RHSA-2009:1465-01 Important: kvm security and bug fix update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kvm security and bug fix update
Advisory ID: RHSA-2009:1465-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1465.html
Issue date: 2009-09-29
CVE Names: CVE-2009-3290
=====================================================================

1. Summary:

Updated kvm packages that fix one security issue and several bugs are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Multi OS (v. 5 client) - x86_64
RHEL Virtualization (v. 5 server) - x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for
the standard Red Hat Enterprise Linux kernel.

The kvm_emulate_hypercall() implementation was missing a check for the
Current Privilege Level (CPL). A local, unprivileged user in a virtual
machine could use this flaw to cause a local denial of service or escalate
their privileges within that virtual machine. (CVE-2009-3290)

This update also fixes the following bugs:

* non-maskable interrupts (NMI) were not supported on systems with AMD
processors. As a consequence, Windows Server 2008 R2 guests running with
more than one virtual CPU assigned on systems with AMD processors would
hang at the Windows shut down screen when a restart was attempted. This
update adds support for NMI filtering on systems with AMD processors,
allowing clean restarts of Windows Server 2008 R2 guests running with
multiple virtual CPUs. (BZ#520694)

* significant performance issues for guests running 64-bit editions of
Windows. This update improves performance for guests running 64-bit
editions of Windows. (BZ#521793)

* Windows guests may have experienced time drift. (BZ#521794)

* removing the Red Hat VirtIO Ethernet Adapter from a guest running Windows
Server 2008 R2 caused KVM to crash. With this update, device removal should
not cause this issue. (BZ#524557)

All KVM users should upgrade to these updated packages, which contain
backported patches to resolve these issues. Note: The procedure in the
Solution section must be performed before this update takes effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

The following procedure must be performed before this update takes effect:

1. Stop all KVM guest virtual machines.

2. Either reboot the hypervisor machine or, as the root user, remove (using
"modprobe -r [module]") and reload (using "modprobe [module]") all of the
following modules which are currently running (determined using "lsmod"):
kvm, ksm, kvm-intel or kvm-amd.

3. Restart the KVM guest virtual machines.

5. Bugs fixed (http://bugzilla.redhat.com/):

520694 - NMI filtering for AMD (Windows 2008 R2 KVM guest can not restart when set it as multiple cpus)
521793 - windows 64 bit does vmexit on each cr8 access.
521794 - rtc-td-hack stopped working. Time drifts in windows
524124 - CVE-2009-3290 kernel: KVM: x86: Disallow hypercalls for guest callers in rings > 0
524557 - QEMU crash (during virtio-net WHQL tests for Win2008 R2)

6. Package List:

RHEL Desktop Multi OS (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kvm-83-105.el5_4.7.src.rpm

x86_64:
kmod-kvm-83-105.el5_4.7.x86_64.rpm
kvm-83-105.el5_4.7.x86_64.rpm
kvm-debuginfo-83-105.el5_4.7.x86_64.rpm
kvm-qemu-img-83-105.el5_4.7.x86_64.rpm
kvm-tools-83-105.el5_4.7.x86_64.rpm

RHEL Virtualization (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kvm-83-105.el5_4.7.src.rpm

x86_64:
kmod-kvm-83-105.el5_4.7.x86_64.rpm
kvm-83-105.el5_4.7.x86_64.rpm
kvm-debuginfo-83-105.el5_4.7.x86_64.rpm
kvm-qemu-img-83-105.el5_4.7.x86_64.rpm
kvm-tools-83-105.el5_4.7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3290
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKwjL+XlSAg2UNWIIRAqNAAJ49kD0ZXnry24TTWuwcPryiP57fyQCdH8ti
jVVIrtZL3kSy1/zfUBjWWd0=
-----END PGP SIGNATURE-----
"


RHSA-2009:1466-01 Important: kernel security and bug fix update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2009:1466-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1466.html
Issue date: 2009-09-29
CVE Names: CVE-2009-2847 CVE-2009-2848
=====================================================================

1. Summary:

Updated kernel packages that fix two security issues and several bugs are
now available for Red Hat Enterprise Linux 5.3 Extended Update Support.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5.3.z server) - i386, ia64, noarch, ppc, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

This update includes backported fixes for two security issues. These issues
only affected users of Red Hat Enterprise Linux 5.3 Extended Update Support
as they have already been addressed for users of Red Hat Enterprise Linux 5
in the 5.4 update, RHSA-2009:1243.

In accordance with the support policy, future security updates to Red Hat
Enterprise Linux 5.3 Extended Update Support will only include issues of
critical security impact.

This update fixes the following security issues:

* it was discovered that, when executing a new process, the clear_child_tid
pointer in the Linux kernel is not cleared. If this pointer points to a
writable portion of the memory of the new program, the kernel could corrupt
four bytes of memory, possibly leading to a local denial of service or
privilege escalation. (CVE-2009-2848, Important)

* a flaw was found in the way the do_sigaltstack() function in the Linux
kernel copies the stack_t structure to user-space. On 64-bit machines, this
flaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate)

This update also fixes the following bugs:

* a regression was found in the SCSI retry logic: SCSI mode select was not
retried when retryable errors were encountered. In Device-Mapper Multipath
environments, this could cause paths to fail, or possibly prevent
successful failover. (BZ#506905)

* the gcc flag "-fno-delete-null-pointer-checks" was added to the kernel
build options. This prevents gcc from optimizing out NULL pointer checks
after the first use of a pointer. NULL pointer bugs are often exploited by
attackers, and keeping these checks is considered a safety measure.
(BZ#515468)

* due to incorrect APIC timer calibration, a system hang could have
occurred while booting certain systems. This incorrect timer calibration
could have also caused the system time to become faster or slower. With
this update, it is still possible for APIC timer calibration issues to
occur; however, a clear warning is now provided if they do. (BZ#521237)

* gettimeofday() experienced poor performance (which caused performance
problems for applications using gettimeofday()) when running on hypervisors
that use hardware assisted virtualization. With this update, MFENCE/LFENCE
is used instead of CPUID for gettimeofday() serialization, which resolves
this issue. (BZ#523280)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this
update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

506905 - LTC 49790: Sync up SCSI DH code with mainline changes [rhel-5.3.z]
515392 - CVE-2009-2847 kernel: information leak in sigaltstack
515423 - CVE-2009-2848 kernel: execve: must clear current->clear_child_tid
515468 - kernel: build with -fno-delete-null-pointer-checks [rhel-5.3.z]
521237 - [RHEL 5] Hang on boot due to wrong APIC timer calibration [rhel-5.3.z]
523280 - RFE: improve gettimeofday performance on hypervisors [rhel-5.3.z]

6. Package List:

Red Hat Enterprise Linux (v. 5.3.z server):

i386:
kernel-2.6.18-128.8.1.el5.i686.rpm
kernel-PAE-2.6.18-128.8.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-128.8.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-128.8.1.el5.i686.rpm
kernel-debug-2.6.18-128.8.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-128.8.1.el5.i686.rpm
kernel-debug-devel-2.6.18-128.8.1.el5.i686.rpm
kernel-debuginfo-2.6.18-128.8.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-128.8.1.el5.i686.rpm
kernel-devel-2.6.18-128.8.1.el5.i686.rpm
kernel-headers-2.6.18-128.8.1.el5.i386.rpm
kernel-xen-2.6.18-128.8.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-128.8.1.el5.i686.rpm
kernel-xen-devel-2.6.18-128.8.1.el5.i686.rpm

ia64:
kernel-2.6.18-128.8.1.el5.ia64.rpm
kernel-debug-2.6.18-128.8.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-128.8.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-128.8.1.el5.ia64.rpm
kernel-devel-2.6.18-128.8.1.el5.ia64.rpm
kernel-headers-2.6.18-128.8.1.el5.ia64.rpm
kernel-xen-2.6.18-128.8.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-128.8.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-128.8.1.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-128.8.1.el5.noarch.rpm

ppc:
kernel-2.6.18-128.8.1.el5.ppc64.rpm
kernel-debug-2.6.18-128.8.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-128.8.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-128.8.1.el5.ppc64.rpm
kernel-devel-2.6.18-128.8.1.el5.ppc64.rpm
kernel-headers-2.6.18-128.8.1.el5.ppc.rpm
kernel-headers-2.6.18-128.8.1.el5.ppc64.rpm
kernel-kdump-2.6.18-128.8.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-128.8.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-128.8.1.el5.ppc64.rpm

s390x:
kernel-2.6.18-128.8.1.el5.s390x.rpm
kernel-debug-2.6.18-128.8.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-128.8.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-128.8.1.el5.s390x.rpm
kernel-devel-2.6.18-128.8.1.el5.s390x.rpm
kernel-headers-2.6.18-128.8.1.el5.s390x.rpm
kernel-kdump-2.6.18-128.8.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-128.8.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-128.8.1.el5.s390x.rpm

x86_64:
kernel-2.6.18-128.8.1.el5.x86_64.rpm
kernel-debug-2.6.18-128.8.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-128.8.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-128.8.1.el5.x86_64.rpm
kernel-devel-2.6.18-128.8.1.el5.x86_64.rpm
kernel-headers-2.6.18-128.8.1.el5.x86_64.rpm
kernel-xen-2.6.18-128.8.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-128.8.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-128.8.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKwjMlXlSAg2UNWIIRAkYKAJ4tHjqVF8SG2mPzo/Sw/SYXzkLW7QCdHZkM
rZ/np7FbkVx8zWpyzTlQ8wQ=
=9r2o
-----END PGP SIGNATURE-----
"


DSA 1897-1: New horde3 packages fix arbitrary code execution  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-1897-1 security@debian.org
http://www.debian.org/security/ Nico Golde
September 28th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : horde3
Vulnerability : insufficient input sanitization
Problem type : remote
Debian-specific: no
Debian bug : #547318
CVE ID : CVE-2009-3236

Stefan Esser discovered that Horde, a web application framework providing
classes for dealing with preferences, compression, browser detection,
connection tracking, MIME, and more, is insufficiently validating and
escaping user provided input. The Horde_Form_Type_image form element
allows to reuse a temporary filename on reuploads which are stored in a
hidden HTML field and then trusted without prior validation. An attacker
can use this to overwrite arbitrary files on the system or to upload PHP
code and thus execute arbitrary code with the rights of the webserver.


For the oldstable distribution (etch), this problem has been fixed in
version 3.1.3-4etch6.

For the stable distribution (lenny), this problem has been fixed in
version 3.2.2+debian0-2+lenny1.

For the testing distribution (squeeze), this problem has been fixed in
version 3.3.5+debian0-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.3.5+debian0-1.


We recommend that you upgrade your horde3 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch6.diff.gz
Size/MD5 checksum: 15869 3a74c50d35cf7f252cceec008e133299
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch6.dsc
Size/MD5 checksum: 1076 d4205b4f956ee00aa545f988f5d0206f
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3.orig.tar.gz
Size/MD5 checksum: 5232958 fbc56c608ac81474b846b1b4b7bb5ee7

Architecture independent packages:

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch6_all.deb
Size/MD5 checksum: 5278984 55bb80d663cad92d40ffcd15946379cf


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny1.dsc
Size/MD5 checksum: 1388 e9bee230ea249ac6c8cd69bf4ad7c360
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0.orig.tar.gz
Size/MD5 checksum: 7180761 fb22a594bbdad07a0fbeef035a6d2f39
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny1.diff.gz
Size/MD5 checksum: 27183 2a72cd6eb73cd03aea3bf296dd17cbb5

Architecture independent packages:

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.2.2+debian0-2+lenny1_all.deb
Size/MD5 checksum: 7232466 12e1b9fd01f35600f7fb3852025c8610


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrAh9kACgkQHYflSXNkfP8YPACaA0AEa1H1AAXWF9Yj+Pk4rBH2
CDAAnRgZW7Ot762BOaluR8jAlDKhIewW
=rZA8
-----END PGP SIGNATURE-----
"


DSA 1895-1: New xmltooling packages fix potential code execution  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1895-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
September 24, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : xmltooling
Vulnerability : several
Problem type : remote
Debian-specific: no

Several vulnerabilities have been discovered in the xmltooling packages,
as used by Shibboleth:

Chris Ries discovered that decoding a crafted URL leads to a crash (and
potentially, arbitrary code execution).

Ian Young discovered that embedded NUL characters in certificate names
were not correctly handled, exposing configurations using PKIX trust
validation to impersonation attacks.

Incorrect processing of SAML metadata ignores key usage constraints.
This minor issue also needs a correction in the opensaml2 packages,
which will be provided in an upcoming stable point release (and,
before that, via stable-proposed-updates).

For the stable distribution (lenny), these problems have been fixed in
version 1.0-2+lenny1.

For the unstable distribution (sid), these problems have been fixed in
version 1.2.2-1.

We recommend that you upgrade your xmltooling packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/x/xmltooling/xmltooling_1.0-2+lenny1.dsc
Size/MD5 checksum: 1457 b7a3967d272765308809a5c8d27595ed
http://security.debian.org/pool/updates/main/x/xmltooling/xmltooling_1.0-2+lenny1.diff.gz
Size/MD5 checksum: 8943 1317858121f3042e5cfb8367319b1c78
http://security.debian.org/pool/updates/main/x/xmltooling/xmltooling_1.0.orig.tar.gz
Size/MD5 checksum: 549767 4e7c21608f0fbdcfd966263f0c350d99

Architecture independent packages:

http://security.debian.org/pool/updates/main/x/xmltooling/xmltooling-schemas_1.0-2+lenny1_all.deb
Size/MD5 checksum: 11910 395d8f3a32e0c75da52a27c76f05c76f
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-doc_1.0-2+lenny1_all.deb
Size/MD5 checksum: 938774 bc039db5a32dd02df34bf8b5146c551e

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_alpha.deb
Size/MD5 checksum: 75002 bb6a2bebec1586b842d663a55429ebb0
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_alpha.deb
Size/MD5 checksum: 799538 9cdc74e48b5fd67f300715096adf15a7

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_amd64.deb
Size/MD5 checksum: 736934 2e220b0edab912f586af6c3d2538f409
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_amd64.deb
Size/MD5 checksum: 75792 3cc7822c1c88f61130fcf0d03d6e4311

arm architecture (ARM)

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_arm.deb
Size/MD5 checksum: 750312 20cd9cd8bb91f2a9755e503e538a550c
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_arm.deb
Size/MD5 checksum: 75082 3fbb6e674b1b729be300d6255a2729f3

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_armel.deb
Size/MD5 checksum: 637366 2190e5db31659ca5c58835341f1eb6ce
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_armel.deb
Size/MD5 checksum: 74554 2638c933e772f9ab2e9720f1b0436935

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_hppa.deb
Size/MD5 checksum: 850440 a4e865bd4774c483559c99df549a3bfa
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_hppa.deb
Size/MD5 checksum: 75102 7546f61b1564b4c5c49ad69c71c7d223

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_i386.deb
Size/MD5 checksum: 74980 836fc866e7446cf594281eda1602c81f
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_i386.deb
Size/MD5 checksum: 683958 4556a60904d3c09d735301cbadd463f4

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_ia64.deb
Size/MD5 checksum: 74052 7168ee5c68b5d5e41ac996e3b98ba2b8
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_ia64.deb
Size/MD5 checksum: 938056 b550972c349c99aa5b11473868531a4a

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_mips.deb
Size/MD5 checksum: 697412 189506c8bd9473f11e09275f613c2e61
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_mips.deb
Size/MD5 checksum: 74992 933d28c7a0bb457488bcf37442f999ef

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_mipsel.deb
Size/MD5 checksum: 663610 8105a8478fe3d8a0724745c0597893e8
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_mipsel.deb
Size/MD5 checksum: 74064 e8700e64464a0cf15a5ef070b759a84c

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_powerpc.deb
Size/MD5 checksum: 74072 e6444eda8c40348c9fa6025c770bf01e
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_powerpc.deb
Size/MD5 checksum: 777756 2e226da34bd88e91d5615704267d9e35

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_s390.deb
Size/MD5 checksum: 74040 7340da0a7d36d8c6029e8b40a75cef2b
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_s390.deb
Size/MD5 checksum: 745620 0a66b47c6a055692b2467502c1158a2e

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling-dev_1.0-2+lenny1_sparc.deb
Size/MD5 checksum: 74060 4ad661aacce58a25ea2491489d23a242
http://security.debian.org/pool/updates/main/x/xmltooling/libxmltooling1_1.0-2+lenny1_sparc.deb
Size/MD5 checksum: 828332 eb2255da533a6bdf3876afdb11c8ca73


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJKu8OmAAoJEL97/wQC1SS+qXkIAKQBkSJUT+7rWIWk/pP7qOTX
opraqKIQjVsqA8rC0tLPoXxpoHCAbSLggDDVt5oCB/HttOm+WiEXLuFfKrwYqHpq
m9fXyzCsu1QGdQ1jtDKWM9TLdiap83N56EtZG0zdufJovggqbrMqLJiykK1cR7kz
iAHX2BEc9pDCLJ3CjDXsZyIQbX5In6NI9/WMtk4MOd7bgZHhE+OHUw92WP+Vd8kr
WcHP3SpaPuup/sRV5/SF4ju5HAjsu5kvTCP530hcC5Z2DBX5/pacb+MeRARmZDAv
Ucql3MwbazsfouWilLUGjrOwRyTQIpqQfjYPMitciki3Vvhk27+ypoIr0pyAaJM=
=J0h+
-----END PGP SIGNATURE-----
"


DSA 1894-1: New newt packages fix arbitrary code execution  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1894-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
September 24, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : newt
Vulnerability : buffer overflow
Problem type : local
Debian-specific: no
CVE Id : CVE-2009-2905


Miroslav Lichvar discovered that newt, a windowing toolkit, is prone to
a buffer overflow in the content processing code, which can lead to the
execution of arbitrary code.


For the stable distribution (lenny), this problem has been fixed in
version 0.52.2-11.3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 0.52.2-10+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.


We recommend that you upgrade your newt packages.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/n/newt/newt_0.52.2-10+etch1.diff.gz
Size/MD5 checksum: 104625 e7c0a636b3e2d9bc4b2a6b9f68e712ce
http://security.debian.org/pool/updates/main/n/newt/newt_0.52.2-10+etch1.dsc
Size/MD5 checksum: 867 fad99ed4d5166840b2de8da17b1afe9c

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-10+etch1_alpha.deb
Size/MD5 checksum: 36396 8873dd9c8eafdfe203afcd0b7541150c
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-10+etch1_alpha.deb
Size/MD5 checksum: 72148 acc944c96352666c8b778cef8c0529a4
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-10+etch1_alpha.deb
Size/MD5 checksum: 101720 a57af3ec38cbe06c81a2bd4839bc3b05
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-10+etch1_alpha.deb
Size/MD5 checksum: 40622 f5b8a0b9e82829251923f23ba249a7ab
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-10+etch1_alpha.deb
Size/MD5 checksum: 75070 260932a92f473fea16b9985c340ecc41
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-10+etch1_alpha.deb
Size/MD5 checksum: 30696 a7c8c8f86dd21d92f62b3333152a8acc

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-10+etch1_amd64.deb
Size/MD5 checksum: 29706 1002818f7221e0d7dd1c467e7937e259
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-10+etch1_amd64.deb
Size/MD5 checksum: 40642 5544a2173c8b71013b5cec90c220edec
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-10+etch1_amd64.deb
Size/MD5 checksum: 62200 27d76327c56feb8f8bd3e7dc8dedeba4
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-10+etch1_amd64.deb
Size/MD5 checksum: 35414 ece6b444af84f433e0367fd57b86d035
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-10+etch1_amd64.deb
Size/MD5 checksum: 68608 ff8fb8c9cc7fadbd3e44624a4caf719d
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-10+etch1_amd64.deb
Size/MD5 checksum: 90152 c3c841fb22e99c78d866910baca40301

arm architecture (ARM)

http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-10+etch1_arm.deb
Size/MD5 checksum: 34508 beddcaac2efcb9fe042fb50519d9effb
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-10+etch1_arm.deb
Size/MD5 checksum: 55964 e50294eb35ff224f5e2e43b65039ada5
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-10+etch1_arm.deb
Size/MD5 checksum: 28486 d356a6c39e2549b5578b7bf8b23916cb
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-10+etch1_arm.deb
Size/MD5 checksum: 38392 e3c548d518db0ef7c11cdae2f106bbf6
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-10+etch1_arm.deb
Size/MD5 checksum: 83858 939f2e69db6fb824b5302072d347a402
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-10+etch1_arm.deb
Size/MD5 checksum: 63200 5fa817dce03725fa7068683d328f9610

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-10+etch1_i386.deb
Size/MD5 checksum: 29234 c8150846ffc50743492dde903f14e275
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-10+etch1_i386.deb
Size/MD5 checksum: 57876 4a7066f4b000278b4988499ea7043d49
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-10+etch1_i386.deb
Size/MD5 checksum: 34842 18893f2eb064672f7101dd46a96b8a5f
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-10+etch1_i386.deb
Size/MD5 checksum: 38716 3be92ace8802cf97f8d3afcd67f3bd93
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-10+etch1_i386.deb
Size/MD5 checksum: 86976 9b61375a5dd7741477a798391c72c127
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-10+etch1_i386.deb
Size/MD5 checksum: 65466 068d412ddb49642867ce2f3a2ae6a254

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-10+etch1_ia64.deb
Size/MD5 checksum: 84682 cd265c96f032c799b2f7ccee10e68e1f
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-10+etch1_ia64.deb
Size/MD5 checksum: 111566 c1e641893476cd6283e052296a4e1a8d
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-10+etch1_ia64.deb
Size/MD5 checksum: 39638 0eb2910fef081cd067be97618f86ce69
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-10+etch1_ia64.deb
Size/MD5 checksum: 87182 2c075e087ef264cb4ab41d1d98ed0a29
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-10+etch1_ia64.deb
Size/MD5 checksum: 32874 e50bddf8ce9a211be2da5d46d60d5e6f
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-10+etch1_ia64.deb
Size/MD5 checksum: 43326 1e25291c79862da5889b0aa0c52a9ec6

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-10+etch1_mips.deb
Size/MD5 checksum: 35400 1def37075e77fbbe880234da94d65064
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-10+etch1_mips.deb
Size/MD5 checksum: 63586 38594368b8e38eb76f575b7d58ceb094
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-10+etch1_mips.deb
Size/MD5 checksum: 90848 7b68e2b033853172980663ceafcf5741
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-10+etch1_mips.deb
Size/MD5 checksum: 29430 f15e3d4b84dfc1fc1ef6c1e27adf5a09
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-10+etch1_mips.deb
Size/MD5 checksum: 66184 4fafecbbdab2decca10f1f539ad7fc34
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-10+etch1_mips.deb
Size/MD5 checksum: 38434 672374d9615269072476eccdf95dbd6d

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-10+etch1_mipsel.deb
Size/MD5 checksum: 29450 2a27df5b2625fbc701c025c60359daba
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-10+etch1_mipsel.deb
Size/MD5 checksum: 38374 a2282843532a90833986330f3d0f2b7f
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-10+etch1_mipsel.deb
Size/MD5 checksum: 90954 2eb5a612fb87730e0f3c76c23b396fe5
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-10+etch1_mipsel.deb
Size/MD5 checksum: 66156 bb4c7b32940b63339199b578d69d01b6
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-10+etch1_mipsel.deb
Size/MD5 checksum: 35380 6017e4a734bcfc67269dd120ad8e8d68
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-10+etch1_mipsel.deb
Size/MD5 checksum: 63608 8922ca02a3c98069ab910ac70dd365d8

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-10+etch1_powerpc.deb
Size/MD5 checksum: 39974 13c837daa4bb653acadce92976bcf355
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-10+etch1_powerpc.deb
Size/MD5 checksum: 30852 3ee0ba1a85e370d50d40298a012bd4ae
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-10+etch1_powerpc.deb
Size/MD5 checksum: 87866 d7a34467dfcef207d2c8a427ba690c93
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-10+etch1_powerpc.deb
Size/MD5 checksum: 60742 94795da2806114ee02f3b2b8015b6e4d
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-10+etch1_powerpc.deb
Size/MD5 checksum: 66338 7fb2fd511f9c10c291124c353fd6fbb8
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-10+etch1_powerpc.deb
Size/MD5 checksum: 36442 7f7bc36bc65d22106043f9e911803019

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-10+etch1_s390.deb
Size/MD5 checksum: 63578 57483e9e7e032028183ca840e772af47
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-10+etch1_s390.deb
Size/MD5 checksum: 90834 e89a795913426282687f784ec1231314
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-10+etch1_s390.deb
Size/MD5 checksum: 35854 9422b80e11f8d500de26bbc2fc3564f3
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-10+etch1_s390.deb
Size/MD5 checksum: 40634 23a29cbac15ed9aee006f20558e095c8
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-10+etch1_s390.deb
Size/MD5 checksum: 30242 68df0e0e75914247b56e411ffc1047cc
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-10+etch1_s390.deb
Size/MD5 checksum: 70566 ca974f01460c1759907e7227a70bc2f3

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-10+etch1_sparc.deb
Size/MD5 checksum: 62536 28e981d2f79273e6f1ec81ce5f15fbdc
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-10+etch1_sparc.deb
Size/MD5 checksum: 56428 4db8072b37e2a75cc489988d9986f63b
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-10+etch1_sparc.deb
Size/MD5 checksum: 83714 0aa92d828ba5a6db2325082e2c28411d
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-10+etch1_sparc.deb
Size/MD5 checksum: 28618 434381c1695a65d55af818ca9e84ac03
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-10+etch1_sparc.deb
Size/MD5 checksum: 38348 333ba9edacb96f52d8cb065d78e7e861
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-10+etch1_sparc.deb
Size/MD5 checksum: 34292 1cc6f5fb0740e5187e4e687921ffc8f4


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/n/newt/newt_0.52.2-11.3+lenny1.dsc
Size/MD5 checksum: 1265 6587bc6fbf8d5cfb6af6d9812da7bff5
http://security.debian.org/pool/updates/main/n/newt/newt_0.52.2.orig.tar.gz
Size/MD5 checksum: 261072 a8558b40664a278bbbceeb54bb95927d
http://security.debian.org/pool/updates/main/n/newt/newt_0.52.2-11.3+lenny1.diff.gz
Size/MD5 checksum: 105256 f28bd8e9d3c5019c5b09010111275edf

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_alpha.deb
Size/MD5 checksum: 75142 bbb2402defb7c0f4d0f43415a0376d6a
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_alpha.deb
Size/MD5 checksum: 78874 993f6769875a6e1e6966106cabb1e779
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_alpha.deb
Size/MD5 checksum: 36702 fded451d976b96bdac6dbf5631e399ea
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_alpha.deb
Size/MD5 checksum: 59536 4ab296c458145b9772b46a5005c90d0e
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_alpha.deb
Size/MD5 checksum: 31050 318e18f26eee00008e6a3505b272bb50
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_alpha.deb
Size/MD5 checksum: 105472 78f0f3b9295562dbfaecc147a06dcea6

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_amd64.deb
Size/MD5 checksum: 58446 9c0fdecb874085cf28aae2a817e7880e
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_amd64.deb
Size/MD5 checksum: 30128 46975b0ee3530db1f4f1866105345daa
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_amd64.deb
Size/MD5 checksum: 93524 1d227c72baf7d4e0a12bd51f383b513c
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_amd64.deb
Size/MD5 checksum: 65458 872f3ce422f73aa39cfc9d2b3c19a613
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_amd64.deb
Size/MD5 checksum: 72136 952e4e5d1576a0c22c0b964a0cc5b8b2
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_amd64.deb
Size/MD5 checksum: 35806 7f5017552f9c1db46d701db8b4557d69

arm architecture (ARM)

http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_arm.deb
Size/MD5 checksum: 35020 30530d6d41acd0e1b979f6b67a3cda3a
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_arm.deb
Size/MD5 checksum: 54356 ee3f9e835c77400b15213f5a997b994a
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_arm.deb
Size/MD5 checksum: 88094 a6d12906813493773812cc914f056a8e
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_arm.deb
Size/MD5 checksum: 65584 5ad05faf74cfa3a3790e9b622df15f3c
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_arm.deb
Size/MD5 checksum: 29350 9d144b335fb2a1035a233fd39cdd4163
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_arm.deb
Size/MD5 checksum: 59360 e27ddb063e5035ee7b366816b1b387b5

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_armel.deb
Size/MD5 checksum: 28944 dbe73f7a1984d40977a43d3bbb74d15c
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_armel.deb
Size/MD5 checksum: 59770 df73b20309455be4b0db88486909bf14
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_armel.deb
Size/MD5 checksum: 88030 bf56436c3ae5dede06730166ffff184f
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_armel.deb
Size/MD5 checksum: 34944 33578418c8e2d279a2f7983215795fcf
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_armel.deb
Size/MD5 checksum: 66034 4b6de523312b047a03fe3a6d29d5d907
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_armel.deb
Size/MD5 checksum: 54430 bbcfa73c1b9e0b59f6132256c3c150c9

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_hppa.deb
Size/MD5 checksum: 74144 bbbbec457fdef767d60e0815d2d1a070
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_hppa.deb
Size/MD5 checksum: 94374 0865387e585a7ea6bd6172a65d598e07
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_hppa.deb
Size/MD5 checksum: 37050 d461fe4d53b1a9eb4760ad0be3e4defa
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_hppa.deb
Size/MD5 checksum: 59492 a111715bf7e01cb05e92fe03f35b87b3
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_hppa.deb
Size/MD5 checksum: 31002 65073ffd2a6e6b705105e5fe065dbadd
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_hppa.deb
Size/MD5 checksum: 67134 72d2093c38ec00e0d29dd8a666fcdbab

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_i386.deb
Size/MD5 checksum: 60444 d25c9b89db6cbc8298111cc409624cb3
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_i386.deb
Size/MD5 checksum: 29364 96bb62edabde6c4a72cf292549052042
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_i386.deb
Size/MD5 checksum: 54866 257ef88d7ee277c468c6f65264bfc8b7
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_i386.deb
Size/MD5 checksum: 89414 84131b9e6fa0a0705822775d58091a6e
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_i386.deb
Size/MD5 checksum: 35064 49dfeb13042e869751b920f9170a0373
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_i386.deb
Size/MD5 checksum: 68578 f6d8a35fec665b0e1468409fd3e6a77c

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_ia64.deb
Size/MD5 checksum: 115238 d459814585f4e4b3360e89a4109d3067
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_ia64.deb
Size/MD5 checksum: 91194 bfcbcb6fff78976da895503c9656967d
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_ia64.deb
Size/MD5 checksum: 33230 323f0bff853eb603421f34ea8d3c4e51
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_ia64.deb
Size/MD5 checksum: 64942 73ab00f7fae9bea8c1cb1b33195a8bce
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_ia64.deb
Size/MD5 checksum: 39802 015d9896ecdbcbd4f5b8e34d04ca0217
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_ia64.deb
Size/MD5 checksum: 88134 8cfdb2c80471e66afe224a711c508f9d

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_mips.deb
Size/MD5 checksum: 29182 df7e4cbc1d969fb67a8c2d7efc8a22e0
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_mips.deb
Size/MD5 checksum: 69394 6ca946af6036651b89d95df1cd337d42
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_mips.deb
Size/MD5 checksum: 94210 c66c941de74cd751a5a20d39c630d288
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_mips.deb
Size/MD5 checksum: 66622 27f4c0c19a984f3bfbd6f91ebac6bfdb
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_mips.deb
Size/MD5 checksum: 54898 f9cfcb820eac05dedce07629ad2f44d4
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_mips.deb
Size/MD5 checksum: 35428 51a72fb9e56ab8e5f8fb4c38a3e50361

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_mipsel.deb
Size/MD5 checksum: 35400 5926aee99988d1eff2bc33c34e0bef10
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_mipsel.deb
Size/MD5 checksum: 54498 909c92ae8d729f11cba0667d3eccc3d4
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_mipsel.deb
Size/MD5 checksum: 68458 d5801b957d0652973e7909eeb403a58a
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_mipsel.deb
Size/MD5 checksum: 66600 f9f0b9af561c55da67accf36da023a0d
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_mipsel.deb
Size/MD5 checksum: 29596 b82c4dff5a2cfd3b95a0d6c7100e238a
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_mipsel.deb
Size/MD5 checksum: 93680 2fa25da1f3416aa53d6ad87f25b88bb9

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_powerpc.deb
Size/MD5 checksum: 64820 cfa272b7a046dd32dc040efb22b097e3
http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_powerpc.deb
Size/MD5 checksum: 36398 6e2f7053717623e90a8ded42e4408b70
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_powerpc.deb
Size/MD5 checksum: 60288 e2756143950ea86baaca60d5e64a7626
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_powerpc.deb
Size/MD5 checksum: 71922 708d1a0ab4f7545ff2636eaa2664f55a
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_powerpc.deb
Size/MD5 checksum: 91994 5c40b5dead23b58ffa23746e4901c8e6
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_powerpc.deb
Size/MD5 checksum: 32290 ea26a92844b6b4ff2959e0c052689a55

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/n/newt/whiptail_0.52.2-11.3+lenny1_sparc.deb
Size/MD5 checksum: 34918 902c77f45c15a576bc00d02b24f26ba5
http://security.debian.org/pool/updates/main/n/newt/libnewt-dev_0.52.2-11.3+lenny1_sparc.deb
Size/MD5 checksum: 86304 3c0c12e8221f50b9acd9631740d7b35a
http://security.debian.org/pool/updates/main/n/newt/python-newt_0.52.2-11.3+lenny1_sparc.deb
Size/MD5 checksum: 54542 bdb41b5ee1d1ad9aace9da504829ef66
http://security.debian.org/pool/updates/main/n/newt/newt-tcl_0.52.2-11.3+lenny1_sparc.deb
Size/MD5 checksum: 28924 f77b57e022be3c58044e0831d21a06f9
http://security.debian.org/pool/updates/main/n/newt/libnewt0.52_0.52.2-11.3+lenny1_sparc.deb
Size/MD5 checksum: 65612 58c58aa6021db1e5107f46bde770af99
http://security.debian.org/pool/updates/main/n/newt/libnewt-pic_0.52.2-11.3+lenny1_sparc.deb
Size/MD5 checksum: 59262 77f6fbf73f169d5640628acee585fbad


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkq7ZbAACgkQ62zWxYk/rQeL/ACeL7P4XQtMmOJFKoPv69+D62oP
JOgAoMXwgPnu9hHXG2goVa/ZJlYsxQh8
=vYnK
-----END PGP SIGNATURE-----
"

DSA 1892-1: New dovecot packages fix arbitrary code execution  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1892-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
September 23, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Packages : dovecot
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE IDs : CVE-2009-2632 CVE-2009-3235
Debian Bug : 546656

It was discovered that the SIEVE component of dovecot, a mail server
that supports mbox and maildir mailboxes, is vulnerable to a buffer
overflow when processing SIEVE scripts. This can be used to elevate
privileges to the dovecot system user. An attacker who is able to
install SIEVE scripts executed by the server is therefore able to read
and modify arbitrary email messages on the system.


For the oldstable distribution (etch), this problem has been fixed in version
1.0.rc15-2etch5.

For the stable distribution (lenny), this problem has been fixed in version
1:1.0.15-2.3+lenny1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1:1.2.1-1.


We recommend that you upgrade your dovecot packages.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
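Every URL in the advisory is paired with a `Size/MD5 checksum:` line. As an added example (not part of the Debian advisory or of Debian's own tooling), the Python below parses lines in that layout and checks files already downloaded into a directory against them. The package names, sizes and hashes in `DEMO_MANIFEST` are constructed for the demo (the hashes are simply the MD5 sums of the bytes the demo writes), not values taken from this DSA.

```python
"""Verify downloaded .deb files against the Size/MD5 lines of a Debian advisory.

Added example, not part of the DSA. File names, sizes and hashes below are constructed.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# In the advisory text a URL line is followed by "Size/MD5 checksum: <bytes> <hex>".
_URL_RE = re.compile(r"^(https?://\S+)\s*$")
_SUM_RE = re.compile(r"^Size/MD5 checksum:\s+(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_manifest(text):
    """Return a list of (filename, size, md5) triples from advisory-style text."""
    entries = []
    pending_url = None
    for line in text.splitlines():
        line = line.strip()
        m = _URL_RE.match(line)
        if m:
            pending_url = m.group(1)
            continue
        m = _SUM_RE.match(line)
        if m and pending_url is not None:
            name = os.path.basename(urlparse(pending_url).path)
            entries.append((name, int(m.group(1)), m.group(2).lower()))
            pending_url = None
    return entries


def check_bytes(data, expected_size, expected_md5):
    """Compare raw bytes against the advertised size and MD5; return a status string."""
    if len(data) != expected_size:
        return "size mismatch"
    if hashlib.md5(data).hexdigest() != expected_md5:
        return "md5 mismatch"
    return "ok"


def check_file(path, expected_size, expected_md5):
    """Status for one file on disk; 'missing' if it was never downloaded."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        return check_bytes(fh.read(), expected_size, expected_md5)


def verify_downloads(manifest_text, directory):
    """Map each file named in the manifest to its verification status."""
    return {name: check_file(os.path.join(directory, name), size, md5)
            for name, size, md5 in parse_manifest(manifest_text)}


# Constructed manifest in the advisory's layout. Package names are invented; the
# MD5 values are those of b"hello" (5 bytes) and of the empty file (0 bytes).
DEMO_MANIFEST = """
http://security.debian.org/pool/updates/main/d/dovecot/example-good_1.0_all.deb
Size/MD5 checksum: 5 5d41402abc4b2a76b9719d911017c592
http://security.debian.org/pool/updates/main/d/dovecot/example-tampered_1.0_all.deb
Size/MD5 checksum: 5 5d41402abc4b2a76b9719d911017c592
http://security.debian.org/pool/updates/main/d/dovecot/example-missing_1.0_all.deb
Size/MD5 checksum: 0 d41d8cd98f00b204e9800998ecf8427e
"""


def demo():
    """Write constructed files into a temp dir and verify them; returns {name: status}."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "example-good_1.0_all.deb"), "wb") as fh:
            fh.write(b"hello")            # matches size and MD5 -> "ok"
        with open(os.path.join(d, "example-tampered_1.0_all.deb"), "wb") as fh:
            fh.write(b"hellp")            # same length, altered content -> "md5 mismatch"
        # the third package is deliberately never written -> "missing"
        return verify_downloads(DEMO_MANIFEST, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14s} {name}")
```

Run as a script it reports the three statuses (ok, md5 mismatch, missing). MD5 is no longer collision-resistant, so a matching sum rules out a truncated or corrupted download rather than proving where the file came from; authenticity of the package list rests on the PGP signature at the end of the advisory and, for apt users, on the signed Release files of the security archive.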


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch5.diff.gz
Size/MD5 checksum: 105496 25968ea91265d9c79869fd13e1cf18a7
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
Size/MD5 checksum: 1463069 26f3d2b075856b1b1d180146363819e6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch5.dsc
Size/MD5 checksum: 1017 69660b4d8bd4c443a9e6a445cee73ae4

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_alpha.deb
Size/MD5 checksum: 583336 05cdd40c7eca4f076ebe18629d497b3b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_alpha.deb
Size/MD5 checksum: 621512 58f8c92c7567a9c1ed6eee44979e7abf
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_alpha.deb
Size/MD5 checksum: 1378160 512ca0853d71066040c22daae6ff0e3a

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_amd64.deb
Size/MD5 checksum: 1224200 c43f474ed1a38e2b717463faf4a603a9
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_amd64.deb
Size/MD5 checksum: 536502 9bc2da44bcb81f7c1d5a3381bc02c950
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_amd64.deb
Size/MD5 checksum: 570646 7a5e8aa209ecee48bbc9daa5c5364788

arm architecture (ARM)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_arm.deb
Size/MD5 checksum: 506574 6a4be002eaaf4932161c03ef9a170e72
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_arm.deb
Size/MD5 checksum: 537184 d5d095c9771afaacfbd863f2f37700f6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_arm.deb
Size/MD5 checksum: 1118568 c884c1632c4e20d9b6636806d2039b29

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_hppa.deb
Size/MD5 checksum: 561854 1911ecd7f8336deb46986f3f37fae039
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_hppa.deb
Size/MD5 checksum: 1297502 a965f31d08deb751b26ca9a7b467aa9c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_hppa.deb
Size/MD5 checksum: 600138 867931a360b0bfeea1f3e28dfb073bf7

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_i386.deb
Size/MD5 checksum: 514726 e2fe7ef8a944f84d59c4d13c2583f37f
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_i386.deb
Size/MD5 checksum: 547040 41d4f84120825e06e41ff079dabd0429
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_i386.deb
Size/MD5 checksum: 1135076 3e11a2b0f46ce7452760264a478a07a2

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_ia64.deb
Size/MD5 checksum: 1702256 e292ef2a99bb7868fd131574b0dcb876
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_ia64.deb
Size/MD5 checksum: 737696 b3ee10e9ca9b771fb7f15ed508173628
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_ia64.deb
Size/MD5 checksum: 793994 888618682b965c75167249e9177aea29

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_mipsel.deb
Size/MD5 checksum: 558948 c42d2f897b76a5635d45bc196dbb1fdf
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_mipsel.deb
Size/MD5 checksum: 1268494 800381d4b15c5857dabe79e37fd1003a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_mipsel.deb
Size/MD5 checksum: 595020 33ff0bc5c3755320bd209d4837742a1a

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_powerpc.deb
Size/MD5 checksum: 1212206 dcef8ac28680d74ed0e3e2586cd3d056
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_powerpc.deb
Size/MD5 checksum: 569890 b549032c41f1a1f2de3a96a99a92b2e8
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_powerpc.deb
Size/MD5 checksum: 536100 1e073cad6b24f04f1d10e43c3c2b5c7f

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch5_s390.deb
Size/MD5 checksum: 1290172 fc78f024c57fd97448a1cab449d97c26
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch5_s390.deb
Size/MD5 checksum: 595622 4f35eef9b7f47a5689f1a3bffb0b1496
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch5_s390.deb
Size/MD5 checksum: 559910 472231dbce114cf79838f7c34d0850b9


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15.orig.tar.gz
Size/MD5 checksum: 1783347 aa39c11c18df6b95b64d4f04d793d77a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.dsc
Size/MD5 checksum: 1614 d0b83408d8c8324fdfa03b80cdbed4f6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.15-2.3+lenny1.diff.gz
Size/MD5 checksum: 216038 45614e66070551b80bcbd803113f22d6

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_alpha.deb
Size/MD5 checksum: 389244 a5b09618e986ca9e9181ce1ae3ec693e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_alpha.deb
Size/MD5 checksum: 669230 3e0622750be09c51dae2b0ffee7d015c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_alpha.deb
Size/MD5 checksum: 2309838 6f608b22a263d8f5ef8768bbe7a728a6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_alpha.deb
Size/MD5 checksum: 709292 6c68631fa3541bc48ca897d98e498274

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_amd64.deb
Size/MD5 checksum: 390826 7386cae0c224a81a3a69a4c59dc53b1b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_amd64.deb
Size/MD5 checksum: 632604 4f8004c08a2d8c56907571b015f279d8
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_amd64.deb
Size/MD5 checksum: 669682 3ffaccbe054991901b258c204a59bd07
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_amd64.deb
Size/MD5 checksum: 2106030 bde9f3caac387c20b423d71c3213aaac

arm architecture (ARM)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_arm.deb
Size/MD5 checksum: 620406 34980793a3cf093446b18614880d7c4d
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_arm.deb
Size/MD5 checksum: 390376 60ee2b17f10334253ea32654e741b006
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_arm.deb
Size/MD5 checksum: 588296 12f73940ba5583e6c81a38a9d6663cdf
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_arm.deb
Size/MD5 checksum: 1901028 3c23a98d1f07817db4a314865243ae13

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_armel.deb
Size/MD5 checksum: 391168 8049082b57c86d865d51679db193d5fa
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_armel.deb
Size/MD5 checksum: 626970 2bcd781a52cac6cf397b5df9e1e144b1
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_armel.deb
Size/MD5 checksum: 594616 1515c12da34869de4f5616fe6143aee0
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_armel.deb
Size/MD5 checksum: 1932436 63c7c48a798aeb72d11b622057eb6ad5

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_hppa.deb
Size/MD5 checksum: 390606 ab3bd158a5930daad61b9dffb3bb130e
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_hppa.deb
Size/MD5 checksum: 638882 e3ec95e636c33c400266c5419e18e864
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_hppa.deb
Size/MD5 checksum: 677942 808cfe06b6b4325b9ea13008d35918b2
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_hppa.deb
Size/MD5 checksum: 2162538 3f41711076b008bc16ee08e7e822f703

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_i386.deb
Size/MD5 checksum: 1938596 0113ec4318618383c6945ad66ac457ab
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_i386.deb
Size/MD5 checksum: 602896 93b9ffb25946df4200203a236839d967
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_i386.deb
Size/MD5 checksum: 636970 40f7a7785597f69f39991c35865c1df8
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_i386.deb
Size/MD5 checksum: 390674 615f9e862c4c2b14db2fbed7f3a0089f

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_ia64.deb
Size/MD5 checksum: 878572 21ea3f8af009b4c0668310a1d42ff6e8
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_ia64.deb
Size/MD5 checksum: 2857622 5710f0fe4c677388e61268c1b6d28a9a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_ia64.deb
Size/MD5 checksum: 389246 afaa27855049264e8d1bc6272c619c68
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_ia64.deb
Size/MD5 checksum: 818126 94b7b844dfb2d352901a0570dcc9446a

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_mips.deb
Size/MD5 checksum: 389274 39038f291d9e447928d0ce4cc69547f8
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_mips.deb
Size/MD5 checksum: 631574 6c011d890fb624ab2fb42f9d531c56c6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_mips.deb
Size/MD5 checksum: 2104730 a5c2b94943df80bb457afdb7ebdd1047
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_mips.deb
Size/MD5 checksum: 668110 027bdd8d539ad64838e70d01b817ab9a

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_mipsel.deb
Size/MD5 checksum: 389284 7393c2e406358c4ff44f1936e77289bc
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_mipsel.deb
Size/MD5 checksum: 666878 952824b8ef88116eecd9b6d8dc2eb7ab
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_mipsel.deb
Size/MD5 checksum: 2107826 868569a1a13d5150d052f3f85a0c5b4b
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_mipsel.deb
Size/MD5 checksum: 630902 26f8d04ed6cebb1cee2cdee0466e3828

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_powerpc.deb
Size/MD5 checksum: 2116926 83a20a035135c86165e90512e1616e17
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_powerpc.deb
Size/MD5 checksum: 633850 378165eda8f93d5db9a9750eb388a3d7
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_powerpc.deb
Size/MD5 checksum: 389308 5706cb949dce54ed6bde511050c808db
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_powerpc.deb
Size/MD5 checksum: 670056 5935a4928c82551b592a4ab7103d0305

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-dev_1.0.15-2.3+lenny1_sparc.deb
Size/MD5 checksum: 389286 d67b24f2a1ca1ae2dfa7aeed269ba1c5
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.15-2.3+lenny1_sparc.deb
Size/MD5 checksum: 595054 0ce7c504c0a218e95713084b6fbdd9d4
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.15-2.3+lenny1_sparc.deb
Size/MD5 checksum: 628466 5509951b4426e12912531c3f56e309ae
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.15-2.3+lenny1_sparc.deb
Size/MD5 checksum: 1906138 8eda92ca5dfb4239544a288ebd8e8230


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkq6TkYACgkQ62zWxYk/rQf9WwCgtQFfyzvxMG27iAjtHw2SY7cZ
ouAAn2g8b0lXjAZGmQoiX0W9oXk4QsuE
=lSZ6
-----END PGP SIGNATURE-----
"

GLSA 200909-20 cURL: Certificate validation error  

Posted by Daniela Mehler

"Gentoo Linux Security Advisory GLSA 200909-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: cURL: Certificate validation error
Date: September 25, 2009
Bugs: #281515
ID: 200909-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An error in the X.509 certificate handling of cURL might enable remote
attackers to conduct man-in-the-middle attacks.

Background
==========

cURL is a command line tool for transferring files with URL syntax,
supporting numerous protocols.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/curl < 7.19.6 >= 7.19.6

Description
===========

Scott Cantor reported that cURL does not properly handle fields in
X.509 certificates that contain an ASCII NUL (\0) character.
Specifically, the processing of such fields is stopped at the first
occurrence of a NUL character, so a Common Name such as
"trusted.example\0.attacker.example" is compared as if it were only
"trusted.example". This type of vulnerability was recently
discovered by Dan Kaminsky and Moxie Marlinspike.

Impact
======

A remote attacker might employ a specially crafted X.509 certificate
(that for instance contains a NUL character in the Common Name field)
to conduct man-in-the-middle attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cURL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-misc/curl-7.19.6

References
==========

[ 1 ] CVE-2009-2417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200909-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
"
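Worked illustration of the flaw class in GLSA 200909-20 above. This is an added example, not cURL's code and not part of the advisory: a certificate Common Name is carried as an ASN.1 string with an explicit length, so it may legally contain a NUL byte, while C string functions stop at the first NUL. The hostnames and the crafted CN below are constructed for the example; the vulnerable function treats the CN as a C string, the hardened one honours the ASN.1 length and rejects any embedded NUL before comparing.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed CN as it would sit in the DER subject: the ASN.1 length
 * covers the whole value, NUL byte included. Not a real certificate. */
static const unsigned char crafted_cn[] =
    "www.bank.example\0.attacker.example";
static const size_t crafted_cn_len = sizeof(crafted_cn) - 1; /* drop C terminator */

/* Vulnerable pattern: the ASN.1 length is ignored and the CN is handed to
 * a C string compare, which stops at the embedded NUL. The CN therefore
 * looks like "www.bank.example" even though the CA issued it for the
 * attacker-controlled name that follows the NUL. */
int cn_matches_host_vulnerable(const unsigned char *cn, size_t cn_len,
                               const char *host)
{
    (void)cn_len;
    return strcasecmp((const char *)cn, host) == 0;
}

/* Hardened: a NUL anywhere inside the ASN.1-length-delimited value is
 * malformed and the CN is refused outright; otherwise compare exactly
 * cn_len bytes against the full host name, so neither side can be cut
 * short. (Wildcards are deliberately out of scope here.) */
int cn_matches_host_fixed(const unsigned char *cn, size_t cn_len,
                          const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                      /* embedded NUL: reject */
    if (cn_len != strlen(host))
        return 0;                      /* length mismatch: not this host */
    return strncasecmp((const char *)cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("vulnerable match: %d\n",
           cn_matches_host_vulnerable(crafted_cn, crafted_cn_len, host));
    printf("fixed match:      %d\n",
           cn_matches_host_fixed(crafted_cn, crafted_cn_len, host));
    return 0;
}
```

The same shape of check applies to subjectAltName dNSName entries and to any other field the verifier compares against a host name: compare by length, never by C-string termination.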

GLSA 200909-17 ZNC: Directory traversal

RHSA-2009:1461-01 Important: Red Hat Application Stack v2.4 security and enhancement update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Application Stack v2.4 security and enhancement update
Advisory ID: RHSA-2009:1461-01
Product: Red Hat Application Stack
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1461.html
Issue date: 2009-09-23
CVE Names: CVE-2008-4456 CVE-2009-2446 CVE-2009-2687
CVE-2009-3094 CVE-2009-3095 CVE-2009-3229
CVE-2009-3230 CVE-2009-3231
=====================================================================

1. Summary:

Red Hat Application Stack v2.4 is now available. This update fixes several
security issues and adds various enhancements.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v2 for Enterprise Linux (v.5) - i386, noarch, x86_64

3. Description:

Red Hat Application Stack v2.4 is an integrated open source application
stack, that includes Red Hat Enterprise Linux 5 and JBoss Enterprise
Application Platform (EAP). JBoss EAP is provided through the JBoss EAP
channels on the Red Hat Network.

PostgreSQL was updated to version 8.2.14, fixing the following security
issues:

A flaw was found in the way PostgreSQL handles LDAP-based authentication.
If PostgreSQL was configured to use LDAP authentication and the LDAP server
was configured to allow anonymous binds, anyone able to connect to a given
database could use this flaw to log in as any database user, including a
PostgreSQL superuser, without supplying a password. (CVE-2009-3231)

It was discovered that the upstream patch for CVE-2007-6600 included in the
Red Hat Security Advisory RHSA-2008:0040 did not include protection against
misuse of the RESET ROLE and RESET SESSION AUTHORIZATION commands. An
authenticated user could use this flaw to install malicious code that would
later execute with superuser privileges. (CVE-2009-3230)

A flaw was found in the way PostgreSQL handles external plug-ins. This flaw
could allow remote, authenticated users without superuser privileges to
crash the back-end server by using the LOAD command on libraries in
"/var/lib/pgsql/plugins/" that have already been loaded, causing a
temporary denial of service during crash recovery. (CVE-2009-3229)

MySQL was updated to version 5.0.84, fixing the following security issues:

An insufficient HTML entities quoting flaw was found in the mysql command
line client's HTML output mode. If an attacker was able to inject arbitrary
HTML tags into data stored in a MySQL database, which was later retrieved
using the mysql command line client and its HTML output mode, they could
perform a cross-site scripting (XSS) attack against victims viewing the
HTML output in a web browser. (CVE-2008-4456)

Multiple format string flaws were found in the way the MySQL server logs
user commands when creating and deleting databases. A remote, authenticated
attacker with permissions to CREATE and DROP databases could use these
flaws to formulate a specifically-crafted SQL command that would cause a
temporary denial of service (open connections to mysqld are terminated).
(CVE-2009-2446)

Note: To exploit the CVE-2009-2446 flaws, the general query log (the mysqld
"--log" command line option or the "log" option in "/etc/my.cnf") must be
enabled. This logging is not enabled by default.

PHP was updated to version 5.2.10, fixing the following security issue:

An insufficient input validation flaw was discovered in the PHP
exif_read_data() function, used to read Exchangeable image file format
(Exif) metadata from images. An attacker could create a specially-crafted
image that could cause the PHP interpreter to crash or disclose portions of
its memory while reading the Exif metadata from the image. (CVE-2009-2687)

Apache httpd has been updated with backported patches to correct the
following security issues:

A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp
module. A malicious FTP server to which requests are being proxied could
use this flaw to crash an httpd child process via a malformed reply to the
EPSV or PASV commands, resulting in a limited denial of service.
(CVE-2009-3094)

A second flaw was found in the Apache mod_proxy_ftp module. In a reverse
proxy configuration, a remote attacker could use this flaw to bypass
intended access restrictions by creating a carefully-crafted HTTP
Authorization header, allowing the attacker to send arbitrary commands to
the FTP server. (CVE-2009-3095)

Also, the following packages have been updated:

* postgresql-jdbc to 8.2.510
* php-pear to 1.8.1
* perl-DBI to 1.609
* perl-DBD-MySQL to 4.012

All users should upgrade to these updated packages, which resolve these
issues. Users must restart the individual services, including postgresql,
mysqld, and httpd, for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

466518 - CVE-2008-4456 mysql: mysql command line client XSS flaw
506896 - CVE-2009-2687 php: exif_read_data crash on corrupted JPEG files
511020 - CVE-2009-2446 MySQL: Format string vulnerability by manipulation with database instances (crash)
521619 - CVE-2009-3094 httpd: NULL pointer deref in mod_proxy_ftp caused by crafted EPSV and PASV reply
522084 - CVE-2009-3231 postgresql: LDAP authentication bypass when anonymous LDAP binds are allowed
522085 - CVE-2009-3230 postgresql: SQL privilege escalation, incomplete fix for CVE-2007-6600
522092 - CVE-2009-3229 postgresql: authenticated user server DoS via plugin re-LOAD-ing
522209 - CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header

6. Package List:

Red Hat Application Stack v2 for Enterprise Linux (v.5):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/httpd-2.2.13-2.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/mysql-5.0.84-2.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/perl-DBD-MySQL-4.012-1.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/perl-DBI-1.609-1.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/php-5.2.10-1.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/php-pear-1.8.1-2.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/postgresql-8.2.14-1.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/postgresql-jdbc-8.2.510-1jpp.el5s2.src.rpm

i386:
httpd-2.2.13-2.el5s2.i386.rpm
httpd-debuginfo-2.2.13-2.el5s2.i386.rpm
httpd-devel-2.2.13-2.el5s2.i386.rpm
httpd-manual-2.2.13-2.el5s2.i386.rpm
mod_ssl-2.2.13-2.el5s2.i386.rpm
mysql-5.0.84-2.el5s2.i386.rpm
mysql-bench-5.0.84-2.el5s2.i386.rpm
mysql-cluster-5.0.84-2.el5s2.i386.rpm
mysql-debuginfo-5.0.84-2.el5s2.i386.rpm
mysql-devel-5.0.84-2.el5s2.i386.rpm
mysql-libs-5.0.84-2.el5s2.i386.rpm
mysql-server-5.0.84-2.el5s2.i386.rpm
mysql-test-5.0.84-2.el5s2.i386.rpm
perl-DBD-MySQL-4.012-1.el5s2.i386.rpm
perl-DBD-MySQL-debuginfo-4.012-1.el5s2.i386.rpm
perl-DBI-1.609-1.el5s2.i386.rpm
perl-DBI-debuginfo-1.609-1.el5s2.i386.rpm
php-5.2.10-1.el5s2.i386.rpm
php-bcmath-5.2.10-1.el5s2.i386.rpm
php-cli-5.2.10-1.el5s2.i386.rpm
php-common-5.2.10-1.el5s2.i386.rpm
php-dba-5.2.10-1.el5s2.i386.rpm
php-debuginfo-5.2.10-1.el5s2.i386.rpm
php-devel-5.2.10-1.el5s2.i386.rpm
php-gd-5.2.10-1.el5s2.i386.rpm
php-imap-5.2.10-1.el5s2.i386.rpm
php-ldap-5.2.10-1.el5s2.i386.rpm
php-mbstring-5.2.10-1.el5s2.i386.rpm
php-mysql-5.2.10-1.el5s2.i386.rpm
php-ncurses-5.2.10-1.el5s2.i386.rpm
php-odbc-5.2.10-1.el5s2.i386.rpm
php-pdo-5.2.10-1.el5s2.i386.rpm
php-pgsql-5.2.10-1.el5s2.i386.rpm
php-snmp-5.2.10-1.el5s2.i386.rpm
php-soap-5.2.10-1.el5s2.i386.rpm
php-xml-5.2.10-1.el5s2.i386.rpm
php-xmlrpc-5.2.10-1.el5s2.i386.rpm
postgresql-8.2.14-1.el5s2.i386.rpm
postgresql-contrib-8.2.14-1.el5s2.i386.rpm
postgresql-debuginfo-8.2.14-1.el5s2.i386.rpm
postgresql-devel-8.2.14-1.el5s2.i386.rpm
postgresql-docs-8.2.14-1.el5s2.i386.rpm
postgresql-jdbc-8.2.510-1jpp.el5s2.i386.rpm
postgresql-jdbc-debuginfo-8.2.510-1jpp.el5s2.i386.rpm
postgresql-libs-8.2.14-1.el5s2.i386.rpm
postgresql-plperl-8.2.14-1.el5s2.i386.rpm
postgresql-plpython-8.2.14-1.el5s2.i386.rpm
postgresql-pltcl-8.2.14-1.el5s2.i386.rpm
postgresql-python-8.2.14-1.el5s2.i386.rpm
postgresql-server-8.2.14-1.el5s2.i386.rpm
postgresql-tcl-8.2.14-1.el5s2.i386.rpm
postgresql-test-8.2.14-1.el5s2.i386.rpm

noarch:
php-pear-1.8.1-2.el5s2.noarch.rpm

x86_64:
httpd-2.2.13-2.el5s2.x86_64.rpm
httpd-debuginfo-2.2.13-2.el5s2.i386.rpm
httpd-debuginfo-2.2.13-2.el5s2.x86_64.rpm
httpd-devel-2.2.13-2.el5s2.i386.rpm
httpd-devel-2.2.13-2.el5s2.x86_64.rpm
httpd-manual-2.2.13-2.el5s2.x86_64.rpm
mod_ssl-2.2.13-2.el5s2.x86_64.rpm
mysql-5.0.84-2.el5s2.i386.rpm
mysql-5.0.84-2.el5s2.x86_64.rpm
mysql-bench-5.0.84-2.el5s2.x86_64.rpm
mysql-cluster-5.0.84-2.el5s2.x86_64.rpm
mysql-debuginfo-5.0.84-2.el5s2.i386.rpm
mysql-debuginfo-5.0.84-2.el5s2.x86_64.rpm
mysql-devel-5.0.84-2.el5s2.i386.rpm
mysql-devel-5.0.84-2.el5s2.x86_64.rpm
mysql-libs-5.0.84-2.el5s2.i386.rpm
mysql-libs-5.0.84-2.el5s2.x86_64.rpm
mysql-server-5.0.84-2.el5s2.x86_64.rpm
mysql-test-5.0.84-2.el5s2.x86_64.rpm
perl-DBD-MySQL-4.012-1.el5s2.x86_64.rpm
perl-DBD-MySQL-debuginfo-4.012-1.el5s2.x86_64.rpm
perl-DBI-1.609-1.el5s2.x86_64.rpm
perl-DBI-debuginfo-1.609-1.el5s2.x86_64.rpm
php-5.2.10-1.el5s2.x86_64.rpm
php-bcmath-5.2.10-1.el5s2.x86_64.rpm
php-cli-5.2.10-1.el5s2.x86_64.rpm
php-common-5.2.10-1.el5s2.x86_64.rpm
php-dba-5.2.10-1.el5s2.x86_64.rpm
php-debuginfo-5.2.10-1.el5s2.x86_64.rpm
php-devel-5.2.10-1.el5s2.x86_64.rpm
php-gd-5.2.10-1.el5s2.x86_64.rpm
php-imap-5.2.10-1.el5s2.x86_64.rpm
php-ldap-5.2.10-1.el5s2.x86_64.rpm
php-mbstring-5.2.10-1.el5s2.x86_64.rpm
php-mysql-5.2.10-1.el5s2.x86_64.rpm
php-ncurses-5.2.10-1.el5s2.x86_64.rpm
php-odbc-5.2.10-1.el5s2.x86_64.rpm
php-pdo-5.2.10-1.el5s2.x86_64.rpm
php-pgsql-5.2.10-1.el5s2.x86_64.rpm
php-snmp-5.2.10-1.el5s2.x86_64.rpm
php-soap-5.2.10-1.el5s2.x86_64.rpm
php-xml-5.2.10-1.el5s2.x86_64.rpm
php-xmlrpc-5.2.10-1.el5s2.x86_64.rpm
postgresql-8.2.14-1.el5s2.x86_64.rpm
postgresql-contrib-8.2.14-1.el5s2.x86_64.rpm
postgresql-debuginfo-8.2.14-1.el5s2.i386.rpm
postgresql-debuginfo-8.2.14-1.el5s2.x86_64.rpm
postgresql-devel-8.2.14-1.el5s2.i386.rpm
postgresql-devel-8.2.14-1.el5s2.x86_64.rpm
postgresql-docs-8.2.14-1.el5s2.x86_64.rpm
postgresql-jdbc-8.2.510-1jpp.el5s2.x86_64.rpm
postgresql-jdbc-debuginfo-8.2.510-1jpp.el5s2.x86_64.rpm
postgresql-libs-8.2.14-1.el5s2.i386.rpm
postgresql-libs-8.2.14-1.el5s2.x86_64.rpm
postgresql-plperl-8.2.14-1.el5s2.x86_64.rpm
postgresql-plpython-8.2.14-1.el5s2.x86_64.rpm
postgresql-pltcl-8.2.14-1.el5s2.x86_64.rpm
postgresql-python-8.2.14-1.el5s2.x86_64.rpm
postgresql-server-8.2.14-1.el5s2.x86_64.rpm
postgresql-tcl-8.2.14-1.el5s2.x86_64.rpm
postgresql-test-8.2.14-1.el5s2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKupg9XlSAg2UNWIIRAgcCAJ9zN2IdEV695/K9vdqLfujl8HQXfgCgnju5
cbqFD4b56PqnVC0IXfdnA+E=
=vy7A
-----END PGP SIGNATURE-----
"
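An added example (not Apache httpd's code and not part of the advisory) of the input check that closes the CVE-2009-3095 vector described in RHSA-2009:1461 above. mod_proxy_ftp turns the user name and password from a Basic Authorization header into FTP USER and PASS command lines, so a CR or LF hidden inside the base64-encoded credentials ends that line early and the FTP server reads whatever follows as further commands. The header values below are constructed; the small base64 decoder and the check function are this example's own, not httpd's.

```c
#include <stdio.h>
#include <string.h>

/* Value of one base64 alphabet character, or -1 if it is not in the
 * RFC 4648 alphabet. */
static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Minimal base64 decoder: stops at NUL or '=' padding, returns the
 * number of bytes written to out, or -1 on an invalid character or
 * if out is too small. */
int base64_decode(const char *in, unsigned char *out, size_t outcap)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64_val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Returns 1 if a "Basic <base64>" Authorization value may safely be
 * turned into FTP USER/PASS lines, 0 otherwise. CR, LF and NUL inside
 * the decoded credentials are refused: CR/LF would terminate the FTP
 * command line early (the injection the advisory describes) and NUL
 * would silently truncate it. A colon must separate user from password. */
int basic_auth_safe_for_ftp(const char *authz)
{
    static const char prefix[] = "Basic ";
    unsigned char buf[512];
    int n, i;

    if (strncmp(authz, prefix, sizeof(prefix) - 1) != 0)
        return 0;
    n = base64_decode(authz + sizeof(prefix) - 1, buf, sizeof buf);
    if (n < 0)
        return 0;
    for (i = 0; i < n; i++)
        if (buf[i] == '\r' || buf[i] == '\n' || buf[i] == '\0')
            return 0;
    return memchr(buf, ':', (size_t)n) != NULL;
}

int main(void)
{
    /* Constructed headers: "alice:secret" and "a\r\nQUIT:b" in base64. */
    const char *benign  = "Basic YWxpY2U6c2VjcmV0";
    const char *crafted = "Basic YQ0KUVVJVDpi";
    printf("benign  safe: %d\n", basic_auth_safe_for_ftp(benign));
    printf("crafted safe: %d\n", basic_auth_safe_for_ftp(crafted));
    return 0;
}
```

The check belongs before any byte of the credentials is written to the FTP control connection; rejecting the request with 400 is the conservative choice, since no legitimate FTP user name or password contains a line break.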

RHSA-2009:1451-01 Moderate: freeradius security update

RHSA-2009:1463-01 Moderate: newt security update  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: newt security update
Advisory ID: RHSA-2009:1463-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1463.html
Issue date: 2009-09-24
CVE Names: CVE-2009-2905
=====================================================================

1. Summary:

Updated newt packages that fix one security issue are now available for Red
Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Newt is a programming library for color text mode, widget-based user
interfaces. Newt can be used to add stacked windows, entry widgets,
checkboxes, radio buttons, labels, plain text fields, scrollbars, and so
on, to text mode user interfaces.

A heap-based buffer overflow flaw was found in the way newt processes
content that is to be displayed in a text dialog box. A local attacker
could issue a specially-crafted text dialog box display request (direct or
via a custom application), leading to a denial of service (application
crash) or, potentially, arbitrary code execution with the privileges of the
user running the application using the newt library. (CVE-2009-2905)

Users of newt should upgrade to these updated packages, which contain a
backported patch to correct this issue. After installing the updated
packages, all applications using the newt library must be restarted for the
update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

523955 - CVE-2009-2905 newt: heap-overflow in textbox when text reflowing

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/newt-0.51.5-2.el3.src.rpm

i386:
newt-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-devel-0.51.5-2.el3.i386.rpm

ia64:
newt-0.51.5-2.el3.i386.rpm
newt-0.51.5-2.el3.ia64.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.ia64.rpm
newt-devel-0.51.5-2.el3.ia64.rpm

ppc:
newt-0.51.5-2.el3.ppc.rpm
newt-0.51.5-2.el3.ppc64.rpm
newt-debuginfo-0.51.5-2.el3.ppc.rpm
newt-debuginfo-0.51.5-2.el3.ppc64.rpm
newt-devel-0.51.5-2.el3.ppc.rpm

s390:
newt-0.51.5-2.el3.s390.rpm
newt-debuginfo-0.51.5-2.el3.s390.rpm
newt-devel-0.51.5-2.el3.s390.rpm

s390x:
newt-0.51.5-2.el3.s390.rpm
newt-0.51.5-2.el3.s390x.rpm
newt-debuginfo-0.51.5-2.el3.s390.rpm
newt-debuginfo-0.51.5-2.el3.s390x.rpm
newt-devel-0.51.5-2.el3.s390x.rpm

x86_64:
newt-0.51.5-2.el3.i386.rpm
newt-0.51.5-2.el3.x86_64.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.x86_64.rpm
newt-devel-0.51.5-2.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/newt-0.51.5-2.el3.src.rpm

i386:
newt-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-devel-0.51.5-2.el3.i386.rpm

x86_64:
newt-0.51.5-2.el3.i386.rpm
newt-0.51.5-2.el3.x86_64.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.x86_64.rpm
newt-devel-0.51.5-2.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/newt-0.51.5-2.el3.src.rpm

i386:
newt-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-devel-0.51.5-2.el3.i386.rpm

ia64:
newt-0.51.5-2.el3.i386.rpm
newt-0.51.5-2.el3.ia64.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.ia64.rpm
newt-devel-0.51.5-2.el3.ia64.rpm

x86_64:
newt-0.51.5-2.el3.i386.rpm
newt-0.51.5-2.el3.x86_64.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.x86_64.rpm
newt-devel-0.51.5-2.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/newt-0.51.5-2.el3.src.rpm

i386:
newt-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-devel-0.51.5-2.el3.i386.rpm

ia64:
newt-0.51.5-2.el3.i386.rpm
newt-0.51.5-2.el3.ia64.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.ia64.rpm
newt-devel-0.51.5-2.el3.ia64.rpm

x86_64:
newt-0.51.5-2.el3.i386.rpm
newt-0.51.5-2.el3.x86_64.rpm
newt-debuginfo-0.51.5-2.el3.i386.rpm
newt-debuginfo-0.51.5-2.el3.x86_64.rpm
newt-devel-0.51.5-2.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/newt-0.51.6-10.el4_8.1.src.rpm

i386:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-devel-0.51.6-10.el4_8.1.i386.rpm

ia64:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-0.51.6-10.el4_8.1.ia64.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.ia64.rpm
newt-devel-0.51.6-10.el4_8.1.ia64.rpm

ppc:
newt-0.51.6-10.el4_8.1.ppc.rpm
newt-0.51.6-10.el4_8.1.ppc64.rpm
newt-debuginfo-0.51.6-10.el4_8.1.ppc.rpm
newt-debuginfo-0.51.6-10.el4_8.1.ppc64.rpm
newt-devel-0.51.6-10.el4_8.1.ppc.rpm

s390:
newt-0.51.6-10.el4_8.1.s390.rpm
newt-debuginfo-0.51.6-10.el4_8.1.s390.rpm
newt-devel-0.51.6-10.el4_8.1.s390.rpm

s390x:
newt-0.51.6-10.el4_8.1.s390.rpm
newt-0.51.6-10.el4_8.1.s390x.rpm
newt-debuginfo-0.51.6-10.el4_8.1.s390.rpm
newt-debuginfo-0.51.6-10.el4_8.1.s390x.rpm
newt-devel-0.51.6-10.el4_8.1.s390x.rpm

x86_64:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-0.51.6-10.el4_8.1.x86_64.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.x86_64.rpm
newt-devel-0.51.6-10.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/newt-0.51.6-10.el4_8.1.src.rpm

i386:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-devel-0.51.6-10.el4_8.1.i386.rpm

x86_64:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-0.51.6-10.el4_8.1.x86_64.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.x86_64.rpm
newt-devel-0.51.6-10.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/newt-0.51.6-10.el4_8.1.src.rpm

i386:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-devel-0.51.6-10.el4_8.1.i386.rpm

ia64:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-0.51.6-10.el4_8.1.ia64.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.ia64.rpm
newt-devel-0.51.6-10.el4_8.1.ia64.rpm

x86_64:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-0.51.6-10.el4_8.1.x86_64.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.x86_64.rpm
newt-devel-0.51.6-10.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/newt-0.51.6-10.el4_8.1.src.rpm

i386:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-devel-0.51.6-10.el4_8.1.i386.rpm

ia64:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-0.51.6-10.el4_8.1.ia64.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.ia64.rpm
newt-devel-0.51.6-10.el4_8.1.ia64.rpm

x86_64:
newt-0.51.6-10.el4_8.1.i386.rpm
newt-0.51.6-10.el4_8.1.x86_64.rpm
newt-debuginfo-0.51.6-10.el4_8.1.i386.rpm
newt-debuginfo-0.51.6-10.el4_8.1.x86_64.rpm
newt-devel-0.51.6-10.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/newt-0.52.2-12.el5_4.1.src.rpm

i386:
newt-0.52.2-12.el5_4.1.i386.rpm
newt-debuginfo-0.52.2-12.el5_4.1.i386.rpm

x86_64:
newt-0.52.2-12.el5_4.1.i386.rpm
newt-0.52.2-12.el5_4.1.x86_64.rpm
newt-debuginfo-0.52.2-12.el5_4.1.i386.rpm
newt-debuginfo-0.52.2-12.el5_4.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/newt-0.52.2-12.el5_4.1.src.rpm

i386:
newt-debuginfo-0.52.2-12.el5_4.1.i386.rpm
newt-devel-0.52.2-12.el5_4.1.i386.rpm

x86_64:
newt-debuginfo-0.52.2-12.el5_4.1.i386.rpm
newt-debuginfo-0.52.2-12.el5_4.1.x86_64.rpm
newt-devel-0.52.2-12.el5_4.1.i386.rpm
newt-devel-0.52.2-12.el5_4.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/newt-0.52.2-12.el5_4.1.src.rpm

i386:
newt-0.52.2-12.el5_4.1.i386.rpm
newt-debuginfo-0.52.2-12.el5_4.1.i386.rpm
newt-devel-0.52.2-12.el5_4.1.i386.rpm

ia64:
newt-0.52.2-12.el5_4.1.ia64.rpm
newt-debuginfo-0.52.2-12.el5_4.1.ia64.rpm
newt-devel-0.52.2-12.el5_4.1.ia64.rpm

ppc:
newt-0.52.2-12.el5_4.1.ppc.rpm
newt-0.52.2-12.el5_4.1.ppc64.rpm
newt-debuginfo-0.52.2-12.el5_4.1.ppc.rpm
newt-debuginfo-0.52.2-12.el5_4.1.ppc64.rpm
newt-devel-0.52.2-12.el5_4.1.ppc.rpm
newt-devel-0.52.2-12.el5_4.1.ppc64.rpm

s390x:
newt-0.52.2-12.el5_4.1.s390.rpm
newt-0.52.2-12.el5_4.1.s390x.rpm
newt-debuginfo-0.52.2-12.el5_4.1.s390.rpm
newt-debuginfo-0.52.2-12.el5_4.1.s390x.rpm
newt-devel-0.52.2-12.el5_4.1.s390.rpm
newt-devel-0.52.2-12.el5_4.1.s390x.rpm

x86_64:
newt-0.52.2-12.el5_4.1.i386.rpm
newt-0.52.2-12.el5_4.1.x86_64.rpm
newt-debuginfo-0.52.2-12.el5_4.1.i386.rpm
newt-debuginfo-0.52.2-12.el5_4.1.x86_64.rpm
newt-devel-0.52.2-12.el5_4.1.i386.rpm
newt-devel-0.52.2-12.el5_4.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2905
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKu8cqXlSAg2UNWIIRAj5rAJ93NojFMID2+HqRFyZ+LIdAKpXa5wCeLZhS
8OoeiLToCoMt/vAvwDtSfbU=
47
-----END PGP SIGNATURE-----
"

RHSA-2009:1209-01 Moderate: curl security update