stable/main/binary-amd64/zope2.7_2.7.5-2sarge4_amd64.deb
zope2.7 (2.7.5-2sarge4) stable-security; urgency=high
  * SECURITY UPDATE: Prevent privilege elevation through misuse of HTTP GET.
    Refs: http://www.zope.org/Products/Zope/Hotfix-2007-03-20/announcement/view
    CVE-2007-0240 (Closes: #416500)

stable/main/source/zope2.7_2.7.5-2sarge4.dsc
stable/main/source/zope2.7_2.7.5-2sarge4.diff.gz
zope2.7 (2.7.5-2sarge4) stable; urgency=low
  * upload of source

stable/main/binary-amd64/xmms_1.2.10+cvs20050209-2sarge1_amd64.deb
stable/main/binary-amd64/xmms-dev_1.2.10+cvs20050209-2sarge1_amd64.deb
xmms (1.2.10+cvs20050209-2sarge1) stable-security; urgency=high
  * Backported patch from Kees Cook to address integer underflow CVE-2007-0654
    and overflow CVE-2007-0653 in BMP loader xmms/bmp.c (see #416423).

stable/main/source/xmms_1.2.10+cvs20050209-2sarge1.diff.gz
stable/main/source/xmms_1.2.10+cvs20050209-2sarge1.dsc
xmms (1.2.10+cvs20050209-2sarge1) stable; urgency=low
  * upload of source

stable/main/source/webcalendar_0.9.45-4sarge6.dsc
stable/main/binary-all/webcalendar_0.9.45-4sarge6_all.deb
stable/main/source/webcalendar_0.9.45-4sarge6.diff.gz
webcalendar (0.9.45-4sarge6) stable; urgency=low
  * upload of source

stable/main/binary-amd64/tcpdump_3.8.3-5sarge2_amd64.deb
tcpdump (3.8.3-5sarge2) stable-security; urgency=high
  * debian/patches/60_CVE-2007-1218.dpatch: New patch, fixes a potential
    buffer overflow in the 802.11 printer. References:
    + CVE-2007-1218
    + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413430
  * debian/patches/00list: Update.
stable/main/source/tcpdump_3.8.3-5sarge2.diff.gz
stable/main/source/tcpdump_3.8.3-5sarge2.dsc
tcpdump (3.8.3-5sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/php4-curl_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-recode_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-odbc_4.3.10-19_amd64.deb
stable/main/binary-amd64/libapache2-mod-php4_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-mhash_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-snmp_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-mysql_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-gd_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-xslt_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-cli_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-mcal_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-cgi_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-sybase_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-ldap_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-dev_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-domxml_4.3.10-19_amd64.deb
stable/main/binary-amd64/libapache-mod-php4_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-common_4.3.10-19_amd64.deb
stable/main/binary-amd64/php4-imap_4.3.10-19_amd64.deb
php4 (4:4.3.10-19) stable-security; urgency=high
  * NMU prepared for the security team by the package maintainer
  * The following security issues are addressed with this update:
    - CVE-2007-0906: Multiple buffer overflows in various code:
      * session (addressed in patch for CVE-2007-0910 below)
      * imap (CVE-2007-0906-imap.patch)
      * str_replace (CVE-2007-0906-strreplace.patch)
      * the zip, sqlite, stream filters, mail, and interbase related
        vulnerabilities in this CVE do not affect the debian sarge php4
        source package.
    - CVE-2007-0907: Buffer underflow in sapi_header_op (CVE-2007-0907.patch)
    - CVE-2007-0908: wddx module information disclosure (CVE-2007-0908.patch)
    - CVE-2007-0909: More buffer overflows:
      * the odbc_result_all function (CVE-2007-0909-odbc.patch)
      * various formatted print functions (CVE-2007-0909-printf.patch)
    - CVE-2007-0910: Clobbering of super-global variables (CVE-2007-0910.patch)
    - CVE-2007-0988: DoS in unserialize on 64bit platforms (CVE-2007-0988.patch)
  * The package maintainers would like to thank Joe Orton from redhat and
    Martin Pitt from ubuntu for their help in the preparation of this update.

stable/main/source/php4_4.3.10-19.diff.gz
stable/main/source/php4_4.3.10-19.dsc
stable/main/binary-all/php4-pear_4.3.10-19_all.deb
stable/main/binary-all/php4_4.3.10-19_all.deb
php4 (4:4.3.10-19) stable; urgency=low
  * upload of source

stable/main/binary-amd64/openafs-kpasswd_1.3.81-3sarge2_amd64.deb
stable/main/binary-amd64/openafs-dbserver_1.3.81-3sarge2_amd64.deb
stable/main/binary-amd64/libpam-openafs-kaserver_1.3.81-3sarge2_amd64.deb
stable/main/binary-amd64/libopenafs-dev_1.3.81-3sarge2_amd64.deb
stable/main/binary-amd64/openafs-client_1.3.81-3sarge2_amd64.deb
stable/main/binary-amd64/openafs-fileserver_1.3.81-3sarge2_amd64.deb
openafs (1.3.81-3sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Apply upstream patch to disable setuid status on all cells by default.
    Prior versions of AFS defaulted to honoring setuid bits in the local
    cell, but since unauthenticated file access in AFS is unencrypted, an
    attacker could forge packets from an AFS file server to synthesize a
    setuid binary in AFS. (CVE-2007-1507, OPENAFS-SA-2007-001)

stable/main/binary-all/openafs-modules-source_1.3.81-3sarge2_all.deb
stable/main/source/openafs_1.3.81-3sarge2.diff.gz
stable/main/source/openafs_1.3.81-3sarge2.dsc
openafs (1.3.81-3sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libaudio-dev_1.7-2sarge1_amd64.deb
stable/main/binary-amd64/nas_1.7-2sarge1_amd64.deb
stable/main/binary-amd64/libaudio2_1.7-2sarge1_amd64.deb
stable/main/binary-amd64/nas-bin_1.7-2sarge1_amd64.deb
nas (1.7-2sarge1) stable-security; urgency=high
  * High-urgency upload to fix multiple security holes (CVE-2007-1543,
    CVE-2007-1544, CVE-2007-1545, CVE-2007-1546 and CVE-2007-1547):
    + accept_att_local buffer overflow through USL connection
    + server termination through nonexistent ID in AddResource
    + bcopy crash caused by integer overflow in ProcAuWriteElement
    + invalid memory pointer caused by big num_actions in ProcAuSetElements
    + another invalid memory pointer caused by big num_actions in
      ProcAuSetElements
    + invalid memory pointer in compileInputs
    + exploits bug 3 in read mode (requires something playing on the server)
    + NULL pointer caused by too many connections

stable/main/binary-all/nas-doc_1.7-2sarge1_all.deb
stable/main/source/nas_1.7-2sarge1.dsc
stable/main/source/nas_1.7-2sarge1.diff.gz
nas (1.7-2sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/mozilla-calendar_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/mozilla-chatzilla_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/mozilla-psm_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/mozilla-browser_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/mozilla-dev_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/mozilla-js-debugger_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/mozilla-dom-inspector_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/libnss-dev_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/libnspr4_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/mozilla_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/libnss3_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/mozilla-mailnews_1.7.8-1sarge10_amd64.deb
stable/main/binary-amd64/libnspr-dev_1.7.8-1sarge10_amd64.deb
mozilla (2:1.7.8-1sarge10) stable-security; urgency=critical
  * fix crash regression in mailnews. updated
    5_0013-MFSA-2006-74-CVE-2006-6505-Part-2-2-362512.txt to include that fix

stable/main/source/mozilla_1.7.8-1sarge10.diff.gz
stable/main/source/mozilla_1.7.8-1sarge10.dsc
mozilla (2:1.7.8-1sarge10) stable; urgency=low
  * upload of source

stable/main/binary-amd64/man-db_2.4.2-21sarge1_amd64.deb
man-db (2.4.2-21sarge1) stable-security; urgency=low
  * CVE-2006-4250: Fix a buffer overrun if using -H and the designated web
    browser (argument to -H or $BROWSER) contains multiple %s expansions.
    Thanks to Jochen Voß for the report.

stable/main/source/man-db_2.4.2-21sarge1.dsc
stable/main/source/man-db_2.4.2-21sarge1.diff.gz
man-db (2.4.2-21sarge1) stable; urgency=low
  * upload of source

stable/main/source/lookup-el_1.4-3sarge1.dsc
stable/main/source/lookup-el_1.4-3sarge1.diff.gz
stable/main/binary-all/lookup-el_1.4-3sarge1_all.deb
lookup-el (1.4-3sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/links2_2.1pre16-1sarge1_amd64.deb
links2 (2.1pre16-1sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Build without smb:// support to avoid potential command execution
    [CVE-2006-5925].
stable/main/source/links2_2.1pre16-1sarge1.diff.gz
stable/main/source/links2_2.1pre16-1sarge1.dsc
links2 (2.1pre16-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libwpd8_0.8.1-1sarge1_amd64.deb
stable/main/binary-amd64/libwpd8-dev_0.8.1-1sarge1_amd64.deb
stable/main/binary-amd64/libwpd-tools_0.8.1-1sarge1_amd64.deb
stable/main/binary-amd64/libwpd-stream8_0.8.1-1sarge1_amd64.deb
libwpd (0.8.1-1sarge1) stable-security; urgency=high
  * fix CVE-2007-0002 (various problems which could be used by remote
    attackers to execute arbitrary code or crash OOo) - thanks Steve Langasek

stable/main/source/libwpd_0.8.1-1sarge1.diff.gz
stable/main/binary-all/libwpd8-doc_0.8.1-1sarge1_all.deb
stable/main/source/libwpd_0.8.1-1sarge1.dsc
libwpd (0.8.1-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libkrb53_1.3.6-2sarge4_amd64.deb
stable/main/binary-amd64/krb5-telnetd_1.3.6-2sarge4_amd64.deb
stable/main/binary-amd64/krb5-clients_1.3.6-2sarge4_amd64.deb
stable/main/binary-amd64/krb5-admin-server_1.3.6-2sarge4_amd64.deb
stable/main/binary-amd64/krb5-user_1.3.6-2sarge4_amd64.deb
stable/main/binary-amd64/libkrb5-dev_1.3.6-2sarge4_amd64.deb
stable/main/binary-amd64/krb5-ftpd_1.3.6-2sarge4_amd64.deb
stable/main/binary-amd64/krb5-kdc_1.3.6-2sarge4_amd64.deb
stable/main/binary-amd64/libkadm55_1.3.6-2sarge4_amd64.deb
stable/main/binary-amd64/krb5-rsh-server_1.3.6-2sarge4_amd64.deb
krb5 (1.3.6-2sarge4) stable-security; urgency=emergency
  * MIT-SA-2007-1: telnet allows login as an arbitrary user when presented
    with a specially crafted username; CVE-2007-0956
  * krb5_klog_syslog has a trivial buffer overflow that can be exploited by
    network data; CVE-2007-0957. The upstream patch is very intrusive because
    it fixes each call to syslog to have proper length checking as well as
    the actual krb5_klog_syslog internals to use vsnprintf rather than
    vsprintf. I have chosen to only include the change to krb5_klog_syslog
    for sarge. This is sufficient to fix the problem but is much smaller and
    less intrusive. (MIT-SA-2007-2)
  * MIT-SA-2007-3: The GSS-API library can cause a double free if
    applications treat certain errors decoding a message as errors that
    require freeing the output buffer. At least the gssapi rpc library does
    this, so kadmind is vulnerable. Fix the gssapi library because the spec
    allows applications to treat errors this way. CVE-2007-1216

stable/main/source/krb5_1.3.6-2sarge4.diff.gz
stable/main/source/krb5_1.3.6-2sarge4.dsc
stable/main/binary-all/krb5-doc_1.3.6-2sarge4_all.deb
krb5 (1.3.6-2sarge4) stable; urgency=low
  * upload of source

stable/main/binary-amd64/gpgv-udeb_1.4.1-1.sarge7_amd64.udeb
stable/main/binary-amd64/gnupg_1.4.1-1.sarge7_amd64.deb
gnupg (1.4.1-1.sarge7) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Backported patch from upstream 1.4.7 for CVE-2007-1263.

