[Admins] Debian Package Updates on dochas.stdlib.net.

root root at stdlib.net
Thu May 3 06:27:13 IST 2007


apticron report [Thu, 03 May 2007 06:27:04 +0100]
========================================================================

apticron has detected that some packages need upgrading on: 

	dochas.stdlib.net 
	[ 82.195.155.60 2001:770:100:65::2 ]

The following packages are currently pending an upgrade:

	libc6-dev 2.3.2.ds1-22sarge6
	locales 2.3.2.ds1-22sarge6
	libc6 2.3.2.ds1-22sarge6
	man-db 2.4.2-21sarge1
	file 4.12-1sarge1
	libmagic1 4.12-1sarge1
	gnupg 1.4.1-1.sarge7
	libkrb53 1.3.6-2sarge4
	libclamav2 0.90.2-0volatile1
	lsb-base 2.0-7
	clamav-freshclam 0.90.2-0volatile1
	clamav-daemon 0.90.2-0volatile1
	clamav-base 0.90.2-0volatile1
	php4-mysql 4:4.3.10-20
	php4-gd 4:4.3.10-20
	libapache2-mod-php4 4:4.3.10-20
	php4-common 4:4.3.10-20
	tcpdump 3.8.3-5sarge2

========================================================================

Package Details:

Reading changelogs...
--- Changes for krb5 (libkrb53) ---
krb5 (1.3.6-2sarge4) stable-security; urgency=emergency

  * MIT-SA-2007-1: telnet allows  login as an arbitrary user when
    presented with a specially crafted username; CVE-2007-0956 
  * krb5_klog_syslog has a trivial buffer overflow that can be exploited
    by network data; CVE-2007-0957.  The upstream patch is very intrusive
    because it fixes each call to syslog to have proper length checking as
    well as the actual krb5_klog_syslog internals to use vsnprintf rather
    than vsprintf.  I have chosen to only include the change to
    krb5_klog_syslog for sarge.  This is sufficient to fix the problem but
    is much smaller and less intrusive.   (MIT-SA-2007-2)
  * MIT-SA-2007-3: The GSS-API library can cause a double free if
    applications treat certain errors decoding a message as errors that
    require freeing the output buffer.  At least the gssapi rpc library
    does this, so kadmind is vulnerable.    Fix the gssapi library because
    the spec allows applications to treat errors this way.  CVE-2007-1216 

 -- Sam Hartman <hartmans at debian.org>  Sun, 11 Mar 2007 18:52:11 -0400

--- Changes for clamav (clamav-freshclam clamav-daemon clamav-base) ---
clamav (0.90.2-0volatile1) sarge-volatile; urgency=low

  * New upstream version
    - File descriptor leak in PDF handler
    - File descriptor leak in CHM handler
    - Buffer Overflow in CAB File Unstore

 -- Stephen Gran <sgran at debian.org>  Sun, 15 Apr 2007 12:23:00 +0100

clamav (0.90.1-0volatile2) sarge-volatile; urgency=low

  * Maintainer script fix for NotifyClamd in freshclam.conf parse error

 -- Stephen Gran <sgran at debian.org>  Wed,  7 Mar 2007 01:45:29 +0000

clamav (0.90.1-0volatile1) sarge-volatile; urgency=low

  * New upstream version
    - Many memleaks fixed
    - Many potential crashes fixed
  * Patches:
    - freshen 02_milter_sendmail_version_patch
    - freshen 20_clamscan-manpage-update.dpatch
    - freshen 24_nullmailer_ftbfs.dpatch
    - remove 25_soname_bump.dpatch (merged upstream)
    - remove 26_isspace_fix_segv.dpatch (merged upstream)

 -- Stephen Gran <sgran at debian.org>  Fri,  2 Mar 2007 03:56:26 +0000

clamav (0.90-0volatile2) sarge-volatile; urgency=low

  * Fix clamav.examples to actually include what's there, and not what include
    what isn't.  Unsurprisingly, this fixes an FTBFS

 -- Stephen Gran <sgran at debian.org>  Thu,  1 Mar 2007 15:49:55 +0000

clamav (0.90-0volatile1) sarge-volatile; urgency=high

  * Backport for volatile
  * Fix init scripts to work with sarge's lsb-base
  * Revert dh_compat to 4, and eliminate debug package
  * Revert new dpkg-dev variables to sarge approximations

 -- Stephen Gran <sgran at debian.org>  Thu,  1 Mar 2007 02:07:40 +0000

--- Changes for file (file libmagic1) ---
file (4.12-1sarge1) stable-security; urgency=high

  * Applied patch from upstream to src/file.h, src/funcs.c and src/magic.c to
    fix integer underflow in file_printf which can lead to to exploitable heap
    overflow CVE-2007-1536 (Closes: #415362, #416678).

