[Secure-testing-commits] r1852 - data/DTSA
Joey Hess
joeyh at costa.debian.org
Thu Sep 8 13:50:00 UTC 2005
Author: joeyh
Date: 2005-09-08 13:49:59 +0000 (Thu, 08 Sep 2005)
New Revision: 1852
Removed:
data/DTSA/DTSA-1-1
data/DTSA/DTSA-10-1
data/DTSA/DTSA-11-1
data/DTSA/DTSA-2-1
data/DTSA/DTSA-3-1
data/DTSA/DTSA-4-1
data/DTSA/DTSA-5-1
data/DTSA/DTSA-6-1
data/DTSA/DTSA-7-1
data/DTSA/DTSA-8-1
data/DTSA/DTSA-8-2
data/DTSA/DTSA-9-1
Log:
removing old texts of DTSAs, don't see any need to keep these in svn since
we have the advs directory and the dtsa script
Deleted: data/DTSA/DTSA-1-1
===================================================================
--- data/DTSA/DTSA-1-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-1-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,55 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-1-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Joey Hess
-August 26th, 2005
-------------------------------------------------------------------------------
-
-Package : kismet
-Vulnerability : various
-Problem-Scope : remote
-Debian-specific: No
-CVE ID : CAN-2005-2626 CAN-2005-2627
-
-Multiple security holes have been discovered in kismet:
-
-CAN-2005-2627
-
-Multiple integer underflows in Kismet allow remote attackers to execute
-arbitrary code via (1) kernel headers in a pcap file or (2) data frame
-dissection, which leads to heap-based buffer overflows.
-
-CAN-2005-2626
-
-Unspecified vulnerability in Kismet allows remote attackers to have an
-unknown impact via unprintable characters in the SSID.
-
-For the testing distribution (etch) this is fixed in version
-2005.08.R1-0.1etch1
-
-For the unstable distribution (sid) this is fixed in version
-2005.08.R1-1
-
-This upgrade is recommended if you use kismet.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install kismet
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
Deleted: data/DTSA/DTSA-10-1
===================================================================
--- data/DTSA/DTSA-10-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-10-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,54 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-10-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Joey Hess
-August 29th, 2005
-------------------------------------------------------------------------------
-
-Package : pcre3
-Vulnerability : buffer overflow
-Problem-Scope : remote
-Debian-specific: No
-CVE ID : CAN-2005-2491
-
-An integer overflow in pcre_compile.c in Perl Compatible Regular Expressions
-(PCRE) allows attackers to execute arbitrary code via quantifier values in
-regular expressions, which leads to a heap-based buffer overflow.
-
-For the testing distribution (etch) this is fixed in version
-6.3-0.1etch1
-
-For the unstable distribution (sid) this is fixed in version
-6.3-1
-
-This upgrade is recommended if you use pcre3.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-Before installing the update, please note that you will need to restart all
-daemons that link with libpcre3 for the security fix to be used. Either
-reboot your machine after the upgrade, or make a list of processes that are
-using libpcre3, and restart them after the upgrade. To generate the list,
-run this command before you upgrade:
-
-lsof /usr/lib/libpcre.so.3
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install libpcre3
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
Deleted: data/DTSA/DTSA-11-1
===================================================================
--- data/DTSA/DTSA-11-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-11-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,49 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-11-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Andres Salomon
-August 29th, 2005
-------------------------------------------------------------------------------
-
-Package : maildrop
-Vulnerability : local privilege escalation
-Problem-Scope : local
-Debian-specific: Yes
-CVE ID : CAN-2005-2655
-
-The lockmail binary shipped with maildrop allows for an attacker to
-obtain an effective gid as group "mail". Debian ships the binary with its
-setgid bit set, but the program does not drop privileges when run. It takes
-an argument that is executed, and since it does not drop privileges, an
-attacker can execute an arbitrary command with an effective gid of the "mail"
-group.
-
-For the testing distribution (etch) this is fixed in version
-1.5.3-1.1etch1
-
-For the unstable distribution (sid) this is fixed in version
-1.5.3-2
-
-This upgrade is recommended if you use maildrop.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install maildrop
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
Deleted: data/DTSA/DTSA-2-1
===================================================================
--- data/DTSA/DTSA-2-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-2-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,67 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-2-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Joey Hess
-August 28th, 2005
-------------------------------------------------------------------------------
-
-Package : centericq
-Vulnerability : multiple vulnerabilities
-Problem-Scope : local and remote
-Debian-specific: No
-CVE ID : CAN-2005-2448 CAN-2005-2370 CAN-2005-2369 CAN-2005-1914
-
-centericq in testing is vulnerable to multiple security holes:
-
-CAN-2005-2448
-
-Multiple endianness errors in libgadu, which is embedded in centericq,
-allow remote attackers to cause a denial of service (invalid behaviour in
-applications) on big-endian systems.
-
-CAN-2005-2370
-
-Multiple memory alignment errors in libgadu, which is embedded in
-centericq, allows remote attackers to cause a denial of service (bus error)
-on certain architectures such as SPARC via an incoming message.
-
-CAN-2005-2369
-
-Multiple integer signedness errors in libgadu, which is embedded in
-centericq, may allow remote attackers to cause a denial of service
-or execute arbitrary code.
-
-CAN-2005-1914
-
-centericq creates temporary files with predictable file names, which
-allows local users to overwrite arbitrary files via a symlink attack.
-
-For the testing distribution (etch) this is fixed in version
-4.20.0-8etch1
-
-For the unstable distribution (sid) this is fixed in version
-4.20.0-9
-
-This upgrade is recommended if you use centericq.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install centericq
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
Deleted: data/DTSA/DTSA-3-1
===================================================================
--- data/DTSA/DTSA-3-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-3-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,76 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-3-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Joey Hess
-August 28th, 2005
-------------------------------------------------------------------------------
-
-Package : clamav
-Vulnerability : denial of service and privilege escalation
-Problem-Scope : remote
-Debian-specific: No
-CVE ID : CAN-2005-2070 CAN-2005-1923 CAN-2005-2056 CAN-2005-1922 CAN-2005-2450
-
-Multiple security holes were found in clamav:
-
-CAN-2005-2070
-
-The ClamAV Mail fILTER (clamav-milter), when used in Sendmail using long
-timeouts, allows remote attackers to cause a denial of service by keeping
-an open connection, which prevents ClamAV from reloading.
-
-CAN-2005-1923
-
-The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) allows remote
-attackers to cause a denial of service (CPU consumption by infinite loop)
-via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff,
-which causes a zero-length read.
-
-CAN-2005-2056
-
-The Quantum archive decompressor in Clam AntiVirus (ClamAV) allows remote
-attackers to cause a denial of service (application crash) via a crafted
-Quantum archive.
-
-CAN-2005-1922
-
-The MS-Expand file handling in Clam AntiVirus (ClamAV) allows remote
-attackers to cause a denial of service (file descriptor and memory
-consumption) via a crafted file that causes repeated errors in the
-cli_msexpand function.
-
-CAN-2005-2450
-
-Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file
-format processors in libclamav for Clam AntiVirus (ClamAV) allow remote
-attackers to gain privileges via a crafted e-mail message.
-
-For the testing distribution (etch) this is fixed in version
-0.86.2-4etch1
-
-For the unstable distribution (sid) this is fixed in version
-0.86.2-1
-
-This upgrade is recommended if you use clamav.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install upgrade
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
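Review bot: the install line in this advisory text reads "apt-get update && apt-get install upgrade", which names no package (it should name clamav as every other advisory in this commit does), and the sid version "0.86.2-1" given here sorts below the etch version "0.86.2-4etch1", so unstable users following the text would not actually be told a fixed version. Since this svn copy is the one being dropped, it is worth confirming that the copy kept under the advs directory has both lines corrected before this one disappears from history.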
Deleted: data/DTSA/DTSA-4-1
===================================================================
--- data/DTSA/DTSA-4-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-4-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,72 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-4-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Joey Hess
-August 28th, 2005
-------------------------------------------------------------------------------
-
-Package : ekg
-Vulnerability : multiple vulnerabilities
-Problem-Scope : local and remote
-Debian-specific: No
-CVE ID : CAN-2005-1916 CAN-2005-1851 CAN-2005-1850 CAN-2005-1852 CAN-2005-2448
-
-Multiple vulnerabilities were discovered in ekg:
-
-CAN-2005-1916
-
-Eric Romang discovered insecure temporary file creation and arbitrary
-command execution in a contributed script that can be exploited by a local
-attacker.
-
-CAN-2005-1851
-
-Marcin Owsiany and Wojtek Kaniewski discovered potential shell command
-injection in a contributed script.
-
-CAN-2005-1850
-
-Marcin Owsiany and Wojtek Kaniewski discovered insecure temporary file
-creation in contributed scripts.
-
-CAN-2005-1852
-
-Multiple integer overflows in libgadu, as used in ekg, allows remote
-attackers to cause a denial of service (crash) and possibly execute
-arbitrary code via an incoming message.
-
-CAN-2005-2448
-
-Multiple endianness errors in libgadu in ekg allow remote attackers to
-cause a denial of service (invalid behaviour in applications) on
-big-endian systems.
-
-For the testing distribution (etch) this is fixed in version
-1:1.5+20050808+1.6rc3-0etch1
-
-For the unstable distribution (sid) this is fixed in version
-1:1.5+20050808+1.6rc3-1
-
-This upgrade is recommended if you use ekg.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install libgadu3 ekg
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
Deleted: data/DTSA/DTSA-5-1
===================================================================
--- data/DTSA/DTSA-5-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-5-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,63 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-5-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Joey Hess
-August 28th, 2005
-------------------------------------------------------------------------------
-
-Package : gaim
-Vulnerability : multiple remote vulnerabilities
-Problem-Scope : remote
-Debian-specific: No
-CVE ID : CAN-2005-2102 CAN-2005-2370 CAN-2005-2103
-
-Multiple security holes were found in gaim:
-
-CAN-2005-2102
-
-The AIM/ICQ module in Gaim allows remote attackers to cause a denial of
-service (application crash) via a filename that contains invalid UTF-8
-characters.
-
-CAN-2005-2370
-
-Multiple memory alignment errors in libgadu, as used in gaim and other
-packages, allow remote attackers to cause a denial of service (bus error)
-on certain architectures such as SPARC via an incoming message.
-
-CAN-2005-2103
-
-Buffer overflow in the AIM and ICQ module in Gaim allows remote attackers
-to cause a denial of service (application crash) and possibly execute
-arbitrary code via an away message with a large number of AIM substitution
-strings, such as %t or %n.
-
-For the testing distribution (etch) this is fixed in version
-1:1.4.0-5etch2
-
-For the unstable distribution (sid) this is fixed in version
-1:1.4.0-5
-
-This upgrade is recommended if you use gaim.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install gaim
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
Deleted: data/DTSA/DTSA-6-1
===================================================================
--- data/DTSA/DTSA-6-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-6-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,61 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-6-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Neil McGovern
-August 28th, 2005
-------------------------------------------------------------------------------
-
-Package : cgiwrap
-Vulnerability : multiple vulnerabilities
-Problem-Scope : remote
-Debian-specific: No
-CVE ID :
-
-Javier Fernández-Sanguino Peña discovered various vulnerabilities in cgiwrap:
-
-Minimum UID does not include all system users
-
-The CGIwrap program will not seteuid itself to uids below the 'minimum' uid
-to prevent scripts from being misused to compromise the system. However,
-the Debian package sets the minimum uid to 100 when it should be 1000.
-
-CGIs can be used to disclose system information
-
-The cgiwrap (and php-cgiwrap) package installs some debugging CGIs
-(actually symbolink links, which link to cgiwrap and are called 'cgiwrap'
-and 'nph-cgiwrap' or link to php-cgiwrap). These CGIs should not be
-installed in production environments as they disclose internal and
-potentially sensible information.
-
-For the testing distribution (etch) this is fixed in version
-3.9-3.0etch1
-
-For the unstable distribution (sid) this is fixed in version
-3.9-3.1
-
-This upgrade is recommended if you use cgiwrap.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-If you use cgiwrap:
- apt-get update && apt-get install cgiwrap
-If you use php-cgiwrap:
- apt-get update && apt-get install php-cgiwrap
-
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
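Review bot: the "CVE ID :" field of this advisory is empty, and the two issues are described only by prose headings ("Minimum UID does not include all system users", "CGIs can be used to disclose system information"), so nothing in the text ties them to tracker entries. Before dropping this copy, check that the advs directory version carries whatever identifiers were assigned later; the dtsa script cannot regenerate a cross-reference that was never recorded.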
Deleted: data/DTSA/DTSA-7-1
===================================================================
--- data/DTSA/DTSA-7-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-7-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,50 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-7-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Joey Hess
-August 28th, 2005
-------------------------------------------------------------------------------
-
-Package : mozilla
-Vulnerability : frame injection spoofing
-Problem-Scope : remote
-Debian-specific: No
-CVE ID : CAN-2004-0718 CAN-2005-1937
-
-A vulnerability has been discovered in Mozilla that allows remote attackers
-to inject arbitrary Javascript from one page into the frameset of another
-site. Thunderbird is not affected by this and Galeon will be automatically
-fixed as it uses Mozilla components. Mozilla Firefox is vulnerable and will
-be covered by a separate advisory.
-
-Note that this is the same security fix put into stable in DSA-777.
-
-For the testing distribution (etch) this is fixed in version
-2:1.7.8-1sarge1
-
-For the unstable distribution (sid) this is fixed in version
-2:1.7.10-1
-
-This upgrade is recommended if you use mozilla.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install mozilla
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
Deleted: data/DTSA/DTSA-8-1
===================================================================
--- data/DTSA/DTSA-8-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-8-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,117 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-8-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Joey Hess
-September 1st, 2005
-------------------------------------------------------------------------------
-
-Package : mozilla-firefox
-Vulnerability : several vulnerabilities (update)
-Problem-Scope : remote
-Debian-specific: No
-CVE ID : CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
-
-We experienced that the update for Mozilla Firefox from DTSA-8-1
-unfortunately was a regression in several cases. Since the usual
-praxis of backporting apparently does not work, this update is
-basically version 1.0.6 with the version number rolled back, and hence
-still named 1.0.4-*. For completeness below is the original advisory
-text:
-
-Several problems were discovered in Mozilla Firefox:
-
-CAN-2004-0718 CAN-2005-1937
-
-A vulnerability has been discovered in Mozilla Firefox that allows remote
-attackers to inject arbitrary Javascript from one page into the frameset of
-another site.
-
-CAN-2005-2260
-
-The browser user interface does not properly distinguish between
-user-generated events and untrusted synthetic events, which makes it easier
-for remote attackers to perform dangerous actions that normally could only be
-performed manually by the user.
-
-CAN-2005-2261
-
-XML scripts ran even when Javascript disabled.
-
-CAN-2005-2262
-
-The user can be tricked to executing arbitrary JavaScript code by using a
-JavaScript URL as wallpaper.
-
-CAN-2005-2263
-
-It is possible for a remote attacker to execute a callback function in the
-context of another domain (i.e. frame).
-
-CAN-2005-2264
-
-By opening a malicious link in the sidebar it is possible for remote
-attackers to steal sensitive information.
-
-CAN-2005-2265
-
-Missing input sanitising of InstallVersion.compareTo() can cause the
-application to crash.
-
-CAN-2005-2266
-
-Remote attackers could steal sensitive information such as cookies and
-passwords from web sites by accessing data in alien frames.
-
-CAN-2005-2267
-
-By using standalone applications such as Flash and QuickTime to open a
-javascript: URL, it is possible for a remote attacker to steal sensitive
-information and possibly execute arbitrary code.
-
-CAN-2005-2268
-
-It is possible for a Javascript dialog box to spoof a dialog box from a
-trusted site and facilitates phishing attacks.
-
-CAN-2005-2269
-
-Remote attackers could modify certain tag properties of DOM nodes that could
-lead to the execution of arbitrary script or code.
-
-CAN-2005-2270
-
-The Mozilla browser family does not properly clone base objects, which allows
-remote attackers to execute arbitrary code.
-
-Note that this is the same set of security fixes put into stable in
-DSA-775 and DSA-779, and updated in DSA-779-2.
-
-For the testing distribution (etch) this is fixed in version
-1.0.4-2sarge3
-
-For the unstable distribution (sid) this is fixed in version
-1.0.6-3
-
-This upgrade is recommended if you use mozilla-firefox.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install mozilla-firefoxFIXME, I'm broken
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
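Review bot: the install line ends in "mozilla-firefoxFIXME, I'm broken", and the body of this DTSA-8-1 file is the DTSA-8-2 text (it opens with "the update for Mozilla Firefox from DTSA-8-1 unfortunately was a regression", i.e. it describes the follow-up, not the original advisory), so the original DTSA-8-1 text appears to have been overwritten in svn before this deletion. Worth checking that the advs directory still holds the original DTSA-8-1 advisory and that the FIXME never reached the published copy, because after this commit neither version survives here.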
Deleted: data/DTSA/DTSA-8-2
===================================================================
--- data/DTSA/DTSA-8-2 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-8-2 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,117 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-8-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Joey Hess
-September 1st, 2005
-------------------------------------------------------------------------------
-
-Package : mozilla-firefox
-Vulnerability : several vulnerabilities (update)
-Problem-Scope : remote
-Debian-specific: No
-CVE ID : CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
-
-We experienced that the update for Mozilla Firefox from DTSA-8-1
-unfortunately was a regression in several cases. Since the usual
-praxis of backporting apparently does not work, this update is
-basically version 1.0.6 with the version number rolled back, and hence
-still named 1.0.4-*. For completeness below is the original advisory
-text:
-
-Several problems were discovered in Mozilla Firefox:
-
-CAN-2004-0718 CAN-2005-1937
-
-A vulnerability has been discovered in Mozilla Firefox that allows remote
-attackers to inject arbitrary Javascript from one page into the frameset of
-another site.
-
-CAN-2005-2260
-
-The browser user interface does not properly distinguish between
-user-generated events and untrusted synthetic events, which makes it easier
-for remote attackers to perform dangerous actions that normally could only be
-performed manually by the user.
-
-CAN-2005-2261
-
-XML scripts ran even when Javascript disabled.
-
-CAN-2005-2262
-
-The user can be tricked to executing arbitrary JavaScript code by using a
-JavaScript URL as wallpaper.
-
-CAN-2005-2263
-
-It is possible for a remote attacker to execute a callback function in the
-context of another domain (i.e. frame).
-
-CAN-2005-2264
-
-By opening a malicious link in the sidebar it is possible for remote
-attackers to steal sensitive information.
-
-CAN-2005-2265
-
-Missing input sanitising of InstallVersion.compareTo() can cause the
-application to crash.
-
-CAN-2005-2266
-
-Remote attackers could steal sensitive information such as cookies and
-passwords from web sites by accessing data in alien frames.
-
-CAN-2005-2267
-
-By using standalone applications such as Flash and QuickTime to open a
-javascript: URL, it is possible for a remote attacker to steal sensitive
-information and possibly execute arbitrary code.
-
-CAN-2005-2268
-
-It is possible for a Javascript dialog box to spoof a dialog box from a
-trusted site and facilitates phishing attacks.
-
-CAN-2005-2269
-
-Remote attackers could modify certain tag properties of DOM nodes that could
-lead to the execution of arbitrary script or code.
-
-CAN-2005-2270
-
-The Mozilla browser family does not properly clone base objects, which allows
-remote attackers to execute arbitrary code.
-
-Note that this is the same set of security fixes put into stable in
-DSA-775 and DSA-779, and updated in DSA-779-2.
-
-For the testing distribution (etch) this is fixed in version
-1.0.4-2sarge3
-
-For the unstable distribution (sid) this is fixed in version
-1.0.6-3
-
-This upgrade is recommended if you use mozilla-firefox.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install mozilla-firefox
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/
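Review bot: the header of this DTSA-8-2 file still reads "Debian Testing Security Advisory DTSA-8-1", and the hunk is otherwise identical to the DTSA-8-1 hunk above apart from the repaired install line, so the file name and the advisory identifier in the text disagree. If the advs directory copy was produced from this file, confirm its header says DTSA-8-2; the dtsa script presumably keys on that identifier.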
Deleted: data/DTSA/DTSA-9-1
===================================================================
--- data/DTSA/DTSA-9-1 2005-09-08 13:47:29 UTC (rev 1851)
+++ data/DTSA/DTSA-9-1 2005-09-08 13:49:59 UTC (rev 1852)
@@ -1,46 +0,0 @@
-------------------------------------------------------------------------------
-Debian Testing Security Advisory DTSA-9-1 http://secure-testing.debian.net
-secure-testing-team at lists.alioth.debian.org Joey Hess
-August 31st, 2005
-------------------------------------------------------------------------------
-
-Package : bluez-utils
-Vulnerability : bad device name escaping
-Problem-Scope : remote
-Debian-specific: No
-CVE ID : CAN-2005-2547
-
-A bug in bluez-utils allows remote attackers to execute arbitrary commands
-via shell metacharacters in the Bluetooth device name when invoking the PIN
-helper.
-
-For the testing distribution (etch) this is fixed in version
-2.19-0.1etch1
-
-For the unstable distribution (sid) this is fixed in version
-2.19-1
-
-This upgrade is recommended if you use bluez-utils.
-
-The Debian testing security team does not track security issues for then
-stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
-the Debian security team will make an announcement once a fix is ready.
-
-Upgrade Instructions
---------------------
-
-To use the Debian testing security archive, add the following lines to
-your /etc/apt/sources.list:
-
-deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
-
-The archive signing key can be downloaded from
-http://secure-testing.debian.net/ziyi-2005-7.asc
-
-To install the update, run this command as root:
-
-apt-get update && apt-get install bluez-utils
-
-For further information about the Debian testing security team, please refer
-to http://secure-testing.debian.net/