Package: anjuta
Version: 1.2.4a-5
Severity: grave
i just tested the etch -> lenny transition, and anjuta failed to upgrade
properly. the error follows:
Preparing to replace anjuta 1:1.2.4a-5 (using
.../anjuta_2%3a2.4.2-1_amd64.deb) ...
Unpacking replacement anjuta ...
dpkg: error processing
Package: xscreensaver
Version: 5.05-3
Severity: grave
i just tested the etch -> lenny transition on two of my systems, and
xscreensaver ended up locking me out of both of them.
version 4.24 of the xscreensaver daemon was running when i started the
upgrade. i went off to work on some other thin
hello all,
any news on the patches for ghostscript in stable (CVE-2007-6725,
CVE-2008-6679, and CVE-2009-0196)? these issues have been sitting
unfixed for quite a while now. thanks.
mike
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trou
Package: gnutls26
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for gnutls26.
CVE-2009-1417[0]:
| gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and
| expiration times of X.509 certificates, which allows remote atta
On Tue, 12 May 2009 13:54:10 +0100, Dominic Hargreaves wrote:
> Hi,
>
> I wondered if any fix is likely to be available for CVE-2008-5519
> (information disclosure, looks potentially quite severe) any time
> soon or if any more help is needed?
hi,
no one has claimed this (that i've seen), and th
On Tue, 12 May 2009 16:53:41 -0500, Jamie Strandboge wrote:
> Package: cron
> Version: 3.0pl1-105
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu jaunty ubuntu-patch
>
> Hi,
>
> I was reviewing a list of
On Fri, 15 May 2009 14:18:26 +0200, Nico Golde wrote:
> Package: eggdrop
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> turns out my patch has a bug in it which opens this up for a
> buffer overflow again in case strlen(ctcpbuf) returns 0:
> http://www.gossamer-th
On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the gnutls26 package:
>
> #528281: gnutls26: CVE-2009-1417 certificate expiration vulnerability
does it make sense to close this bug since
On Fri, 15 May 2009 20:15:49 +0200, Andreas Metzler wrote:
> On 2009-05-15 "Michael S. Gilbert" wrote:
> > On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which w
On Fri, 15 May 2009 20:50:47 +0200, Nico Golde wrote:
> Hi,
> * Michael S. Gilbert [2009-05-15 19:45]:
> > On Tue, 12 May 2009 00:03:05 +, Debian Bug Tracking System wrote:
> > > This is an automatic notification regarding your Bug report
> > > which was file
this is CVE-2008-0388:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0388
On Mon, 18 May 2009 06:49:48 +0200, Ola Lundqvist wrote:
> Thanks. However this applies only to the windows version as those
> functions do not even exist in the linux/unix version.
ok, yes, i see that now. thanks.
package: openoffice.org-common
severity: grave
version: 1:3.1.0-2
the latest version of openoffice will not install because a mkdir
fails:
mkdir: cannot create directory '/var/lib/openoffice/share/config': No
such file or directory
if i manually create the directory, the installation works:
$
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1~lenny1 0.10.4-4
Severity: serious
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gstreamer0.10-plugins-good.
CVE-2009-1932[0]:
| Multiple integer overflows in the (1) user_info_callback,
package: ecryptfs-utils
version: 68-1
version: 75-1
severity: serious
tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ecryptfs-utils.
CVE-2009-1296[0]:
|Chris Jones discovered that the eCryptfs support utilities would
|report the mount passphrase int
reopen 517639
found 517639 1.8.7.72-3
found 517639 1.8.5-4etch4
thank you
hi,
this bug is still present in the stable releases. please coordinate
with the security team (t...@security.debian.org) to prepare updated
packages. thanks.
package: webkit
severity: serious
tags: security
hello,
it has been discovered that all of the major web browsers use a
predictable pseudo-random number generator (PRNG). please see
reference [0]. the robust solution is to switch to a provably
unpredictable PRNG such as Blum Blum Shub [1,2].