 -- Daniel Baumann <daniel at debian.org>  Thu, 29 Mar 2007 20:28:00 +0200

--- Changes for gnupg ---
gnupg (1.4.1-1.sarge7) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Backported patch from upstream 1.4.7 for CVE-2007-1263.

 -- Moritz Muehlenhoff <jmm at debian.org>  Mon, 12 Mar 2007 18:48:15 +0000

--- Changes for php4 (php4-mysql php4-gd libapache2-mod-php4 php4-common) ---
php4 (4:4.3.10-20) oldstable-security; urgency=high

  * NMU prepared for the security team by the package maintainer.
  * The following security issues are addressed with this update:
    - CVE-2007-0910/MOPB-32 session_decode() Double Free Vulnerability
      * note that this is an update to the previous version of the upstream
        fix for CVE-2007-0910, which introduced a seperate exploit path.
    - CVE-2007-1286/MOPB-04 unserialize() ZVAL Reference Counter Overflow
    - CVE-2007-1380/MOPB-10 php_binary Session Deserialization Information Leak
    - CVE-2007-1521/MOPB-22 session_regenerate_id() Double Free Vulnerability
    - CVE-2007-1583/MOPB-26 mb_parse_str() register_globals Activation Vuln.
    - CVE-2007-1777/MOPB-35 zip_entry_read() Integer Overflow Vulnerability
  * The other security issues resulting from the "Month of PHP bugs" either
    did not affect the version of php4 shipped in sarge, or did not merit
    a security update according to the established security policy for php
    in debian.  You are encouraged to verify that your configuration is not
    affected by any of the other vulnerabilities by visiting:
        http://www.php-security.org/

 -- sean finney <seanius at debian.org>  Mon, 23 Apr 2007 18:19:17 +0200

php4 (4:4.3.10-19) stable-security; urgency=high

  * NMU prepared for the security team by the package maintainer
  * The following security issues are addressed with this update:
    - CVE-2007-0906: Multiple buffer overflows in various code:
      * session (addressed in patch for CVE-2007-0910 below)
      * imap (CVE-2007-0906-imap.patch)
      * str_replace: (CVE-2007-0906-strreplace.patch)
      * the zip, sqlite, stream filters, mail, and interbase related 
        vulnerabilities in this CVE do not affect the debian sarge php4 
        source package.
    - CVE-2007-0907: Buffer underflow in sapi_header_op (CVE-2007-0907.patch)
    - CVE-2007-0908: wddx module information disclosure (CVE-2007-0908.patch)
    - CVE-2007-0909: More buffer overflows:
      * the odbc_result_all function (CVE-2007-0909-odbc.patch)
      * various formatted print functions (CVE-2007-0909-printf.patch)
    - CVE-2007-0910: Clobbering of super-global variables (CVE-2007-0910.patch)
    - CVE-2007-0988: DoS in unserialize on 64bit platforms (CVE-2007-0988.patch)
  * The package maintainers would like to thank Joe Orton from redhat and
    Martin Pitt from ubuntu for their help in the preparation of this update.

 -- sean finney <seanius at debian.org>  Tue, 27 Feb 2007 00:31:08 +0100

--- Changes for tcpdump ---
tcpdump (3.8.3-5sarge2) stable-security; urgency=high

  * debian/patches/60_CVE-2007-1218.dpatch: New patch, fixes a potential
    buffer overflow in the 802.11 printer. References:
    + CVE-2007-1218
    + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413430
  * debian/patches/00list: Update.

 -- Romain Francoise <rfrancoise at debian.org>  Sun, 18 Mar 2007 23:21:06 +0100

--- Changes for glibc (libc6-dev locales libc6) ---
glibc (2.3.2.ds1-22sarge6) stable; urgency=low

  * control.in/main, rules.d/debhelper.mk: use dh_shlibdeps to set the
    dependencies of nscd.

 -- Aurelien Jarno <aurel32 at debian.org>  Sun,  4 Mar 2007 01:10:12 +0100

--- Changes for man-db ---
man-db (2.4.2-21sarge1) stable-security; urgency=low

  * CVE-2006-4250: Fix a buffer overrun if using -H and the designated web
    browser (argument to -H or $BROWSER) contains multiple %s expansions.
    Thanks to Jochen Voß for the report.

 -- Colin Watson <cjwatson at debian.org>  Wed,  8 Nov 2006 23:00:04 -0800

========================================================================

You can perform the upgrade by issuing the command:

	apt-get dist-upgrade

as root on dochas.stdlib.net

It is recommended that you simulate the upgrade first to confirm that
the actions that would be taken are reasonable. The upgrade may be 
simulated by issuing the command:

	apt-get -s dist-upgrade

-- 
apticron



More information about the Admins mailing list