DSA 1772-1: New udev packages fix privilege escalation  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1772-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
April 16, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : udev
Vulnerability : several
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2009-1185 CVE-2009-1186

Sebastian Kramer discovered two vulnerabilities in udev, the /dev and
hotplug management daemon.

CVE-2009-1185

udev does not check the origin of NETLINK messages, allowing local
users to gain root privileges.

CVE-2009-1186

udev suffers from a buffer overflow condition in path encoding,
potentially allowing arbitrary code execution.

For the old stable distribution (etch), these problems have been fixed in
version 0.105-4etch1.

For the stable distribution (lenny), these problems have been fixed in
version 0.125-7+lenny1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your udev package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1.diff.gz
Size/MD5 checksum: 65496 c004ab727c31c58012eb518ea1293c06
http://security.debian.org/pool/updates/main/u/udev/udev_0.105.orig.tar.gz
Size/MD5 checksum: 188150 9d58389d5ef915c49681cae4fba3cd60
http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1.dsc
Size/MD5 checksum: 653 11e4e0cb9bc8cb2f93890e80e9314a7b

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_alpha.udeb
Size/MD5 checksum: 133696 82ebf80715efaa545bb98fa92b5c6e30
http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_alpha.deb
Size/MD5 checksum: 293006 6e1ff1cf34638ebe01d6a7cc3771eef9
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_alpha.deb
Size/MD5 checksum: 25892 17fc41c4605c256b933cefcda3c21a48
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_alpha.deb
Size/MD5 checksum: 67762 335db6bf028839d64d656b3b243d3e23

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_amd64.deb
Size/MD5 checksum: 277954 4daf7f67c7ddb2bea7906c3a2e5f4450
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_amd64.deb
Size/MD5 checksum: 17570 abb465d39529deff8a8a44e6e3511e92
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_amd64.deb
Size/MD5 checksum: 64016 1fa7e638e153131fae0794bdfa29f10e
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_amd64.udeb
Size/MD5 checksum: 118680 18f17e7030d7ec1c8445e8b2e5420150

arm architecture (ARM)

http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_arm.deb
Size/MD5 checksum: 266724 8cb242b97c43b91065a51ad06e341c26
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_arm.deb
Size/MD5 checksum: 65394 053e04d02f57089c52ee9ed2dedd1824
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_arm.deb
Size/MD5 checksum: 18146 06aaf0730d2822b9efc3658d9c6aad6f
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_arm.udeb
Size/MD5 checksum: 108792 d1d15e13b7acaf80449d70a46474d5cc

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_hppa.deb
Size/MD5 checksum: 284024 5a95e42a4bc958ea800d0ad2fc7137f7
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_hppa.deb
Size/MD5 checksum: 69216 1fa0f6be4314a15c272008889ad5cdd3
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_hppa.udeb
Size/MD5 checksum: 123292 9423477a619848bc5b897c183578eedf
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_hppa.deb
Size/MD5 checksum: 22822 2e425348f052eb7227af5b4162d87886

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_i386.deb
Size/MD5 checksum: 62672 1fb6a5c71a746c54d2d153f82d156622
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_i386.udeb
Size/MD5 checksum: 104858 6755b7f2be45c09dcfbeba11b71fb2b4
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_i386.deb
Size/MD5 checksum: 15596 42d679cf1bf5708e12f2ebe0928d0f17
http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_i386.deb
Size/MD5 checksum: 263502 c771e199202b3a30191e562591b2a5f1

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_ia64.deb
Size/MD5 checksum: 71234 db3642925a8d81f1d63fa5a194be85ca
http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_ia64.deb
Size/MD5 checksum: 348482 03798072d8288f3e6080f6a32178a55a
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_ia64.deb
Size/MD5 checksum: 26664 f1eeb303578e5d42c46d1d50bedc3427
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_ia64.udeb
Size/MD5 checksum: 178622 1681eaf7e11447c584d199eca57c7829

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_mips.deb
Size/MD5 checksum: 21846 c154d642eeaec8a4ff465d0dd7854d6f
http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_mips.deb
Size/MD5 checksum: 278706 c612857d27e034d3979476512798bb43
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_mips.udeb
Size/MD5 checksum: 123368 547c1b25665f105ca681dbb1efe1841d
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_mips.deb
Size/MD5 checksum: 65332 0a7201607ea9d769cbd09ebc96905500

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_mipsel.deb
Size/MD5 checksum: 279278 6a3d796f15b65b8b61a991cd2631ef69
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_mipsel.deb
Size/MD5 checksum: 65140 e5d91868a42e3a0c36eb30f512376db1
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_mipsel.udeb
Size/MD5 checksum: 123416 b97a524a2ea9289b38467dd03d5213db
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_mipsel.deb
Size/MD5 checksum: 21560 672e1b4ffc6da2e7d8c6ffdbfebd5b51

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_powerpc.udeb
Size/MD5 checksum: 109412 149ab68cffb0272aadbd758c45f640fc
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_powerpc.deb
Size/MD5 checksum: 18832 d37c3f79c808b6b775e9b5e82c265cdc
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_powerpc.deb
Size/MD5 checksum: 65400 e1030bc12fcca0cf4ca2f4000a9d732e
http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_powerpc.deb
Size/MD5 checksum: 283004 083d7593e935231bfbc1868d54be6899

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_s390.deb
Size/MD5 checksum: 66024 63704d890de325cce6d3ab739bfcc5df
http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_s390.deb
Size/MD5 checksum: 280362 68985aade59854bea6933ba6b9825152
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_s390.udeb
Size/MD5 checksum: 119284 b89e7a4ae300862b138c65d1a65f5861
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_s390.deb
Size/MD5 checksum: 19968 8176690f76660c6dfdbb9d0a0ad1c85b

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.105-4etch1_sparc.udeb
Size/MD5 checksum: 108102 09f683e56ddcf705f6b0f1ff1465299a
http://security.debian.org/pool/updates/main/u/udev/udev_0.105-4etch1_sparc.deb
Size/MD5 checksum: 261794 0c02b3cc77b22cc7ec88c424bc5342ab
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.105-4etch1_sparc.deb
Size/MD5 checksum: 66058 44da6bfe900da48fd4ac0b367846c23b
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.105-4etch1_sparc.deb
Size/MD5 checksum: 18924 2871710daab3972cda3485866c1ff0f7

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1.diff.gz
Size/MD5 checksum: 63221 1cdb4f78dc7cf5c5702fa69e3f528724
http://security.debian.org/pool/updates/main/u/udev/udev_0.125.orig.tar.gz
Size/MD5 checksum: 254564 be98e04cefdd9ca76b8fe7e92735ce29
http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1.dsc
Size/MD5 checksum: 1031 3c1c71e9321ee24dcbb4237bda82ecf8

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_alpha.deb
Size/MD5 checksum: 81916 0d0d955ef294f83409f7729287911834
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_alpha.udeb
Size/MD5 checksum: 148990 83667ad6d0c6d0c43ddd851d139f1fd6
http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_alpha.deb
Size/MD5 checksum: 281758 61570a51644b3470c4ca8306f6531d2f
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_alpha.deb
Size/MD5 checksum: 2436 82668adc7df4b743eff35e1c353f5101

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_amd64.udeb
Size/MD5 checksum: 128220 6951de1f9f2a952c718c6322d4cc041c
http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_amd64.deb
Size/MD5 checksum: 266322 d25ceb9d564f9ff30cc841432588d11a
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_amd64.deb
Size/MD5 checksum: 2426 c04b51779d612328c0e63048ae9112e2
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_amd64.deb
Size/MD5 checksum: 77548 68d9da089db647fed48a5e2e126109a0

arm architecture (ARM)

http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_arm.deb
Size/MD5 checksum: 79020 8990da78870b19da2123a246308b9f42
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_arm.udeb
Size/MD5 checksum: 123542 64e28579a5dd7f20902b4683c1c2d717
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_arm.deb
Size/MD5 checksum: 2438 6749f4622bebfb95248e522d031ac012
http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_arm.deb
Size/MD5 checksum: 257106 80d322c9d53711a0fee58af3d027e32d

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_armel.deb
Size/MD5 checksum: 2440 27ff9848ed16db7e8c5ca75f0a022403
http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_armel.deb
Size/MD5 checksum: 258074 fce468ead3db83d21356f1da16e50e9d
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_armel.udeb
Size/MD5 checksum: 124506 2eb7a09d5ee3b5c308ac221851fc1573
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_armel.deb
Size/MD5 checksum: 79228 2c16ecd4418d9fcd3f6dadf85fab95bb