[0
Package: dbus
Version: 1.2.1-5
Severity: grave
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for dbus.
CVE-2009-1189[0]:
| The _dbus_validate_signature_with_reason function
| (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses
| in
found 532720 1.0.2-1+etch2
thank you
note bug report on CVE-2008-3834 is here: http://bugs.debian.org/501433
reopen 520052
found 520052 1.0.1-4
fixed 520052 1.1.7-1
thanks
yes, i, as the original reporter, spent a non-insignificant amount of
time to determine that webkit is indeed affected. in fact, i believe
that my description in the original report is very complete and
describes the extent of the pro
CVE-2008-4723 is the wrong CVE, which is for firefox. it should be
CVE-2008-4724
since this is a minor issue, would you be interested in pushing out
fixes for this problem in a stable proposed update? if so, please
contact the security team.
mike
Package: vim
Version: 1:7.0.109
Severity: grave
Tags: security
Justification: user security hole
redhat has just released an update that fixes multiple security flaws in
vim [1]. these issues are currently reserved in the CVE tracker, but
redhat describes the problems as:
Multiple security flaw
package: linux-2.6
severity: grave
tags: security
as seen in recent articles and discussions, the linux kernel is
currently vulnerable to rootkit attacks via the /dev/mem device. one
article [1] mentions that there is an existing patch for the problem,
but does not link to it. perhaps this fix c
On Thu, 16 Apr 2009 12:43:07 -0400, Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 11:55:05AM -0400, Michael S. Gilbert wrote:
> > as seen in recent articles and discussions, the linux kernel is
> > currently vulnerable to rootkit attacks via the /dev/mem device. one
> >
reopen 524373
thanks
On Thu, 16 Apr 2009 16:53:38 -0400 Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 04:21:10PM -0400, Michael S. Gilbert wrote:
> >
> > i think that any flaw that allows an attacker to elevate his pwnage from
> > root to hidden should always be consid
btw, redhat-based distros are thought to be invulnerable to these
attacks due to their incorporation of execshield (in particular, due to
address space randomization). perhaps it's high time that debian
consider doing the same?
i know that execshield is not in the vanilla kernel, but when it comes
to
fyi, see upstream changelog as well:
http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233
On Fri, 10 Apr 2009 18:18:00 +0100 Darren Salt wrote:
> This does not apply to xine-lib. You mean CVE-2009-0698, which is fixed in
> unstable (and should soon be fixed in, at least, stable too; it probably
> applies to oldstable too, but I've not looked yet).
not that i nor anyone else should trus
package: ghostscript
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for ghostscript.
CVE-2007-6725[0]:
| The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly
| other versions, allows remote attackers to cause a denial
package: poppler
severity: grave
tags: security
hello,
ubuntu recently patched the following poppler issues [0]:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
the
package: cups
severity: grave
tags: security
hello,
redhat recently patched the following cups [0], xpdf [1], and
kdegraphics[2] issues:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183
these are
On Sat, 25 Apr 2009 01:15:11 + Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the nautilus package:
>
> #515104: nautilus: potential exploits via application launchers
awesome! any chance of backporting this to lenny
On Tue, 21 Apr 2009 23:54:36 +0200 Nico Golde wrote:
> Hi,
> turns out CVE-2008-6679 also is fixed since 8.64.
> The only unfixed issue in this report is CVE-2009-0196.
>
> Michael, please better check the code next time, this would
> have saved me a lot of time this evening.
I apologize. I ha
Package: clamav
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for clamav.
CVE-2008-5525[0]:
| ClamAV 0.94.1 and possibly 0.93.1, when Internet Explorer 6 or 7 is
| used, allows remote attackers to bypass detection of malware in an
|
hi,
any news on this one? since this is being tracked with critical
severity, it really should be handled as swiftly as possible (it's been
six months now since the original disclosure). suse has issued updates
for CVE-2008-5824, perhaps their patches may be helpful [1]. thanks.
mike
[1]
http
package: pango
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for pango1.0.