stable/main/source/gnupg_1.4.1-1.sarge7.diff.gz
stable/main/source/gnupg_1.4.1-1.sarge7.dsc
gnupg (1.4.1-1.sarge7) stable; urgency=low
  * upload of source

stable/main/binary-amd64/gnomemeeting_1.2.1-1sarge1_amd64.deb
gnomemeeting (1.2.1-1sarge1) stable-security; urgency=high
  * Backported fixes for Ekiga/GnomeMeeting CVE-2007-1006/CVE-2007-1007

stable/main/source/gnomemeeting_1.2.1-1sarge1.dsc
stable/main/source/gnomemeeting_1.2.1-1sarge1.diff.gz
gnomemeeting (1.2.1-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libnss-dns-udeb_2.3.2.ds1-22sarge6_amd64.udeb
stable/main/binary-amd64/libc6-dev_2.3.2.ds1-22sarge6_amd64.deb
stable/main/binary-amd64/libnss-files-udeb_2.3.2.ds1-22sarge6_amd64.udeb
stable/main/binary-amd64/libc6-dbg_2.3.2.ds1-22sarge6_amd64.deb
stable/main/binary-amd64/nscd_2.3.2.ds1-22sarge6_amd64.deb
stable/main/binary-amd64/libc6-udeb_2.3.2.ds1-22sarge6_amd64.udeb
stable/main/binary-amd64/libc6-prof_2.3.2.ds1-22sarge6_amd64.deb
stable/main/binary-amd64/libc6-pic_2.3.2.ds1-22sarge6_amd64.deb
stable/main/binary-amd64/libc6_2.3.2.ds1-22sarge6_amd64.deb
glibc (2.3.2.ds1-22sarge6) stable; urgency=low
  * control.in/main, rules.d/debhelper.mk: use dh_shlibdeps to set the
    dependencies of nscd.

stable/main/source/glibc_2.3.2.ds1-22sarge6.diff.gz
stable/main/binary-all/glibc-doc_2.3.2.ds1-22sarge6_all.deb
stable/main/source/glibc_2.3.2.ds1-22sarge6.dsc
stable/main/binary-all/locales_2.3.2.ds1-22sarge6_all.deb
glibc (2.3.2.ds1-22sarge6) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libmagic-dev_4.12-1sarge1_amd64.deb
stable/main/binary-amd64/libmagic1_4.12-1sarge1_amd64.deb
stable/main/binary-amd64/file_4.12-1sarge1_amd64.deb
file (4.12-1sarge1) stable-security; urgency=high
  * Applied patch from upstream to src/file.h, src/funcs.c and src/magic.c to
    fix integer underflow in file_printf which can lead to exploitable heap
    overflow CVE-2007-1536 (Closes: #415362, #416678).

stable/main/source/file_4.12-1sarge1.diff.gz
stable/main/source/file_4.12-1sarge1.dsc
file (4.12-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libclamav-dev_0.84-2.sarge.15_amd64.deb
stable/main/binary-amd64/clamav_0.84-2.sarge.15_amd64.deb
stable/main/binary-amd64/clamav-daemon_0.84-2.sarge.15_amd64.deb
stable/main/binary-amd64/clamav-milter_0.84-2.sarge.15_amd64.deb
stable/main/binary-amd64/clamav-freshclam_0.84-2.sarge.15_amd64.deb
stable/main/binary-amd64/libclamav1_0.84-2.sarge.15_amd64.deb
clamav (0.84-2.sarge.15) stable-security; urgency=high
  * Trigger rebuild to cope with expired builds, no code changes.

stable/main/source/clamav_0.84-2.sarge.15.dsc
stable/main/binary-all/clamav-base_0.84-2.sarge.15_all.deb
stable/main/binary-all/clamav-testfiles_0.84-2.sarge.15_all.deb
stable/main/source/clamav_0.84-2.sarge.15.diff.gz
stable/main/binary-all/clamav-docs_0.84-2.sarge.15_all.deb
clamav (0.84-2.sarge.15) stable; urgency=low
  * upload of source

stable/main/binary-amd64/base-installer_1.13.4sarge2_amd64.udeb
base-installer (1.13.4sarge2) stable; urgency=high
  * For the kernel ABI change in Sarge 3.1r3 we should also have updated the
    default values for debian-installer/kernel/image* in rootskel. Because
    this was missed, incorrect kernels are now being selected on some
    architectures. Correcting this in rootskel would mean rebuilding D-I,
    which we'd like to avoid. As an alternative solution we correct the
    default in base-installer after reading it. Closes: #412909.
  * Add myself to uploaders.

stable/main/source/base-installer_1.13.4sarge2.tar.gz
stable/main/source/base-installer_1.13.4sarge2.dsc
base-installer (1.13.4sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libxine1_1.0.1-1sarge5_amd64.deb
stable/main/binary-amd64/libxine-dev_1.0.1-1sarge5_amd64.deb
xine-lib (1.0.1-1sarge5) stable-security; urgency=high
  * Fix buffer overflow in Real Media handler. (CVE-2006-6172)

stable/main/source/xine-lib_1.0.1-1sarge5.diff.gz
stable/main/source/xine-lib_1.0.1-1sarge5.dsc
xine-lib (1.0.1-1sarge5) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libxmuu1_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibs-static-pic_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxpm4_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibosmesa4-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libsm6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibmesa-gl_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibmesa-dri_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibs-static-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libsm6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/x-window-system-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxaw6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xterm_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxt6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxext6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxv1-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxmu6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxp-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxt6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libdps-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxp6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxext-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xvfb_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibosmesa-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxtst-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxmuu-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibmesa-glu_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxaw7-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibmesa-dri-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libx11-6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/twm_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xbase-clients_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xdm_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxaw6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xserver-common_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxrandr2_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xmh_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xserver-xfree86-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibmesa-glu-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxft1-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxaw7-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxpm-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxtrap6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libice6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libx11-6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxp6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxrandr2-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxi6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xfwp_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxt-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/proxymngr_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxtst6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libdps1_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libdps1-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxmu6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibmesa-glu-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libsm-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xnest_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xserver-xfree86_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxrandr-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibosmesa4_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/lbxproxy_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibmesa3_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxtst6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxv-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxpm4-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libice-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxmu-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/x-window-system-core_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxtrap6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libice6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibmesa-gl-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxaw7_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxi6_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxi-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxft1_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxmuu1-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xlibmesa-gl-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxext6-dbg_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libx11-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxaw6-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xfs_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxtrap-dev_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/xutils_4.3.0.dfsg.1-14sarge3_amd64.deb
stable/main/binary-amd64/libxv1_4.3.0.dfsg.1-14sarge3_amd64.deb
xfree86 (4.3.0.dfsg.1-14sarge3) stable-security; urgency=high
  * Non-maintainer update by the Security Team: Fixes several vulnerabilities
    reported by iDefense (CVE-2006-6101, CVE-2006-6102, CVE-2006-6103)

stable/main/binary-all/xfonts-75dpi-transcoded_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xfonts-base_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xspecs_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xlibs-dev_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xfree86-common_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xlibs-pic_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xfonts-100dpi-transcoded_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xfonts-cyrillic_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/x-dev_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/source/xfree86_4.3.0.dfsg.1-14sarge3.diff.gz
stable/main/binary-all/xfonts-100dpi_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xlibmesa-dev_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xfonts-75dpi_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xlibmesa3-dbg_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/x-window-system_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xfonts-scalable_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/pm-dev_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xlibs-dbg_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xlibs_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xfonts-base-transcoded_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/binary-all/xlibs-data_4.3.0.dfsg.1-14sarge3_all.deb
stable/main/source/xfree86_4.3.0.dfsg.1-14sarge3.dsc
xfree86 (4.3.0.dfsg.1-14sarge3) stable; urgency=low
  * upload of source

stable/main/binary-all/webmin-core_1.180-3sarge1_all.deb
stable/main/binary-all/webmin_1.180-3sarge1_all.deb
stable/main/source/webmin_1.180-3sarge1.dsc
stable/main/source/webmin_1.180-3sarge1.diff.gz
webmin (1.180-3sarge1) stable; urgency=low
  * upload of source
stable/main/binary-amd64/qvlc_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/kvlc_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-ggi_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/libvlc0-dev_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/gnome-vlc_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-esd_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-sdl_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-plugin-alsa_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-plugin-esd_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-gtk_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-alsa_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-plugin-arts_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/gvlc_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-plugin-sdl_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/mozilla-plugin-vlc_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-gnome_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-qt_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/vlc-plugin-ggi_0.8.1.svn20050314-1sarge2_amd64.deb
stable/main/binary-amd64/wxvlc_0.8.1.svn20050314-1sarge2_amd64.deb
vlc (0.8.1.svn20050314-1sarge2) stable-security; urgency=high
  * modules/access/cdda/access.c modules/access/vcdx/access.c:
    + Fix format string vulnerabilities (CVE-2007-0017) (Closes: #405425).
  * debian/control:
    + Build-conflict against libsmbclient-dev to avoid accidentally depending
      on Samba libraries (Closes: #358026).
stable/main/source/vlc_0.8.1.svn20050314-1sarge2.diff.gz
stable/main/source/vlc_0.8.1.svn20050314-1sarge2.dsc
vlc (0.8.1.svn20050314-1sarge2) stable; urgency=low
  * upload of source

stable/main/source/trac_0.8.1-3sarge7.dsc
stable/main/source/trac_0.8.1-3sarge7.diff.gz
stable/main/binary-all/trac_0.8.1-3sarge7_all.deb
trac (0.8.1-3sarge7) stable; urgency=low
  * upload of source

stable/main/binary-amd64/thttpd-util_2.23beta1-3sarge2_amd64.deb
stable/main/binary-amd64/thttpd_2.23beta1-3sarge2_amd64.deb
thttpd (2.23beta1-3sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Fix the insecure use of temporary files when invoked by logrotate.
    [CVE-2006-4248]

stable/main/source/thttpd_2.23beta1-3sarge2.diff.gz
stable/main/source/thttpd_2.23beta1-3sarge2.dsc
thttpd (2.23beta1-3sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/info_4.7-2.2sarge2_amd64.deb
stable/main/binary-amd64/texinfo_4.7-2.2sarge2_amd64.deb
texinfo (4.7-2.2sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security team.
  * Incorporate Ubuntu's patch for CAN-2005-3011 (insecure temporary file
    handling.)