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_hppa.deb
Size/MD5 checksum: 84240 5f32416e51f5ee674c8331429bcd71ad
http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_hppa.deb
Size/MD5 checksum: 274388 9464fdcd2dac50388cf23d2e891fa903
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_hppa.udeb
Size/MD5 checksum: 142578 18523c4afa6e272ed8449dc433bb68ce
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_hppa.deb
Size/MD5 checksum: 2438 187adc54d95719c8bf2a20c73b9b820a

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_i386.deb
Size/MD5 checksum: 253168 9667472701f5f78e75f944afe4e18a1f
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_i386.deb
Size/MD5 checksum: 76280 c9f04437d9c090e54fdfaf4c08b04273
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_i386.udeb
Size/MD5 checksum: 115724 05843396641d6e8eed4d417020969f23
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_i386.deb
Size/MD5 checksum: 2426 ea4c748d93da3e0ffd9c070461fb9ea4

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_ia64.deb
Size/MD5 checksum: 85644 2594d69577d4d309f6be2878524641f2
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_ia64.udeb
Size/MD5 checksum: 190230 a682ed3c0b26b059740b37ac0976bd93
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_ia64.deb
Size/MD5 checksum: 2432 0c4b9c1716892330ff482e8a8cb2f12d
http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_ia64.deb
Size/MD5 checksum: 324656 efa495e7fc30164bb91958f81a5f0e02

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_mips.udeb
Size/MD5 checksum: 135612 f596cc4d41bf41fa78d25deae191df8a
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_mips.deb
Size/MD5 checksum: 2436 ef6056a525dd10b577dcf3ac162cad18
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_mips.deb
Size/MD5 checksum: 78790 50b801e86b6a29fedac17aa4012cc222
http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_mips.deb
Size/MD5 checksum: 270716 15cea80dfc523e1ffadcf609293be4d6

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_mipsel.deb
Size/MD5 checksum: 2438 51d32dfc43f95c2579e989d332c6837e
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_mipsel.udeb
Size/MD5 checksum: 135566 8a7d0840ba79647dad206aeea62dbc4e
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_mipsel.deb
Size/MD5 checksum: 78640 e7197dd434ba99f4bef46f7176b458f1
http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_mipsel.deb
Size/MD5 checksum: 270760 53926589b10466163d5ea90008de5b8c

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_powerpc.deb
Size/MD5 checksum: 272424 7a9d2807d73e0da05171d50882bb2b44
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_powerpc.udeb
Size/MD5 checksum: 129696 4e24c200eaf8b615603cc7319b449f30
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_powerpc.deb
Size/MD5 checksum: 2442 a0d04b0bf5d8278796d276568940084e
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_powerpc.deb
Size/MD5 checksum: 79194 bb40fe52920ee2bfc65f1243ced8268f

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_s390.deb
Size/MD5 checksum: 79448 d17034c5d4f29b21f9f6affcc8c31cf3
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_s390.udeb
Size/MD5 checksum: 133264 e34bae7a1639cccb63814f96a014cd37
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_s390.deb
Size/MD5 checksum: 2428 d88d5d9eedc3c5d1bfb2f441d948f9ef
http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_s390.deb
Size/MD5 checksum: 271886 9eaba049c1bbdf7903fbe52efd296f5b

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/u/udev/udev_0.125-7+lenny1_sparc.deb
Size/MD5 checksum: 259536 409b46996745484d7514739cfb4cca6e
http://security.debian.org/pool/updates/main/u/udev/libvolume-id0_0.125-7+lenny1_sparc.deb
Size/MD5 checksum: 79640 2cc666f27b22a986c6ef5677509e13ad
http://security.debian.org/pool/updates/main/u/udev/libvolume-id-dev_0.125-7+lenny1_sparc.deb
Size/MD5 checksum: 2436 3c928f720d5a3cd021b633f8070ddfd6
http://security.debian.org/pool/updates/main/u/udev/udev-udeb_0.125-7+lenny1_sparc.udeb
Size/MD5 checksum: 124598 a93970f05ff0c1a9b670e5dd3bacdad8


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJ5wkDAAoJEL97/wQC1SS+aPkH/iGPHaLUOQuUVo1Z99SVMGIW
6RWVX/V1HyOgdOPApsuoKxzHrFV6UToSp8vqAlmBeXkz3Ow79BXwUjpLYb6dlngD
NexhpIPYqHl+m9Frlpfa2QP36bYPIfcMcU0zNPGZQmFa5XIdMUdtr3BZnUHSMCg6
bimtGTcy+9BLsb/L89uw7m8Y4sw4SwKK08FngB9j2bFGPZGX6XN/RySDoZAjgA+M
3g4pi4io+DZy4qkfQvGUaWpI9OcMWytrp1AI2VYy4LMT+ZZhGaOl1mhruE6xpHqs
y09ZKhCP04T4b/4xbWE/7C+y4G2FHrFs858sbPJ04PUaZErhMbyrXKUj3f/1ckQ=
=57uF
-----END PGP SIGNATURE-----
"


Kanye says ‘South Park’ put him in check
(AP)

Camo-wearing woman arrested at Spears home
(AP)

DSA 1754-1: New roundup packages fix privilege escalation

GLSA 200904-15 mpg123: User-assisted execution of arbitrary code  

Posted by Daniela Mehler

"Gentoo Linux Security Advisory GLSA 200904-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: mpg123: User-assisted execution of arbitrary code
Date: April 16, 2009
Bugs: #265342
ID: 200904-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An error in mpg123 might allow for the execution of arbitrary code.

Background
==========

mpg123 is a realtime MPEG 1.0/2.0/2.5 audio player for layers 1, 2 and
3.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-sound/mpg123 < 1.7.2 > = 1.7.2

Description
===========

The vendor reported a signedness error in the store_id3_text() function
in id3.c, allowing for out-of-bounds memory access.

Impact
======

A remote attacker could entice a user to open an MPEG-1 Audio Layer 3
(MP3) file containing a specially crafted ID3 tag, possibly resulting
in the execution of arbitrary code with the privileges of the user
running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mpg123 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-sound/mpg123-1.7.2"

References
==========

[ 1 ] CVE-2009-1301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1301

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200904-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
"

USN-758-1: udev vulnerabilities  

Posted by Daniela Mehler

"Ubuntu Security Notice USN-758-1 April 15, 2009
udev vulnerabilities
CVE-2009-1185, CVE-2009-1186
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
udev 079-0ubuntu35.1

Ubuntu 7.10:
udev 113-0ubuntu17.2

Ubuntu 8.04 LTS:
udev 117-8ubuntu0.2

Ubuntu 8.10:
udev 124-9ubuntu0.2

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Details follow:

Sebastian Krahmer discovered that udev did not correctly validate netlink
message senders. A local attacker could send specially crafted messages
to udev in order to gain root privileges. (CVE-2009-1185)

Sebastian Krahmer discovered a buffer overflow in the path encoding routines
in udev. A local attacker could exploit this to crash udev, leading to a
denial of service. (CVE-2009-1186)


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_079-0ubuntu35.1.diff.gz
Size/MD5: 51122 c7d3b676db9a83db24f422a285438ca7
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_079-0ubuntu35.1.dsc
Size/MD5: 670 7cbaeaa0f9888994397d3d7cf90e3658
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_079.orig.tar.gz
Size/MD5: 281803 2b34fbddeadee3728ffe28121d6c1ebd

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_079-0ubuntu35.1_amd64.udeb
Size/MD5: 142138 1392a4f575c8acda5672fc62f637b3fb
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_079-0ubuntu35.1_amd64.deb
Size/MD5: 279030 84f654a125f3e3d0725103cfe68420b0

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_079-0ubuntu35.1_i386.udeb
Size/MD5: 109638 4882b6311f73bef9868881b1c5e8ed41
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_079-0ubuntu35.1_i386.deb
Size/MD5: 239122 af377acadfffddf3d9040dc23286fc8f

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_079-0ubuntu35.1_powerpc.udeb
Size/MD5: 118100 d792bd2e62989a8d95309aed153e4289
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_079-0ubuntu35.1_powerpc.deb
Size/MD5: 280766 b306f68f10ff06ca5cd9ee17828d39d5

