Debian testing security team

From d7d2ed9b9125badb09983dfef4c3e281e4c68af0 Mon Sep 17 00:00:00 2001 From: Neil McGovern Date: Wed, 7 Dec 2005 12:14:28 +0000 Subject: Releasing 4 DTSAs git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@2967 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- website/DTSA/DTSA-22-1.html | 91 ++++++++++++++++++++++++++++++++++++++++++++ website/DTSA/DTSA-23-1.html | 91 ++++++++++++++++++++++++++++++++++++++++++++ website/DTSA/DTSA-24-1.html | 91 ++++++++++++++++++++++++++++++++++++++++++++ website/DTSA/DTSA-25-1.html | 93 +++++++++++++++++++++++++++++++++++++++++++++ website/list.html | 8 ++++ 5 files changed, 374 insertions(+) create mode 100644 website/DTSA/DTSA-22-1.html create mode 100644 website/DTSA/DTSA-23-1.html create mode 100644 website/DTSA/DTSA-24-1.html create mode 100644 website/DTSA/DTSA-25-1.html (limited to 'website') diff --git a/website/DTSA/DTSA-22-1.html b/website/DTSA/DTSA-22-1.html new file mode 100644 index 0000000000..5daf12235f --- /dev/null +++ b/website/DTSA/DTSA-22-1.html @@ -0,0 +1,91 @@ + + + Debian testing security team - Advisory + + + + +

+ + +

+ +

+
+ + + + + + + + + + + +

+	Debian testing security team - Advisory	+
+	Debian testing security team - Advisory	+ +

+ + +

DTSA-22-1

Date Reported:

December 5th, 2005

Affected Package:

uim

Vulnerability:

local privilege escalation

Problem-Scope:

local

Debian-specific:

CVE:

+CVE-2005-3149 +

More information:

CVE-2005-3149
+
+ Masanari Yamamoto discovered that incorrect use of environment
+ variables in uim. This bug causes privilege escalation if setuid/setgid
+ applications was linked to libuim.
+

For the testing distribution (etch) this is fixed in version 1:0.4.7-2.0etch1

For the unstable distribution (sid) this is fixed in version 1:0.4.7-2

This upgrade is recommended if you use uim.

+

If you have the secure testing lines in your sources.list, you can update by running this command as root:

apt-get update && apt-get upgrade

To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:

+ +

deb http://secure-testing-mirrors.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free

deb-src http://secure-testing-mirrors.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free

The archive signing key can be downloaded from

+

http://secure-testing.debian.net/ziyi-2005-7.asc

+ +
+ + +

+ +

+ + + + diff --git a/website/DTSA/DTSA-23-1.html b/website/DTSA/DTSA-23-1.html new file mode 100644 index 0000000000..188b985dd7 --- /dev/null +++ b/website/DTSA/DTSA-23-1.html @@ -0,0 +1,91 @@ + + + Debian testing security team - Advisory + + + + +

+ + +

+ +

+
+ + + + + + + + + + + +

+	Debian testing security team - Advisory	+
+	Debian testing security team - Advisory	+ +

+ + +

DTSA-23-1

Date Reported:

December 5th, 2005

Affected Package:

centericq

Vulnerability:

buffer overflow

Problem-Scope:

local

Debian-specific:

CVE:

+CVE-2005-3863 +

More information:

CVE-2005-3863
+
+ Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
+ Research Team discovered a buffer overflow in kkstrtext.h of the ktools
+ library, which is included in centericq.
+

For the testing distribution (etch) this is fixed in version 4.21.0-6.0etch1

For the unstable distribution (sid) this is fixed in version 4.21.0-6

This upgrade is recommended if you use centericq.