stable/main/source/texinfo_4.7-2.2sarge2.dsc
stable/main/source/texinfo_4.7-2.2sarge2.diff.gz
texinfo (4.7-2.2sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/tar_1.14-2.3_amd64.deb
tar (1.14-2.3) stable-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Fix arbitrary file overwrite vulnerability in the handling of
    GNUTYPE_NAMES records in tar files. CVE-2006-6097

stable/main/source/tar_1.14-2.3.diff.gz
stable/main/source/tar_1.14-2.3.dsc
tar (1.14-2.3) stable; urgency=low
  * upload of source

stable/main/binary-all/systemimager-server-flamethrowerd_3.2.3-6sarge4_all.deb
stable/main/binary-all/systemimager-doc_3.2.3-6sarge4_all.deb
stable/main/source/systemimager_3.2.3-6sarge4.dsc
stable/main/binary-all/systemimager-common_3.2.3-6sarge4_all.deb
stable/main/source/systemimager_3.2.3-6sarge4.tar.gz
stable/main/binary-all/systemimager-boot-i386-standard_3.2.3-6sarge4_all.deb
stable/main/binary-all/systemimager-client_3.2.3-6sarge4_all.deb
stable/main/binary-all/systemimager-server_3.2.3-6sarge4_all.deb
stable/main/binary-all/systemimager-boot-ia64-standard_3.2.3-6sarge4_all.deb
systemimager (3.2.3-6sarge4) stable; urgency=low
  * upload of source

stable/main/binary-all/squirrelmail_1.4.4-10_all.deb
stable/main/source/squirrelmail_1.4.4-10.dsc
stable/main/source/squirrelmail_1.4.4-10.diff.gz
squirrelmail (2:1.4.4-10) stable; urgency=low
  * upload of source

stable/main/source/sql-ledger_2.4.7-2sarge1.diff.gz
stable/main/source/sql-ledger_2.4.7-2sarge1.dsc
stable/main/binary-all/sql-ledger_2.4.7-2sarge1_all.deb
sql-ledger (2.4.7-2sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/screen_4.0.2-4.1sarge1_amd64.deb
screen (4.0.2-4.1sarge1) stable-security; urgency=high
  * Fix out-of-bounds write when processing character codes in UTF-8
    sequences. (CVE-2006-4573)

stable/main/source/screen_4.0.2-4.1sarge1.dsc
stable/main/source/screen_4.0.2-4.1sarge1.diff.gz
screen (4.0.2-4.1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/winbind_3.0.14a-3sarge4_amd64.deb
stable/main/binary-amd64/smbclient_3.0.14a-3sarge4_amd64.deb
stable/main/binary-amd64/libsmbclient_3.0.14a-3sarge4_amd64.deb
stable/main/binary-amd64/libsmbclient-dev_3.0.14a-3sarge4_amd64.deb
stable/main/binary-amd64/samba-dbg_3.0.14a-3sarge4_amd64.deb
stable/main/binary-amd64/libpam-smbpass_3.0.14a-3sarge4_amd64.deb
stable/main/binary-amd64/smbfs_3.0.14a-3sarge4_amd64.deb
stable/main/binary-amd64/swat_3.0.14a-3sarge4_amd64.deb
stable/main/binary-amd64/samba_3.0.14a-3sarge4_amd64.deb
stable/main/binary-amd64/samba-common_3.0.14a-3sarge4_amd64.deb
stable/main/binary-amd64/python2.3-samba_3.0.14a-3sarge4_amd64.deb
samba (3.0.14a-3sarge4) stable-security; urgency=high
  * Update endless-loop DoS fix to cover another attack vector.

stable/main/source/samba_3.0.14a-3sarge4.diff.gz
stable/main/binary-all/samba-doc_3.0.14a-3sarge4_all.deb
stable/main/source/samba_3.0.14a-3sarge4.dsc
samba (3.0.14a-3sarge4) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libopenssl-ruby1.8_1.8.2-7sarge5_amd64.deb
stable/main/binary-amd64/libruby1.8_1.8.2-7sarge5_amd64.deb
stable/main/binary-amd64/libruby1.8-dbg_1.8.2-7sarge5_amd64.deb
stable/main/binary-amd64/ruby1.8_1.8.2-7sarge5_amd64.deb
stable/main/binary-amd64/libreadline-ruby1.8_1.8.2-7sarge5_amd64.deb
stable/main/binary-amd64/libtcltk-ruby1.8_1.8.2-7sarge5_amd64.deb
stable/main/binary-amd64/ruby1.8-dev_1.8.2-7sarge5_amd64.deb
stable/main/binary-amd64/libdbm-ruby1.8_1.8.2-7sarge5_amd64.deb
stable/main/binary-amd64/libgdbm-ruby1.8_1.8.2-7sarge5_amd64.deb
ruby1.8 (1.8.2-7sarge5) stable-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Fix a denial of service attack in CGI handling (CVE-2006-6303).
    - Added 905_CVE-2006-6303.patch

stable/main/binary-all/rdoc1.8_1.8.2-7sarge5_all.deb
stable/main/binary-all/irb1.8_1.8.2-7sarge5_all.deb
stable/main/source/ruby1.8_1.8.2-7sarge5.dsc
stable/main/binary-all/ruby1.8-elisp_1.8.2-7sarge5_all.deb
stable/main/binary-all/ruby1.8-examples_1.8.2-7sarge5_all.deb
stable/main/binary-all/ri1.8_1.8.2-7sarge5_all.deb
stable/main/source/ruby1.8_1.8.2-7sarge5.diff.gz
ruby1.8 (1.8.2-7sarge5) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libtcltk-ruby1.6_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/libpty-ruby1.6_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/libruby1.6-dbg_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/ruby1.6-dev_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/libreadline-ruby1.6_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/libcurses-ruby1.6_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/libsdbm-ruby1.6_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/libsyslog-ruby1.6_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/libdbm-ruby1.6_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/libgdbm-ruby1.6_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/libruby1.6_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/ruby1.6_1.6.8-12sarge3_amd64.deb
stable/main/binary-amd64/libtk-ruby1.6_1.6.8-12sarge3_amd64.deb
ruby1.6 (1.6.8-12sarge3) stable-security; urgency=high
  * akira yamada
    - added debian/patches/817_CVE-2006-5467.patch:
      - invalid multipart data can make cgi.rb infinite loop and CPU
        consumption. (CVE-2006-5467)
    - added debian/patches/818_cgi.rb_quote_boundary.patch:
      - invalid multipart boundary can make cgi.rb infinite loop and CPU
        consumption. (JVN#84798830)

stable/main/source/ruby1.6_1.6.8-12sarge3.diff.gz
stable/main/binary-all/ruby1.6-elisp_1.6.8-12sarge3_all.deb
stable/main/binary-all/ruby1.6-examples_1.6.8-12sarge3_all.deb
stable/main/source/ruby1.6_1.6.8-12sarge3.dsc
stable/main/binary-all/irb1.6_1.6.8-12sarge3_all.deb
ruby1.6 (1.6.8-12sarge3) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libqt3-dev_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3c102-odbc_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/qt3-designer_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3c102-sqlite_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3c102_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3-mt-dev_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3c102-psql_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3c102-mt_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3c102-mt-odbc_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3c102-mt-psql_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3c102-mysql_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3c102-mt-sqlite_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3c102-mt-mysql_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/qt3-linguist_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3-compat-headers_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/qt3-qtconfig_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/qt3-assistant_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/qt3-dev-tools-compat_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/qt3-dev-tools-embedded_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/qt3-dev-tools_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/libqt3-headers_3.3.4-3sarge1_amd64.deb
stable/main/binary-amd64/qt3-apps-dev_3.3.4-3sarge1_amd64.deb
qt-x11-free (3:3.3.4-3sarge1) stable-security; urgency=high
  * Non-maintainer upload by the security team.
  * Fix an integer overflow in image handling routines. CVE-2006-4811

stable/main/source/qt-x11-free_3.3.4-3sarge1.dsc
stable/main/binary-all/qt3-doc_3.3.4-3sarge1_all.deb
stable/main/binary-all/libqt3-i18n_3.3.4-3sarge1_all.deb
stable/main/source/qt-x11-free_3.3.4-3sarge1.diff.gz
stable/main/binary-all/qt3-examples_3.3.4-3sarge1_all.deb
qt-x11-free (3:3.3.4-3sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/python2.4_2.4.1-2sarge1_amd64.deb
stable/main/binary-amd64/python2.4-dev_2.4.1-2sarge1_amd64.deb
stable/main/binary-amd64/python2.4-dbg_2.4.1-2sarge1_amd64.deb
stable/main/binary-amd64/python2.4-tk_2.4.1-2sarge1_amd64.deb
stable/main/binary-amd64/python2.4-gdbm_2.4.1-2sarge1_amd64.deb
python2.4 (2.4.1-2sarge1) stable-security; urgency=high
  * SECURITY UPDATE: crafted wide unicode strings can overflow heap leading
    to arbitrary code execution.
  * Add 'debian/patches/sf1541585.dpatch' to fix overflow.
  * References
    CVE-2006-4980
    http://svn.python.org/view?view=rev&rev=51466

stable/main/source/python2.4_2.4.1-2sarge1.dsc
stable/main/binary-all/python2.4-doc_2.4.1-2sarge1_all.deb
stable/main/binary-all/idle-python2.4_2.4.1-2sarge1_all.deb
stable/main/source/python2.4_2.4.1-2sarge1.diff.gz
stable/main/binary-all/python2.4-examples_2.4.1-2sarge1_all.deb
python2.4 (2.4.1-2sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/python2.3-dev_2.3.5-3sarge2_amd64.deb
stable/main/binary-amd64/python2.3_2.3.5-3sarge2_amd64.deb
stable/main/binary-amd64/python2.3-gdbm_2.3.5-3sarge2_amd64.deb
stable/main/binary-amd64/python2.3-tk_2.3.5-3sarge2_amd64.deb
stable/main/binary-amd64/python2.3-mpz_2.3.5-3sarge2_amd64.deb
python2.3 (2.3.5-3sarge2) stable-security; urgency=high
  * SECURITY UPDATE: crafted wide unicode strings can overflow heap leading
    to arbitrary code execution.
  * Add 'debian/patches/unicode-repr.dpatch' to fix overflow.
  * References
    CVE-2006-4980
    http://svn.python.org/view?view=rev&rev=51466

stable/main/source/python2.3_2.3.5-3sarge2.dsc
stable/main/binary-all/python2.3-doc_2.3.5-3sarge2_all.deb
stable/main/binary-all/idle-python2.3_2.3.5-3sarge2_all.deb
stable/main/source/python2.3_2.3.5-3sarge2.diff.gz
stable/main/binary-all/python2.3-examples_2.3.5-3sarge2_all.deb
python2.3 (2.3.5-3sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/pstotext_1.9-1sarge2_amd64.deb
pstotext (1.9-1sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Fix arbitrary shell command execution due to insufficient sanitising of
    filenames. Patch by J.H.M. Dassen.