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_079-0ubuntu35.1_sparc.udeb
Size/MD5: 115618 63bcef9fd2bada2eafe266d7796a84c9
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_079-0ubuntu35.1_sparc.deb
Size/MD5: 247624 4b80d6ca0c5e076f249087c118962922

Updated packages for Ubuntu 7.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_113-0ubuntu17.2.diff.gz
Size/MD5: 55913 a7a1ba8a02b2fe905bc71743e5a5c7c0
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_113-0ubuntu17.2.dsc
Size/MD5: 728 7b6e062975bbe336c2d760e5ff11572a
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_113.orig.tar.gz
Size/MD5: 239920 be4948d5057ae469de9bea8ae588221e

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id-dev_113-0ubuntu17.2_amd64.deb
Size/MD5: 86226 3f5adacc769ddfe17fafd79c54ce81a7
http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id0_113-0ubuntu17.2_amd64.deb
Size/MD5: 81900 edaba987b6002b09d6b4173e156e330e
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_113-0ubuntu17.2_amd64.udeb
Size/MD5: 149804 e601d0c2bc7037a8df133a30d1f76605
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_113-0ubuntu17.2_amd64.deb
Size/MD5: 304258 7a2173b367fc88bf531bfb706e3e1f8b
http://security.ubuntu.com/ubuntu/pool/main/u/udev/volumeid_113-0ubuntu17.2_amd64.deb
Size/MD5: 75160 fd8f032baabb6f0bbfc6f371cec52e1c

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id-dev_113-0ubuntu17.2_i386.deb
Size/MD5: 83892 12a63120228e99b4730f010cd361c244
http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id0_113-0ubuntu17.2_i386.deb
Size/MD5: 80572 6b5994b0eadaaee1f523de159718b408
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_113-0ubuntu17.2_i386.udeb
Size/MD5: 132812 630042b66ab4a4344191fc82ecec0a38
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_113-0ubuntu17.2_i386.deb
Size/MD5: 288284 986d47c76158ade2a30e6a1948f55082
http://security.ubuntu.com/ubuntu/pool/main/u/udev/volumeid_113-0ubuntu17.2_i386.deb
Size/MD5: 74174 902478d959375b71e2b78cf0f0f8d82a

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/u/udev/libvolume-id-dev_113-0ubuntu17.2_lpia.deb
Size/MD5: 83926 a32df0b3fe432aadfad07d3961e20a7e
http://ports.ubuntu.com/pool/main/u/udev/libvolume-id0_113-0ubuntu17.2_lpia.deb
Size/MD5: 80568 0266ced7497651f1bc9996ee0e00d6c5
http://ports.ubuntu.com/pool/main/u/udev/udev-udeb_113-0ubuntu17.2_lpia.udeb
Size/MD5: 132732 386aa29c7b1175fac96d231a0e255118
http://ports.ubuntu.com/pool/main/u/udev/udev_113-0ubuntu17.2_lpia.deb
Size/MD5: 288604 e05dbb1b8ff89c24b26cf318550442d6
http://ports.ubuntu.com/pool/main/u/udev/volumeid_113-0ubuntu17.2_lpia.deb
Size/MD5: 74138 bf4aa952e2d07c0d27fba4e858dcd678

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id-dev_113-0ubuntu17.2_powerpc.deb
Size/MD5: 87538 e0b0ae6ebf9847c5a4141950026b29f2
http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id0_113-0ubuntu17.2_powerpc.deb
Size/MD5: 83398 a4372fb8399d28496fe8ed7a03fe2aab
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_113-0ubuntu17.2_powerpc.udeb
Size/MD5: 149236 99bdb65c79ce39bf881fa56972a7df76
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_113-0ubuntu17.2_powerpc.deb
Size/MD5: 336274 d575f25a976f8cbd4cd123f47c696305
http://security.ubuntu.com/ubuntu/pool/main/u/udev/volumeid_113-0ubuntu17.2_powerpc.deb
Size/MD5: 77432 6c548fabc0ad7861f125de70071cd0d7

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id-dev_113-0ubuntu17.2_sparc.deb
Size/MD5: 87846 a331c703a9b11a20670a160d9bc5a16e
http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id0_113-0ubuntu17.2_sparc.deb
Size/MD5: 83846 6d2a1c58ea38e9b71fba17f841b4a26c
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_113-0ubuntu17.2_sparc.udeb
Size/MD5: 141244 de4f7c09715c900cda38abbf53a6bf0f
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_113-0ubuntu17.2_sparc.deb
Size/MD5: 294436 4591981586a1d547ea33c3cc8b09b39b
http://security.ubuntu.com/ubuntu/pool/main/u/udev/volumeid_113-0ubuntu17.2_sparc.deb
Size/MD5: 74714 cee96bfcea22c72a410644cb812591c0

Updated packages for Ubuntu 8.04 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_117-8ubuntu0.2.diff.gz
Size/MD5: 65730 81fffa88d20b553d3957cc5180258028
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_117-8ubuntu0.2.dsc
Size/MD5: 716 5ce142feffe74504599351ce14f8e79c
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_117.orig.tar.gz
Size/MD5: 245289 1e2b0a30a39019fc7ef947786102cd22

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id-dev_117-8ubuntu0.2_amd64.deb
Size/MD5: 90008 9b726512e3681753aa17b4c28f5f0c97
http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id0_117-8ubuntu0.2_amd64.deb
Size/MD5: 85680 7b719dd5b310814d742d82e8187936ad
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_117-8ubuntu0.2_amd64.udeb
Size/MD5: 142424 3b3556f38c4751c19e94dfa442378975
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_117-8ubuntu0.2_amd64.deb
Size/MD5: 275764 a7341d40aaf3886ede818bacdb8f725b

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id-dev_117-8ubuntu0.2_i386.deb
Size/MD5: 87874 bba06e76c225f835d4bd5da9cf71cb17
http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id0_117-8ubuntu0.2_i386.deb
Size/MD5: 84476 2aaa0302816eb8d524b4b9eed6cc6664
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_117-8ubuntu0.2_i386.udeb
Size/MD5: 125376 12efe871f550741a6070849ecbf345d8
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_117-8ubuntu0.2_i386.deb
Size/MD5: 262096 14de9f79f3e92bca2fd087747fe2cbe4

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/u/udev/libvolume-id-dev_117-8ubuntu0.2_lpia.deb
Size/MD5: 87820 06ae468615109e9693007bbbbd5ab76c
http://ports.ubuntu.com/pool/main/u/udev/libvolume-id0_117-8ubuntu0.2_lpia.deb
Size/MD5: 84344 74698366a89ff79f7da56e1e8081b7f8
http://ports.ubuntu.com/pool/main/u/udev/udev-udeb_117-8ubuntu0.2_lpia.udeb
Size/MD5: 125366 24e6abe9d2d71edc59c8fee7c321aac4
http://ports.ubuntu.com/pool/main/u/udev/udev_117-8ubuntu0.2_lpia.deb
Size/MD5: 262202 ccd906dc5ba0f8150d2e54560cb506fa

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/u/udev/libvolume-id-dev_117-8ubuntu0.2_powerpc.deb
Size/MD5: 91184 0244aee4cd0b49b752b60bb69b822e8d
http://ports.ubuntu.com/pool/main/u/udev/libvolume-id0_117-8ubuntu0.2_powerpc.deb
Size/MD5: 87282 717d460e52f5208028b8a114c41441d3
http://ports.ubuntu.com/pool/main/u/udev/udev-udeb_117-8ubuntu0.2_powerpc.udeb
Size/MD5: 142902 ac0227c34eabb4f40f8011ab810c6774
http://ports.ubuntu.com/pool/main/u/udev/udev_117-8ubuntu0.2_powerpc.deb
Size/MD5: 284190 791467a0daac1a186b308a5260998765

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/u/udev/libvolume-id-dev_117-8ubuntu0.2_sparc.deb
Size/MD5: 91172 5d7f21eb5e8183fd4a3a93a08e71fa9a
http://ports.ubuntu.com/pool/main/u/udev/libvolume-id0_117-8ubuntu0.2_sparc.deb
Size/MD5: 87420 5799e495a349dffb947bca5b831e0a59
http://ports.ubuntu.com/pool/main/u/udev/udev-udeb_117-8ubuntu0.2_sparc.udeb
Size/MD5: 134148 07f30c5e47363b26a07a695ef208ac39
http://ports.ubuntu.com/pool/main/u/udev/udev_117-8ubuntu0.2_sparc.deb
Size/MD5: 268260 81d8d2489b05238c43928ccca028fd97

