee Members
Currently, there is a dispute about a certain part of the foo2zjs package.
Unfortunately, we do not seem to be able to solve it and thus require your
assistance. We have tried to get a paragraph together to state the prob
Hi
I am upset that you again raised the severity without consulting anyone. The
package as it stands is DFSG free and the getweb script is there for the
convenience of the users as well as the documentation. Your arguments haven't
changed my opinion. However, it doesn't look like we are finding
severity 449497 important
thanks
On Sun, 26 Oct 2008 11:40:34 pm Joost Yervante Damad wrote:
> Hi Luca,
>
> > [3] not that I checked with such printers, I'm only in touch with one
> > that needs a non-free firmware
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466758#15
>
> So you
On Sun, 26 Oct 2008 10:12:49 pm Luca Capello wrote:
> Hi there!
>
> On Sun, 26 Oct 2008 08:03:46 +0100, Steffen Joeris wrote:
> > On Sun, 26 Oct 2008 07:38:51 +0100, Joost Yervante Damad wrote:
> >> I understand your sentiment, and it is indeed a "grey" are
Hi
Sorry for the confusing statement here.
> > > I understand your sentiment, and it is indeed a "grey" area situation.
> > > If I take policy literally, I think this package is fine in main, but it
> > > is not as simple...
> > >
> > > In order to get this bug rolling (and lenny released ;-) ), ca
Hi
> I understand your sentiment, and it is indeed a "grey" area situation. If I
> take policy literally, I think this package is fine in main, but it is not
> as simple...
>
> In order to get this bug rolling (and lenny released ;-) ), can you all
> live with me splitting up the package in two pack