RHSA-2009:1127-01 Critical: kdelibs security update  

Posted by Daniela Mehler

"=====================================================================
Red Hat Security Advisory

Synopsis: Critical: kdelibs security update
Advisory ID: RHSA-2009:1127-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1127.html
Issue date: 2009-06-25
CVE Names: CVE-2009-1687 CVE-2009-1690 CVE-2009-1698
=====================================================================

1. Summary:

Updated kdelibs packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

The kdelibs packages provide libraries for the K Desktop Environment (KDE).

A flaw was found in the way the KDE CSS parser handled content for the
CSS "style" attribute. A remote attacker could create a specially-crafted
CSS-equipped HTML page, which once visited by an unsuspecting user, could
cause a denial of service (Konqueror crash) or, potentially, execute
arbitrary code with the privileges of the user running Konqueror.
(CVE-2009-1698)

A flaw was found in the way the KDE HTML parser handled content for the
HTML "head" element. A remote attacker could create a specially-crafted
HTML page, which once visited by an unsuspecting user, could cause a denial
of service (Konqueror crash) or, potentially, execute arbitrary code with
the privileges of the user running Konqueror. (CVE-2009-1690)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the KDE JavaScript garbage collector handled memory
allocation requests. A remote attacker could create a specially-crafted
HTML page, which once visited by an unsuspecting user, could cause a denial
of service (Konqueror crash) or, potentially, execute arbitrary code with
the privileges of the user running Konqueror. (CVE-2009-1687)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The desktop must be restarted (log out,
then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

505571 - CVE-2009-1690 kdelibs: KHTML Incorrect handling element content once the element was removed (DoS, ACE)
506453 - CVE-2009-1687 kdelibs: Integer overflow in KJS JavaScript garbage collector
506469 - CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE)

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kdelibs-3.3.1-14.el4.src.rpm

i386:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-devel-3.3.1-14.el4.i386.rpm

ia64:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-3.3.1-14.el4.ia64.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.ia64.rpm
kdelibs-devel-3.3.1-14.el4.ia64.rpm

ppc:
kdelibs-3.3.1-14.el4.ppc.rpm
kdelibs-3.3.1-14.el4.ppc64.rpm
kdelibs-debuginfo-3.3.1-14.el4.ppc.rpm
kdelibs-debuginfo-3.3.1-14.el4.ppc64.rpm
kdelibs-devel-3.3.1-14.el4.ppc.rpm

s390:
kdelibs-3.3.1-14.el4.s390.rpm
kdelibs-debuginfo-3.3.1-14.el4.s390.rpm
kdelibs-devel-3.3.1-14.el4.s390.rpm

s390x:
kdelibs-3.3.1-14.el4.s390.rpm
kdelibs-3.3.1-14.el4.s390x.rpm
kdelibs-debuginfo-3.3.1-14.el4.s390.rpm
kdelibs-debuginfo-3.3.1-14.el4.s390x.rpm
kdelibs-devel-3.3.1-14.el4.s390x.rpm

x86_64:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-3.3.1-14.el4.x86_64.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.x86_64.rpm
kdelibs-devel-3.3.1-14.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kdelibs-3.3.1-14.el4.src.rpm

i386:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-devel-3.3.1-14.el4.i386.rpm

x86_64:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-3.3.1-14.el4.x86_64.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.x86_64.rpm
kdelibs-devel-3.3.1-14.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kdelibs-3.3.1-14.el4.src.rpm

i386:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-devel-3.3.1-14.el4.i386.rpm

ia64:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-3.3.1-14.el4.ia64.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.ia64.rpm
kdelibs-devel-3.3.1-14.el4.ia64.rpm

x86_64:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-3.3.1-14.el4.x86_64.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.x86_64.rpm
kdelibs-devel-3.3.1-14.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kdelibs-3.3.1-14.el4.src.rpm

i386:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-devel-3.3.1-14.el4.i386.rpm

ia64:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-3.3.1-14.el4.ia64.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.ia64.rpm
kdelibs-devel-3.3.1-14.el4.ia64.rpm

x86_64:
kdelibs-3.3.1-14.el4.i386.rpm
kdelibs-3.3.1-14.el4.x86_64.rpm
kdelibs-debuginfo-3.3.1-14.el4.i386.rpm
kdelibs-debuginfo-3.3.1-14.el4.x86_64.rpm
kdelibs-devel-3.3.1-14.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdelibs-3.5.4-22.el5_3.src.rpm

i386:
kdelibs-3.5.4-22.el5_3.i386.rpm
kdelibs-apidocs-3.5.4-22.el5_3.i386.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.i386.rpm

x86_64:
kdelibs-3.5.4-22.el5_3.i386.rpm
kdelibs-3.5.4-22.el5_3.x86_64.rpm
kdelibs-apidocs-3.5.4-22.el5_3.x86_64.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.i386.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdelibs-3.5.4-22.el5_3.src.rpm

i386:
kdelibs-debuginfo-3.5.4-22.el5_3.i386.rpm
kdelibs-devel-3.5.4-22.el5_3.i386.rpm

x86_64:
kdelibs-debuginfo-3.5.4-22.el5_3.i386.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.x86_64.rpm
kdelibs-devel-3.5.4-22.el5_3.i386.rpm
kdelibs-devel-3.5.4-22.el5_3.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kdelibs-3.5.4-22.el5_3.src.rpm

i386:
kdelibs-3.5.4-22.el5_3.i386.rpm
kdelibs-apidocs-3.5.4-22.el5_3.i386.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.i386.rpm
kdelibs-devel-3.5.4-22.el5_3.i386.rpm

ia64:
kdelibs-3.5.4-22.el5_3.ia64.rpm
kdelibs-apidocs-3.5.4-22.el5_3.ia64.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.ia64.rpm
kdelibs-devel-3.5.4-22.el5_3.ia64.rpm

ppc:
kdelibs-3.5.4-22.el5_3.ppc.rpm
kdelibs-3.5.4-22.el5_3.ppc64.rpm
kdelibs-apidocs-3.5.4-22.el5_3.ppc.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.ppc.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.ppc64.rpm
kdelibs-devel-3.5.4-22.el5_3.ppc.rpm
kdelibs-devel-3.5.4-22.el5_3.ppc64.rpm

s390x:
kdelibs-3.5.4-22.el5_3.s390.rpm
kdelibs-3.5.4-22.el5_3.s390x.rpm
kdelibs-apidocs-3.5.4-22.el5_3.s390x.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.s390.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.s390x.rpm
kdelibs-devel-3.5.4-22.el5_3.s390.rpm
kdelibs-devel-3.5.4-22.el5_3.s390x.rpm

x86_64:
kdelibs-3.5.4-22.el5_3.i386.rpm
kdelibs-3.5.4-22.el5_3.x86_64.rpm
kdelibs-apidocs-3.5.4-22.el5_3.x86_64.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.i386.rpm
kdelibs-debuginfo-3.5.4-22.el5_3.x86_64.rpm
kdelibs-devel-3.5.4-22.el5_3.i386.rpm
kdelibs-devel-3.5.4-22.el5_3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
"

RHSA-2009:1128-01 Important: kdelibs security update  

Posted by Daniela Mehler

"=====================================================================
Red Hat Security Advisory

Synopsis: Important: kdelibs security update
Advisory ID: RHSA-2009:1128-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1128.html
Issue date: 2009-06-25
CVE Names: CVE-2009-1698
=====================================================================

1. Summary:

Updated kdelibs packages that fix one security issue are now available for
Red Hat Enterprise Linux 3.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

The kdelibs packages provide libraries for the K Desktop Environment (KDE).

A flaw was found in the way the KDE CSS parser handled content for the
CSS "style" attribute. A remote attacker could create a specially-crafted
CSS-equipped HTML page, which once visited by an unsuspecting user, could
cause a denial of service (Konqueror crash) or, potentially, execute
arbitrary code with the privileges of the user running Konqueror.
(CVE-2009-1698)

Users should upgrade to these updated packages, which contain a backported
patch to correct this issue. The desktop must be restarted (log out, then
log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

506469 - CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE)

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kdelibs-3.1.3-6.13.src.rpm

i386:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-devel-3.1.3-6.13.i386.rpm

ia64:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-3.1.3-6.13.ia64.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.ia64.rpm
kdelibs-devel-3.1.3-6.13.ia64.rpm

ppc:
kdelibs-3.1.3-6.13.ppc.rpm
kdelibs-3.1.3-6.13.ppc64.rpm
kdelibs-debuginfo-3.1.3-6.13.ppc.rpm
kdelibs-debuginfo-3.1.3-6.13.ppc64.rpm
kdelibs-devel-3.1.3-6.13.ppc.rpm

s390:
kdelibs-3.1.3-6.13.s390.rpm
kdelibs-debuginfo-3.1.3-6.13.s390.rpm
kdelibs-devel-3.1.3-6.13.s390.rpm

s390x:
kdelibs-3.1.3-6.13.s390.rpm
kdelibs-3.1.3-6.13.s390x.rpm
kdelibs-debuginfo-3.1.3-6.13.s390.rpm
kdelibs-debuginfo-3.1.3-6.13.s390x.rpm
kdelibs-devel-3.1.3-6.13.s390x.rpm

x86_64:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-3.1.3-6.13.x86_64.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.x86_64.rpm
kdelibs-devel-3.1.3-6.13.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kdelibs-3.1.3-6.13.src.rpm

i386:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-devel-3.1.3-6.13.i386.rpm

x86_64:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-3.1.3-6.13.x86_64.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.x86_64.rpm
kdelibs-devel-3.1.3-6.13.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kdelibs-3.1.3-6.13.src.rpm

i386:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-devel-3.1.3-6.13.i386.rpm

ia64:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-3.1.3-6.13.ia64.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.ia64.rpm
kdelibs-devel-3.1.3-6.13.ia64.rpm

x86_64:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-3.1.3-6.13.x86_64.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.x86_64.rpm
kdelibs-devel-3.1.3-6.13.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kdelibs-3.1.3-6.13.src.rpm

i386:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-devel-3.1.3-6.13.i386.rpm

ia64:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-3.1.3-6.13.ia64.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.ia64.rpm
kdelibs-devel-3.1.3-6.13.ia64.rpm

x86_64:
kdelibs-3.1.3-6.13.i386.rpm
kdelibs-3.1.3-6.13.x86_64.rpm
kdelibs-debuginfo-3.1.3-6.13.i386.rpm
kdelibs-debuginfo-3.1.3-6.13.x86_64.rpm
kdelibs-devel-3.1.3-6.13.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
"

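A patch-state check for the two kdelibs advisories above (RHSA-2009:1127 for RHEL 4 and 5, RHSA-2009:1128 for RHEL 3), added here as an example and not part of either advisory: it parses the output of rpm -qa 'kdelibs*' and compares each package's release against the fixed builds in the advisories' package lists. Assumptions: the version-to-product mapping in FIXED_RELEASE, the constructed sample output, and a simplified model of rpm's version comparison without tilde or caret handling.

```python
import re

# Fixed kdelibs builds from RHSA-2009:1128 (RHEL 3) and RHSA-2009:1127
# (RHEL 4 and 5), keyed by (base package name, upstream version).
# Mapping the upstream version to a product stream is an assumption made
# for this example: 3.1.3 ships in RHEL 3, 3.3.1 in RHEL 4, 3.5.4 in RHEL 5.
FIXED_RELEASE = {
    ("kdelibs", "3.1.3"): "6.13",      # RHSA-2009:1128
    ("kdelibs", "3.3.1"): "14.el4",    # RHSA-2009:1127
    ("kdelibs", "3.5.4"): "22.el5_3",  # RHSA-2009:1127
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified model of rpm's rpmvercmp (no tilde/caret handling).

    Split both strings into numeric and alphabetic runs; numeric runs compare
    as integers, alphabetic runs lexically, a numeric run outranks an
    alphabetic one, and when all shared runs are equal the string with more
    runs left over is the newer one. Returns -1, 0 or 1.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nevra(pkg):
    """Split 'name-version-release.arch[.rpm]' into its four fields.

    The name may itself contain hyphens (kdelibs-devel), so version and
    release are taken as the last two hyphen-separated fields.
    """
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    rest, arch = pkg.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch


def is_fixed(pkg):
    """True if pkg is at or above the advisory's fixed build for its stream.

    Raises ValueError for packages these advisories do not cover.
    """
    name, version, release, _arch = parse_nevra(pkg)
    base = name.split("-", 1)[0]           # kdelibs-devel -> kdelibs
    try:
        fixed = FIXED_RELEASE[(base, version)]
    except KeyError:
        raise ValueError("not covered by RHSA-2009:1127/1128: " + pkg) from None
    return rpmvercmp(release, fixed) >= 0


def audit(rpm_qa_output):
    """Classify each line of rpm -qa 'kdelibs*' output as fixed,
    vulnerable or unknown (a package neither advisory covers)."""
    status = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            status[line] = "fixed" if is_fixed(line) else "vulnerable"
        except ValueError:
            status[line] = "unknown"
    return status


# Constructed sample of rpm -qa output, not taken from a real host.
SAMPLE_RPM_QA = """\
kdelibs-3.3.1-13.el4.i386
kdelibs-devel-3.3.1-14.el4.x86_64
kdelibs-3.5.4-21.el5_3.i386
kdelibs-apidocs-3.5.4-22.el5_3.x86_64
kdelibs-3.1.3-6.12.i386
kdelibs-3.1.3-6.13.x86_64
kdelibs-3.4.0-1.i386
"""

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE_RPM_QA).items():
        print("%-40s %s" % (pkg, state))
```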
USN-782-1: Thunderbird vulnerabilities  

Posted by Daniela Mehler

"Ubuntu Security Notice USN-782-1 June 25, 2009
thunderbird vulnerabilities
CVE-2009-1303, CVE-2009-1305, CVE-2009-1306, CVE-2009-1307,
CVE-2009-1308, CVE-2009-1309, CVE-2009-1392, CVE-2009-1833,
CVE-2009-1836, CVE-2009-1838, CVE-2009-1841
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
thunderbird 2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1

Ubuntu 8.10:
thunderbird 2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1

Ubuntu 9.04:
thunderbird 2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1

After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.

Details follow:

Several flaws were discovered in the JavaScript engine of Thunderbird. If a
user had JavaScript enabled and were tricked into viewing malicious web
content, a remote attacker could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1303, CVE-2009-1305, CVE-2009-1392, CVE-2009-1833,
CVE-2009-1838)

Several flaws were discovered in the way Thunderbird processed malformed
URI schemes. If a user were tricked into viewing a malicious website and
had JavaScript and plugins enabled, a remote attacker could execute
arbitrary JavaScript or steal private data. (CVE-2009-1306, CVE-2009-1307,
CVE-2009-1309)

Cefn Hoile discovered Thunderbird did not adequately protect against
embedded third-party stylesheets. If JavaScript were enabled, an attacker
could exploit this to perform script injection attacks using XBL bindings.
(CVE-2009-1308)

Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang discovered that
Thunderbird did not properly handle error responses when connecting to a
proxy server. If a user had JavaScript enabled while using Thunderbird to
view websites and a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information. (CVE-2009-1836)

It was discovered that Thunderbird could be made to run scripts with
elevated privileges. If a user had JavaScript enabled while having
certain non-default add-ons installed and were tricked into viewing a
malicious website, an attacker could cause a chrome privileged object, such
as the browser sidebar, to run arbitrary code via interactions with the
attacker controlled website. (CVE-2009-1841)


"

RHSA-2009:1125-01 Moderate: thunderbird security update  

Posted by Daniela Mehler

"=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: thunderbird security update
Advisory ID: RHSA-2009:1125-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1125.html
Issue date: 2009-06-25
CVE Names: CVE-2009-1303 CVE-2009-1305 CVE-2009-1306
CVE-2009-1307 CVE-2009-1309 CVE-2009-1392
CVE-2009-1833 CVE-2009-1838
=====================================================================

1. Summary:

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed HTML mail content.
An HTML mail message containing malicious content could cause Thunderbird
to crash or, potentially, execute arbitrary code as the user running
Thunderbird. (CVE-2009-1392, CVE-2009-1303, CVE-2009-1305, CVE-2009-1833,
CVE-2009-1838)

Several flaws were found in the way malformed HTML mail content was
processed. An HTML mail message containing malicious content could execute
arbitrary JavaScript in the context of the mail message, possibly
presenting misleading data to the user, or stealing sensitive information
such as login credentials. (CVE-2009-1306, CVE-2009-1307, CVE-2009-1309)

Note: JavaScript support is disabled by default in Thunderbird. None of the
above issues are exploitable unless JavaScript is enabled.

All Thunderbird users should upgrade to this updated package, which
resolves these issues. All running instances of Thunderbird must be
restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

496253 - CVE-2009-1303 Firefox 2 and 3 Layout engine crash
496256 - CVE-2009-1305 Firefox 2 and 3 JavaScript engine crash
496262 - CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI
496263 - CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol
496267 - CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
503568 - CVE-2009-1392 Firefox browser engine crashes
503570 - CVE-2009-1833 Firefox JavaScript engine crashes
503580 - CVE-2009-1838 Firefox arbitrary code execution flaw

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/thunderbird-1.5.0.12-23.el4.src.rpm

i386:
thunderbird-1.5.0.12-23.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-23.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.ia64.rpm

ppc:
thunderbird-1.5.0.12-23.el4.ppc.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.ppc.rpm

s390:
thunderbird-1.5.0.12-23.el4.s390.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.s390.rpm

s390x:
thunderbird-1.5.0.12-23.el4.s390x.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.s390x.rpm

x86_64:
thunderbird-1.5.0.12-23.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/thunderbird-1.5.0.12-23.el4.src.rpm

i386:
thunderbird-1.5.0.12-23.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.i386.rpm

x86_64:
thunderbird-1.5.0.12-23.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/thunderbird-1.5.0.12-23.el4.src.rpm

i386:
thunderbird-1.5.0.12-23.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-23.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.ia64.rpm

x86_64:
thunderbird-1.5.0.12-23.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/thunderbird-1.5.0.12-23.el4.src.rpm

i386:
thunderbird-1.5.0.12-23.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-23.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.ia64.rpm

x86_64:
thunderbird-1.5.0.12-23.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-23.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1838
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKQ5W2XlSAg2UNWIIRAnatAKCvi55u9VQGzGqskg8kiRrpPmiUvgCfaX7J
CgKbp105yaojyMIk0JvU7yc=
=Uvb6
-----END PGP SIGNATURE-----
"

RHSA-2009:1123-01 Moderate: gstreamer-plugins-good security update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: gstreamer-plugins-good security update
Advisory ID: RHSA-2009:1123-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1123.html
Issue date: 2009-06-25
CVE Names: CVE-2009-1932
=====================================================================

1. Summary:

Updated gstreamer-plugins-good packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

GStreamer is a streaming media framework, based on graphs of filters which
operate on media data. GStreamer Good Plug-ins is a collection of
well-supported, good quality GStreamer plug-ins.

Multiple integer overflow flaws, that could lead to a buffer overflow, were
found in the GStreamer Good Plug-ins PNG decoding handler. An attacker
could create a specially-crafted PNG file that would cause an application
using the GStreamer Good Plug-ins library to crash or, potentially, execute
arbitrary code as the user running the application when parsed.
(CVE-2009-1932)

All users of gstreamer-plugins-good are advised to upgrade to these updated
packages, which contain a backported patch to correct these issues. After
installing the update, all applications using GStreamer Good Plug-ins (such
as some media playing applications) must be restarted for the changes to
take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

504199 - CVE-2009-1932 gstreamer-plugins-good: PNG decoder integer overflow

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gstreamer-plugins-good-0.10.9-1.el5_3.2.src.rpm

i386:
gstreamer-plugins-good-0.10.9-1.el5_3.2.i386.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.i386.rpm

x86_64:
gstreamer-plugins-good-0.10.9-1.el5_3.2.x86_64.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gstreamer-plugins-good-0.10.9-1.el5_3.2.src.rpm

i386:
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.i386.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.i386.rpm

x86_64:
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.i386.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.x86_64.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.i386.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/gstreamer-plugins-good-0.10.9-1.el5_3.2.src.rpm

i386:
gstreamer-plugins-good-0.10.9-1.el5_3.2.i386.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.i386.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.i386.rpm

ia64:
gstreamer-plugins-good-0.10.9-1.el5_3.2.ia64.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.ia64.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.ia64.rpm

ppc:
gstreamer-plugins-good-0.10.9-1.el5_3.2.ppc.rpm
gstreamer-plugins-good-0.10.9-1.el5_3.2.ppc64.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.ppc.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.ppc64.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.ppc.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.ppc64.rpm

s390x:
gstreamer-plugins-good-0.10.9-1.el5_3.2.s390x.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.s390.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.s390x.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.s390.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.s390x.rpm

x86_64:
gstreamer-plugins-good-0.10.9-1.el5_3.2.x86_64.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.i386.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.2.x86_64.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.i386.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1932
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKQ4eEXlSAg2UNWIIRAiLdAKC5bZUNPxI4synr0j7CfbL3bPytMwCgoBCM
Ae6GATtczLUJQ/rQQjhebV8=
=BUjR
-----END PGP SIGNATURE-----
"

USN-791-2: Moodle vulnerability  

Posted by Daniela Mehler

"Ubuntu Security Notice USN-791-2 June 24, 2009
moodle vulnerability
CVE-2009-1171
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
moodle 1.9.4.dfsg-0ubuntu1.1

After a standard system upgrade you need to access the Moodle instance
and accept the database update to clear any invalid cached data.

Details follow:

Christian Eibl discovered that the TeX filter in Moodle allowed any
function to be used. An authenticated remote attacker could post
a specially crafted TeX formula to execute arbitrary TeX functions,
potentially reading any file accessible to the web server user, leading
to a loss of privacy. (CVE-2009-1171, MSA-09-0009)


Updated packages for Ubuntu 9.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.9.4.dfsg-0ubuntu1.1.diff.gz
Size/MD5: 37358 a51bee20ca3560c1b390b1e12e42c5f1
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.9.4.dfsg-0ubuntu1.1.dsc
Size/MD5: 1477 a842e53d8330a56f47d09a1c19f78f11
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.9.4.dfsg.orig.tar.gz
Size/MD5: 12969234 6263f780d52114c8d6eced8308b66aa7

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.9.4.dfsg-0ubuntu1.1_all.deb
Size/MD5: 9663672 12cd163fe02d67cda7f972bb5744e3e1



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpChmUACgkQH/9LqRcGPm2WIQCcDE2X05QHrLaGJaY0tZX6UqaP
D78An1aNov2heZOPxGC2//NW2izmEY84
=ayd4
-----END PGP SIGNATURE-----
"

RHSA-2009:1130-01 Critical: kdegraphics security update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: kdegraphics security update
Advisory ID: RHSA-2009:1130-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1130.html
Issue date: 2009-06-25
CVE Names: CVE-2009-0945 CVE-2009-1709
=====================================================================

1. Summary:

Updated kdegraphics packages that fix two security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64

3. Description:

The kdegraphics packages contain applications for the K Desktop Environment
(KDE). Scalable Vector Graphics (SVG) is an XML-based language to describe
vector images. KSVG is a framework aimed at implementing the latest W3C SVG
specifications.

A use-after-free flaw was found in the KDE KSVG animation element
implementation. A remote attacker could create a specially-crafted SVG
image, which once opened by an unsuspecting user, could cause a denial of
service (Konqueror crash) or, potentially, execute arbitrary code with the
privileges of the user running Konqueror. (CVE-2009-1709)

A NULL pointer dereference flaw was found in the KDE KSVG SVGList
interface implementation. A remote attacker could create a
specially-crafted SVG image, which once opened by an unsuspecting user,
would cause memory corruption, leading to a denial of service (Konqueror
crash). (CVE-2009-0945)

All users of kdegraphics should upgrade to these updated packages, which
contain backported patches to correct these issues. The desktop must be
restarted (log out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

506246 - CVE-2009-1709 kdegraphics: KSVG Pointer use-after-free error in the SVG animation element (DoS, ACE)
506703 - CVE-2009-0945 kdegraphics: KSVG NULL-pointer dereference in the SVGList interface implementation (ACE)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdegraphics-3.5.4-13.el5_3.src.rpm

i386:
kdegraphics-3.5.4-13.el5_3.i386.rpm
kdegraphics-debuginfo-3.5.4-13.el5_3.i386.rpm

x86_64:
kdegraphics-3.5.4-13.el5_3.x86_64.rpm
kdegraphics-debuginfo-3.5.4-13.el5_3.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdegraphics-3.5.4-13.el5_3.src.rpm

i386:
kdegraphics-debuginfo-3.5.4-13.el5_3.i386.rpm
kdegraphics-devel-3.5.4-13.el5_3.i386.rpm

x86_64:
kdegraphics-debuginfo-3.5.4-13.el5_3.i386.rpm
kdegraphics-debuginfo-3.5.4-13.el5_3.x86_64.rpm
kdegraphics-devel-3.5.4-13.el5_3.i386.rpm
kdegraphics-devel-3.5.4-13.el5_3.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kdegraphics-3.5.4-13.el5_3.src.rpm

i386:
kdegraphics-3.5.4-13.el5_3.i386.rpm
kdegraphics-debuginfo-3.5.4-13.el5_3.i386.rpm
kdegraphics-devel-3.5.4-13.el5_3.i386.rpm

x86_64:
kdegraphics-3.5.4-13.el5_3.x86_64.rpm
kdegraphics-debuginfo-3.5.4-13.el5_3.i386.rpm
kdegraphics-debuginfo-3.5.4-13.el5_3.x86_64.rpm
kdegraphics-devel-3.5.4-13.el5_3.i386.rpm
kdegraphics-devel-3.5.4-13.el5_3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1709
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKQ6krXlSAg2UNWIIRApsVAJwLS5oXtRA131j2vAvGD0/PxXZU+wCeJNKd
UVUGWZM2j0tnzzuj3ZmbOZk=
=9si/
-----END PGP SIGNATURE-----
"

RHSA-2009:1126-01 Moderate: thunderbird security update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: thunderbird security update
Advisory ID: RHSA-2009:1126-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1126.html
Issue date: 2009-06-25
CVE Names: CVE-2009-1303 CVE-2009-1305 CVE-2009-1306
CVE-2009-1307 CVE-2009-1308 CVE-2009-1309
CVE-2009-1392 CVE-2009-1833 CVE-2009-1836
CVE-2009-1838
=====================================================================

1. Summary:

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed HTML mail content.
An HTML mail message containing malicious content could cause Thunderbird
to crash or, potentially, execute arbitrary code as the user running
Thunderbird. (CVE-2009-1392, CVE-2009-1303, CVE-2009-1305, CVE-2009-1833,
CVE-2009-1838)

Several flaws were found in the way malformed HTML mail content was
processed. An HTML mail message containing malicious content could execute
arbitrary JavaScript in the context of the mail message, possibly
presenting misleading data to the user, or stealing sensitive information
such as login credentials. (CVE-2009-1306, CVE-2009-1307, CVE-2009-1308,
CVE-2009-1309)

A flaw was found in the way Thunderbird handled error responses returned
from proxy servers. If an attacker is able to conduct a man-in-the-middle
attack against a Thunderbird instance that is using a proxy server, they
may be able to steal sensitive information from the site Thunderbird is
displaying. (CVE-2009-1836)

Note: JavaScript support is disabled by default in Thunderbird. None of the
above issues are exploitable unless JavaScript is enabled.

All Thunderbird users should upgrade to this updated package, which
resolves these issues. All running instances of Thunderbird must be
restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

456202 - Launch thunderbird with option "-contentLocale" will get warning message
496253 - CVE-2009-1303 Firefox 2 and 3 Layout engine crash
496256 - CVE-2009-1305 Firefox 2 and 3 JavaScript engine crash
496262 - CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI
496263 - CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol
496266 - CVE-2009-1308 Firefox XSS hazard using third-party stylesheets and XBL bindings
496267 - CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
503568 - CVE-2009-1392 Firefox browser engine crashes
503570 - CVE-2009-1833 Firefox JavaScript engine crashes
503578 - CVE-2009-1836 Firefox SSL tampering via non-200 responses to proxy CONNECT requests
503580 - CVE-2009-1838 Firefox arbitrary code execution flaw

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-2.0.0.22-2.el5_3.src.rpm

i386:
thunderbird-2.0.0.22-2.el5_3.i386.rpm
thunderbird-debuginfo-2.0.0.22-2.el5_3.i386.rpm

x86_64:
thunderbird-2.0.0.22-2.el5_3.x86_64.rpm
thunderbird-debuginfo-2.0.0.22-2.el5_3.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-2.0.0.22-2.el5_3.src.rpm

i386:
thunderbird-2.0.0.22-2.el5_3.i386.rpm
thunderbird-debuginfo-2.0.0.22-2.el5_3.i386.rpm

x86_64:
thunderbird-2.0.0.22-2.el5_3.x86_64.rpm
thunderbird-debuginfo-2.0.0.22-2.el5_3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1838
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKQ5XGXlSAg2UNWIIRAkjDAJ9Du5M9D1ihI93WrGBfCGBS/wajlgCeLIgS
iBYRAOfSreGamk0/Pe2Ar/8=
=k3Bd
-----END PGP SIGNATURE-----
"

DSA 1821-1: New amule packages fix insufficient input sanitising  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1821-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
June 22, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : amule
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-1440
Debian Bug : 525078


Sam Hocevar discovered that amule, a client for the eD2k and Kad
networks, does not properly sanitise the filename, when using the
preview function. This could lead to the injection of arbitrary commands
passed to the video player.

For the stable distribution (lenny), this problem has been fixed in
version 2.2.1-1+lenny2.

The oldstable distribution (etch) is not affected by this issue.

For the testing distribution (squeeze) this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.5-1.1.


We recommend that you upgrade your amule packages.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1.orig.tar.gz
Size/MD5 checksum: 5945095 4af457cf1112cd2c23f133f98d0b1123
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2.diff.gz
Size/MD5 checksum: 21192 cbae4dfde8c2ee4108354ae5a3b33b7c
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2.dsc
Size/MD5 checksum: 1360 44eaea8c76492a09197b4764f6602c38

Architecture independent packages:

http://security.debian.org/pool/updates/main/a/amule/amule-common_2.2.1-1+lenny2_all.deb
Size/MD5 checksum: 2253976 3a393eacd88cbe16e4c6714d244b600c

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_alpha.deb
Size/MD5 checksum: 464220 8d763c84917f2591e724d9db0c3bf730
http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_alpha.deb
Size/MD5 checksum: 1428344 8924427d6f9f3c7c59b04829b1e689e4
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_alpha.deb
Size/MD5 checksum: 1350778 af463e0b04b01767c32a4d40cd611065
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_alpha.deb
Size/MD5 checksum: 2094352 e12c37ac77be795df6b6e57503b2085e

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_amd64.deb
Size/MD5 checksum: 1294100 fd70acd8c4b1c86aa09da145450de94b
http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_amd64.deb
Size/MD5 checksum: 448166 64d61b24c0307c21e6a13cc676bb7361
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_amd64.deb
Size/MD5 checksum: 1192552 6a3c91f293913531a70dd4647cffa6e7
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_amd64.deb
Size/MD5 checksum: 1858846 2933a8ad9f7dda33940efff5ee9194b6

arm architecture (ARM)

http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_arm.deb
Size/MD5 checksum: 449514 1dee31e34becbb25690e98f5bcb7fc81
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_arm.deb
Size/MD5 checksum: 1976994 ebff75684dbab7ac1b6b5f0f217acd35
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_arm.deb
Size/MD5 checksum: 1266254 a8ca8a7f528ef533baf6a4022f15d625
http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_arm.deb
Size/MD5 checksum: 1351714 a66eb56243ef7c70957dbaebfafc0ae7

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_armel.deb
Size/MD5 checksum: 429464 ac82fc01cf3792d837b68df26d2509aa
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_armel.deb
Size/MD5 checksum: 1092808 3a8d674aa4f3c1a5bfb2836e4d5e5d3f
http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_armel.deb
Size/MD5 checksum: 1236006 205dae928f6231ce664ce1bde3c222cc
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_armel.deb
Size/MD5 checksum: 1765870 fac2d32b45a4f69d631aedc004103450

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_hppa.deb
Size/MD5 checksum: 1442768 9b34faff8e0338be7a872d24ce6f6116
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_hppa.deb
Size/MD5 checksum: 1351038 56ed6958e047640353ec93342d522deb
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_hppa.deb
Size/MD5 checksum: 2098164 77a7a340f20e60bd2d9d62126f5da5b4
http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_hppa.deb
Size/MD5 checksum: 465580 e9b5ee45e63b84dbd30cdbcb8663c833

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_i386.deb
Size/MD5 checksum: 441412 7d950e97f28fc52a2ad904c97d695647
http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_i386.deb
Size/MD5 checksum: 1282022 41cb881f954cfee01544cc79cc637de9
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_i386.deb
Size/MD5 checksum: 1834186 092acc92d4efd8f8cfcdfc20d91bf1e4
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_i386.deb
Size/MD5 checksum: 1160416 59a189fcb605d3cd53c25157ac08775e

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_ia64.deb
Size/MD5 checksum: 1543554 e48c437c956f1a7fa663bb4f7c86ae98
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_ia64.deb
Size/MD5 checksum: 2354916 49d3399f61a5d25fa53d61093d0d6aa4
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_ia64.deb
Size/MD5 checksum: 1594620 ae20084bfa0522b83263bab081671835
http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_ia64.deb
Size/MD5 checksum: 491456 253e201bce8de74d789c01596a87950d

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_mips.deb
Size/MD5 checksum: 1244756 95fc39ecfdbe4c8be3b07cc8e26727f3
http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_mips.deb
Size/MD5 checksum: 1329214 09b790f67e09fc528300d137b199f5ce
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_mips.deb
Size/MD5 checksum: 1952694 00cbb0c1cd2710710131f38cf7dd000f
http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_mips.deb
Size/MD5 checksum: 444304 42da3ebfcdfaaf6c2f3df7edb9355ef1

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_mipsel.deb
Size/MD5 checksum: 1903990 c593afa800e0d46e565b89a29d9f1d84
http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_mipsel.deb
Size/MD5 checksum: 1286918 ab7f0967f74ce64dbbe004c6fbd66ee1
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_mipsel.deb
Size/MD5 checksum: 1231682 c2c6ffe9862979549089cd7a86b848e9
http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_mipsel.deb
Size/MD5 checksum: 443016 961d4bf791fa0fcb6f9e508369370745

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_powerpc.deb
Size/MD5 checksum: 1369070 e7ea8113da751779df3f27c22a290167
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_powerpc.deb
Size/MD5 checksum: 1233354 5dee3db5c0be3c25fea36c9e0585aabd
http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_powerpc.deb
Size/MD5 checksum: 1952042 8be4209ffbc1d92bda69a4a7c225871c
http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_powerpc.deb
Size/MD5 checksum: 459252 4f50ff6ebb0c8f51def95a0231231ac3

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_s390.deb
Size/MD5 checksum: 1845666 276351af0fd557f30dddfe163a778a49
http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_s390.deb
Size/MD5 checksum: 441768 a18c5708f99b5dc49c0f9a73dc06d153
http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_s390.deb
Size/MD5 checksum: 1301370 873dd9d9b0c965c81c4d38b6d2b2073e
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_s390.deb
Size/MD5 checksum: 1143174 c249ffbc639a4b922f2e85a4ae7cf822

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_sparc.deb
Size/MD5 checksum: 1886608 721e115be6a2739137a6829157152ab5
http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_sparc.deb
Size/MD5 checksum: 1161476 d40bd787ba3017e6378add6127792dfd
http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_sparc.deb
Size/MD5 checksum: 1319292 8eca735707f026977e2b949a0e465c4c
http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_sparc.deb
Size/MD5 checksum: 442942 d2083c9c69c3279dc70fa5cdd225210c


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpAFtAACgkQ62zWxYk/rQfSFACfQUGKUm7ztVec8X7NqiqQHIHk
9RsAoJ9luiSBGNWvoXSOKSwhOCSNWu56
=F6dh
-----END PGP SIGNATURE-----
"
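Both the USN-791-2 and the DSA 1821-1 notices above publish each download as a URL line followed by a "Size/MD5" line, and leave it to the reader to compare the files they fetched against those values before running `dpkg -i`. The script below is an added example written for this page, not code from Debian, Ubuntu or the advisory authors: it parses that two-line format (Debian's "Size/MD5 checksum:" and Ubuntu's "Size/MD5:" variants), checks every named file in a download directory, and reports ok, size mismatch, md5 mismatch or missing. All URLs, package names, file contents and checksums in the sample listing are constructed for the demonstration and do not belong to any real package.

```python
"""Check downloaded packages against an advisory's Size/MD5 listing.

Added example, not part of the DSA or USN text: parses the
"URL / Size/MD5 checksum: SIZE HASH" pairs both advisory formats use and
compares each local download against them. All file names, URLs and
contents below are constructed sample data.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    url: str
    size: int
    md5: str


_URL_RE = re.compile(r"^(?:https?|ftp)://\S+$")
# Debian DSA lines read "Size/MD5 checksum: N HASH", Ubuntu USN lines "Size/MD5: N HASH".
_SUM_RE = re.compile(r"^Size/MD5(?: checksum)?:\s+(\d+)\s+([0-9a-fA-F]{32})$")


def parse_listing(text: str) -> List[Entry]:
    """Pair each URL line with the checksum line that immediately follows it."""
    entries: List[Entry] = []
    pending_url = None
    for raw in text.splitlines():
        line = raw.strip()
        if _URL_RE.match(line):
            pending_url = line
            continue
        m = _SUM_RE.match(line)
        if m and pending_url is not None:
            entries.append(Entry(pending_url, int(m.group(1)), m.group(2).lower()))
        pending_url = None  # anything else breaks the URL/checksum pairing
    return entries


def verify_file(path: str, entry: Entry) -> str:
    """Return 'ok', 'size mismatch' or 'md5 mismatch' for one download."""
    if os.path.getsize(path) != entry.size:
        return "size mismatch"  # cheap check first, before hashing
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == entry.md5 else "md5 mismatch"


def verify_downloads(listing: str, download_dir: str) -> Dict[str, str]:
    """Map each listed file name to its verification status."""
    results: Dict[str, str] = {}
    for entry in parse_listing(listing):
        name = entry.url.rsplit("/", 1)[-1]
        path = os.path.join(download_dir, name)
        results[name] = verify_file(path, entry) if os.path.isfile(path) else "missing"
    return results


# Constructed sample contents: GOOD matches the listing, BAD_HASH has the
# same length but different bytes, BAD_SIZE is one byte longer.
GOOD = b"constructed sample package contents\n"
BAD_HASH = b"constructed sample package contents!"
BAD_SIZE = GOOD + b"\n"
_GOOD_MD5 = hashlib.md5(GOOD).hexdigest()
_BOGUS_MD5 = "0" * 32

# Constructed listing in the shape of the advisories, mixing both line formats.
SAMPLE_LISTING = f"""
Architecture independent packages:

http://security.example.invalid/pool/main/e/example-pkg/example-pkg_1.0-1_all.deb
Size/MD5 checksum: {len(GOOD)} {_GOOD_MD5}

i386 architecture (Intel ia32)

http://security.example.invalid/pool/main/e/example-pkg/example-pkg_1.0-1_i386.deb
Size/MD5 checksum: {len(GOOD)} {_GOOD_MD5}

amd64 architecture (AMD x86_64 (AMD64))

http://security.example.invalid/pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb
Size/MD5: {len(GOOD)} {_GOOD_MD5}

Source archives:

http://security.example.invalid/pool/main/e/example-pkg/example-pkg_1.0.orig.tar.gz
Size/MD5: 12345 {_BOGUS_MD5}
"""


def run_demo() -> Dict[str, str]:
    """Write the three sample downloads to a temp dir and verify them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("example-pkg_1.0-1_all.deb", GOOD),
                           ("example-pkg_1.0-1_i386.deb", BAD_HASH),
                           ("example-pkg_1.0-1_amd64.deb", BAD_SIZE)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return verify_downloads(SAMPLE_LISTING, tmp)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{status:14} {name}")
```

In practice you would paste the advisory's own listing into `SAMPLE_LISTING` (or read it from the saved mail) and point `verify_downloads` at the directory `wget` wrote to. The size comparison runs before hashing so a truncated download is reported without reading the whole file. Note that an MD5 match only shows the file is the one the advisory describes; the trust comes from the advisory's PGP signature, which is why each notice above ends in a signature block and why the Red Hat advisories point to their package signing key rather than to checksums.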

RHSA-2009:1109-01 Critical: acroread security update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: acroread security update
Advisory ID: RHSA-2009:1109-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1109.html
Issue date: 2009-06-17
CVE Names: CVE-2009-0198 CVE-2009-0509 CVE-2009-0510
CVE-2009-0511 CVE-2009-0512 CVE-2009-0888
CVE-2009-0889 CVE-2009-1855 CVE-2009-1856
CVE-2009-1857 CVE-2009-1858 CVE-2009-1859
CVE-2009-1861 CVE-2009-2028
=====================================================================

1. Summary:

Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4
Extras, and Red Hat Enterprise Linux 5 Supplementary.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 Extras - i386, x86_64
Red Hat Desktop version 3 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 3 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 3 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64

3. Description:

Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).

Multiple security flaws were discovered in Adobe Reader. A specially
crafted PDF file could cause Adobe Reader to crash or, potentially, execute
arbitrary code as the user running Adobe Reader when opened.
(CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512,
CVE-2009-0888, CVE-2009-0889, CVE-2009-1855, CVE-2009-1856, CVE-2009-1857,
CVE-2009-1858, CVE-2009-1859, CVE-2009-1861, CVE-2009-2028)

All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 8.1.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

505049 - acroread: multiple security fixes in version 8.1.6 (APSB09-07)

6. Package List:

Red Hat Enterprise Linux AS version 3 Extras:

i386:
acroread-8.1.6-1.i386.rpm
acroread-plugin-8.1.6-1.i386.rpm

x86_64:
acroread-8.1.6-1.i386.rpm

Red Hat Desktop version 3 Extras:

i386:
acroread-8.1.6-1.i386.rpm
acroread-plugin-8.1.6-1.i386.rpm

x86_64:
acroread-8.1.6-1.i386.rpm

Red Hat Enterprise Linux ES version 3 Extras:

i386:
acroread-8.1.6-1.i386.rpm
acroread-plugin-8.1.6-1.i386.rpm

x86_64:
acroread-8.1.6-1.i386.rpm

Red Hat Enterprise Linux WS version 3 Extras:

i386:
acroread-8.1.6-1.i386.rpm
acroread-plugin-8.1.6-1.i386.rpm

x86_64:
acroread-8.1.6-1.i386.rpm

Red Hat Enterprise Linux AS version 4 Extras:

i386:
acroread-8.1.6-1.el4.i386.rpm
acroread-plugin-8.1.6-1.el4.i386.rpm

x86_64:
acroread-8.1.6-1.el4.i386.rpm

Red Hat Desktop version 4 Extras:

i386:
acroread-8.1.6-1.el4.i386.rpm
acroread-plugin-8.1.6-1.el4.i386.rpm

x86_64:
acroread-8.1.6-1.el4.i386.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
acroread-8.1.6-1.el4.i386.rpm
acroread-plugin-8.1.6-1.el4.i386.rpm

x86_64:
acroread-8.1.6-1.el4.i386.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
acroread-8.1.6-1.el4.i386.rpm
acroread-plugin-8.1.6-1.el4.i386.rpm

x86_64:
acroread-8.1.6-1.el4.i386.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
acroread-8.1.6-2.el5.i386.rpm
acroread-plugin-8.1.6-2.el5.i386.rpm

x86_64:
acroread-8.1.6-2.el5.i386.rpm
acroread-plugin-8.1.6-2.el5.i386.rpm

RHEL Supplementary (v. 5 server):

i386:
acroread-8.1.6-2.el5.i386.rpm
acroread-plugin-8.1.6-2.el5.i386.rpm

x86_64:
acroread-8.1.6-2.el5.i386.rpm
acroread-plugin-8.1.6-2.el5.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0888
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1859
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1861
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2028
http://www.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb09-07.html

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKOLTAXlSAg2UNWIIRApNNAJ9xDHV1BSt4vrkhO4drc//0KagXEgCeNj+M
ot0s22MwAAcx6Ida5u6z4S8=
=tMmm
-----END PGP SIGNATURE-----
"

DSA 1822-1: New mahara packages fix cross-site scripting  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1822-1 security@debian.org
http://www.debian.org/security/ Nico Golde
June 23rd, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : mahara
Vulnerability : insufficient input sanitization
Problem type : remote
Debian-specific: no
CVE ID : no CVE ids yet


It was discovered that mahara, an electronic portfolio, weblog, and resume
builder, is prone to several cross-site scripting attacks, which allow an
attacker to inject arbitrary HTML or script code and steal potentially sensitive
data from other users.


The oldstable distribution (etch) does not contain mahara.

For the stable distribution (lenny), this problem has been fixed in
version 1.0.4-4+lenny3.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.5-1.


We recommend that you upgrade your mahara packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny3.diff.gz
Size/MD5 checksum: 39703 37ab5bac170c01367202510b3d11c486
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny3.dsc
Size/MD5 checksum: 1303 808210db6028fd5d6cbe439b666c2c84
http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4.orig.tar.gz
Size/MD5 checksum: 2383079 cf1158e4fe3cdba14fb1b71657bf8cc9

Architecture independent packages:

http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny3_all.deb
Size/MD5 checksum: 1637508 d6252dd4544dd00b798d6457dced9591
http://security.debian.org/pool/updates/main/m/mahara/mahara-apache2_1.0.4-4+lenny3_all.deb
Size/MD5 checksum: 7844 8489301d195fe6fa6f7e712dc2053916


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpAm5kACgkQHYflSXNkfP+PIgCfQ04XAE/2gLbL0duTHaK/n+K1
U0QAmgL4kcrfT5mUFP3xXIW9+OGEzfuj
=Fbks
-----END PGP SIGNATURE-----
"

DSA 1817-1: New ctorrent packages fix arbitrary code execution  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1817-1 security@debian.org
http://www.debian.org/security/ Nico Golde
June 17th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : ctorrent
Vulnerability : stack-based buffer overflow
Problem type : local (remote)
Debian-specific: no
Debian bug : 530255
CVE ID : CVE-2009-1759


Michael Brooks discovered that ctorrent, a text-mode bittorrent client,
does not verify the length of file paths in torrent files. An attacker
can exploit this via a crafted torrent that contains a long file path to
execute arbitrary code with the rights of the user opening the file.
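The flaw above is a missing length check on path data read from a torrent. The following C code is an added illustration written for this page, not ctorrent's code: it walks a bencoded "path" list and refuses to copy it into a fixed-size buffer unless the joined path fits, so the attacker-chosen length never decides how many bytes are written. The bencode helper, the function names and the buffer sizes are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Parse one bencoded byte string "<len>:<bytes>" starting at p within
   [p, end). Returns a pointer to the bytes and stores the length in *len,
   or NULL if the input is malformed: no digits, no ':', a decimal length
   that overflows size_t, or a declared length that runs past the data. */
static const char *bdecode_string(const char *p, const char *end, size_t *len)
{
    size_t n = 0;
    if (p >= end || *p < '0' || *p > '9')
        return NULL;
    while (p < end && *p >= '0' && *p <= '9') {
        if (n > (SIZE_MAX - 9) / 10)
            return NULL;                    /* decimal length would overflow */
        n = n * 10 + (size_t)(*p - '0');
        p++;
    }
    if (p >= end || *p != ':')
        return NULL;
    p++;
    if ((size_t)(end - p) < n)
        return NULL;                        /* declared length exceeds the data */
    *len = n;
    return p;
}

/* Walk a bencoded path list ("l<str><str>...e", the "path" value under
   "files" in a torrent's info dictionary) and join the components with '/'
   into out (skipped when out is NULL; out_size then acts as the limit).
   Nothing is written unless the whole path fits in out_size bytes including
   the NUL. Returns the joined length, -1 for malformed input, -2 when the
   path would not fit. Hypothetical helper, not from any real client. */
long join_torrent_path(const char *data, size_t n, char *out, size_t out_size)
{
    const char *p = data, *end = data + n;
    size_t total = 0;
    if (out != NULL && out_size == 0)
        return -2;
    if (p >= end || *p != 'l')
        return -1;
    p++;
    while (p < end && *p != 'e') {
        size_t len, need;
        const char *s = bdecode_string(p, end, &len);
        if (s == NULL || len == 0 || memchr(s, '\0', len) != NULL)
            return -1;                      /* empty or NUL-bearing component */
        need = total + (total ? 1 : 0) + len;
        if (need >= out_size)
            return -2;                      /* the bounds check: reject, never truncate */
        if (out != NULL) {
            if (total)
                out[total] = '/';
            memcpy(out + total + (total ? 1 : 0), s, len);
        }
        total = need;
        p = s + len;
    }
    if (p >= end)
        return -1;                          /* list never closed with 'e' */
    if (out != NULL)
        out[total] = '\0';
    return (long)total;
}
```

With a constructed list such as "l3:doc10:readme.txte" and a 64-byte destination the call returns 14 and writes "doc/readme.txt"; with an 8-byte destination it returns -2 and writes nothing.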


The oldstable distribution (etch) does not contain ctorrent.

For the stable distribution (lenny), this problem has been fixed in
version 1.3.4-dnh3.2-1+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.4-dnh3.2-1.1.


We recommend that you upgrade your ctorrent packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1.diff.gz
Size/MD5 checksum: 6427 a8eb130df614638863d1de39f80aeb3c
http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1.dsc
Size/MD5 checksum: 1132 2159a81d35c934811cc4b65a5d51c63e
http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2.orig.tar.gz
Size/MD5 checksum: 201651 8c4605ea3a1f6d09da593c25b5ab7dbd

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_alpha.deb
Size/MD5 checksum: 124858 5fce08bb15b4706ae4dc25c20a9da7b4

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_amd64.deb
Size/MD5 checksum: 112618 34ca707d68325c7b3939338d0b0ca7c2

arm architecture (ARM)

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_arm.deb
Size/MD5 checksum: 111212 8e4c1fa0ef849a48d3a87e5f68543520

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_armel.deb
Size/MD5 checksum: 109968 60648ec18a34e50b483fbbf3dacba958

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_hppa.deb
Size/MD5 checksum: 126318 e784df9d63ad73e20cc295f9afd3a436

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_i386.deb
Size/MD5 checksum: 107962 d17a52c0f1c4f78cb912159719eaca5d

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_ia64.deb
Size/MD5 checksum: 161648 179939230644da247cc342e8b2695df4

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_mips.deb
Size/MD5 checksum: 123522 efe46dd5e1f6604d01e4e9dccedae3d6

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_mipsel.deb
Size/MD5 checksum: 124204 5af9aa2d675d420684e78250663098a1

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_powerpc.deb
Size/MD5 checksum: 123882 ee2163a4290b1c617e5b0a90caa7b4c4

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_s390.deb
Size/MD5 checksum: 115012 fcb29b56a042601293a48ae9a406fc0b

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_sparc.deb
Size/MD5 checksum: 111682 149c6237664380b0d6c6cb74a3006e0d


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAko5aTcACgkQHYflSXNkfP+v/ACfVJIYp9f2lYmdeH6pUO3SmMFi
KFIAoKyTR4/nZu832eu8H82JKf7wfEJ+
=es+I
-----END PGP SIGNATURE-----
"

RHSA-2009:1101-01 Moderate: cscope security update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: cscope security update
Advisory ID: RHSA-2009:1101-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1101.html
Issue date: 2009-06-15
CVE Names: CVE-2004-2541 CVE-2006-4262 CVE-2009-0148
CVE-2009-1577
=====================================================================

1. Summary:

An updated cscope package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

cscope is a mature, ncurses-based, C source-code tree browsing tool.

Multiple buffer overflow flaws were found in cscope. An attacker could
create a specially crafted source code file that could cause cscope to
crash or, possibly, execute arbitrary code when browsed with cscope.
(CVE-2004-2541, CVE-2006-4262, CVE-2009-0148, CVE-2009-1577)

All users of cscope are advised to upgrade to this updated package, which
contains backported patches to fix these issues. All running instances of
cscope must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

203645 - CVE-2006-4262 cscope: multiple buffer overflows
490667 - CVE-2004-2541, CVE-2009-0148 cscope: multiple buffer overflows
499174 - CVE-2009-1577 cscope: putstring buffer overflow

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cscope-15.5-16.RHEL3.src.rpm

i386:
cscope-15.5-16.RHEL3.i386.rpm
cscope-debuginfo-15.5-16.RHEL3.i386.rpm

ia64:
cscope-15.5-16.RHEL3.ia64.rpm
cscope-debuginfo-15.5-16.RHEL3.ia64.rpm

ppc:
cscope-15.5-16.RHEL3.ppc.rpm
cscope-debuginfo-15.5-16.RHEL3.ppc.rpm

s390:
cscope-15.5-16.RHEL3.s390.rpm
cscope-debuginfo-15.5-16.RHEL3.s390.rpm

s390x:
cscope-15.5-16.RHEL3.s390x.rpm
cscope-debuginfo-15.5-16.RHEL3.s390x.rpm

x86_64:
cscope-15.5-16.RHEL3.x86_64.rpm
cscope-debuginfo-15.5-16.RHEL3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/cscope-15.5-16.RHEL3.src.rpm

i386:
cscope-15.5-16.RHEL3.i386.rpm
cscope-debuginfo-15.5-16.RHEL3.i386.rpm

x86_64:
cscope-15.5-16.RHEL3.x86_64.rpm
cscope-debuginfo-15.5-16.RHEL3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cscope-15.5-16.RHEL3.src.rpm

i386:
cscope-15.5-16.RHEL3.i386.rpm
cscope-debuginfo-15.5-16.RHEL3.i386.rpm

ia64:
cscope-15.5-16.RHEL3.ia64.rpm
cscope-debuginfo-15.5-16.RHEL3.ia64.rpm

x86_64:
cscope-15.5-16.RHEL3.x86_64.rpm
cscope-debuginfo-15.5-16.RHEL3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cscope-15.5-16.RHEL3.src.rpm

i386:
cscope-15.5-16.RHEL3.i386.rpm
cscope-debuginfo-15.5-16.RHEL3.i386.rpm

ia64:
cscope-15.5-16.RHEL3.ia64.rpm
cscope-debuginfo-15.5-16.RHEL3.ia64.rpm

x86_64:
cscope-15.5-16.RHEL3.x86_64.rpm
cscope-debuginfo-15.5-16.RHEL3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/cscope-15.5-10.RHEL4.3.src.rpm

i386:
cscope-15.5-10.RHEL4.3.i386.rpm
cscope-debuginfo-15.5-10.RHEL4.3.i386.rpm

ia64:
cscope-15.5-10.RHEL4.3.ia64.rpm
cscope-debuginfo-15.5-10.RHEL4.3.ia64.rpm

ppc:
cscope-15.5-10.RHEL4.3.ppc.rpm
cscope-debuginfo-15.5-10.RHEL4.3.ppc.rpm

s390:
cscope-15.5-10.RHEL4.3.s390.rpm
cscope-debuginfo-15.5-10.RHEL4.3.s390.rpm

s390x:
cscope-15.5-10.RHEL4.3.s390x.rpm
cscope-debuginfo-15.5-10.RHEL4.3.s390x.rpm

x86_64:
cscope-15.5-10.RHEL4.3.x86_64.rpm
cscope-debuginfo-15.5-10.RHEL4.3.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/cscope-15.5-10.RHEL4.3.src.rpm

i386:
cscope-15.5-10.RHEL4.3.i386.rpm
cscope-debuginfo-15.5-10.RHEL4.3.i386.rpm

x86_64:
cscope-15.5-10.RHEL4.3.x86_64.rpm
cscope-debuginfo-15.5-10.RHEL4.3.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/cscope-15.5-10.RHEL4.3.src.rpm

i386:
cscope-15.5-10.RHEL4.3.i386.rpm
cscope-debuginfo-15.5-10.RHEL4.3.i386.rpm

ia64:
cscope-15.5-10.RHEL4.3.ia64.rpm
cscope-debuginfo-15.5-10.RHEL4.3.ia64.rpm

x86_64:
cscope-15.5-10.RHEL4.3.x86_64.rpm
cscope-debuginfo-15.5-10.RHEL4.3.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/cscope-15.5-10.RHEL4.3.src.rpm

i386:
cscope-15.5-10.RHEL4.3.i386.rpm
cscope-debuginfo-15.5-10.RHEL4.3.i386.rpm

ia64:
cscope-15.5-10.RHEL4.3.ia64.rpm
cscope-debuginfo-15.5-10.RHEL4.3.ia64.rpm

x86_64:
cscope-15.5-10.RHEL4.3.x86_64.rpm
cscope-debuginfo-15.5-10.RHEL4.3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4262
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1577
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKNrzAXlSAg2UNWIIRArrIAJ0WxNf68eHd2MqqPEju6qsRaUsr2ACggfJ9
NgvDE6TPlnbWhos+yKjJ2os=
=jBA3
-----END PGP SIGNATURE-----
"