Updated packages for Ubuntu 8.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_124-9ubuntu0.2.diff.gz
Size/MD5: 60670 3294d977bf37ae45a66d47b624b60db0
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_124-9ubuntu0.2.dsc
Size/MD5: 1092 b52e321c7c4c0e0d6d292167cb6019f8
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_124.orig.tar.gz
Size/MD5: 257418 2ea9229208154229c5d6df6222f74ad7

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id-dev_124-9ubuntu0.2_amd64.deb
Size/MD5: 93152 2ae90a4dc2bad933180b03169f021786
http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id0_124-9ubuntu0.2_amd64.deb
Size/MD5: 88906 31e1fc7a2a7546cdb6c26b38df29cab3
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_124-9ubuntu0.2_amd64.udeb
Size/MD5: 140768 bff970a06a6364bec08459be64169da8
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_124-9ubuntu0.2_amd64.deb
Size/MD5: 280684 09f8b16a2b7b7b5c637e314302ad27b1

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id-dev_124-9ubuntu0.2_i386.deb
Size/MD5: 90866 348a4b3c7ecace17161c156f648ef7f5
http://security.ubuntu.com/ubuntu/pool/main/u/udev/libvolume-id0_124-9ubuntu0.2_i386.deb
Size/MD5: 87674 af9f5a9f38ebff8867ea1d6055e33705
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev-udeb_124-9ubuntu0.2_i386.udeb
Size/MD5: 124664 65a463c6512f87e71b40640809f68245
http://security.ubuntu.com/ubuntu/pool/main/u/udev/udev_124-9ubuntu0.2_i386.deb
Size/MD5: 263786 34aa4d7ad23bcd6fe682d5c958c2b176

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/u/udev/libvolume-id-dev_124-9ubuntu0.2_lpia.deb
Size/MD5: 90952 13a89ac0608a4432f8fe3410798bfc80
http://ports.ubuntu.com/pool/main/u/udev/libvolume-id0_124-9ubuntu0.2_lpia.deb
Size/MD5: 87526 c62d3f557da0f00a683dd2affab3ac18
http://ports.ubuntu.com/pool/main/u/udev/udev-udeb_124-9ubuntu0.2_lpia.udeb
Size/MD5: 124596 227b5495edd9e8164030ec9e3445206f
http://ports.ubuntu.com/pool/main/u/udev/udev_124-9ubuntu0.2_lpia.deb
Size/MD5: 263960 55a49a09202c83919fc7966e9cb4f0e9

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/u/udev/libvolume-id-dev_124-9ubuntu0.2_powerpc.deb
Size/MD5: 94720 9f705767aec000389c4a0ac5547e4b08
http://ports.ubuntu.com/pool/main/u/udev/libvolume-id0_124-9ubuntu0.2_powerpc.deb
Size/MD5: 90490 0a821585e04ab4a3ae43fba609d15bad
http://ports.ubuntu.com/pool/main/u/udev/udev-udeb_124-9ubuntu0.2_powerpc.udeb
Size/MD5: 136420 a13c982f31bb35caf8bdfa0230d6bf25
http://ports.ubuntu.com/pool/main/u/udev/udev_124-9ubuntu0.2_powerpc.deb
Size/MD5: 283654 27a1278de0e01ecd84806b4c52242130

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/u/udev/libvolume-id-dev_124-9ubuntu0.2_sparc.deb
Size/MD5: 94552 4ca615812516cb06abbeb05936f60e3c
http://ports.ubuntu.com/pool/main/u/udev/libvolume-id0_124-9ubuntu0.2_sparc.deb
Size/MD5: 90856 7c2cbb37e564258dcf75f2f0a85ebe51
http://ports.ubuntu.com/pool/main/u/udev/udev-udeb_124-9ubuntu0.2_sparc.udeb
Size/MD5: 136020 0f478380b3c641b037818ed607eea594
http://ports.ubuntu.com/pool/main/u/udev/udev_124-9ubuntu0.2_sparc.deb
Size/MD5: 274892 2f392b3a4d9d271db107930adc81e8e4


--L+ofChggJdETEG3Y
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook

iEYEARECAAYFAknmFF0ACgkQH/9LqRcGPm0WTACdHYzddbGfJ7Xssw4zr7l99fkQ
eboAnjPitugwDnG0VEsFg5vEr/gWh4ZL
=azBB
-----END PGP SIGNATURE-----
"


USN-756-1: ClamAV vulnerability
Kanye says ‘South Park’ put him in check
(AP)

DSA 1767-1: New multipath-tools packages fix denial of service

RHSA-2009:0350-01 Moderate: php security update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: php security update
Advisory ID: RHSA-2009:0350-01
Product: Red Hat Application Stack
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0350.html
Issue date: 2009-04-14
CVE Names: CVE-2008-3658 CVE-2008-3660 CVE-2008-5498
CVE-2008-5557 CVE-2008-5658 CVE-2008-5814
CVE-2009-0754 CVE-2009-1271
=====================================================================

1. Summary:

Updated php packages that fix several security issues are now available for
Red Hat Application Stack v2.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v2 for Enterprise Linux (v.5) - i386, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

A heap-based buffer overflow flaw was found in PHP's mbstring extension. A
remote attacker able to pass arbitrary input to a PHP script using mbstring
conversion functions could cause the PHP interpreter to crash or, possibly,
execute arbitrary code. (CVE-2008-5557)

A flaw was found in the handling of the "mbstring.func_overload"
configuration setting. A value set for one virtual host, or in a user's
.htaccess file, was incorrectly applied to other virtual hosts on the same
server, causing the handling of multibyte character strings to not work
correctly. (CVE-2009-0754)

A directory traversal flaw was found in PHP's ZipArchive::extractTo
function. If PHP is used to extract a malicious ZIP archive, it could allow
an attacker to write arbitrary files anywhere the PHP process has write
permissions. (CVE-2008-5658)

A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP
script allowed a remote attacker to load a carefully crafted font file, it
could cause the PHP interpreter to crash or, possibly, execute arbitrary
code. (CVE-2008-3658)

A flaw was found in the way PHP handled certain file extensions when
running in FastCGI mode. If the PHP interpreter was being executed via
FastCGI, a remote attacker could create a request which would cause the PHP
interpreter to crash. (CVE-2008-3660)

A memory disclosure flaw was found in the PHP gd extension's imagerotate
function. A remote attacker able to pass arbitrary values as the
"background color" argument of the function could, possibly, view portions
of the PHP interpreter's memory. (CVE-2008-5498)

A cross-site scripting flaw was found in a way PHP reported errors for
invalid cookies. If the PHP interpreter had "display_errors" enabled, a
remote attacker able to set a specially-crafted cookie on a victim's system
could possibly inject arbitrary HTML into an error message generated by
PHP. (CVE-2008-5814)

A flaw was found in PHP's json_decode function. A remote attacker could use
this flaw to create a specially-crafted string which could cause the PHP
interpreter to crash while being decoded in a PHP script. (CVE-2009-1271)

All php users are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues. The httpd web server
must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

459529 - CVE-2008-3658 php: buffer overflow in the imageloadfont function in gd extension
459572 - CVE-2008-3660 php: FastCGI module DoS via multiple dots preceding the extension
474824 - CVE-2008-5658 php: ZipArchive::extractTo() Directory Traversal Vulnerability
478425 - CVE-2008-5498 php: libgd imagerotate() array index error memory disclosure
478848 - CVE-2008-5557 php: Heap-based buffer overflow in the mbstring extension via crafted string containing a HTML entity (arb code execution)
479272 - CVE-2009-0754 PHP mbstring.func_overload web server denial of service
480167 - CVE-2008-5814 php: XSS via PHP error messages
494530 - CVE-2009-1271 php: crash on malformed input in json_decode()

