
UNIRAS Brief - 971/05 - Debian - Various Security Bulletins



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 971/05 dated 22.11.05  Time: 11:01
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
Debian Security Advisories

Detail
====== 
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 900-2                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
November 21st, 2005                     http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : fetchmail
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2005-3088
Debian Bug     : 336096

Due to a restrictive dependency definition, the updated fetchmailconf
package could not be installed on the old stable distribution (woody)
together with fetchmail-ssl.  Hence, this update loosens the dependency
so that the update can be pulled in.  For completeness we're including
the original advisory text:

   Thomas Wolff discovered that the fetchmailconf program, which is
   provided as part of fetchmail, an SSL-enabled POP3, APOP, IMAP mail
   gatherer/forwarder, creates the new configuration in an insecure
   fashion that can lead to leaking passwords for mail accounts to
   local users.

This update also fixes a regression in the package for stable caused
by the last security update.

For the old stable distribution (woody) this problem has been fixed in
version 5.9.11-6.4.

For the stable distribution (sarge) this problem has been fixed in
version 6.2.5-12sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 6.2.5.4-1.

We recommend that you upgrade your fetchmail package.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDgY/aW5ql+IAeqTIRAkiuAKCT29H2NQLFBWmTqqNCrvMBlPW6aQCfUynO
I0XlLd+3EfcgvkLutbt93P8=
=hMMc
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 901-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
November 19th, 2005                     http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : gnump3d
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2005-3349 CVE-2005-3355

Several vulnerabilities have been discovered in gnump3d, a streaming
server for MP3 and OGG files.  The Common Vulnerabilities and
Exposures Project identifies the following problems:

CVE-2005-3349

    Ludwig Nussel discovered that several temporary files are created
    with predictable filenames in an insecure fashion, which allows
    local attackers to mount symlink attacks.

CVE-2005-3355

    Ludwig Nussel discovered that the theme parameter to HTTP
    requests may be used for path traversal.
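Both gnump3d findings above are handled by the same two defensive habits: never derive a filesystem path from a request parameter without confining the fully resolved path to a fixed root, and never pick temporary file names yourself. The Python below is an added example written for this page, not gnump3d's own code; the theme root, the parameter allowlist and the file prefix are assumptions.

```python
"""Contain a user-supplied theme name inside the theme directory and create
temporary files with unpredictable names (added example for DSA 901-1; the
theme root and parameter handling are assumptions, not gnump3d's code)."""
import os
import re
import stat
import tempfile

# A theme is identified by a plain name; anything else is rejected before it touches a path.
THEME_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def contained_path(root, relative):
    """Resolve relative under root and return it, or None if it escapes root.
    realpath() follows symlinks, so a link inside root that points outside is
    caught as well as '..' components and absolute paths."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, relative))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def safe_theme_path(theme_root, theme_param):
    """Map the HTTP 'theme' parameter to a directory under theme_root, or None.
    Two independent layers: the allowlist on the parameter, then containment
    of the fully resolved path."""
    if not theme_param or "\x00" in theme_param or not THEME_NAME.fullmatch(theme_param):
        return None
    return contained_path(theme_root, theme_param)


def create_private_tempfile(prefix="gnump3d-"):
    """Create a temporary file with a random name and mode 0600; return (fd, path).
    mkstemp() opens with O_EXCL, so a symlink pre-planted at a guessed name makes
    the call fail instead of redirecting the write to the link's target."""
    return tempfile.mkstemp(prefix=prefix)


def tempfile_mode(prefix="gnump3d-"):
    """Create a private temporary file, report its permission bits, and clean up."""
    fd, path = create_private_tempfile(prefix)
    try:
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)
        os.unlink(path)
```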

The old stable distribution (woody) does not contain a gnump3d package.

For the stable distribution (sarge) these problems have been fixed in
version 2.9.3-1sarge3.

For the unstable distribution (sid) these problems have been fixed in
version 2.9.8-1.

We recommend that you upgrade your gnump3d package.



- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDftFUW5ql+IAeqTIRAvsTAJ0UBLkVAUo4NSQg8r3MsbMtXGC0CgCfcvA0
wR5CC4V9G2kyiBDF9UsYWXE=
=/EV6
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 902-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
November 21st, 2005                     http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : xmail
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2005-2943

A buffer overflow has been discovered in the sendmail program of
xmail, an advanced, fast and reliable ESMTP/POP3 mail server.  It
could lead to the execution of arbitrary code with group mail
privileges.

The old stable distribution (woody) does not contain xmail packages.

For the stable distribution (sarge) this problem has been fixed in
version 1.21-3sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 1.22-1.

We recommend that you upgrade your xmail package.



- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDgX0qW5ql+IAeqTIRAk7gAJ9iEkkF3Me2oSa2OxTPq3OCDFZzNwCeOrN2
5HBvgXDJyEA6EMUQUtpFy8Q=
=7g5i
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 903-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
November 21st, 2005                     http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : unzip
Vulnerability  : race condition
Problem type   : local
Debian-specific: no
CVE ID         : CAN-2005-2475
BugTraq ID     : 14450
Debian Bug     : 321927

Imran Ghory discovered a race condition in the permission-setting
code in unzip.  When decompressing a file in a directory an attacker
has access to, unzip could be tricked into setting the file permissions
on a different file that the user has permissions to.
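The unzip race above and the fetchmailconf problem in DSA 900-2 both come down to how a file is created and how its permissions are applied: once a program looks a name up again after writing, whatever sits at that name by then is what receives the mode. The Python below is an added example for this page, not fetchmail or unzip code; it assumes a POSIX system where os.O_NOFOLLOW and os.fchmod are available, and contrasts the racy pattern with one that only ever acts on the descriptor it opened.

```python
"""Create files so that the permission change cannot be redirected to another
file (added example for DSA 900-2 and DSA 903-1; not fetchmail or unzip code;
os.O_NOFOLLOW is assumed to exist, as on Linux and the BSDs)."""
import os
import stat
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def write_racy(path, data, mode):
    """The shape of the bug the unzip advisory describes, shown for contrast only:
    the data is written, then chmod() looks the *name* up a second time, so
    whatever sits at that name by then receives the mode."""
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)      # second lookup of the same name: the race window


def write_private(path, data, mode=0o600):
    """Create path with data and mode using a single descriptor throughout.

    O_EXCL fails if anything (file or symlink) already exists at path and
    O_NOFOLLOW refuses to follow a symlink there; the file is born 0600 so no
    other user can read partial contents; fchmod() then acts on the inode we
    opened, never on the name.  Good for a config file holding passwords
    (leave mode at 0600) or for an archive entry with its recorded mode."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fchmod(f.fileno(), stat.S_IMODE(mode))
    return path


def demo():
    """Exercise write_private in a scratch directory and return what was observed."""
    d = tempfile.mkdtemp()
    # Constructed stand-in for a fetchmailconf-style file with credentials in it.
    rc = write_private(os.path.join(d, ".fetchmailrc"), b"poll mail.example.org ...\n")
    rc_mode = stat.S_IMODE(os.stat(rc).st_mode)
    # A file that must stay private, and a symlink to it planted at the name the
    # next write will use (the situation the unzip race could be steered into).
    victim = write_private(os.path.join(d, "victim"), b"keep me private\n", 0o600)
    os.symlink(victim, os.path.join(d, "entry.txt"))
    refused = False
    try:
        write_private(os.path.join(d, "entry.txt"), b"extracted\n", 0o666)
    except FileExistsError:
        refused = True
    victim_mode = stat.S_IMODE(os.stat(victim).st_mode)
    return {"rc_mode": rc_mode, "symlink_refused": refused, "victim_mode": victim_mode}
```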

For the old stable distribution (woody) this problem has been fixed in
version 5.50-1woody4.

For the stable distribution (sarge) this problem has been fixed in
version 5.52-1sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 5.52-4.

We recommend that you upgrade your unzip package.



- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDgatcW5ql+IAeqTIRAvMvAKCcVwATytiDdN4K/62sYNSoqSzJNQCfQqzu
zrJu9fZOdCZoskHU/ct/SUQ=
=9Jbk
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 904-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
November 21st, 2005                     http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : netpbm-free
Vulnerability  : buffer overflows
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2005-3632

Greg Roelofs discovered and fixed several buffer overflows in pnmtopng,
which is also included in netpbm, a collection of graphic conversion
utilities.  They can lead to the execution of arbitrary code via a
specially crafted PNM file.

For the old stable distribution (woody) these problems have been fixed in
version 9.20-8.5.

For the stable distribution (sarge) these problems have been fixed in
version 10.0-8sarge2.

For the unstable distribution (sid) these problems will be fixed in
version 10.0-11.

We recommend that you upgrade your netpbm package.


      Size/MD5 checksum:  1178734 999eddf08e1d0c24d16f601a220c9b93

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10_10.0-8sarge2_ia64.deb
      Size/MD5 checksum:    96466 544eb8f9ff0086c3e9d3abdec86fbec9
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10-dev_10.0-8sarge2_ia64.deb
      Size/MD5 checksum:   154668 80d6aebf07b4338ce1816959226c1227
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_10.0-8sarge2_ia64.deb
      Size/MD5 checksum:   107210 515ff376d227fa5cd1e3f314da465934
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_10.0-8sarge2_ia64.deb
      Size/MD5 checksum:   155020 3b539cd2d6b0fee495dcc954faedf0a1
    http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_10.0-8sarge2_ia64.deb
      Size/MD5 checksum:  1816522 cb9920b1ce0035f070db19adbc15373b

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10_10.0-8sarge2_hppa.deb
      Size/MD5 checksum:    77962 4640e42165c5a28faee159623eaf3b47
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10-dev_10.0-8sarge2_hppa.deb
      Size/MD5 checksum:   128068 045b1b3c72a4b538de0eef9f39f22bf4
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_10.0-8sarge2_hppa.deb
      Size/MD5 checksum:    88608 5e57aa608b3b5bb7da235d8f81de6fd5
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_10.0-8sarge2_hppa.deb
      Size/MD5 checksum:   128532 7620a8001c3436855b929cd80c8f7af6
    http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_10.0-8sarge2_hppa.deb
      Size/MD5 checksum:  1410172 936284480aff9674517eccfaae99f76d

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10_10.0-8sarge2_m68k.deb
      Size/MD5 checksum:    62276 a7695c8d946d05b977686d8c5a43d569
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10-dev_10.0-8sarge2_m68k.deb
      Size/MD5 checksum:   105384 428c32376928676f579b4acc808df5ba
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_10.0-8sarge2_m68k.deb
      Size/MD5 checksum:    69594 bc6914997fd9942c4881124feff14bd6
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_10.0-8sarge2_m68k.deb
      Size/MD5 checksum:   105604 f11be5ff58c8fd6ee632bf01647e4199
    http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_10.0-8sarge2_m68k.deb
      Size/MD5 checksum:  1119642 fbd4be6544590ec08a818220e08d0e71

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10_10.0-8sarge2_mips.deb
      Size/MD5 checksum:    68680 554ee1f49b1399d0e0ce57aaccfdaa22
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10-dev_10.0-8sarge2_mips.deb
      Size/MD5 checksum:   120034 acb9e8860ffd41b6abedaacae15d22cc
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_10.0-8sarge2_mips.deb
      Size/MD5 checksum:    75504 5e82d1e1f5e806d470d6f139a474ed77
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_10.0-8sarge2_mips.deb
      Size/MD5 checksum:   120384 6c23833c6690f184a9f4099cf2de7d38
    http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_10.0-8sarge2_mips.deb
      Size/MD5 checksum:  1671538 565ffe085afee85bdadb3931716aff9a

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10_10.0-8sarge2_mipsel.deb
      Size/MD5 checksum:    68390 09eaf6ff62842b12bba001003ceda8dc
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10-dev_10.0-8sarge2_mipsel.deb
      Size/MD5 checksum:   120134 ea9ca48c392b946b75591818b1a7f08a
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_10.0-8sarge2_mipsel.deb
      Size/MD5 checksum:    75164 26701ac67beabf7d842e894a0d40130c
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_10.0-8sarge2_mipsel.deb
      Size/MD5 checksum:   120442 ab43c7303e4a3d00cf281f5a05e4e83f
    http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_10.0-8sarge2_mipsel.deb
      Size/MD5 checksum:  1678264 f4df4fa5a4873fa38fcdf06a93d867b2

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10_10.0-8sarge2_powerpc.deb
      Size/MD5 checksum:    71138 5537258e9e342998750d9b6506982164
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10-dev_10.0-8sarge2_powerpc.deb
      Size/MD5 checksum:   123604 e12f868f695adfcef8a6256cbb89daaa
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_10.0-8sarge2_powerpc.deb
      Size/MD5 checksum:    83324 129d59fb7fdfda0dfd06327eda4ea214
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_10.0-8sarge2_powerpc.deb
      Size/MD5 checksum:   123910 193561799536112dbfac38c50cb89a6b
    http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_10.0-8sarge2_powerpc.deb
      Size/MD5 checksum:  1521584 f2ec44857eaf4bf9e591a2e0d993d65c

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10_10.0-8sarge2_s390.deb
      Size/MD5 checksum:    70438 deaf1eac0c8c8e1ed2e676aee31cec47
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10-dev_10.0-8sarge2_s390.deb
      Size/MD5 checksum:   115184 4a96f38c41c6e0bf4c66aa3419178a22
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_10.0-8sarge2_s390.deb
      Size/MD5 checksum:    77632 ca8446b3919271228491d8b255fd5bf9
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_10.0-8sarge2_s390.deb
      Size/MD5 checksum:   115652 37cb64b6ac171da0fffa8944fbe5f60d
    http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_10.0-8sarge2_s390.deb
      Size/MD5 checksum:  1256870 427dae51b929fdb0ef16feb60019fdcd

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10_10.0-8sarge2_sparc.deb
      Size/MD5 checksum:    67734 b3eacbd2deeb9da5fed21fa03647951f
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm10-dev_10.0-8sarge2_sparc.deb
      Size/MD5 checksum:   117286 fce7a4a7d08697f2cf5b2b22c94934ea
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_10.0-8sarge2_sparc.deb
      Size/MD5 checksum:    74492 81ece0d62781d46579cfc923e2f9ad4d
    http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_10.0-8sarge2_sparc.deb
      Size/MD5 checksum:   117698 5217fe47475db4e8d0e8f99ff5675aca
    http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_10.0-8sarge2_sparc.deb
      Size/MD5 checksum:  1279416 f0e1ad2342fefbdce08630777d03c579


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDgf5OW5ql+IAeqTIRAmMmAJ9mjT2xHOCjQj43OERq7JFtD3ze6gCfRPh0
E/yFbQi4Oo+JrV/fUw4h3u0=
=Z1R9
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 811-2                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
November 21st, 2005                     http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : common-lisp-controller
Vulnerability  : design error
Problem type   : local
Debian-specific: no
CVE ID         : CAN-2005-2657

The bugfix for the problem mentioned below contained an error that
caused third party programs to fail.  The problem is corrected by this
update.  For completeness we're including the original advisory text:

   Francois-Rene Rideau discovered a bug in common-lisp-controller, a
   Common Lisp source and compiler manager, that allows a local user
   to compile malicious code into a cache directory which is executed
   by another user if that user has not used Common Lisp before.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 4.15sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 4.18.

We recommend that you upgrade your common-lisp-controller package.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
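The manual path above (`wget url`, then `dpkg -i file.deb`) leaves out the step a practitioner wants between the two: checking the downloaded file against the Size/MD5 values published in the advisory before handing it to dpkg. The script below is an added example, not Debian's or UNIRAS's own tooling; the function names `verify_deb`, `fetch_and_verify` and `self_check` are mine, and it assumes `wget`, `dpkg` and GNU `md5sum` (with a fallback to BSD `md5`) are on the PATH. The manifest entry is the common-lisp-controller package listed in this advisory. MD5 is what the 2005 advisories publish; it catches truncated or corrupted downloads and mismatches against the published list, but the authenticity guarantee comes from the PGP signature over the advisory itself and from apt's signed archive metadata, not from the digest alone.

```shell
#!/bin/sh
# Added example (not part of the Debian advisory): verify a downloaded .deb's
# byte count and MD5 digest against the advisory's published values, and only
# then run dpkg -i. The helper names below are this example's own.

# Portable byte count (wc output may carry leading spaces on BSD systems).
file_size() { wc -c < "$1" | tr -d ' '; }

# MD5 digest as a bare hex string: GNU md5sum on Debian, md5 -q on BSD/macOS.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only when both the size and the digest match the advisory.
verify_deb() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    got_size=$(file_size "$file")
    got_md5=$(file_md5 "$file")
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $got_size, expected $want_size" >&2
        return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "md5 mismatch for $file: got $got_md5, expected $want_md5" >&2
        return 1
    fi
    echo "ok: $file"
    return 0
}

# Manifest copied from the advisory text: URL, size, MD5 per line.
MANIFEST='
http://security.debian.org/pool/updates/main/c/common-lisp-controller/common-lisp-controller_4.15sarge3_all.deb 24184 854430ec786872dc81f7d735dd554e54
'

# Download each manifest entry, verify it, and install only on success.
# Needs network access and root for dpkg; run as: sh thisscript.sh --fetch
fetch_and_verify() {
    printf '%s\n' "$MANIFEST" | while read -r url size md5; do
        [ -n "$url" ] || continue
        f=${url##*/}
        wget -q "$url" -O "$f" || { echo "download failed: $url" >&2; continue; }
        if verify_deb "$f" "$size" "$md5"; then
            dpkg -i "$f" < /dev/null
        else
            rm -f "$f"   # never install a file that failed verification
        fi
    done
}

# Offline self-check on a constructed file: "hello\n" is 6 bytes and its
# MD5 is b1946ac92492d2347c6235b4d2611184. A same-length, one-byte change
# keeps the size check happy but must still fail on the digest.
self_check() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    if ! verify_deb "$tmp" 6 b1946ac92492d2347c6235b4d2611184; then
        rm -f "$tmp"; return 1
    fi
    printf 'hellp\n' > "$tmp"
    if verify_deb "$tmp" 6 b1946ac92492d2347c6235b4d2611184 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
    return 0
}

case "${1:-}" in
    --fetch) fetch_and_verify ;;
    --self-check) self_check && echo "self-check passed" ;;
esac
```

Run `sh thisscript.sh --self-check` to exercise the verifier offline, and `--fetch` (as root, with network) to perform the advisory's download-verify-install sequence. The size check is cheap and catches truncated transfers; the digest check catches a file whose length is right but whose contents differ from what the advisory lists.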


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/common-lisp-controller/common-lisp-controller_4.15sarge3.dsc
      Size/MD5 checksum:      599 20ea8fa341ceb1cf7b023aff4df6e389
    http://security.debian.org/pool/updates/main/c/common-lisp-controller/common-lisp-controller_4.15sarge3.tar.gz
      Size/MD5 checksum:    25132 0f2d6f3e075eb70397b6664c37e99867

  Architecture independent components:

    http://security.debian.org/pool/updates/main/c/common-lisp-controller/common-lisp-controller_4.15sarge3_all.deb
      Size/MD5 checksum:    24184 854430ec786872dc81f7d735dd554e54


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDgW8EW5ql+IAeqTIRAkusAKCcoQkyJQv+Ra/wJ3g4WiM1WH1DXwCbB/jp
wF+MXIlgUhcChT9hrccg7HY=
=irng
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Debian for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>




-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQCVAwUBQ4L67Ipao72zK539AQFtGAP/S/H8qT/MD8AGNxXIbhwSKGufjL4Axo7I
nnnAVauwXKFjBpQFxIKDuOcxv7/1gx+qNXpjj2VTbyvWniebNp/orMgzBpdGTqsy
R+pZPPD/ZKAT3+GigVScflyPTUoRANcpPiFD7+olJVNLg+cZ+bBp3WV7P2WNQBZs
JD3Uk7k0pLI=
=YUSW
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________