CVE-2009-1194[0]:
|Pango is a library for laying out and rendering text, with an emphasis
|on internationalization. Pango suffers from a multiplicative integer
Package: opensc
Severity: grave
Tags: security
Tags: patch
Hi,
There is a vulnerability in opensc. Details are:
| The security problem in short: you need a combination of
| 1.) a tool that starts a key generation with public exponent set to 1
| (an invalid value that causes an insecure rsa
package: clamav
severity: grave
tags: security
hi,
ubuntu recently patched a problem in clamav [1]. the description is:
It was discovered that ClamAV did not properly verify its input when
processing TAR archives. A remote attacker could send a specially
crafted TAR file and cause a denia
Package: php5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for php5.
CVE-2008-5814[0]:
| Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
| earlier, when display_errors is enabled, allows remote attackers to
| inje
Package: xine-lib
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows remote
| attack
package: dbus
version: 1.2.16-1
severity: grave
hello, dbus is currently uninstallable on sid; erroring with the
following message:
chown: cannot access `/usr/lib/dbus-1.0/dbus-daemon-launch-help': No
such file or directory
this can be fixed with a 'mkdir -p':
$ sudo mkdir -p /usr/lib/dbu
On Thu, 16 Jul 2009 21:26:53 +0200, Chiel Kooijman wrote:
> Package: base
> Severity: critical
> Tags: security
> Justification: root security hole
>
> I tried to edit /etc/fstab as user (forgot to use `sudo') but, as I
> noticed later, the partition that contains the root (/) files was full.
> Af
reassign 537299 vim
retitle 537299 vim: potential data loss on saturated disk partitions
tag 537299 - security
thanks
On Thu, 16 Jul 2009 23:26:26 +0200, Chiel Kooijman wrote:
> Thanks for your reply,
>
> I guess you're right.
> It hadn't occurred to me yet that it could have happened at the mome
package: libio-socket-ssl-perl
version: 1.01-1
severity: serious
tags: security, patch
a security issue has been fixed in the latest upstream version of
libio-socket-ssl-perl [0]. see patch [1]. please coordinate with the
security team to prepare updates for the stable releases. thank you.
[0
package: mediawiki
version: 1:1.15.0-1
severity: serious
tags: security
hello, multiple vulnerabilities have been fixed in upstream mediawiki
1.15.1 (these problems did not exist before 1.14.0, so lenny/etch are
not vulnerable) [0]. please update unstable to this version. thanks.
[0]
http://lists.w
package: htmldoc
version: 1.8.27-2
severity: serious
tags: security, patch
hello, a security advisory has been issued for htmldoc [0]. patches
available from gentoo [1]. please coordinate with the security team to
prepare updates for the stable releases. thank you.
[0] http://secunia.com/advi
while this bug is still open, would it make sense to disable the gcc
option/optimization/bug/flaw that allows this vulnerability to exist?
the "-fno-delete-null-pointer-checks" flag will completely disable
this option kernel-wide [1].
obviously there is a tradeoff here. the null pointer optimizat
tag 524806 patch
thanks
derived from ubuntu's 0.5.1 patch, here is a patch set for etch's
0.4.5. i am fairly certain all of these CVEs are addressed in this one.
note vulnerable code not present in etch for CVE-2009-0755/1188.
please test; i've done some basic testing with existing pdfs on my
s
reopen 535909
fixed 535909 1:3.0.1-3
thanks
> This bug has been solved with 1:3.0.1-2 before the bug was opened.
thanks for the update. please coordinate with the security team to
prepare updates for the stable releases.
package: php5
version: 5.2.0-8+etch13
severity: serious
tags: security, patch
it has been disclosed that php is potentially vulnerable to remote
memory disclosure [0]. patches are available for 5.2.10 and 5.3.0, but
older versions are likely affected (as well as php4). please check and
coordinat
the 2.8.1 fix is incomplete, and is now claimed fixed in 2.8.3. see:
http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
http://core.trac.wordpress.org/changeset/11765
http://core.trac.wordpress.org/changeset/11766
http://core.trac.wordpress.org/changeset/11768
http://core.