6. Package List:

Red Hat Application Stack v2 for Enterprise Linux (v.5):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/php-5.2.6-4.el5s2.src.rpm

i386:
php-5.2.6-4.el5s2.i386.rpm
php-bcmath-5.2.6-4.el5s2.i386.rpm
php-cli-5.2.6-4.el5s2.i386.rpm
php-common-5.2.6-4.el5s2.i386.rpm
php-dba-5.2.6-4.el5s2.i386.rpm
php-debuginfo-5.2.6-4.el5s2.i386.rpm
php-devel-5.2.6-4.el5s2.i386.rpm
php-gd-5.2.6-4.el5s2.i386.rpm
php-imap-5.2.6-4.el5s2.i386.rpm
php-ldap-5.2.6-4.el5s2.i386.rpm
php-mbstring-5.2.6-4.el5s2.i386.rpm
php-mysql-5.2.6-4.el5s2.i386.rpm
php-ncurses-5.2.6-4.el5s2.i386.rpm
php-odbc-5.2.6-4.el5s2.i386.rpm
php-pdo-5.2.6-4.el5s2.i386.rpm
php-pgsql-5.2.6-4.el5s2.i386.rpm
php-snmp-5.2.6-4.el5s2.i386.rpm
php-soap-5.2.6-4.el5s2.i386.rpm
php-xml-5.2.6-4.el5s2.i386.rpm
php-xmlrpc-5.2.6-4.el5s2.i386.rpm

x86_64:
php-5.2.6-4.el5s2.x86_64.rpm
php-bcmath-5.2.6-4.el5s2.x86_64.rpm
php-cli-5.2.6-4.el5s2.x86_64.rpm
php-common-5.2.6-4.el5s2.x86_64.rpm
php-dba-5.2.6-4.el5s2.x86_64.rpm
php-debuginfo-5.2.6-4.el5s2.x86_64.rpm
php-devel-5.2.6-4.el5s2.x86_64.rpm
php-gd-5.2.6-4.el5s2.x86_64.rpm
php-imap-5.2.6-4.el5s2.x86_64.rpm
php-ldap-5.2.6-4.el5s2.x86_64.rpm
php-mbstring-5.2.6-4.el5s2.x86_64.rpm
php-mysql-5.2.6-4.el5s2.x86_64.rpm
php-ncurses-5.2.6-4.el5s2.x86_64.rpm
php-odbc-5.2.6-4.el5s2.x86_64.rpm
php-pdo-5.2.6-4.el5s2.x86_64.rpm
php-pgsql-5.2.6-4.el5s2.x86_64.rpm
php-snmp-5.2.6-4.el5s2.x86_64.rpm
php-soap-5.2.6-4.el5s2.x86_64.rpm
php-xml-5.2.6-4.el5s2.x86_64.rpm
php-xmlrpc-5.2.6-4.el5s2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1271
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ5NAgXlSAg2UNWIIRAtJhAKCCKdjXCXkz0PeZUk5q0S3rsSf53gCfc/vm
fj9YjQ5kUoICJShHZQfaHY8=
=eevn
-----END PGP SIGNATURE-----
"

RHSA-2009:0421-01 Moderate: ghostscript security update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: ghostscript security update
Advisory ID: RHSA-2009:0421-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0421.html
Issue date: 2009-04-14
CVE Names: CVE-2007-6725 CVE-2008-6679 CVE-2009-0196
CVE-2009-0792
=====================================================================

1. Summary:

Updated ghostscript packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

Ghostscript is a set of software that provides a PostScript interpreter, a
set of C procedures (the Ghostscript library, which implements the graphics
capabilities in the PostScript language) and an interpreter for Portable
Document Format (PDF) files.

It was discovered that the Red Hat Security Advisory RHSA-2009:0345 did not
address all possible integer overflow flaws in Ghostscript's International
Color Consortium Format library (icclib). Using specially-crafted ICC
profiles, an attacker could create a malicious PostScript or PDF file with
embedded images that could cause Ghostscript to crash or, potentially,
execute arbitrary code when opened. (CVE-2009-0792)

A buffer overflow flaw and multiple missing boundary checks were found in
Ghostscript. An attacker could create a specially-crafted PostScript or PDF
file that could cause Ghostscript to crash or, potentially, execute
arbitrary code when opened. (CVE-2008-6679, CVE-2007-6725, CVE-2009-0196)

Red Hat would like to thank Alin Rad Pop of Secunia Research for
responsibly reporting the CVE-2009-0196 flaw.

Users of ghostscript are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

491853 - CVE-2009-0792 ghostscript, argyllcms: Incomplete fix for CVE-2009-0583
493379 - CVE-2009-0196 ghostscript: Missing boundary check in Ghostscript's jbig2dec library
493442 - CVE-2007-6725 ghostscript: DoS (crash) in CCITTFax decoding filter
493445 - CVE-2008-6679 ghostscript: Buffer overflow in BaseFont writer module for pdfwrite defice

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ghostscript-8.15.2-9.4.el5_3.7.src.rpm

i386:
ghostscript-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-gtk-8.15.2-9.4.el5_3.7.i386.rpm

x86_64:
ghostscript-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-8.15.2-9.4.el5_3.7.x86_64.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.x86_64.rpm
ghostscript-gtk-8.15.2-9.4.el5_3.7.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ghostscript-8.15.2-9.4.el5_3.7.src.rpm

i386:
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.i386.rpm

x86_64:
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.x86_64.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/ghostscript-8.15.2-9.4.el5_3.7.src.rpm

i386:
ghostscript-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-gtk-8.15.2-9.4.el5_3.7.i386.rpm

ia64:
ghostscript-8.15.2-9.4.el5_3.7.ia64.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.ia64.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.ia64.rpm
ghostscript-gtk-8.15.2-9.4.el5_3.7.ia64.rpm

ppc:
ghostscript-8.15.2-9.4.el5_3.7.ppc.rpm
ghostscript-8.15.2-9.4.el5_3.7.ppc64.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.ppc.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.ppc64.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.ppc.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.ppc64.rpm
ghostscript-gtk-8.15.2-9.4.el5_3.7.ppc.rpm

s390x:
ghostscript-8.15.2-9.4.el5_3.7.s390.rpm
ghostscript-8.15.2-9.4.el5_3.7.s390x.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.s390.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.s390x.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.s390.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.s390x.rpm
ghostscript-gtk-8.15.2-9.4.el5_3.7.s390x.rpm

x86_64:
ghostscript-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-8.15.2-9.4.el5_3.7.x86_64.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.x86_64.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.i386.rpm
ghostscript-devel-8.15.2-9.4.el5_3.7.x86_64.rpm
ghostscript-gtk-8.15.2-9.4.el5_3.7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ5NDvXlSAg2UNWIIRAjMaAKCjfVglsgHCEb9SsKxEMkY2tYStQwCgwH01
j8WuJbWvHzKCxStqjTM4p2I=
=gteK
-----END PGP SIGNATURE-----
"


RHSA-2009:0377-01 Important: java-1.6.0-openjdk security update
Kanye says ‘South Park’ put him in check
(AP)

Kanye says ‘South Park’ put him in check
(AP)

GLSA 200904-13 Ventrilo: Denial of Service  

Posted by Daniela Mehler

"Gentoo Linux Security Advisory GLSA 200904-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Ventrilo: Denial of Service
Date: April 14, 2009
Bugs: #234819
ID: 200904-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Ventrilo, allowing for a Denial
of Service.

Background
==========

Ventrilo is a Voice over IP group communication server.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-sound/ventrilo-server-bin < 3.0.3 > = 3.0.3

Description
===========

Luigi Auriemma reported a NULL pointer dereference in Ventrilo when
processing packets with an invalid version number followed by another
packet.

Impact
======

A remote attacker could send specially crafted packets to the server,
resulting in a crash.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ventrilo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose
">=media-sound/ventrilo-server-bin-3.0.3"

References
==========

[ 1 ] CVE-2008-3680
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3680

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200904-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
"


Country star Joe Nichols plans Broadway debut
(AP)

Kanye says ‘South Park’ put him in check
(AP)

GLSA 200904-10 Avahi: Denial of Service

USN-756-1: ClamAV vulnerability  

Posted by Daniela Mehler

"Ubuntu Security Notice USN-756-1 April 13, 2009
clamav vulnerability
https://launchpad.net/bugs/360502
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
libclamav5 0.94.dfsg.2-1ubuntu0.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that ClamAV did not properly verify buffers when
processing Upack files. A remote attacker could send a crafted file and
cause a denial of service via application crash.


