
UNIRAS Brief - 540/05 - Debian - Four Security Advisories



 
-----BEGIN PGP SIGNED MESSAGE-----


----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 540/05 dated 14.07.05  Time: 11:10
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

Debian - Four Security Advisories:
     1.  New packages fix remote command execution in phpgroupware   [DSA 746-1]
     2.  New centericq packages fix insecure temporary file creation [DSA 754-1]
     3.  New tiff packages fix arbitrary code execution              [DSA 755-1]
     4.  New squirrelmail packages fix several vulnerabilities       [DSA 756-1] 


Detail
====== 

Security Advisory summaries:

     1.  A vulnerability had been identified in the xmlrpc library included with
         phpgroupware, a web-based application including email, calendar and
         other groupware functionality. This vulnerability could lead to the
         execution of arbitrary commands on the server running phpgroupware.

     2.  It has been discovered that centericq, a text-mode multi-protocol
         instant messenger client, creates some temporary files with
         predictable filenames and is hence vulnerable to symlink attacks by
         local attackers.

     3.  A stack-based buffer overflow in libtiff, the Tag Image File Format library 
         for processing TIFF graphics files, has been discovered that can lead to 
         the execution of arbitrary code via malformed TIFF files.

     4.  Several vulnerabilities have been discovered in Squirrelmail, a
         commonly used webmail system.


Security Advisory content follows:


1.



------------------------------------------------------------------------
Debian Security Advisory DSA 746-1                   security@xxxxxxxxxx
http://www.debian.org/security/                            Michael Stone
July 13, 2005                         http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : phpgroupware
Vulnerability  : remote command execution
Problem type   : input validation error
Debian-specific: no
CVE Id(s)      : CAN-2005-1921

A vulnerability had been identified in the xmlrpc library included with
phpgroupware, a web-based application including email, calendar and
other groupware functionality. This vulnerability could lead to the
execution of arbitrary commands on the server running phpgroupware.

The security team is continuing to investigate the version of
phpgroupware included with the old stable distribution (sarge). At this
time we recommend disabling phpgroupware or upgrading to the current
stable distribution (sarge).

For the current stable distribution (sarge) this problem has been fixed
in version 0.9.16.005-3.sarge0.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.16.006-1.

We recommend that you upgrade your phpgroupware package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (sarge)
------------------

  sarge was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.


-------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>




2.




--------------------------------------------------------------------------
Debian Security Advisory DSA 754-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
July 13th, 2005                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : centericq
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-1914
BugTraq ID     : 14144

Eric Romang discovered that centericq, a text-mode multi-protocol
instant messenger client, creates some temporary files with
predictable filenames and is hence vulnerable to symlink attacks by
local attackers.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 4.20.0-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 4.20.0-7.

We recommend that you upgrade your centericq package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
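
The failure mode DSA 754-1 describes, as an added C example that is not centericq's code or part of the advisory: a temporary file with a fixed name, opened without O_EXCL, follows a symlink that already has that name, while O_CREAT|O_EXCL or mkstemp() does not. The scratch directory and file names are constructed for the demonstration.

```c
/* Added illustration of the bug class in DSA 754-1; not centericq's code.
 * All names are constructed and everything stays in a private scratch dir. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { UNSAFE_FIXED_NAME, SAFE_FIXED_NAME, SAFE_RANDOM_NAME };

/* Unsafe: fixed name without O_EXCL. If a symlink already has that name,
 * open() follows it and O_TRUNC empties the file it points to. */
static int open_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe when the name has to stay fixed: with O_CREAT|O_EXCL the call fails
 * with EEXIST if anything, including a symlink, already has that name. */
static int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() replaces the trailing XXXXXX with a random suffix
 * and creates the file exclusively with mode 0600. */
static int open_random(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Size of a regular file, or -1 if it cannot be examined. */
static long size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Put a 4-byte file and a symlink to it (at the predictable temp name) in a
 * scratch directory, create the temp file with the chosen strategy, write 7
 * bytes to it, and return the size of the symlink target afterwards.
 * *err receives errno if creating the temp file failed, else 0. */
long victim_size_after(int mode, int *err)
{
    char dir[] = "/tmp/dsa754-demo.XXXXXX";
    char victim[64], fixed[64], tmpl[64];
    long size = -1;
    int fd;

    *err = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(fixed, sizeof fixed, "%s/app.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0 ||
        symlink(victim, fixed) != 0)
        goto cleanup;

    if (mode == UNSAFE_FIXED_NAME)
        fd = open_unsafe(fixed);
    else if (mode == SAFE_FIXED_NAME)
        fd = open_exclusive(fixed);
    else
        fd = open_random(tmpl);

    if (fd < 0) {
        *err = errno;
    } else {
        if (write(fd, "tmpdata", 7) != 7)
            *err = errno;
        close(fd);
    }
    size = size_of(victim);

cleanup:
    unlink(tmpl);   /* only exists if mkstemp() ran */
    unlink(fixed);
    unlink(victim);
    rmdir(dir);
    return size;
}

int main(void)
{
    static const char *label[] = { "fixed name, no O_EXCL",
                                   "fixed name, O_EXCL",
                                   "mkstemp()" };
    for (int mode = UNSAFE_FIXED_NAME; mode <= SAFE_RANDOM_NAME; mode++) {
        int err;
        long size = victim_size_after(mode, &err);
        printf("%-22s target size %ld (was 4), errno %d\n",
               label[mode], size, err);
    }
    return 0;
}
```

On Linux, fs.protected_symlinks=1 limits this class of bug in sticky world-writable directories such as /tmp, but the application-side fix is still exclusive creation.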




3.




--------------------------------------------------------------------------
Debian Security Advisory DSA 755-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
July 13th, 2005                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : tiff
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-1544
Debian Bug     : 309739

Frank Warmerdam discovered a stack-based buffer overflow in libtiff,
the Tag Image File Format library for processing TIFF graphics files
that can lead to the execution of arbitrary code via malformed TIFF
files.

For the old stable distribution (woody) this problem has been fixed in
version 3.5.5-7.

For the stable distribution (sarge) this problem has been fixed in
version 3.7.2-3.

For the unstable distribution (sid) this problem has been fixed in
version 3.7.2-3.

We recommend that you upgrade your libtiff packages.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC1QeAW5ql+IAeqTIRAg3QAKCrXnTEx6QLUi/GycstXUwiTl4BdQCfX885
ECPeLU0ufeSouPHXHVi0TME=
=eI3i
- - -----END PGP SIGNATURE-----



4.



- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - --------------------------------------------------------------------------
Debian Security Advisory DSA 756-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
July 13th, 2005                         http://www.debian.org/security/faq
- - - --------------------------------------------------------------------------

Package        : squirrelmail
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE IDs        : CAN-2005-1769 CAN-2005-2095
Debian Bug     : 314374 317094

Several vulnerabilities have been discovered in Squirrelmail, a
commonly used webmail system.  The Common Vulnerabilities and
Exposures project identifies the following problems:

CAN-2005-1769

    Martijn Brinkers discovered cross-site scripting vulnerabilities
    that allow remote attackers to inject arbitrary web script or HTML
    in the URL and e-mail messages.

CAN-2005-2095

    James Bercegay of GulfTech Security discovered a vulnerability in
    the variable handling which could lead to attackers altering other
    people's preferences and possibly reading them, writing files at
    any location writable for www-data and cross site scripting.

For the old stable distribution (woody) these problems have been fixed in
version 1.2.6-4.

For the stable distribution (sarge) these problems have been fixed in
version 1.4.4-6sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 1.4.4-6sarge1.

We recommend that you upgrade your squirrelmail package.


Upgrade Instructions
- - - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-4.dsc
      Size/MD5 checksum:      646 a3739e908230dfe1fa1074b299087276
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-4.diff.gz
      Size/MD5 checksum:    24291 c7107719af77e02daae1c3fd5a4000b8
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
      Size/MD5 checksum:  1856087 be9e6be1de8d3dd818185d596b41a7f1

  Architecture independent components:

    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-4_all.deb
      Size/MD5 checksum:  1841510 3557389721f6e851b772838205841e01


Debian GNU/Linux 3.1 alias sarge
- - - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-6sarge1.dsc
      Size/MD5 checksum:      690 c518315ea574b2f268a028eb32de4497
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-6sarge1.diff.gz
      Size/MD5 checksum:    23441 fb2b94a5b1bf90c1b8c8b0c71fe1c40c
    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4.orig.tar.gz
      Size/MD5 checksum:   575871 f50548b6f4f24d28afb5e6048977f4da

  Architecture independent components:

    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-6sarge1_all.deb
      Size/MD5 checksum:   569980 2150edd3d6fea2d20d7d448a75be8d63


  These files will probably be moved into the stable distribution on
  its next update.

- - - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC1Uz/W5ql+IAeqTIRAkE5AJ4zYssU48i0nLc1pdkdO1C8tyjknwCgl4a4
r/XUlykNIY0E/+KJATLyPLY=
=scv2
- - -----END PGP SIGNATURE-----
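Added example, not part of the Debian or UNIRAS text: a Python check that parses the "Size/MD5 checksum" listing layout used in the advisory above and compares a downloaded file against it before `dpkg -i` is run. The names `parse_listing` and `verify_file` and the second listing entry (an `example.invalid` URL with payload `hello world`) are constructed for illustration.

```python
import hashlib
import os
import re

# Two listing entries in the advisory's layout. The first is copied from the
# advisory; the second is constructed for the demo (payload b"hello world").
LISTING = """\
  Architecture independent components:

    http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-4_all.deb
      Size/MD5 checksum:  1841510 3557389721f6e851b772838205841e01
    http://example.invalid/pool/demo_1.0_all.deb
      Size/MD5 checksum:       11 5eb63bbbe01eeed093cb22bb8f5acdc3
"""

# A URL line followed by its "Size/MD5 checksum:" line.
ENTRY = re.compile(
    r"^\s*(?P<url>(?:https?|ftp)://\S+)\s*\n"
    r"\s*Size/MD5 checksum:\s+(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})\s*$",
    re.MULTILINE,
)


def parse_listing(text):
    """Map each file name in the listing to its (size, md5) pair."""
    expected = {}
    for m in ENTRY.finditer(text):
        name = m.group("url").rsplit("/", 1)[-1]
        expected[name] = (int(m.group("size")), m.group("md5"))
    return expected


def verify_file(path, expected):
    """Return 'ok', 'unlisted', 'size-mismatch' or 'md5-mismatch' for path."""
    name = os.path.basename(path)
    if name not in expected:
        return "unlisted"          # never install a file the advisory does not list
    size, md5 = expected[name]
    if os.path.getsize(path) != size:
        return "size-mismatch"     # cheap check first: truncated or padded download
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == md5 else "md5-mismatch"
```

The checksum only ties a file to the listing; the listing itself is trusted through the PGP signature on the advisory, so verify that signature before relying on the values.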



- - ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone; Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- - ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Debian for the information 
contained in this Briefing. 
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQtY6Ropao72zK539AQEyQQP/bWdWPNaU3ukYNVrQFpsEstGUPSYYkl4z
LzG6eOa8E3VL7WRe+wU8uvyRWccnYqNvQTJkc6qNAu0N2ndN3CTz3GCH5TFcnMi5
ZySB1D4mpEnOuRsqvz1JBbW/Wwj4QdgeIeuPfy3UsiSS0Muz+As4/B2BRFsysGPf
UmiznY6402w=
=WzWm
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