stable/main/source/pstotext_1.9-1sarge2.dsc
stable/main/source/pstotext_1.9-1sarge2.diff.gz
pstotext (1.9-1sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/proftpd-mysql_1.2.10-15sarge4_amd64.deb
stable/main/binary-amd64/proftpd-common_1.2.10-15sarge4_amd64.deb
stable/main/binary-amd64/proftpd-pgsql_1.2.10-15sarge4_amd64.deb
stable/main/binary-amd64/proftpd_1.2.10-15sarge4_amd64.deb
stable/main/binary-amd64/proftpd-ldap_1.2.10-15sarge4_amd64.deb
proftpd (1.2.10-15sarge4) stable-security; urgency=high
  Fixes a buffer overflow for mod_radius, found in 1.2.10 and missed before
  releasing.
  http://www.securityfocus.com/bid/16535
  http://bugs.proftpd.org/show_bug.cgi?id=2658
  Patch: 35.CVE_2005_4816

stable/main/source/proftpd_1.2.10-15sarge4.diff.gz
stable/main/binary-all/proftpd-doc_1.2.10-15sarge4_all.deb
stable/main/source/proftpd_1.2.10-15sarge4.dsc
proftpd (1.2.10-15sarge4) stable; urgency=low
  * upload of source

stable/main/binary-amd64/pinball_0.3.1-3.sarge1_amd64.deb
stable/main/binary-amd64/pinball-dev_0.3.1-3.sarge1_amd64.deb
pinball (0.3.1-3.sarge1) stable; urgency=high
  * Non-maintainer upload by the Stable Release team.
  * Fix uninstallability on powerpc.
stable/main/source/pinball_0.3.1-3.sarge1.dsc stable/main/binary-all/pinball-data_0.3.1-3.sarge1_all.deb stable/main/source/pinball_0.3.1-3.sarge1.diff.gz pinball (0.3.1-3.sarge1) stable; urgency=low * upload of source stable/main/source/phpmyadmin_2.6.2-3sarge3.diff.gz stable/main/binary-all/phpmyadmin_2.6.2-3sarge3_all.deb stable/main/source/phpmyadmin_2.6.2-3sarge3.dsc phpmyadmin (4:2.6.2-3sarge3) stable; urgency=low * upload of source stable/main/binary-amd64/php4-ldap_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-snmp_4.3.10-18_amd64.deb stable/main/binary-amd64/libapache-mod-php4_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-sybase_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-recode_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-odbc_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-xslt_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-mcal_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-gd_4.3.10-18_amd64.deb stable/main/binary-amd64/libapache2-mod-php4_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-cli_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-curl_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-common_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-imap_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-mysql_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-cgi_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-dev_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-domxml_4.3.10-18_amd64.deb stable/main/binary-amd64/php4-mhash_4.3.10-18_amd64.deb php4 (4:4.3.10-18) stable-security; urgency=high * NMU by the Security Team: * Fix buffer overflows in htmlentities() and htmlspecialchars() (CVE-2006-5465) stable/main/binary-all/php4-pear_4.3.10-18_all.deb stable/main/source/php4_4.3.10-18.dsc stable/main/binary-all/php4_4.3.10-18_all.deb stable/main/source/php4_4.3.10-18.diff.gz php4 (4:4.3.10-18) stable; urgency=low * upload of source stable/main/binary-amd64/pdns-server_2.9.17-13sarge3_amd64.deb 
stable/main/binary-amd64/pdns-backend-geo_2.9.17-13sarge3_amd64.deb stable/main/binary-amd64/pdns-backend-sqlite_2.9.17-13sarge3_amd64.deb stable/main/binary-amd64/pdns-backend-ldap_2.9.17-13sarge3_amd64.deb stable/main/binary-amd64/pdns-backend-pgsql_2.9.17-13sarge3_amd64.deb stable/main/binary-amd64/pdns-backend-pipe_2.9.17-13sarge3_amd64.deb stable/main/binary-amd64/pdns-recursor_2.9.17-13sarge3_amd64.deb stable/main/binary-amd64/pdns-backend-mysql_2.9.17-13sarge3_amd64.deb stable/main/binary-amd64/pdns_2.9.17-13sarge3_amd64.deb pdns (2.9.17-13sarge3) stable-security; urgency=high * NMU by the Security Team: * Fix stack overflow in DNS recursor. stable/main/source/pdns_2.9.17-13sarge3.diff.gz stable/main/binary-all/pdns-doc_2.9.17-13sarge3_all.deb stable/main/source/pdns_2.9.17-13sarge3.dsc pdns (2.9.17-13sarge3) stable; urgency=low * upload of source stable/main/binary-amd64/openvpn_2.0-1sarge4_amd64.deb openvpn (2.0-1sarge4) stable; urgency=low * Fixed bug in init.d script that made the restart action to fail, this was specially nasty when remotely upgrading the package through a VPN connection. (Reported in: #337951, #317339, #338162) stable/main/source/openvpn_2.0-1sarge4.dsc stable/main/source/openvpn_2.0-1sarge4.diff.gz openvpn (2.0-1sarge4) stable; urgency=low * upload of source stable/main/binary-amd64/openssh-client-udeb_3.8.1p1-8.sarge.6_amd64.udeb stable/main/binary-amd64/ssh-askpass-gnome_3.8.1p1-8.sarge.6_amd64.deb stable/main/binary-amd64/ssh_3.8.1p1-8.sarge.6_amd64.deb stable/main/binary-amd64/openssh-server-udeb_3.8.1p1-8.sarge.6_amd64.udeb openssh (1:3.8.1p1-8.sarge.6) stable-security; urgency=high * Non-maintainer upload by the Security team * Apply patch to correct a possible denial of service vulnerability caused by a signal handler race condition. 
CVE-2006-5051 stable/main/source/openssh_3.8.1p1-8.sarge.6.dsc stable/main/source/openssh_3.8.1p1-8.sarge.6.diff.gz openssh (1:3.8.1p1-8.sarge.6) stable; urgency=low * upload of source stable/main/binary-amd64/netrik_1.15.3-1sarge1_amd64.deb netrik (1.15.3-1sarge1) stable-security; urgency=high * Non-maintainer upload by The Security Team. * Properly sanitize filenames used for editing form fields. [CVE-2006-6678] stable/main/source/netrik_1.15.3-1sarge1.dsc stable/main/source/netrik_1.15.3-1sarge1.diff.gz netrik (1.15.3-1sarge1) stable; urgency=low * upload of source stable/main/binary-amd64/mozilla-thunderbird_1.0.2-2.sarge1.0.8e.2_amd64.deb stable/main/binary-amd64/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8e.2_amd64.deb stable/main/binary-amd64/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8e.2_amd64.deb stable/main/binary-amd64/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8e.2_amd64.deb stable/main/binary-amd64/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8e.2_amd64.deb mozilla-thunderbird (1.0.2-2.sarge1.0.8e.2) stable-security; urgency=critical * fix regression in 0015-MFSA-2006-68-CVE-2006-6497-Part-3-348304.txt stable/main/source/mozilla-thunderbird_1.0.2-2.sarge1.0.8e.2.diff.gz stable/main/source/mozilla-thunderbird_1.0.2-2.sarge1.0.8e.2.dsc mozilla-thunderbird (1.0.2-2.sarge1.0.8e.2) stable; urgency=low * upload of source stable/main/binary-amd64/mozilla-firefox-dom-inspector_1.0.4-2sarge15_amd64.deb stable/main/binary-amd64/mozilla-firefox-gnome-support_1.0.4-2sarge15_amd64.deb stable/main/binary-amd64/mozilla-firefox_1.0.4-2sarge15_amd64.deb mozilla-firefox (1.0.4-2sarge15) stable-security; urgency=critical * layout/xul/base/src/nsMenuFrame.cpp: Fix for regression from Alexander Sack. 
stable/main/source/mozilla-firefox_1.0.4-2sarge15.dsc stable/main/source/mozilla-firefox_1.0.4-2sarge15.diff.gz mozilla-firefox (1.0.4-2sarge15) stable; urgency=low * upload of source stable/main/binary-amd64/libnspr4_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/mozilla-dev_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/libnspr-dev_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/mozilla-js-debugger_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/mozilla-calendar_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/libnss-dev_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/libnss3_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/mozilla-chatzilla_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/mozilla-mailnews_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/mozilla-browser_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/mozilla-psm_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/mozilla_1.7.8-1sarge8_amd64.deb stable/main/binary-amd64/mozilla-dom-inspector_1.7.8-1sarge8_amd64.deb mozilla (2:1.7.8-1sarge8) stable-security; urgency=critical * Security update to backport the fixes from Mozilla branch 1.8.0.8. * 4_0014-MFSA2006-65-CVE-2006-5464-Part-1-310267.patch, 4_0015-MFSA2006-65-CVE-2006-5464-Part-2-350370.patch, 4_0016-MFSA2006-65-CVE-2006-5464-Part-3-307809.patch, 4_0018-MFSA2006-65-CVE-2006-5464-Part-4-351328.patch: Fixes for CVE-2006-5464 aka first part of mfsa2006-65 (Crashes with evidence of memory corruption (rv:1.8.0.8)). * 4_0001-MFSA2006-65-CVE-2006-5748-Part-1-350238.patch, 4_0002-MFSA2006-65-CVE-2006-5748-Part-2-351973.patch, 4_0005-MFSA2006-65-CVE-2006-5748-Part-3-352606.patch, 4_0008-MFSA2006-65-CVE-2006-5748-Part-4-349527.patch, 4_0010-MFSA2006-65-CVE-2006-5748-Part-5-354924.patch: Fixes for CVE-2006-5748 aka last part of mfsa2006-65 (Crashes with evidence of memory corruption (rv:1.8.0.8)). * 4_0019-MFSA2006-66-CVE-2006-5462-356215.patch: Fix for "RSA Signature Forgery (variant)", CVE-2006-5462 aka mfsa2006-66. 