Updated packages for Ubuntu 8.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.94.dfsg.2-1ubuntu0.3.diff.gz
Size/MD5: 160035 9ec8019deb73a5a954c97fcb0bf26309
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.94.dfsg.2-1ubuntu0.3.dsc
Size/MD5: 1507 33a07aa02735d0740a991fd53d1690c7
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.94.dfsg.2.orig.tar.gz
Size/MD5: 22073819 7b45b0c54b887b23cb49e4bff807cf58

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-base_0.94.dfsg.2-1ubuntu0.3_all.deb
Size/MD5: 19497612 4f42a7f2efa8bab6df3f316dc58644f3
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-docs_0.94.dfsg.2-1ubuntu0.3_all.deb
Size/MD5: 1077770 0eb5f3a51d3d05ab98e9cab30fa689ec
http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-testfiles_0.94.dfsg.2-1ubuntu0.3_all.deb
Size/MD5: 208466 f1161a232ed581d23e34465e4e9b69bf

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-daemon_0.94.dfsg.2-1ubuntu0.3_amd64.deb
Size/MD5: 240062 e37dbed6b3807db87a0a564839960c9e
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-dbg_0.94.dfsg.2-1ubuntu0.3_amd64.deb
Size/MD5: 915356 b2d6c5bbe0928fbff8d3f8646e2916bb
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-freshclam_0.94.dfsg.2-1ubuntu0.3_amd64.deb
Size/MD5: 255912 8e697047c72b3d631e3215394ed346ef
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.94.dfsg.2-1ubuntu0.3_amd64.deb
Size/MD5: 236034 1c01619d9fc562477c61f7dba6b7e990
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav-dev_0.94.dfsg.2-1ubuntu0.3_amd64.deb
Size/MD5: 575624 14154e0bd4975215d2edce6159e73bba
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav5_0.94.dfsg.2-1ubuntu0.3_amd64.deb
Size/MD5: 539994 664164b600a3225e1dd4297394cd5705
http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-milter_0.94.dfsg.2-1ubuntu0.3_amd64.deb
Size/MD5: 233094 c44ed50398c9108188682ea6593f4c12

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-daemon_0.94.dfsg.2-1ubuntu0.3_i386.deb
Size/MD5: 233596 526cdf381eea1dfb2b8a25c9ab47af55
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-dbg_0.94.dfsg.2-1ubuntu0.3_i386.deb
Size/MD5: 849528 3d7efe88f9bc29680559141b9add7cfc
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-freshclam_0.94.dfsg.2-1ubuntu0.3_i386.deb
Size/MD5: 254090 2858c4a22109947e27a274eab66d2b2d
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.94.dfsg.2-1ubuntu0.3_i386.deb
Size/MD5: 233118 8275f107c892dade9c8e269294776ddc
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav-dev_0.94.dfsg.2-1ubuntu0.3_i386.deb
Size/MD5: 543786 89aab0500eb0b1dc290a6ead5e172749
http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav5_0.94.dfsg.2-1ubuntu0.3_i386.deb
Size/MD5: 525928 bb809d8829610db1ddbbeb98a17e2777
http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-milter_0.94.dfsg.2-1ubuntu0.3_i386.deb
Size/MD5: 229716 41f3df00a9eaefa7bbdc44bf90076271

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/c/clamav/clamav-daemon_0.94.dfsg.2-1ubuntu0.3_lpia.deb
Size/MD5: 233144 bb617f3ed2b61f494702e3c1c67d8e1f
http://ports.ubuntu.com/pool/main/c/clamav/clamav-dbg_0.94.dfsg.2-1ubuntu0.3_lpia.deb
Size/MD5: 867034 4fad6f85315f71e40f2942d54e74ae5f
http://ports.ubuntu.com/pool/main/c/clamav/clamav-freshclam_0.94.dfsg.2-1ubuntu0.3_lpia.deb
Size/MD5: 254190 96f301fe4b606d3ed7dda39c3d7d5100
http://ports.ubuntu.com/pool/main/c/clamav/clamav_0.94.dfsg.2-1ubuntu0.3_lpia.deb
Size/MD5: 232658 99c61d4acf7b1025670189b589e4f4ce
http://ports.ubuntu.com/pool/main/c/clamav/libclamav-dev_0.94.dfsg.2-1ubuntu0.3_lpia.deb
Size/MD5: 545288 ee5a94b51bad427aeac20db209fe2388
http://ports.ubuntu.com/pool/main/c/clamav/libclamav5_0.94.dfsg.2-1ubuntu0.3_lpia.deb
Size/MD5: 528622 952540615e83e89aa3fcf032a1f67c46
http://ports.ubuntu.com/pool/universe/c/clamav/clamav-milter_0.94.dfsg.2-1ubuntu0.3_lpia.deb
Size/MD5: 229656 4889c53c828b7e66d54748d954c6f3c7

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/c/clamav/clamav-daemon_0.94.dfsg.2-1ubuntu0.3_powerpc.deb
Size/MD5: 243322 7bc824817425ef6faf4d83c1950d7a7f
http://ports.ubuntu.com/pool/main/c/clamav/clamav-dbg_0.94.dfsg.2-1ubuntu0.3_powerpc.deb
Size/MD5: 904222 4133d09baa03806b109a6a0ba45e15eb
http://ports.ubuntu.com/pool/main/c/clamav/clamav-freshclam_0.94.dfsg.2-1ubuntu0.3_powerpc.deb
Size/MD5: 258658 96993b01982151656d85c6978d323f24
http://ports.ubuntu.com/pool/main/c/clamav/clamav_0.94.dfsg.2-1ubuntu0.3_powerpc.deb
Size/MD5: 240674 e10e69574fce756e0774e936a62e3a8c
http://ports.ubuntu.com/pool/main/c/clamav/libclamav-dev_0.94.dfsg.2-1ubuntu0.3_powerpc.deb
Size/MD5: 615272 8dadb6a8a6da0470745de9d8c558fd7c
http://ports.ubuntu.com/pool/main/c/clamav/libclamav5_0.94.dfsg.2-1ubuntu0.3_powerpc.deb
Size/MD5: 556208 dc082d12f3c15a98650253f56f635bc7
http://ports.ubuntu.com/pool/universe/c/clamav/clamav-milter_0.94.dfsg.2-1ubuntu0.3_powerpc.deb
Size/MD5: 233188 dbf6c9f45ab5114e105ebe443562697a

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/c/clamav/clamav-daemon_0.94.dfsg.2-1ubuntu0.3_sparc.deb
Size/MD5: 233162 6b035e2961759537051f30803e6e4e96
http://ports.ubuntu.com/pool/main/c/clamav/clamav-dbg_0.94.dfsg.2-1ubuntu0.3_sparc.deb
Size/MD5: 836902 850d4356b9a87db92d5efc2db81d8936
http://ports.ubuntu.com/pool/main/c/clamav/clamav-freshclam_0.94.dfsg.2-1ubuntu0.3_sparc.deb
Size/MD5: 253444 6c0517570fc4ac05b94080f60adcc571
http://ports.ubuntu.com/pool/main/c/clamav/clamav_0.94.dfsg.2-1ubuntu0.3_sparc.deb
Size/MD5: 233530 8cc09abef6a0baf488ba3f8c0cadecee
http://ports.ubuntu.com/pool/main/c/clamav/libclamav-dev_0.94.dfsg.2-1ubuntu0.3_sparc.deb
Size/MD5: 579172 61ee5fb721cd8543113931525737db7a
http://ports.ubuntu.com/pool/main/c/clamav/libclamav5_0.94.dfsg.2-1ubuntu0.3_sparc.deb
Size/MD5: 544798 1f62918b0a49e4e13f6a760642d04c20
http://ports.ubuntu.com/pool/universe/c/clamav/clamav-milter_0.94.dfsg.2-1ubuntu0.3_sparc.deb
Size/MD5: 230582 9429f9caa92a0cd8feda0d70f9967e6d



--m51xatjYGsM+13rf
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknji2oACgkQW0JvuRdL8Br3agCfTo44XFSBbPYTdW5RtZOUV6rN
hhUAn3XoZf2VoaLn24x6y5Gu/3Lbcw5G
=js+V
-----END PGP SIGNATURE-----
"


DSA 1754-1: New roundup packages fix privilege escalation
DSA 1767-1: New multipath-tools packages fix denial of service
Kanye says ‘South Park’ put him in check
(AP)

Kanye says ‘South Park’ put him in check
(AP)

DSA 1770-1: New imp4 packages fix cross-site scripting  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1770-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
April 13, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : imp4
Vulnerability : Insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Ids : CVE-2008-4182 CVE-2009-0930
Debian Bugs : 500114 500553 513266

Several vulnerabilities have been found in imp4, a webmail component for
the horde framework. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2008-4182

It was discovered that imp4 suffers from a cross-site scripting (XSS)
attack via the user field in an IMAP session, which allows attackers to
inject arbitrary HTML code.

