[Secure-testing-commits] r1665 - data/DTSA

Joey Hess joeyh at costa.debian.org
Sat Aug 27 04:16:45 UTC 2005


Author: joeyh
Date: 2005-08-27 04:16:45 +0000 (Sat, 27 Aug 2005)
New Revision: 1665

Added:
   data/DTSA/DTSA-2-1
   data/DTSA/DTSA-3-1
   data/DTSA/DTSA-4-1
Modified:
   data/DTSA/list
Log:
prepared 3 more dtsas, currently autobuilding


Added: data/DTSA/DTSA-2-1
===================================================================
--- data/DTSA/DTSA-2-1	2005-08-27 01:13:54 UTC (rev 1664)
+++ data/DTSA/DTSA-2-1	2005-08-27 04:16:45 UTC (rev 1665)
@@ -0,0 +1,68 @@
+-----------------------------------------------------------------------------
+Debian Testing Security Advisory DTSA-2-1     http://secure-testing.debian.net
+secure-testing-team at lists.alioth.debian.org                          Joey Hess
+August 27th, 2005
+-----------------------------------------------------------------------------
+
+Package        : centericq
+Vulnerability  : multiple vulnerabilities
+Problem-Type   : local and remote
+Debian-specific: no
+CVE ID         : CAN-2005-2448 CAN-2005-2370 CAN-2005-2369 CAN-2005-1914
+
+centericq in testing is vulnerable to multiple security holes:
+
+CAN-2005-2448
+
+  Multiple endianness errors in libgadu, which is embedded in centericq,
+  allow remote attackers to cause a denial of service (invalid behaviour in
+  applications) on big-endian systems.
+
+CAN-2005-2370
+
+  Multiple memory alignment errors in libgadu, which is embedded in
+  centericq, allows remote attackers to cause a denial of service (bus error)
+  on certain architectures such as SPARC via an incoming message.
+
+CAN-2005-2369
+
+  Multiple integer signedness errors in libgadu, which is embedded in
+  centericq, may allow remote attackers to cause a denial of service
+  or execute arbitrary code.
+
+CAN-2005-1914
+
+  centericq creates temporary files with predictable file names, which
+  allows local users to overwrite arbitrary files via a symlink attack.
+
+For the testing distribution (etch) this is fixed in version
+4.20.0-8etch1.
+
+For the unstable distribution (sid) this is fixed in version
+4.20.0-9.
+
+This upgrade is recommended if you use centericq.
+
+The Debian testing security team does not track security issues for the
+stable distribution (woody). If stable is vulnerable, the Debian security
+team will make an announcement once a fix is ready.
+
+Upgrade Instructions
+--------------------
+
+To use the Debian testing security archive, add the following lines to
+your /etc/apt/sources.list:
+
+  deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+  deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+
+The archive signing key can be downloaded from
+http://secure-testing.debian.net/ziyi-2005-7.asc
+
+To install the update, run this command as root:
+
+  apt-get update && apt-get install centericq
+
+For further information about the Debian testing security team, please refer
+to http://secure-testing.debian.net/
+
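Review bot: in the CAN-2005-2370 paragraph the subject is plural ("Multiple memory alignment errors"), so "allows remote attackers" should read "allow remote attackers"; the other three entries already agree in number. Separately, the Upgrade Instructions point readers at a plain-http archive and at the archive signing key fetched over the same unauthenticated channel (http://secure-testing.debian.net/ziyi-2005-7.asc), so importing that key gives apt nothing independent to verify against; consider publishing the key's fingerprint in the advisory (or signing the advisory mail itself) so the apt signature check actually anchors to something the reader can confirm out-of-band.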

Added: data/DTSA/DTSA-3-1
===================================================================
--- data/DTSA/DTSA-3-1	2005-08-27 01:13:54 UTC (rev 1664)
+++ data/DTSA/DTSA-3-1	2005-08-27 04:16:45 UTC (rev 1665)
@@ -0,0 +1,77 @@
+-----------------------------------------------------------------------------
+Debian Testing Security Advisory DTSA-3-1     http://secure-testing.debian.net
+secure-testing-team at lists.alioth.debian.org                          Joey Hess
+August 27th, 2005
+-----------------------------------------------------------------------------
+
+Package        : clamav
+Vulnerability  : denial of service and privilege escalation
+Problem-Type   : remote
+Debian-specific: no
+CVE ID         : CAN-2005-2070 CAN-2005-1923 CAN-2005-2056 CAN-2005-1922 CAN-2005-2450 
+
+Multiple security holes were found in clamav:
+
+CAN-2005-2070
+
+  The ClamAV Mail fILTER (clamav-milter), when used in Sendmail using long
+  timeouts, allows remote attackers to cause a denial of service by keeping
+  an open connection, which prevents ClamAV from reloading.
+
+CAN-2005-1923
+
+  The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) allows remote
+  attackers to cause a denial of service (CPU consumption by infinite loop)
+  via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff,
+  which causes a zero-length read.
+
+CAN-2005-2056
+
+  The Quantum archive decompressor in Clam AntiVirus (ClamAV) allows remote
+  attackers to cause a denial of service (application crash) via a crafted
+  Quantum archive.
+
+CAN-2005-1922
+
+  The MS-Expand file handling in Clam AntiVirus (ClamAV) allows remote
+  attackers to cause a denial of service (file descriptor and memory
+  consumption) via a crafted file that causes repeated errors in the
+  cli_msexpand function.
+
+CAN-2005-2450
+
+  Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file
+  format processors in libclamav for Clam AntiVirus (ClamAV) allow remote
+  attackers to gain privileges via a crafted e-mail message.
+
+For the testing distribution (etch) this is fixed in version
+0.86.2-4etch1.
+
+For the unstable distribution (sid) this is fixed in version
+0.86.2-1.
+
+This upgrade is strongly recommended if you use clamav.
+
+The Debian testing security team does not track security issues for the
+stable distribution (woody). If stable is vulnerable, the Debian security
+team will make an announcement once a fix is ready.
+
+Upgrade Instructions
+--------------------
+
+To use the Debian testing security archive, add the following lines to
+your /etc/apt/sources.list:
+
+  deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+  deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+
+The archive signing key can be downloaded from
+http://secure-testing.debian.net/ziyi-2005-7.asc
+
+To install the update, run this command as root:
+
+  apt-get update && apt-get install clamav
+
+For further information about the Debian testing security team, please refer
+to http://secure-testing.debian.net/
+
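Review bot: the sid fixed version (0.86.2-1) sorts below the testing fix (0.86.2-4etch1), which is only consistent if every CAN listed here was already fixed upstream in 0.86.2 and -4etch1 is simply a rebuild of -4 for etch; if that is the case, say so explicitly ("fixed upstream in 0.86.2"), otherwise one of the two version lines is wrong and a reader comparing against `apt-cache policy clamav` will draw the wrong conclusion. Minor: the CVE ID line ends in a trailing space after CAN-2005-2450, and the mixed case in "Mail fILTER" will read as a typo to most readers; if it is deliberate upstream spelling, "clamav-milter" alone is clearer.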

Added: data/DTSA/DTSA-4-1
===================================================================
--- data/DTSA/DTSA-4-1	2005-08-27 01:13:54 UTC (rev 1664)
+++ data/DTSA/DTSA-4-1	2005-08-27 04:16:45 UTC (rev 1665)
@@ -0,0 +1,73 @@
+-----------------------------------------------------------------------------
+Debian Testing Security Advisory DTSA-4-1     http://secure-testing.debian.net
+secure-testing-team at lists.alioth.debian.org                          Joey Hess
+August 27th, 2005
+-----------------------------------------------------------------------------
+
+Package        : ekg
+Vulnerability  : multiple vulnerabilities
+Problem-Type   : local and remote
+Debian-specific: no
+CVE ID         : CAN-2005-1916 CAN-2005-1851 CAN-2005-1850 CAN-2005-1852 CAN-2005-2448
+
+Multiple vulnerabilities were discovered in ekg:
+
+CAN-2005-1916
+
+  Eric Romang discovered insecure temporary file creation and arbitrary
+  command execution in a contributed script that can be exploited by a local
+  attacker.
+
+CAN-2005-1851
+
+  Marcin Owsiany and Wojtek Kaniewski discovered potential shell command
+  injection in a contributed script.
+
+CAN-2005-1850
+
+  Marcin Owsiany and Wojtek Kaniewski discovered insecure temporary file
+  creation in contributed scripts.
+
+CAN-2005-1852
+
+  Multiple integer overflows in libgadu, as used in ekg, allows remote
+  attackers to cause a denial of service (crash) and possibly execute
+  arbitrary code via an incoming message.
+
+CAN-2005-2448
+
+  Multiple endianness errors in libgadu in ekg allow remote attackers to
+  cause a denial of service (invalid behaviour in applications) on
+  big-endian systems.
+
+For the testing distribution (etch) this is fixed in version
+1:1.5+20050808+1.6rc3-0etch1.
+
+For the unstable distribution (sid) this is fixed in version
+1:1.5+20050808+1.6rc3-1.
+
+This upgrade is recommended if you use ekg.
+
+The Debian testing security team does not track security issues for the
+stable distribution (woody). If stable is vulnerable, the Debian security
+team will make an announcement once a fix is ready.
+
+Upgrade Instructions
+--------------------
+
+To use the Debian testing security archive, add the following lines to
+your /etc/apt/sources.list:
+
+  deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+  deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+
+The archive signing key can be downloaded from
+http://secure-testing.debian.net/ziyi-2005-7.asc
+
+To install the update, run this command as root:
+
+  apt-get update && apt-get install ekg
+
+For further information about the Debian testing security team, please refer
+to http://secure-testing.debian.net/
+
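Review bot: in the CAN-2005-1852 paragraph, "Multiple integer overflows in libgadu ... allows" should be "allow". More substantively, that entry describes a remote issue triggered by an incoming message that may lead to arbitrary code execution, yet the closing line only says the upgrade is "recommended", while the clamav advisory in this same commit uses "strongly recommended" for a comparable remote impact; align the wording with the worst listed issue so the recommendation strength is not read as a statement that ekg's problems are local-only.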

Modified: data/DTSA/list
===================================================================
--- data/DTSA/list	2005-08-27 01:13:54 UTC (rev 1664)
+++ data/DTSA/list	2005-08-27 04:16:45 UTC (rev 1665)
@@ -1,5 +1,17 @@
+[27 Aug 2005] DTSA-4-1 ekg - multiple vulnerabilities
+	{CAN-2005-1916 CAN-2005-1851 CAN-2005-1850 CAN-2005-1852 CAN-2005-2448}
+	- ekg 1:1.5+20050808+1.6rc3-0etch1 (low)
+	NOTE: joeyh working on ekg
+[27 Aug 2005] DTSA-3-1 clamav - denial of service and privilege escalation
+	{CAN-2005-2070 CAN-2005-1923 CAN-2005-2056 CAN-2005-1922 CAN-2005-2450 }
+	- clamav 0.86.2-4etch1 (high)
+	NOTE: joeyh working on clamav
+[27 Aug 2005] DTSA-2-1 centericq - multiple vulnerabilities
+	{CAN-2005-2448 CAN-2005-2370 CAN-2005-2369 CAN-2005-1914}
+	- centericq 4.20.0-8etch1 (medium)
+	NOTE: joeyh working on centericq
 [26 Aug 2005] DTSA-1-1 kismet - remote code execution
 	{CAN-2005-2626 CAN-2005-2627}
 	- kismet 2005.08.R1-0.1etch1 (high)
-NOTE: joeyh working on gaim
+NOTE: joeyh working on gaim (need to verify that removing build dep is ok)
 NOTE: joeyh investingating doing mozilla-*
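Review bot: the severities in the new list entries do not match the advisories added in this commit: ekg is rated (low) although DTSA-4-1 says CAN-2005-1852 may allow remote arbitrary code execution via an incoming message, and centericq is rated (medium) although DTSA-2-1 says CAN-2005-2369 may allow arbitrary code execution; either justify the lower ratings or raise them. The three new "NOTE: joeyh working on ..." lines are also stale for advisories the commit message says are already prepared and autobuilding; drop them or reword to reflect the actual state ("awaiting build"). Minor: there is a stray space before the closing brace in the clamav CAN list, and the unchanged context line still reads "investingating".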