package: rubygems1.9
version: 1.3.1
tags: security
severity: serious
hello, it has been disclosed that a specially crafted gem archive could
be used to overwrite system files. confirmed for 1.3.x, but older
versions may also be affected. please check and help the security
team prepare updates fo
On Sun, 09 Aug 2009 15:34:18 +0900 Daigo Moriwaki wrote:
> Hello Michael,
>
> Michael S. Gilbert wrote:
> > package: rubygems1.9
> > version: 1.3.1
> > tags: security
> > severity: serious
> >
> > hello, it has been disclosed that a specially craft
On Sun, 9 Aug 2009 11:00:50 +0200 Sylvain Le Gall wrote:
> Hello,
>
> On Sat, Aug 08, 2009 at 11:01:45PM -0400, Michael S. Gilbert wrote:
> > reopen 535909
> > fixed 535909 1:3.0.1-3
> > thanks
> >
> > > This bug has been solved with 1:3.0.1-2 before t
On Sun, 09 Aug 2009 17:01:38 +0900 Daigo Moriwaki wrote:
> Hello Michael,
>
> Michael S. Gilbert wrote:
> >> In Debian, executables from gems install into a particular directory
> >> specific to
> >> RubyGems such as /var/lib/gems/{1.8|1.9.0}/bin instead of
On Mon, 10 Aug 2009 08:24:06 -0500, Gunnar Wolf wrote:
> Michael S. Gilbert dijo [Sun, Aug 09, 2009 at 11:58:04PM -0400]:
> > > I tried testgem downloaded from
> > > http://bugs.gentoo.org/show_bug.cgi?id=278566.
> > >
> > > % sudo gem install testgem
Package: libvorbis
Version: 1.1.2.dfsg-1.4
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libvorbis.
CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, a
Package: xulrunner
Version: 1.9.1.1-2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xulrunner.
CVE-2009-2663[0]:
| libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
| 3.5.x before 3.5.2 and other products, allows
On Mon, 10 Aug 2009 23:01:36 -0500, Peter Samuelson wrote:
>
> > CVE-2009-2663[0]:
> > | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> > | 3.5.x before 3.5.2 and other products, allows context-dependent
> > | attackers to cause a denial of service (memory corruption and
>
On Tue, 11 Aug 2009 11:47:50 +0200, Alexander Sack wrote:
> On Mon, Aug 10, 2009 at 07:47:29PM -0400, Michael S Gilbert wrote:
> > Package: xulrunner
> > Version: 1.9.1.1-2
> > Severity: grave
> > Tags: security
> >
> > Hi,
> > the following CV
severity 532689 important
thanks
denial-of-services are not serious. this should probably be fixed
with CVE-2009-0642 which is actually serious. please coordinate with
the security team to prepare updates for the stable releases on these.
Package: nautilus
Version: 2.20-7
Severity: grave
Tags: security
as you have probably seen by now, there has been a lot of coverage
about the potential avenue for exploits via kde and gnome application
launchers (it looks like xfce is safe, for now) [1], [2], [3].
the core of the problem is that
Package: konqueror
Version: 4:3.5.9.dfsg.1-6
Severity: grave
Tags: security
as you have probably seen by now, there has been a lot of coverage
about the potential avenue for exploits via kde and gnome application
launchers (it looks like xfce is safe, for now) [1], [2], [3].
the core of the probl
you can track progress for this bug in kde here [1]
[1] http://bugs.debian.org/515106
On Sun, 01 Mar 2009 10:16:27 +0100 wrote:
> > (although if that's the case, i think that there is a problem
> > with debian's documentation [1] since it appears to indicate that any
> > and all security holes are to be reported as grave).