CVE-2009-0930

It was discovered that imp4 is prone to several cross-site scripting
(XSS) attacks via several vectors in the mail code allowing attackers
to inject arbitrary HTML code.

For the oldstable distribution (etch), these problems have been fixed in
version 4.1.3-4etch1.

For the stable distribution (lenny), these problems have been fixed in
version 4.2-4, which was already included in the lenny release.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 4.2-4.


We recommend that you upgrade your imp4 packages.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/i/imp4/imp4_4.1.3-4etch1.dsc
Size/MD5 checksum: 1059 2502fe9fc8aceeb3bd3492b739a6c53a
http://security.debian.org/pool/updates/main/i/imp4/imp4_4.1.3.orig.tar.gz
Size/MD5 checksum: 4178089 91fb63a44805bdff178c39c9bd1c73c5
http://security.debian.org/pool/updates/main/i/imp4/imp4_4.1.3-4etch1.diff.gz
Size/MD5 checksum: 10716 156684bbc1de0c24a44ccef4b979d10a

Architecture independent packages:

http://security.debian.org/pool/updates/main/i/imp4/imp4_4.1.3-4etch1_all.deb
Size/MD5 checksum: 4167730 fc8bbcc5348d4548bf9c707bbad8aec7


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknjVVYACgkQ62zWxYk/rQeKAgCguUQGF7RsrFVNslohtgGLK9N3
hUAAn2pdOPR/zPHGNOSSSBevDbim8/eS
=0AOt
-----END PGP SIGNATURE-----
"


Country star Joe Nichols plans Broadway debut
(AP)

DSA 1754-1: New roundup packages fix privilege escalation

DSA 1754-1: New roundup packages fix privilege escalation  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1754-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
April 09, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : roundup
Vulnerability : insufficient access checks
Problem type : remote
Debian-specific: no
Debian Bug : 518768

It was discovered that roundup, an issue tracker with a command-line,
web and email interface, allows users to edit resources in
unauthorized ways, including granting themselves admin rights.

This update introduces stricter access checks, actually enforcing the
configured permissions and roles. This means that the configuration
may need updating. In addition, user registration via the web
interface has been disabled; use the program "roundup-admin" from the
command line instead.

For the old stable distribution (etch), this problem has been fixed in
version 1.2.1-10+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 1.4.4-4+lenny1.

We recommend that you upgrade your roundup package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/r/roundup/roundup_1.2.1-10+etch1.dsc
Size/MD5 checksum: 692 d3833663815ebb9c1cddc9460d4d83d9
http://security.debian.org/pool/updates/main/r/roundup/roundup_1.2.1-10+etch1.diff.gz
Size/MD5 checksum: 31444 081c0f1e73060e4c08bee19e00a65ca6

Architecture independent packages:

http://security.debian.org/pool/updates/main/r/roundup/roundup_1.2.1-10+etch1_all.deb
Size/MD5 checksum: 1001982 5dd583af51c872e7104ccbc6a4712a19

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/r/roundup/roundup_1.4.4.orig.tar.gz
Size/MD5 checksum: 1362370 6a9f6fc272d833ef0179b00e63010a08
http://security.debian.org/pool/updates/main/r/roundup/roundup_1.4.4-4+lenny1.diff.gz
Size/MD5 checksum: 31251 79f0a30609f4d468724e1ef4a4baa806
http://security.debian.org/pool/updates/main/r/roundup/roundup_1.4.4-4+lenny1.dsc
Size/MD5 checksum: 1052 54b59892c5950d6aaa008241a34baf2e

Architecture independent packages:

http://security.debian.org/pool/updates/main/r/roundup/roundup_1.4.4-4+lenny1_all.deb
Size/MD5 checksum: 1278590 6565b9fcdec76bc76b75d543426875fc


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJ3mCDAAoJEL97/wQC1SS+vFEIAJfs6ZkXdQowmaZ+BF+UrmLA
mqq3lMiD2XWbQ8VF36ItrTHYZLAYVxjlcacrirb2ndn4oEdwAJSoavvuYMIYRYR7
cuyaAlsTWRGENXSLwIxrZP7P/8UxJ/p9NS+f6tjNgIb2mmMd8VzZqAN69hdfkKsR
/OHLILPt6qpd0ZjgShAXt5zhK9V6pO2jsUa8zpzvns+wSs1DfUwXqv7aGyvW39cE
TnOhgXTtjimuV8h5+x5hpFgkUbaiMD47wUy4Fgw9pW5kT0gJ3FsgMHVtvEBb8lQq
fXrszabiunG/IEUKeO+u89syoZMesYwfk6cCT5aYYRSaX7bo6KxB44u8ABp+pxc=
=Cu88
-----END PGP SIGNATURE-----
"


Kanye says ‘South Park’ put him in check
(AP)

Kanye says ‘South Park’ put him in check
(AP)

DSA 1767-1: New multipath-tools packages fix denial of service

ull-disclosure [ GLSA 200904-11  

Posted by Daniela Mehler

"Gentoo Linux Security Advisory GLSA 200904-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Tor: Multiple vulnerabilities
Date: April 08, 2009
Bugs: #250018, #256078, #258833
ID: 200904-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Tor might allow for heap corruption, Denial
of Service, escalation of privileges and information disclosure.

Background
==========

Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/tor < 0.2.0.34 > = 0.2.0.34

Description
===========

* Theo de Raadt reported that the application does not properly drop
privileges to the primary groups of the user specified via the "User"
configuration option (CVE-2008-5397).

* rovv reported that the "ClientDNSRejectInternalAddresses"
configuration option is not always enforced (CVE-2008-5398).

* Ilja van Sprundel reported a heap-corruption vulnerability that
might be remotely triggerable on some platforms (CVE-2009-0414).

* It has been reported that incomplete IPv4 addresses are treated as
valid, violating the specification (CVE-2009-0939).

* Three unspecified vulnerabilities have also been reported
(CVE-2009-0936, CVE-2009-0937, CVE-2009-0938).

Impact
======

A local attacker could escalate privileges by leveraging unintended
supplementary group memberships of the Tor process. A remote attacker
could exploit these vulnerabilities to cause a heap corruption with
unknown impact and attack vectors, to cause a Denial of Service via CPU
consuption or daemon crash, and to weaken anonymity provided by the
service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Tor users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.0.34"

References
==========

[ 1 ] CVE-2008-5397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397
[ 2 ] CVE-2008-5398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5398
[ 3 ] CVE-2009-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0414
[ 4 ] CVE-2009-0936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0936
[ 5 ] CVE-2009-0937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0937
[ 6 ] CVE-2009-0938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0938
[ 7 ] CVE-2009-0939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0939

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200904-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
"


Kanye says ‘South Park’ put him in check
(AP)

GLSA 200904-11 Tor: Multiple vulnerabilities

DSA 1769-1: New openjdk-6 packages fix arbitrary code execution  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1769-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
April 11, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : openjdk-6
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2006-2426 CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 CVE-2009-0793 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1101

Several vulnerabilities have been identified in OpenJDK, an
implementation of the Java SE platform.

Creation of large, temporary fonts could use up available disk space,
leading to a denial of service condition (CVE-2006-2426).

Several vulnerabilities existed in the embedded LittleCMS library,
exploitable through crafted images: a memory leak, resulting in a
denial of service condition (CVE-2009-0581), heap-based buffer
overflows, potentially allowing arbitrary code execution
(CVE-2009-0723, CVE-2009-0733), and a null-pointer dereference,
leading to denial of service (CVE-2009-0793).

The LDAP server implementation (in com.sun.jdni.ldap) did not properly
close sockets if an error was encountered, leading to a
denial-of-service condition (CVE-2009-1093).

The LDAP client implementation (in com.sun.jdni.ldap) allowed
malicious LDAP servers to execute arbitrary code on the client
(CVE-2009-1094).

The HTTP server implementation (sun.net.httpserver) contained an
unspecified denial of service vulnerability (CVE-2009-1101).

Several issues in Java Web Start have been addressed (CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098). The Debian packages
currently do not support Java Web Start, so these issues are not
directly exploitable, but the relevant code has been updated
nevertheless.