* 4_0020-MFSA2006-67-CVE-2006-5463-355655.patch: Fix for "Running Script can be recompiled", CVE-2006-5463 aka mfsa2006-67. * 4_0006-noMFSA-CVE-2006-4310-351255.patch: Fix for CVE-2006-4310 (Remote DOS in FTP error handling), from bz#351255. * 4_0003-noMFSA-353264.patch, 4_0011-noMFSA-313400.patch, 4_0012-noMFSA-353704.patch, 4_0013-noMFSA-352264.patch, 4_0017-noMFSA-350524.patch: Many patches to fix crashes that can be triggered by malicious pages, no mfsa. bz#313400, bz#350524, bz#352264, bz#353264, bz#353704. * 4_0004-noMFSA-regression-fix-352873.patch: Fixes a regression introduced by a previous security update. bz#352873. * 4_0007-noMFSA-337744.patch: Protocol parsing tightening to avoid reading from the filesystem by unexpected resource or chrome urls. bz#337744. * 4_0009-noMFSA-334110.patch: A fix that goes along fixing a buffer overflow in libpng. bz#334110. stable/main/source/mozilla_1.7.8-1sarge8.diff.gz stable/main/source/mozilla_1.7.8-1sarge8.dsc mozilla (2:1.7.8-1sarge8) stable; urgency=low * upload of source stable/main/binary-amd64/ftpd_0.17-20sarge2_amd64.deb linux-ftpd (0.17-20sarge2) stable-security; urgency=high * Sarge security release. * Fixed ftpd from doing chdir while runing as root. (Closes: #384454) Thanks a lot to Paul Szabo for finding out and the patch. (CVE-2006-5778) stable/main/source/linux-ftpd_0.17-20sarge2.diff.gz stable/main/source/linux-ftpd_0.17-20sarge2.dsc linux-ftpd (0.17-20sarge2) stable; urgency=low * upload of source stable/main/binary-amd64/links_0.99+1.00pre12-1sarge1_amd64.deb links (0.99+1.00pre12-1sarge1) stable-security; urgency=high * Security non-maintainer upload. * Fix vulnerability in smb:// URI handling by rejecting '"' and ';' characters which could be used for remote command execution; patch backported from upstream 1.00pre19. 
(CVE-2006-5925) stable/main/source/links_0.99+1.00pre12-1sarge1.diff.gz stable/main/binary-all/links-ssl_0.99+1.00pre12-1sarge1_all.deb stable/main/source/links_0.99+1.00pre12-1sarge1.dsc links (0.99+1.00pre12-1sarge1) stable; urgency=low * upload of source stable/main/binary-amd64/libsoup2.2-7_2.2.3-2sarge1_amd64.deb stable/main/binary-amd64/libsoup2.2-dev_2.2.3-2sarge1_amd64.deb libsoup (2.2.3-2sarge1) stable-security; urgency=high * Fix remotely exploitable DoS vulnerability stable/main/binary-all/libsoup2.2-doc_2.2.3-2sarge1_all.deb stable/main/source/libsoup_2.2.3-2sarge1.diff.gz stable/main/source/libsoup_2.2.3-2sarge1.dsc libsoup (2.2.3-2sarge1) stable; urgency=low * upload of source stable/main/binary-amd64/libpam-ldap_178-1sarge3_amd64.deb libpam-ldap (178-1sarge3) stable-security; urgency=high * Non-maintainer upload by the Security Team * Applied Red Hat patch to fix authentication bypass [CVE-2006-5170] stable/main/source/libpam-ldap_178-1sarge3.diff.gz stable/main/source/libpam-ldap_178-1sarge3.dsc libpam-ldap (178-1sarge3) stable; urgency=low * upload of source stable/main/binary-amd64/libgtop2-dev_2.6.0-4sarge1_amd64.deb stable/main/binary-amd64/libgtop2-2_2.6.0-4sarge1_amd64.deb stable/main/binary-amd64/libgtop2-daemon_2.6.0-4sarge1_amd64.deb libgtop2 (2.6.0-4sarge1) stable-security; urgency=high * SECURITY: New patch, 20_proc_map-overflow.patch, fixes overflow in /proc/maps parsing code; (CVE-2006-0235) stable/main/source/libgtop2_2.6.0-4sarge1.diff.gz stable/main/source/libgtop2_2.6.0-4sarge1.dsc libgtop2 (2.6.0-4sarge1) stable; urgency=low * upload of source stable/main/binary-amd64/libgsf-1-dev_1.11.1-1sarge1_amd64.deb stable/main/binary-amd64/libgsf-gnome-1_1.11.1-1sarge1_amd64.deb stable/main/binary-amd64/libgsf-gnome-1-dbg_1.11.1-1sarge1_amd64.deb stable/main/binary-amd64/libgsf-1-dbg_1.11.1-1sarge1_amd64.deb stable/main/binary-amd64/libgsf-gnome-1-dev_1.11.1-1sarge1_amd64.deb stable/main/binary-amd64/libgsf-1_1.11.1-1sarge1_amd64.deb libgsf 
(1.11.1-1sarge1) stable-security; urgency=high * Non-maintainer upload by the Security Team * Applied patch forwarded by Ray Dassen to fix a heap overflow problem stable/main/source/libgsf_1.11.1-1sarge1.diff.gz stable/main/source/libgsf_1.11.1-1sarge1.dsc libgsf (1.11.1-1sarge1) stable; urgency=low * upload of source stable/main/binary-all/libcrypt-cbc-perl_2.12-1sarge2_all.deb stable/main/source/libcrypt-cbc-perl_2.12-1sarge2.dsc stable/main/source/libcrypt-cbc-perl_2.12-1sarge2.diff.gz libcrypt-cbc-perl (2.12-1sarge2) stable; urgency=low * upload of source stable/main/binary-amd64/l2tpns_2.0.14-1sarge1_amd64.deb l2tpns (2.0.14-1sarge1) stable-security; urgency=high * Non-maintainer upload by the Secrutiy Team * Fix potential remote code execution in cluster code. [CVE-2006-5873] stable/main/source/l2tpns_2.0.14-1sarge1.diff.gz stable/main/source/l2tpns_2.0.14-1sarge1.dsc l2tpns (2.0.14-1sarge1) stable; urgency=low * upload of source stable/main/source/kernel-source-2.6.8_2.6.8-16sarge6.dsc stable/main/binary-all/kernel-tree-2.6.8_2.6.8-16sarge6_all.deb stable/main/binary-all/kernel-doc-2.6.8_2.6.8-16sarge6_all.deb stable/main/binary-all/kernel-patch-debian-2.6.8_2.6.8-16sarge6_all.deb stable/main/binary-all/kernel-source-2.6.8_2.6.8-16sarge6_all.deb stable/main/source/kernel-source-2.6.8_2.6.8-16sarge6.diff.gz kernel-source-2.6.8 (2.6.8-16sarge6) stable; urgency=low * upload of source stable/main/binary-amd64/kernel-headers-2.6.8-12_2.6.8-16sarge6_amd64.deb stable/main/binary-amd64/kernel-image-2.6.8-12-amd64-k8-smp_2.6.8-16sarge6_amd64.deb stable/main/binary-amd64/kernel-headers-2.6.8-12-amd64-k8-smp_2.6.8-16sarge6_amd64.deb stable/main/binary-amd64/kernel-headers-2.6.8-12-amd64-generic_2.6.8-16sarge6_amd64.deb stable/main/binary-amd64/kernel-headers-2.6.8-12-amd64-k8_2.6.8-16sarge6_amd64.deb stable/main/binary-amd64/kernel-image-2.6.8-12-amd64-k8_2.6.8-16sarge6_amd64.deb stable/main/binary-amd64/kernel-image-2.6.8-12-amd64-generic_2.6.8-16sarge6_amd64.deb 
stable/main/binary-amd64/kernel-image-2.6.8-12-em64t-p4_2.6.8-16sarge6_amd64.deb stable/main/binary-amd64/kernel-image-2.6.8-12-em64t-p4-smp_2.6.8-16sarge6_amd64.deb stable/main/binary-amd64/kernel-headers-2.6.8-12-em64t-p4-smp_2.6.8-16sarge6_amd64.deb stable/main/binary-amd64/kernel-headers-2.6.8-12-em64t-p4_2.6.8-16sarge6_amd64.deb kernel-image-2.6.8-amd64 (2.6.8-16sarge6) stable-security; urgency=high * Build against kernel-tree-2.6.8-16sarge6: * perfmon-fd-refcnt.dpatch [SECURITY][ia64] Fix file descriptor leak in perfmonctl system call which could be used as a local denial of service attack by depleting the system of file descriptors See CVE-2006-3741 * ia64-sparc-cross-region-mappings.dpatch [SECURITY] Prevent cross-region mappings on ia64 and sparc which could be used in a local DoS attack (system crash) See CVE-2006-4538 * __block_prepare_write-recovery.dpatch [SECURITY] Fix an information leak in __block_prepare_write() See CVE-2006-4813 * atm-clip-freed-skb-deref.dpatch [SECURITY] Avoid dereferencing an already freed skb, preventing a potential remote DoS (system crash) vector See CVE-2006-4997 * ip6_flowlabel-lockup.dpatch [SECURITY] Fix local DoS attack vector (lockups, oopses) in the sequence handling for /proc/net/ip6_flowlabel See CVE-2006-5619 * ppc-alignment-exception-table-check.dpatch [SECURITY][ppc] Avoid potential DoS which can be triggered by some futex ops See CVE-2006-5649 * s390-uaccess-memleak.dpatch [SECURITY][s390] Fix memory leak in copy_from_user by clearing the remaining bytes of the kernel buffer after a fault on the userspace address in copy_from_user() See CVE-2006-5174 * smbfs-honor-mount-opts.dpatch Honor uid, gid and mode mount options for smbfs even when unix extensions are enabled See CVE-2006-5871 * bridge-get_fdb_entries-overflow.dpatch Protect against possible overflow in get_fdb_entries See CVE-2006-5751 stable/main/source/kernel-image-2.6.8-amd64_2.6.8-16sarge6.tar.gz 
stable/main/source/kernel-image-2.6.8-amd64_2.6.8-16sarge6.dsc kernel-image-2.6.8-amd64 (2.6.8-16sarge6) stable; urgency=low * upload of source stable/main/binary-all/ingo1_1.0.1-1sarge1_all.deb stable/main/source/ingo1_1.0.1-1sarge1.dsc stable/main/source/ingo1_1.0.1-1sarge1.diff.gz ingo1 (1.0.1-1sarge1) stable; urgency=low * upload of source stable/main/binary-amd64/libmagick++6_6.0.6.2-2.9_amd64.deb stable/main/binary-amd64/libmagick++6-dev_6.0.6.2-2.9_amd64.deb stable/main/binary-amd64/imagemagick_6.0.6.2-2.9_amd64.deb stable/main/binary-amd64/libmagick6-dev_6.0.6.2-2.9_amd64.deb stable/main/binary-amd64/libmagick6_6.0.6.2-2.9_amd64.deb stable/main/binary-amd64/perlmagick_6.0.6.2-2.9_amd64.deb imagemagick (6:6.0.6.2-2.9) stable-security; urgency=high * Non-maintainer upload for the Security Team. * coders/palm.c: Fix regression introduced in patch for CVE-2006-5456. Avoid bogus second read in macro call. Patch thanks to Vladimir Nadvornik. (CVE-2007-0770) stable/main/source/imagemagick_6.0.6.2-2.9.diff.gz stable/main/source/imagemagick_6.0.6.2-2.9.dsc imagemagick (6:6.0.6.2-2.9) stable; urgency=low * upload of source stable/main/binary-amd64/gv_3.6.1-10sarge2_amd64.deb gv (1:3.6.1-10sarge2) stable-security; urgency=high * Fix patch application breakage * Also extent patch for corner case previously unhandled stable/main/source/gv_3.6.1-10sarge2.diff.gz stable/main/source/gv_3.6.1-10sarge2.dsc gv (1:3.6.1-10sarge2) stable; urgency=low * upload of source stable/main/binary-amd64/libgtk2.0-0-dbg_2.6.4-3.2_amd64.deb stable/main/binary-amd64/gtk2.0-examples_2.6.4-3.2_amd64.deb stable/main/binary-amd64/libgtk2.0-0_2.6.4-3.2_amd64.deb stable/main/binary-amd64/gtk2-engines-pixbuf_2.6.4-3.2_amd64.deb stable/main/binary-amd64/libgtk2.0-dev_2.6.4-3.2_amd64.deb stable/main/binary-amd64/libgtk2.0-bin_2.6.4-3.2_amd64.deb gtk+2.0 (2.6.4-3.2) stable-security; urgency=high * Non-maintainer upload targetted at stable-security. 