+

If you have the secure testing lines in your sources.list, you can update by running this command as root:

apt-get update && apt-get upgrade

To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:

+ +

deb http://secure-testing-mirrors.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free

deb-src http://secure-testing-mirrors.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free

The archive signing key can be downloaded from

+

http://secure-testing.debian.net/ziyi-2005-7.asc

+ +
+ + +

+ +

+ + + + diff --git a/website/DTSA/DTSA-24-1.html b/website/DTSA/DTSA-24-1.html new file mode 100644 index 0000000000..14c2d482a0 --- /dev/null +++ b/website/DTSA/DTSA-24-1.html @@ -0,0 +1,91 @@ + + + Debian testing security team - Advisory + + + + +

+ + +

+ +

+
+ + + + + + + + + + + +

+	Debian testing security team - Advisory	+
+	Debian testing security team - Advisory	+ +

+ + +

DTSA-24-1

Date Reported:

December 5th, 2005

Affected Package:

inkscape

Vulnerability:

buffer overflow

Problem-Scope:

remote

Debian-specific:

CVE:

+CVE-2005-3737 +

More information:

CVE-2005-3737
+
+ Joxean Koret discovered that inkscape is vulnerable in the SVG importer
+ (style.cpp), which might allow remote attackers to execute arbitrary code
+ via a SVG file with long CSS style property values.
+

For the testing distribution (etch) this is fixed in version 0.43-0.0etch1

For the unstable distribution (sid) this is fixed in version 0.43-1

This upgrade is recommended if you use inkscape.

+

If you have the secure testing lines in your sources.list, you can update by running this command as root:

apt-get update && apt-get install inkscape

To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:

+ +

deb http://secure-testing-mirrors.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free

deb-src http://secure-testing-mirrors.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free

The archive signing key can be downloaded from

+

http://secure-testing.debian.net/ziyi-2005-7.asc

+ +
+ + +

+ +

+ + + + diff --git a/website/DTSA/DTSA-25-1.html b/website/DTSA/DTSA-25-1.html new file mode 100644 index 0000000000..64dbd49db6 --- /dev/null +++ b/website/DTSA/DTSA-25-1.html @@ -0,0 +1,93 @@ + + + Debian testing security team - Advisory + + + + +

+ + +

+ +

+
+ + + + + + + + + + + +

+	Debian testing security team - Advisory	+
+	Debian testing security team - Advisory	+ +

+ + +

DTSA-25-1

Date Reported:: December 5th, 2005
Affected Package:: smb4k
Vulnerability:: access validation error
Problem-Scope:: local
Debian-specific:: No
CVE:: +CVE-2005-2851 +
More information:: CVE-2005-2851
+
+ A vulnerability leading to unauthorized file access has been found. A
+ pre-existing symlink from /tmp/sudoers and /tmp/super.tab to a textfile
+ will cause Smb4k to write the contents of these files to the target of the
+ symlink, as Smb4k does not check for the existence of these files before
+ writing to them.
+
For the testing distribution (etch) this is fixed in version 0.6.4-0.0etch1
For the unstable distribution (sid) this is fixed in version 0.6.4-1
This upgrade is recommended if you use smb4k.
+
If you have the secure testing lines in your sources.list, you can update by running this command as root:: apt-get update && apt-get install smb4k
To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:
+ +: deb http://secure-testing-mirrors.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free; deb-src http://secure-testing-mirrors.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
The archive signing key can be downloaded from
+: http://secure-testing.debian.net/ziyi-2005-7.asc; + +
+ + +
+ + + + + + + + diff --git a/website/list.html b/website/list.html index 881e242968..bac3366671 100644 --- a/website/list.html +++ b/website/list.html @@ -77,6 +77,14 @@; Format string vulnerability
[November 3rd, 2005] DTSA-21-1 clamav: Denial of service vulnerabilities and buffer overflow
[December 5th, 2005] DTSA-22-1 uim: local privilege escalation
[December 5th, 2005] DTSA-23-1 centericq: buffer overflow
[December 5th, 2005] DTSA-24-1 inkscape: buffer overflow
[December 5th, 2005] DTSA-25-1 smb4k: access validation error

-- cgit v1.2.3