For the stable distribution (lenny), these problems have been fixed in
version 9.1+lenny2.

We recommend that you upgrade your openjdk-6 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6_6b11-9.1+lenny2.dsc
Size/MD5 checksum: 2471 ac801bf95b5a70dc2872d3829662ec21
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6_6b11.orig.tar.gz
Size/MD5 checksum: 51692912 a409bb4e935a22dcbd3529dc098c58de
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6_6b11-9.1+lenny2.diff.gz
Size/MD5 checksum: 294391 8245a20f2c8886f5a21ccc584be55963

Architecture independent packages:

http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-doc_6b11-9.1+lenny2_all.deb
Size/MD5 checksum: 12053188 aca3fd411328bdb8ebaecc32cb5dec8c
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-lib_6b11-9.1+lenny2_all.deb
Size/MD5 checksum: 5270602 ac2ec87d2254d75888025068260724c9
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-source_6b11-9.1+lenny2_all.deb
Size/MD5 checksum: 26557844 4162900f514b37b46bd3445c31137038

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jdk_6b11-9.1+lenny2_alpha.deb
Size/MD5 checksum: 8173896 624e143dcca33faeef6f18b3b2dbf091
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre_6b11-9.1+lenny2_alpha.deb
Size/MD5 checksum: 260278 bec0a9dbb3193958ea38849920f207b1
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-headless_6b11-9.1+lenny2_alpha.deb
Size/MD5 checksum: 21624912 8d671cce12b85a8c2a275b27ffdefc3c
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-dbg_6b11-9.1+lenny2_alpha.deb
Size/MD5 checksum: 34552586 9ef7d040a16bfb7cda895fe080a89639
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-demo_6b11-9.1+lenny2_alpha.deb
Size/MD5 checksum: 2373440 4a642fce362f92b7fa55ce07b9cf64ad

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-dbg_6b11-9.1+lenny2_amd64.deb
Size/MD5 checksum: 46891228 ac3e2086cf139e8243b38c6edbd80dc7
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jdk_6b11-9.1+lenny2_amd64.deb
Size/MD5 checksum: 9658430 552cfaa8544f5eedd8b9fea5188e77c5
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre_6b11-9.1+lenny2_amd64.deb
Size/MD5 checksum: 229460 e2e374c1591818a644e6a3edb0ac3ad6
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-demo_6b11-9.1+lenny2_amd64.deb
Size/MD5 checksum: 2351524 0c9f107821594971cc63cac39fd014b1
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-headless_6b11-9.1+lenny2_amd64.deb
Size/MD5 checksum: 22423776 645caac427ee007eed470895fc12ab9e

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-headless_6b11-9.1+lenny2_i386.deb
Size/MD5 checksum: 23574268 b1343b60841cae842b86f18d756117e2
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-dbg_6b11-9.1+lenny2_i386.deb
Size/MD5 checksum: 101067580 2340584d11bc1e48fb4b984673a40244
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-demo_6b11-9.1+lenny2_i386.deb
Size/MD5 checksum: 2341038 723ddcefe74b00d3ea2ed76a883f1f24
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre_6b11-9.1+lenny2_i386.deb
Size/MD5 checksum: 218946 c6c020f02470f3575a692813abd1b41c
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jdk_6b11-9.1+lenny2_i386.deb
Size/MD5 checksum: 9667436 0aec96944c633abdb0d501ea6aa7eb8f

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jdk_6b11-9.1+lenny2_ia64.deb
Size/MD5 checksum: 8289320 f73111b40487fb1d8c2a7193e8d81385
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-demo_6b11-9.1+lenny2_ia64.deb
Size/MD5 checksum: 2456260 a54c41e6b6ac2d78de30c3ecf34fac12
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-headless_6b11-9.1+lenny2_ia64.deb
Size/MD5 checksum: 22549136 afc00f58991b3bcf918fc41df61c3fd0
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-dbg_6b11-9.1+lenny2_ia64.deb
Size/MD5 checksum: 34069370 8df511da244c3d6318ffc5d5141a61ba
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre_6b11-9.1+lenny2_ia64.deb
Size/MD5 checksum: 324686 8035c4fdc432626912a2bb3da4585ed6

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jdk_6b11-9.1+lenny2_mips.deb
Size/MD5 checksum: 8097690 377c76a1a56e8609da0d980070d8d16b
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre_6b11-9.1+lenny2_mips.deb
Size/MD5 checksum: 226786 0d8231609d97dd052bdced6f802fa8d5
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-demo_6b11-9.1+lenny2_mips.deb
Size/MD5 checksum: 2349856 a371082d2ccad75595af31fd54470381
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-dbg_6b11-9.1+lenny2_mips.deb
Size/MD5 checksum: 35242334 af43cfa59394220c4826d68577950df6
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-headless_6b11-9.1+lenny2_mips.deb
Size/MD5 checksum: 21158386 d606f602b2667cfc26fc91c3680aaf12

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-headless_6b11-9.1+lenny2_mipsel.deb
Size/MD5 checksum: 21180172 8c2e20e24f3b43b74b3d91cb5aa70de3
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-dbg_6b11-9.1+lenny2_mipsel.deb
Size/MD5 checksum: 34096046 4cb42eb3ba7fbac9a0e3505ad057de09
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-demo_6b11-9.1+lenny2_mipsel.deb
Size/MD5 checksum: 2349822 387ba1e26565cd39cea6bf1b93c0a3b3
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jdk_6b11-9.1+lenny2_mipsel.deb
Size/MD5 checksum: 8099274 18197ad1556942c861febdb98d6e7f23
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre_6b11-9.1+lenny2_mipsel.deb
Size/MD5 checksum: 226316 0025dc147f2fb45e59d600130129ff8f

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jdk_6b11-9.1+lenny2_powerpc.deb
Size/MD5 checksum: 8129342 6a173ba25b207301ffed322252118903
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-demo_6b11-9.1+lenny2_powerpc.deb
Size/MD5 checksum: 2386836 af23bfe3c5f4b2ce424fde40bb7f4935
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-headless_6b11-9.1+lenny2_powerpc.deb
Size/MD5 checksum: 21316924 17cbaa7f30cccdf93848cc1bfaf5d88d
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-dbg_6b11-9.1+lenny2_powerpc.deb
Size/MD5 checksum: 35337320 3ea33923e7f700119ee41cc5f495524f
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre_6b11-9.1+lenny2_powerpc.deb
Size/MD5 checksum: 243502 d63bfda1e127f6b05ae355deffc1b61e

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-demo_6b11-9.1+lenny2_sparc.deb
Size/MD5 checksum: 2335290 473bde592db775853753221eaeb46dd2
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-dbg_6b11-9.1+lenny2_sparc.deb
Size/MD5 checksum: 103119614 20b1b65401329c139530e1113870b703
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-headless_6b11-9.1+lenny2_sparc.deb
Size/MD5 checksum: 23512994 8c60d293442a38b4d6674273afb04f09
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre_6b11-9.1+lenny2_sparc.deb
Size/MD5 checksum: 220458 0a3b6eb5e25c4c5bdb4d8f30689114be
http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jdk_6b11-9.1+lenny2_sparc.deb
Size/MD5 checksum: 9681988 1450a9fdd406c12815c7d65bbeb4b8ab


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJ4KUOAAoJEL97/wQC1SS+qMwIAIsGSe+hIKgveS1tusa9au6v
EyPOATwo/a8ubY7RCO6yNOB9ET2EdwbPyBNucUqmmBEUuMDmZcmireuWl4tzoMa1
m/hhMFHi9CEbWwyjp9hseX5v1MUMpNUtI2yQthSV4iMdw2Hf+Z1WRtG8eR+qU1zu
2BrI3l5RFp1ES+nLtq3PL70pNDScg5F/LX4e1E0ROeWBhOtJdDogA9pWEl1Yeb6V
q/9J2F6NyVSslK4Kt8Tgl6vC3CCKL6QGuqmFyvE7WfNotwvYEMnyA+RCF8dhDxf9
xVHXx2TQiCOQexrPTqhkuEvj23TWdic94kn6G3CIQX8TpJAA/AF7raaSPx4j7J8=
=vShn
-----END PGP SIGNATURE-----
"


DSA 1767-1: New multipath-tools packages fix denial of service
Kanye says ‘South Park’ put him in check
(AP)