* SECURITY: New patch, 030_CVE-2007-0010_error-handling-in-pixbuf-loaders, to fix error handling in pixbuf loaders; CVE-2007-0010; RedHat #218755, #218932. stable/main/source/gtk+2.0_2.6.4-3.2.diff.gz stable/main/binary-all/libgtk2.0-doc_2.6.4-3.2_all.deb stable/main/source/gtk+2.0_2.6.4-3.2.dsc stable/main/binary-all/libgtk2.0-common_2.6.4-3.2_all.deb gtk+2.0 (2.6.4-3.2) stable; urgency=low * upload of source stable/main/binary-amd64/gpgv-udeb_1.4.1-1.sarge6_amd64.udeb stable/main/binary-amd64/gnupg_1.4.1-1.sarge6_amd64.deb gnupg (1.4.1-1.sarge6) stable-security; urgency=high * Non-maintainer upload by the Security Team, based on a patch by Bernhard Herzog. * Added patch to fix crash in ask_outfile_name [g10/openfile.c, 24_CVE-2006-6169.dpatch] * Added patch to fix remotely controllable function pointer bug [g10/encr-data.c, 24_CVE-2006-6235.dpatch] stable/main/source/gnupg_1.4.1-1.sarge6.dsc stable/main/source/gnupg_1.4.1-1.sarge6.diff.gz gnupg (1.4.1-1.sarge6) stable; urgency=low * upload of source stable/main/binary-amd64/libnss-dns-udeb_2.3.2.ds1-22sarge5_amd64.udeb stable/main/binary-amd64/libc6_2.3.2.ds1-22sarge5_amd64.deb stable/main/binary-amd64/libc6-prof_2.3.2.ds1-22sarge5_amd64.deb stable/main/binary-amd64/libnss-files-udeb_2.3.2.ds1-22sarge5_amd64.udeb stable/main/binary-amd64/libc6-udeb_2.3.2.ds1-22sarge5_amd64.udeb stable/main/binary-amd64/nscd_2.3.2.ds1-22sarge5_amd64.deb stable/main/binary-amd64/libc6-dev_2.3.2.ds1-22sarge5_amd64.deb stable/main/binary-amd64/libc6-pic_2.3.2.ds1-22sarge5_amd64.deb stable/main/binary-amd64/libc6-dbg_2.3.2.ds1-22sarge5_amd64.deb glibc (2.3.2.ds1-22sarge5) stable; urgency=low * Aurelien Jarno - Update debian/patches/90_glibc232-timezones.dpatch with tzdata 2006p-1. This includes DST rules for West Australia and support for the "Energy Policy Act 2005". 
stable/main/source/glibc_2.3.2.ds1-22sarge5.diff.gz stable/main/binary-all/locales_2.3.2.ds1-22sarge5_all.deb stable/main/binary-all/glibc-doc_2.3.2.ds1-22sarge5_all.deb stable/main/source/glibc_2.3.2.ds1-22sarge5.dsc glibc (2.3.2.ds1-22sarge5) stable; urgency=low * upload of source stable/main/binary-all/flexbackup_1.2.1-2sarge1_all.deb stable/main/source/flexbackup_1.2.1-2sarge1.dsc stable/main/source/flexbackup_1.2.1-2sarge1.diff.gz flexbackup (1.2.1-2sarge1) stable; urgency=low * upload of source stable/main/binary-amd64/fetchmail_6.2.5-12sarge5_amd64.deb fetchmail (6.2.5-12sarge5) stable-security; urgency=high * SECURITY UPDATE: password can leak in cleartext when SSL configured. * Makefile.in, tls.c, pop2.c, pop3.c, imap.c, smtp.c, fetchmail.h: fixes extracted from Ubuntu who got it backporting from upstream. [CVE-2006-5867] stable/main/source/fetchmail_6.2.5-12sarge5.diff.gz stable/main/source/fetchmail_6.2.5-12sarge5.dsc stable/main/binary-all/fetchmail-ssl_6.2.5-12sarge5_all.deb stable/main/binary-all/fetchmailconf_6.2.5-12sarge5_all.deb fetchmail (6.2.5-12sarge5) stable; urgency=low * upload of source stable/main/binary-amd64/eximon_3.36-16sarge1_amd64.deb stable/main/binary-amd64/exim_3.36-16sarge1_amd64.deb exim (3.36-16sarge1) stable; urgency=low * NMU with maintainer's consent (cleared a long time ago) * acked by the stable release team * change package description to clearly show that exim 3 is deprecated stable/main/source/exim_3.36-16sarge1.dsc stable/main/source/exim_3.36-16sarge1.diff.gz exim (3.36-16sarge1) stable; urgency=low * upload of source stable/main/binary-amd64/evince_0.1.5-2sarge1_amd64.deb evince (0.1.5-2sarge1) stable-security; urgency=high * SECURITY: new patch, 10_CVE-2006-5864.patch, fixes a buffer overflow in the PostScript processor; thanks Kees Cook; CVE-2006-5864; closes: #402063. 
stable/main/source/evince_0.1.5-2sarge1.dsc stable/main/source/evince_0.1.5-2sarge1.diff.gz evince (0.1.5-2sarge1) stable; urgency=low * upload of source stable/main/binary-amd64/ethereal-dev_0.10.10-2sarge9_amd64.deb stable/main/binary-amd64/tethereal_0.10.10-2sarge9_amd64.deb stable/main/binary-amd64/ethereal-common_0.10.10-2sarge9_amd64.deb stable/main/binary-amd64/ethereal_0.10.10-2sarge9_amd64.deb ethereal (0.10.10-2sarge9) stable-security; urgency=high * Non-maintainer upload by the Security Team * Backported fixes for several vulnerabilities: * Memory exhaustion denial of service in the XOT dissector * Off-by-one buffer overflow in MIME Multipart dissector stable/main/source/ethereal_0.10.10-2sarge9.diff.gz stable/main/source/ethereal_0.10.10-2sarge9.dsc ethereal (0.10.10-2sarge9) stable; urgency=low * upload of source stable/main/source/enemies-of-carlotta_1.0.3-1sarge1.dsc stable/main/binary-all/enemies-of-carlotta_1.0.3-1sarge1_all.deb stable/main/source/enemies-of-carlotta_1.0.3-1sarge1.diff.gz enemies-of-carlotta (1.0.3-1sarge1) stable; urgency=low * upload of source stable/main/binary-amd64/elog_2.5.7+r1558-4+sarge3_amd64.deb elog (2.5.7+r1558-4+sarge3) stable-security; urgency=high * Security update: + Backport r1748-r1745 from upstream's Subversion repository: "Prevent crash if logbook 'global*' is accessed and a logbook 'global*' is defined in config file" This bug was reported by OS2A team. More details could be found in "#397875: ELOG Web Logbook Remote Denial of Service Vulnerability" + Backport the patch from Debian Security Audit team (r1749 in repository). Thanks to Ulf Harnhammar. Details could be found in #392016. Short excerpt from this bug report is quoted below: "There are some incorrect handling of *printf() calls and format strings. They lead to ELOG crashing completely, with the potential of executing arbitrary machine code programs under some conditions. There are also some cross-site scripting issues." 
+ HTML log entries are open to XSS vulnerabilites as demonstrated in #389361. Though HTML mode had not been enabled by default in this version of Elog, add "HTML default = 2" option to elog.conf for extra safety. Thanks to this option, the checkbox which enables HTML mode is not even shown during log entry. stable/main/source/elog_2.5.7+r1558-4+sarge3.dsc stable/main/source/elog_2.5.7+r1558-4+sarge3.diff.gz elog (2.5.7+r1558-4+sarge3) stable; urgency=low * upload of source stable/main/binary-amd64/elinks-lite_0.10.4-7.1_amd64.deb stable/main/binary-amd64/elinks_0.10.4-7.1_amd64.deb elinks (0.10.4-7.1) stable-security; urgency=high * Backport patch from links to fix security bug in smb:// URI handling: '"' and ';' characters could be used for remote command execution (CVE-2006-5925). stable/main/source/elinks_0.10.4-7.1.diff.gz stable/main/source/elinks_0.10.4-7.1.dsc elinks (0.10.4-7.1) stable; urgency=low * upload of source stable/main/binary-amd64/clamav-daemon_0.84-2.sarge.13_amd64.deb stable/main/binary-amd64/clamav_0.84-2.sarge.13_amd64.deb stable/main/binary-amd64/clamav-milter_0.84-2.sarge.13_amd64.deb stable/main/binary-amd64/clamav-freshclam_0.84-2.sarge.13_amd64.deb stable/main/binary-amd64/libclamav-dev_0.84-2.sarge.13_amd64.deb stable/main/binary-amd64/libclamav1_0.84-2.sarge.13_amd64.deb clamav (0.84-2.sarge.13) stable-security; urgency=low * libclamav/message.c: Unusual MIME Encoding Content Filter Bypass [ CVE-2006-6406 ] (closes: #401873) * clamscan/clamscan.c clamscan/manager.c clamscan/options.c clamav-milter/clamav-milter.c shared/cfgparser.c clamd/server-th.c libclamav/scanners.c libclamav/mbox.c libclamav/clamav.h etc/clamd.conf: nested multipart DoS [ CVE-2006-XXXX ] (closes: 401874) stable/main/binary-all/clamav-docs_0.84-2.sarge.13_all.deb stable/main/source/clamav_0.84-2.sarge.13.diff.gz stable/main/source/clamav_0.84-2.sarge.13.dsc stable/main/binary-all/clamav-base_0.84-2.sarge.13_all.deb 
stable/main/binary-all/clamav-testfiles_0.84-2.sarge.13_all.deb clamav (0.84-2.sarge.13) stable; urgency=low * upload of source stable/main/binary-all/cacti_0.8.6c-7sarge4_all.deb stable/main/source/cacti_0.8.6c-7sarge4.dsc stable/main/source/cacti_0.8.6c-7sarge4.diff.gz cacti (0.8.6c-7sarge4) stable; urgency=low * upload of source stable/main/binary-all/bugzilla_2.16.7-7sarge2_all.deb stable/main/source/bugzilla_2.16.7-7sarge2.diff.gz stable/main/source/bugzilla_2.16.7-7sarge2.dsc stable/main/binary-all/bugzilla-doc_2.16.7-7sarge2_all.deb bugzilla (2.16.7-7sarge2) stable; urgency=low * upload of source stable/main/binary-amd64/dnsutils_9.2.4-1sarge2_amd64.deb stable/main/binary-amd64/bind9_9.2.4-1sarge2_amd64.deb stable/main/binary-amd64/lwresd_9.2.4-1sarge2_amd64.deb stable/main/binary-amd64/libisccc0_9.2.4-1sarge2_amd64.deb stable/main/binary-amd64/libisccfg0_9.2.4-1sarge2_amd64.deb stable/main/binary-amd64/libdns16_9.2.4-1sarge2_amd64.deb stable/main/binary-amd64/libbind-dev_9.2.4-1sarge2_amd64.deb stable/main/binary-amd64/bind9-host_9.2.4-1sarge2_amd64.deb stable/main/binary-amd64/libisc7_9.2.4-1sarge2_amd64.deb stable/main/binary-amd64/liblwres1_9.2.4-1sarge2_amd64.deb bind9 (1:9.2.4-1sarge2) stable; urgency=low * Backport fix for CVE-2007-0494 (delta between 9.2.7 and 9.2.8) stable/main/source/bind9_9.2.4-1sarge2.diff.gz stable/main/source/bind9_9.2.4-1sarge2.dsc stable/main/binary-all/bind9-doc_9.2.4-1sarge2_all.deb bind9 (1:9.2.4-1sarge2) stable; urgency=low * upload of source stable/main/binary-amd64/asterisk_1.0.7.dfsg.1-2sarge4_amd64.deb stable/main/binary-amd64/asterisk-gtk-console_1.0.7.dfsg.1-2sarge4_amd64.deb stable/main/binary-amd64/asterisk-h323_1.0.7.dfsg.1-2sarge4_amd64.deb asterisk (1:1.0.7.dfsg.1-2sarge4) stable-security; urgency=high * Non-maintainer upload * Backported fix for buffer overflow in chan_skinny driver induced by an undetected integer underflow [debian/patches/99_CVE-2006-5444.dpatch] (Closes: #394025) 
stable/main/binary-all/asterisk-web-vmail_1.0.7.dfsg.1-2sarge4_all.deb
stable/main/source/asterisk_1.0.7.dfsg.1-2sarge4.diff.gz
stable/main/binary-all/asterisk-dev_1.0.7.dfsg.1-2sarge4_all.deb
stable/main/binary-all/asterisk-sounds-main_1.0.7.dfsg.1-2sarge4_all.deb
stable/main/source/asterisk_1.0.7.dfsg.1-2sarge4.dsc
stable/main/binary-all/asterisk-doc_1.0.7.dfsg.1-2sarge4_all.deb
stable/main/binary-all/asterisk-config_1.0.7.dfsg.1-2sarge4_all.deb
asterisk (1:1.0.7.dfsg.1-2sarge4) stable; urgency=low
  * upload of source

