[Secure-testing-commits] r1673 - data/DTSA

Joey Hess joeyh at costa.debian.org
Sat Aug 27 17:38:01 UTC 2005


Author: joeyh
Date: 2005-08-27 17:38:00 +0000 (Sat, 27 Aug 2005)
New Revision: 1673

Added:
   data/DTSA/DTSA-5-1
Modified:
   data/DTSA/list
Log:
add gaim advisory


Added: data/DTSA/DTSA-5-1
===================================================================
--- data/DTSA/DTSA-5-1	2005-08-27 17:07:18 UTC (rev 1672)
+++ data/DTSA/DTSA-5-1	2005-08-27 17:38:00 UTC (rev 1673)
@@ -0,0 +1,64 @@
+-----------------------------------------------------------------------------
+Debian Testing Security Advisory DTSA-5-1     http://secure-testing.debian.net
+secure-testing-team at lists.alioth.debian.org                          Joey Hess
+August 27th, 2005
+-----------------------------------------------------------------------------
+
+Package        : gaim
+Vulnerability  : multiple remote vulnerabilities
+Problem-Type   : remote
+Debian-specific: no
+CVE ID         : CAN-2005-2102 CAN-2005-2370 CAN-2005-2103
+
+Multiple security holes were found in gaim:
+
+CAN-2005-2102
+
+  The AIM/ICQ module in Gaim allows remote attackers to cause a denial of
+  service (application crash) via a filename that contains invalid UTF-8
+  characters.
+
+CAN-2005-2370
+
+  Multiple memory alignment errors in libgadu, as used in gaim and other
+  packages, allow remote attackers to cause a denial of service (bus error)
+  on certain architectures such as SPARC via an incoming message.
+
+CAN-2005-2103
+
+  Buffer overflow in the AIM and ICQ module in Gaim allows remote attackers
+  to cause a denial of service (application crash) and possibly execute
+  arbitrary code via an away message with a large number of AIM substitution
+  strings, such as %t or %n.
+
+For the testing distribution (etch) this is fixed in version
+1:1.4.0-5etch2.
+
+For the unstable distribution (sid) this is fixed in version
+1:1.4.0-5.
+
+This upgrade is strongly recommended if you use gaim.
+
+The Debian testing security team does not track security issues for the
+stable distribution (woody). If stable is vulnerable, the Debian security
+team will make an announcement once a fix is ready.
+
+Upgrade Instructions
+--------------------
+
+To use the Debian testing security archive, add the following lines to
+your /etc/apt/sources.list:
+
+  deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+  deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+
+The archive signing key can be downloaded from
+http://secure-testing.debian.net/ziyi-2005-7.asc
+
+To install the update, run this command as root:
+
+  apt-get update && apt-get install gaim
+
+For further information about the Debian testing security team, please refer
+to http://secure-testing.debian.net/
+
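Review bot: The upgrade instructions give the archive signing key only as a plain http URL ("The archive signing key can be downloaded from") with no fingerprint, so a reader has nothing to check the downloaded key against before trusting the archive. Consider printing the key fingerprint in the advisory text and adding the step that imports the key, which the instructions currently leave out between the sources.list lines and the "apt-get update && apt-get install gaim" command.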

Modified: data/DTSA/list
===================================================================
--- data/DTSA/list	2005-08-27 17:07:18 UTC (rev 1672)
+++ data/DTSA/list	2005-08-27 17:38:00 UTC (rev 1673)
@@ -1,3 +1,7 @@
+[27 Aug 2005] DTSA-5-1 gaim - multiple remote vulnerabilities
+	{CAN-2005-2102 CAN-2005-2370 CAN-2005-2103}
+	- gaim 1:1.4.0-5etch2 (high)
+	NOTE: joeyh working on gaim
 [27 Aug 2005] DTSA-4-1 ekg - multiple vulnerabilities
 	{CAN-2005-1916 CAN-2005-1851 CAN-2005-1850 CAN-2005-1852 CAN-2005-2448}
 	- ekg 1:1.5+20050808+1.6rc3-0etch1 (low)
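Review bot: The new DTSA-5-1 entry ends with "NOTE: joeyh working on gaim", but this same revision adds the finished advisory and records the fixed version 1:1.4.0-5etch2, so the note reads as stale work-in-progress state. It looks like the NOTE removed in the next hunk was moved here rather than dropped; suggest deleting it from the entry so the list only shows the published fix.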
@@ -13,5 +17,4 @@
 [26 Aug 2005] DTSA-1-1 kismet - remote code execution
 	{CAN-2005-2626 CAN-2005-2627}
 	- kismet 2005.08.R1-0.1etch1 (high)
-NOTE: joeyh working on gaim (need to verify that removing build dep is ok)
 NOTE: joeyh investingating doing mozilla-*
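Review bot: The removed NOTE carried an open question ("need to verify that removing build dep is ok") and neither the log message ("add gaim advisory") nor the new list entry says how it was resolved. Suggest recording the outcome in the commit log or the advisory entry so the build-dependency change behind 1:1.4.0-5etch2 can be traced later. While touching this block, the remaining context line has a typo, "investingating".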