>
> It says “Most security bugs should also be set at crit
reopen 532689
thank you
this bug isn't entirely fixed yet since stable is still affected.
please coordinate with the security team to prepare updates for lenny.
thanks.
mike
Package: libpng
Version: 1.2.15~beta5-1+etch2
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpng.
CVE-2009-2042[0]:
| libpng before 1.2.37 does not properly parse 1-bit interlaced images
| with width values that are not divisibl
On Thu, 25 Jun 2009 22:33:10 + Moritz Muehlenhoff wrote:
> lynx supports neither Javascript nor multipart/form-data, so it's not
> affected.
i am trying to track the deeper cause here (the fact that all of the
web browsers use a predictable PRNG), rather than the symptom (this
particular explo
Package: cupsys
Version: 1.2.7-4etch6
Severity: serious
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.
CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to c
Package: cups
Version: 1.3.8-1+lenny6
Severity: serious
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cups.
CVE-2009-0791[0]:
| Multiple integer overflows in the pdftops filter in CUPS 1.1.17,
| 1.1.22, and 1.3.7 allow remote attackers to c
reopen 534973
fixed 534973 1:1.5.2-5
thanks
hello,
please assist the security team to prepare updates for this issue in
the stable releases. thank you.
mike
hello,
i just encountered this problem after upgrading xorg in unstable as
well. i use the dvorak keyboard, but now gdm and x have switched to
qwerty by default. i have tried reverting to libxi6 1.1.4 from
testing, but that did not solve the problem. i also tried setting up
the following in /etc
reopen 532522
forwarded 532522 http://www.dillo.org/bugtrack/Dquery.html
thanks
package: dillo
version: 0.8.5-4
severity: serious
tags: security
hello,
it has been found that dillo is vulnerable to an integer overflow. the
text of the problem is:
|Dillo, an open source graphical web browser, suffers from an integer
|overflow which may lead to a potentially exploitable heap
fixed 533347 1.0.8-1
thanks
some more info about this issue can be found here [1]. please
coordinate with the security team to prepare updated packages for the
stable releases. thanks.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=501929
package: webkit
version: 1.0.1-4
severity: grave
tags: security
hello,
webkit has recently been hit by a deluge of security issues [1],[2].
i've been trying to figure out the state of these problems and where
debian is affected, but apple's security announcements have been
notoriously sparse.
th
forwarded 535793 https://bugs.webkit.org/show_bug.cgi?id=26973
thanks
i've started a discussion on these issues in the upstream bug report
in the above link.
On 7/5/09, Kiko Piris wrote:
> Can’t upgrade nagios3 to 3.0.6-5, aptitude complains :
>
> | The following packages have unmet dependencies:
> | nagios3: Depends: libltdl3 (>= 1.5.2-2) which is a virtual package.
>
> And since that version solves DSA-1825-1, setting severity to grave.
>
> Regards
forwarded 532520 http://lists.gnu.org/archive/html/lynx-dev/2009-07/msg0.html
thanks
it looks like the lynx situation for this issue isn't so simple.
from some of the upstream discussion, it looks like libbsd provides an
arc4random cryptographically secure PRNG, which lynx prefers when
available. an appropriate fix for this issue thus would be to depend on
libbsd0 and make sure lynx makes use of its arc4random.
mike
On Sun, 5 Jul 2009 08:43:27 +0200 Kiko Piris wrote:
> | # apt-cache policy nagios3
> | nagios3:
> | Installed: 3.0.6-4+b1
> | Candidate: 3.0.6-5
> | Version table:
> | 3.0.6-5 0
> | 500 http://mir1.ovh.net unstable/main Packages
> | *** 3.0.6-4+b1 0
> | 100 /var/lib/dpkg
On Sun, 5 Jul 2009 20:25:47 +0200 Kiko Piris wrote:
> Yes, I can see it now.