stable/main/binary-all/base-config_2.53.10.2-0.0.0.1.pure64_all.deb
stable/main/source/base-config_2.53.10.2-0.0.0.1.pure64.dsc
stable/main/source/base-config_2.53.10.2-0.0.0.1.pure64.tar.gz
base-config (2.53.10.2-0.0.0.1.pure64) stable; urgency=low
  * Replace the Mirrors.masterlist with one for amd64.

stable/main/binary-amd64/zope2.7_2.7.5-2sarge3_amd64.deb
zope2.7 (2.7.5-2sarge3) stable-security; urgency=high
  * SECURITY UPDATE: Arbitrary file inclusion.
  * Disable 'csv_table' ReST directive in included docutils to prevent reading arbitrary files through ReST documents.

stable/main/source/zope2.7_2.7.5-2sarge3.dsc
stable/main/source/zope2.7_2.7.5-2sarge3.diff.gz
zope2.7 (2.7.5-2sarge3) stable; urgency=low
  * upload of source

stable/main/binary-all/usermin-gnupg_1.110-3.1_all.deb
stable/main/binary-all/usermin_1.110-3.1_all.deb
stable/main/binary-all/usermin-postgresql_1.110-3.1_all.deb
stable/main/binary-all/usermin-usermount_1.110-3.1_all.deb
stable/main/binary-all/usermin-htaccess_1.110-3.1_all.deb
stable/main/binary-all/usermin-cron_1.110-3.1_all.deb
stable/main/binary-all/usermin-procmail_1.110-3.1_all.deb
stable/main/binary-all/usermin-htpasswd_1.110-3.1_all.deb
stable/main/source/usermin_1.110-3.1.diff.gz
stable/main/binary-all/usermin-cshrc_1.110-3.1_all.deb
stable/main/binary-all/usermin-man_1.110-3.1_all.deb
stable/main/binary-all/usermin-mailbox_1.110-3.1_all.deb
stable/main/binary-all/usermin-schedule_1.110-3.1_all.deb
stable/main/binary-all/usermin-chfn_1.110-3.1_all.deb
stable/main/binary-all/usermin-spamassassin_1.110-3.1_all.deb
stable/main/binary-all/usermin-shell_1.110-3.1_all.deb
stable/main/binary-all/usermin-fetchmail_1.110-3.1_all.deb
stable/main/binary-all/usermin-quota_1.110-3.1_all.deb
stable/main/binary-all/usermin-mysql_1.110-3.1_all.deb
stable/main/binary-all/usermin-forward_1.110-3.1_all.deb
stable/main/binary-all/usermin-commands_1.110-3.1_all.deb
stable/main/source/usermin_1.110-3.1.dsc
stable/main/binary-all/usermin-plan_1.110-3.1_all.deb
stable/main/binary-all/usermin-proc_1.110-3.1_all.deb
stable/main/binary-all/usermin-tunnel_1.110-3.1_all.deb
stable/main/binary-all/usermin-changepass_1.110-3.1_all.deb
stable/main/binary-all/usermin-ssh_1.110-3.1_all.deb
stable/main/binary-all/usermin-updown_1.110-3.1_all.deb
stable/main/binary-all/usermin-at_1.110-3.1_all.deb
usermin (1.110-3.1) stable; urgency=low
  * upload of source

stable/main/source/trac_0.8.1-3sarge5.dsc
stable/main/binary-all/trac_0.8.1-3sarge5_all.deb
stable/main/source/trac_0.8.1-3sarge5.diff.gz
trac (0.8.1-3sarge5) stable; urgency=low
  * upload of source

stable/main/source/systemimager_3.2.3-6sarge3.dsc
stable/main/binary-all/systemimager-boot-i386-standard_3.2.3-6sarge3_all.deb
stable/main/binary-all/systemimager-server-flamethrowerd_3.2.3-6sarge3_all.deb
stable/main/source/systemimager_3.2.3-6sarge3.tar.gz
stable/main/binary-all/systemimager-common_3.2.3-6sarge3_all.deb
stable/main/binary-all/systemimager-server_3.2.3-6sarge3_all.deb
stable/main/binary-all/systemimager-client_3.2.3-6sarge3_all.deb
stable/main/binary-all/systemimager-doc_3.2.3-6sarge3_all.deb
stable/main/binary-all/systemimager-boot-ia64-standard_3.2.3-6sarge3_all.deb
systemimager (3.2.3-6sarge3) stable; urgency=low
  * upload of source

stable/main/binary-amd64/streamripper_1.61.7-1sarge1_amd64.deb
streamripper (1.61.7-1sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team:
  * Fix buffer overflows in lib/http.c [CVE-2006-3124]

stable/main/source/streamripper_1.61.7-1sarge1.diff.gz
stable/main/source/streamripper_1.61.7-1sarge1.dsc
streamripper (1.61.7-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libmilter0_8.13.4-3sarge3_amd64.deb
stable/main/binary-amd64/libmilter-dev_8.13.4-3sarge3_amd64.deb
stable/main/binary-amd64/rmail_8.13.4-3sarge3_amd64.deb
stable/main/binary-amd64/sendmail-bin_8.13.4-3sarge3_amd64.deb
stable/main/binary-amd64/sensible-mda_8.13.4-3sarge3_amd64.deb
sendmail (8.13.4-3sarge3) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Applied patch to fix denial of service, Bug#385054, CVE-2006-4434, debian/patches/8.13/8.13.4/z_CVE-2006-4434.patch

stable/main/source/sendmail_8.13.4-3sarge3.dsc
stable/main/binary-all/sendmail-base_8.13.4-3sarge3_all.deb
stable/main/binary-all/sendmail_8.13.4-3sarge3_all.deb
stable/main/binary-all/sendmail-doc_8.13.4-3sarge3_all.deb
stable/main/binary-all/sendmail-cf_8.13.4-3sarge3_all.deb
stable/main/source/sendmail_8.13.4-3sarge3.diff.gz
sendmail (8.13.4-3sarge3) stable; urgency=low
  * upload of source
stable/main/binary-amd64/libreadline-ruby1.8_1.8.2-7sarge4_amd64.deb
stable/main/binary-amd64/libgdbm-ruby1.8_1.8.2-7sarge4_amd64.deb
stable/main/binary-amd64/libtcltk-ruby1.8_1.8.2-7sarge4_amd64.deb
stable/main/binary-amd64/libdbm-ruby1.8_1.8.2-7sarge4_amd64.deb
stable/main/binary-amd64/ruby1.8_1.8.2-7sarge4_amd64.deb
stable/main/binary-amd64/libruby1.8_1.8.2-7sarge4_amd64.deb
stable/main/binary-amd64/libopenssl-ruby1.8_1.8.2-7sarge4_amd64.deb
stable/main/binary-amd64/ruby1.8-dev_1.8.2-7sarge4_amd64.deb
stable/main/binary-amd64/libruby1.8-dbg_1.8.2-7sarge4_amd64.deb
ruby1.8 (1.8.2-7sarge4) stable-security; urgency=high
  * akira yamada - added debian/patches/903_JVN-83768862.patch and debian/patches/904_JVN-13947696.patch from Kobayashi Noritada (closes: #378029):
    - JVN#83768862: Alias features cannot handle safe levels correctly, so it can be a safety bypass.
    - JVN#13947696: Some methods have defects in that they can call other methods, which really should be prohibited, in safe level 4.