>
> But, according to the file date on a couple of mirrors I just checked,
> it seems to have “appeared” this morning at 11:19 CEST (just a couple of
> hours after my bugreport).
fixed in latest unstable upload. closing
Package: phpmyadmin
Version: 4:2.9.1.1-10
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpmyadmin.
CVE-2009-2284[0]:
| Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1
| allows remote attackers to inject arbi
package: rails
version: 1.1.6-3
severity: serious
tags: security
hello,
it has been found that rails is vulnerable to a password bypass [1]. this will
be fixed in upstream version 2.3.3.
[1]
http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
package: camlimages
version: 2.20-8
severity: serious
tags: security
hello,
camlimages is vulnerable to several integer overflows [1]. this has
not yet been fixed upstream, but has been addressed by redhat [2].
[1] http://www.ocert.org/advisories/ocert-2009-009.html
[2] https://bugzilla.redhat.
On Mon, 6 Jul 2009 21:44:44 +0200 Thijs Kinkhorst wrote:
> > version 1:1.5.2-5 that I released to unstable is suitable for stable
> > aswell. Prior to this bugfix unstable and stable both contained
> > version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
> > build it for stable as
Package: apache2
Version: 2.2.3-4+etch6
Severity: serious
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for apache2.
CVE-2009-1890[0]:
| The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
| module in the Apache HTTP Server befo
reopen 535488
reopen 535489
thanks
On Sat, 11 Jul 2009 17:20:46 +0200 Martin Pitt wrote:
> Hello Michael,
>
> Michael S. Gilbert [2009-07-02 12:35 -0400]:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for cups.
> >
package: wordpress
version: 2.0.10-1etch3
severity: serious
tags: security
an advisory, CORE-2009-0515, has been issued for wordpress. there are issues
with unchecked privileges and many potential information disclosures. see [1].
this is fixed in upstream version 2.8.1. please coordinate wit
package: iceweasel
version: 3.5
severity: critical
tags: security
hello, a remote shellcode injection has been disclosed for firefox [0],
[1]. the advisory says that version 3.5 has been verified as
vulnerable, but older versions are very likely susceptible as well. i
have not checked.
this is c
forwarded 537104 https://bugzilla.mozilla.org/show_bug.cgi?id=504237
thanks
forcemerge 541496 541483
thanks
the kernel-sec team is aware and tracking the issue. Dann Frazier may
be able to update with more info/timeframe.
mike
fyi, ubuntu has patches in progress for older versions, which may be
useful for backports to the stable releases:
http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00011.html
http://git.savannah.gnu.org/cgit/gnutls.git/patch/?id=177e7ddb761999cd8b439e14a2bf43590756e230
dear maintainer,
the security team has applied an nmu for xscreensaver in unstable and
will soon for experimental also. see attached debdiffs.
regards,
michael gilbert
xscreensaver.debdiff
xscreensaver-experimental.debdiff
just a quick suggestion to try: manually remove the problematic file first
(i.e. 'sudo rm /usr/lib/fglrx/diversions/libglx.so'), then use apt to remove
the package.
mike
tag 542400 -moreinfo
found 542400 1:9-8-1
thanks
fyi, i was just able to reproduce this problem with 1:9-8-1. my suggested
workaround does work:
$ sudo rm /usr/lib/fglrx/diversions/libglx.so
$ sudo apt-get remove fglrx-glx
Reading package lists... Done
Building dependency tree
Reading st
On Sun, 23 Aug 2009 20:49:13 +0200 Bertrand Marc Bertrand wrote:
> I don't think you should remove /usr/lib/fglrx/diversions/libglx.so by
> hand. This file belongs to xserver-xorg-core (that's why there is a
> diversion).
agreed. that is just a temporary solution to get the problematic
package
fixed 542400 1:9-8-2
thanks
tested revision 278. your changes have fixed this problem. thanks!
mike
Hi,
A new lenny release is coming soon and there are some open security
issues in poppler that I have fixed. Attached is the debdiff of the
changes.
The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/p/poppler
- Source repository: deb-src http://men