stable/main/binary-all/ruby1.8-examples_1.8.2-7sarge4_all.deb
stable/main/binary-all/ruby1.8-elisp_1.8.2-7sarge4_all.deb
stable/main/binary-all/ri1.8_1.8.2-7sarge4_all.deb
stable/main/source/ruby1.8_1.8.2-7sarge4.dsc
stable/main/binary-all/rdoc1.8_1.8.2-7sarge4_all.deb
stable/main/source/ruby1.8_1.8.2-7sarge4.diff.gz
stable/main/binary-all/irb1.8_1.8.2-7sarge4_all.deb
ruby1.8 (1.8.2-7sarge4) stable; urgency=low
  * upload of source

stable/main/binary-all/python2.1-textwrap_0.3.7-2sarge1_all.deb
stable/main/source/python-docutils_0.3.7-2sarge1.diff.gz
stable/main/source/python-docutils_0.3.7-2sarge1.dsc
stable/main/binary-all/python2.1-difflib_0.3.7-2sarge1_all.deb
stable/main/binary-all/python2.2-textwrap_0.3.7-2sarge1_all.deb
stable/main/binary-all/python2.2-docutils_0.3.7-2sarge1_all.deb
stable/main/binary-all/python-roman_0.3.7-2sarge1_all.deb
stable/main/binary-all/python-docutils_0.3.7-2sarge1_all.deb
stable/main/binary-all/python2.3-docutils_0.3.7-2sarge1_all.deb
stable/main/binary-all/python2.4-docutils_0.3.7-2sarge1_all.deb
python-docutils (0.3.7-2sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libssl0.9.6_0.9.6m-1sarge4_amd64.deb
openssl096 (0.9.6m-1sarge4) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Correct patch for CVE-2006-2940 to avoid the possibility of dereferencing an uninitialized pointer.

stable/main/source/openssl096_0.9.6m-1sarge4.diff.gz
stable/main/source/openssl096_0.9.6m-1sarge4.dsc
openssl096 (0.9.6m-1sarge4) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libcrypto0.9.7-udeb_0.9.7e-3sarge4_amd64.udeb
stable/main/binary-amd64/openssl_0.9.7e-3sarge4_amd64.deb
stable/main/binary-amd64/libssl0.9.7_0.9.7e-3sarge4_amd64.deb
stable/main/binary-amd64/libssl-dev_0.9.7e-3sarge4_amd64.deb
openssl (0.9.7e-3sarge4) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Correct patch for CVE-2006-2940 to avoid the possibility of dereferencing an uninitialized pointer.

stable/main/source/openssl_0.9.7e-3sarge4.diff.gz
stable/main/source/openssl_0.9.7e-3sarge4.dsc
openssl (0.9.7e-3sarge4) stable; urgency=low
  * upload of source

stable/main/binary-amd64/ssh-krb5_3.8.1p1-7sarge1_amd64.deb
openssh-krb5 (3.8.1p1-7sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team:
  * Fix potential code injection through double free() in fatal() signal handler. (CVE-2006-5051)
  * Fix CPU exhaustion vulnerability in CRC attack detection. (CVE-2006-4924)

stable/main/source/openssh-krb5_3.8.1p1-7sarge1.dsc
stable/main/source/openssh-krb5_3.8.1p1-7sarge1.diff.gz
openssh-krb5 (3.8.1p1-7sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libmysqlclient14_4.1.11a-4sarge7_amd64.deb
stable/main/binary-amd64/mysql-client-4.1_4.1.11a-4sarge7_amd64.deb
stable/main/binary-amd64/libmysqlclient14-dev_4.1.11a-4sarge7_amd64.deb
stable/main/binary-amd64/mysql-server-4.1_4.1.11a-4sarge7_amd64.deb
mysql-dfsg-4.1 (4.1.11a-4sarge7) stable-security; urgency=low
  * SECURITY: MySQL, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions. (CVE-2006-4226). Closes: #384798
  * SECURITY: Certain SQL queries could crash the server and prevent master-slave replication from continuing until manual intervention was taken. (CVE-2006-4380). Closes: #383165

stable/main/source/mysql-dfsg-4.1_4.1.11a-4sarge7.dsc
stable/main/binary-all/mysql-common-4.1_4.1.11a-4sarge7_all.deb
stable/main/source/mysql-dfsg-4.1_4.1.11a-4sarge7.diff.gz
mysql-dfsg-4.1 (4.1.11a-4sarge7) stable; urgency=low
  * upload of source

stable/main/binary-amd64/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8c.1_amd64.deb
stable/main/binary-amd64/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8c.1_amd64.deb
stable/main/binary-amd64/mozilla-thunderbird_1.0.2-2.sarge1.0.8c.1_amd64.deb
stable/main/binary-amd64/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8c.1_amd64.deb
stable/main/binary-amd64/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8c.1_amd64.deb
mozilla-thunderbird (1.0.2-2.sarge1.0.8c.1) stable-security; urgency=critical
  * various security issues addressed (aka 1.5.0.7 backports):
    0001-no-mfsa-CVE-2006-2788-321598.txt
    0002-MFSA2006-57-Part-1-2-CVE-2006-4565-346090.txt
    0003-MFSA2006-57-Part-2-2-CVE-2006-4566-346794.txt
    0004-MFSA2006-60-CVE-2006-4340-CVE-2006-4339-Part-1-3-350640.txt
    0005-MFSA2006-60-CVE-2006-4340-CVE-2006-4339-Part-2-3-351079.txt
    0006-MFSA2006-60-CVE-2006-4340-CVE-2006-4339-Part-3-3-351848.txt
    0007-MFSA2006-61-CVE-2006-4568-343168.txt
    0008-MFSA-2006-63-CVE-2006-4570-346984-mail-only.txt
    0009-MFSA2006-64-CVE-2006-4571-346980-grant-cellmap-patch.txt
    0010-MFSA2006-64-CVE-2006-4571-Section-3-5-Part-1-4-345967.txt
    0011-MFSA2006-64-CVE-2006-4571-Section-3-5-Part-3-4-348532.txt
    0012-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-1-20-268575.txt
    0013-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-2-20-306940.txt
    0014-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-3-20-307826.txt
    0015-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-5-20-337419.txt
    0016-MFSA2006-64-CVS-2006-4571-Section-4-5-Part-6-20-337883.txt
    0018-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-8a-20-348049.txt
    0019-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-8b-20-348049.txt
    0020-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-8c-20-348049.txt
    0021-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-8d-20-348049.txt
    0022-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-9-20-205735.txt
    0023-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-12-20-348062.txt
    0024-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-17-20-349201.txt
    0025-MFSA2006-64-CVE-2006-4571-Section-5-5-344085.txt
    0026-GetDepth-without-DEBUG-in-BlockFrame.txt
    0028-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-7-20-347355-without-svg-bug.txt

stable/main/source/mozilla-thunderbird_1.0.2-2.sarge1.0.8c.1.diff.gz
stable/main/source/mozilla-thunderbird_1.0.2-2.sarge1.0.8c.1.dsc
mozilla-thunderbird (1.0.2-2.sarge1.0.8c.1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/mozilla-firefox-gnome-support_1.0.4-2sarge11_amd64.deb
stable/main/binary-amd64/mozilla-firefox_1.0.4-2sarge11_amd64.deb
stable/main/binary-amd64/mozilla-firefox-dom-inspector_1.0.4-2sarge11_amd64.deb
mozilla-firefox (1.0.4-2sarge11) stable-security; urgency=critical
  * content/base/src/nsGenericElement.cpp: Patch from Alexander Sack to fix JavaScript regression that seems to affect Google Maps. (Closes: #385248, #385515)

stable/main/source/mozilla-firefox_1.0.4-2sarge11.diff.gz
stable/main/source/mozilla-firefox_1.0.4-2sarge11.dsc
mozilla-firefox (1.0.4-2sarge11) stable; urgency=low
  * upload of source

stable/main/binary-amd64/mozilla-js-debugger_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/mozilla-browser_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/libnspr4_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/mozilla-psm_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/mozilla-dev_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/mozilla-calendar_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/libnspr-dev_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/mozilla_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/libnss-dev_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/mozilla-chatzilla_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/libnss3_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/mozilla-dom-inspector_1.7.8-1sarge7.3.1_amd64.deb
stable/main/binary-amd64/mozilla-mailnews_1.7.8-1sarge7.3.1_amd64.deb
mozilla (2:1.7.8-1sarge7.3.1) stable-security; urgency=critical
  * fixes various security issues. Patches are:
    3_0001-no-mfsa-CVE-2006-2788-321598.txt
    3_0002-MFSA2006-57-Part-1-2-CVE-2006-4565-346090.txt
    3_0003-MFSA2006-57-Part-2-2-CVE-2006-4566-346794.txt
    3_0004-MFSA2006-60-CVE-2006-4340-CVE-2006-4339-Part-1-3-350640.txt
    3_0005-MFSA2006-60-CVE-2006-4340-CVE-2006-4339-Part-2-3-351079.txt
    3_0006-MFSA2006-60-CVE-2006-4340-CVE-2006-4339-Part-3-3-351848.txt
    3_0007-MFSA2006-61-CVE-2006-4568-343168.txt
    3_0008-MFSA-2006-63-CVE-2006-4570-346984-mail-only.txt
    3_0009-MFSA2006-64-CVE-2006-4571-346980-grant-cellmap-patch.txt
    3_0010-MFSA2006-64-CVE-2006-4571-Section-3-5-Part-1-4-345967.txt
    3_0011-MFSA2006-64-CVE-2006-4571-Section-3-5-Part-3-4-348532.txt
    3_0012-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-1-20-268575.txt
    3_0013-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-2-20-306940.txt
    3_0014-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-3-20-307826.txt
    3_0015-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-5-20-337419.txt
    3_0016-MFSA2006-64-CVS-2006-4571-Section-4-5-Part-6-20-337883.txt
    3_0018-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-8a-20-348049.txt
    3_0019-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-8b-20-348049.txt
    3_0020-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-8c-20-348049.txt
    3_0021-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-8d-20-348049.txt
    3_0022-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-9-20-205735.txt
    3_0023-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-12-20-348062.txt
    3_0024-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-17-20-349201.txt
    3_0025-MFSA2006-64-CVE-2006-4571-Section-5-5-344085.txt
    3_0026-GetDepth-without-DEBUG-in-BlockFrame.txt
    3_0028-MFSA2006-64-CVE-2006-4571-Section-4-5-Part-7-20-347355-without-svg-bug.txt

stable/main/source/mozilla_1.7.8-1sarge7.3.1.diff.gz
stable/main/source/mozilla_1.7.8-1sarge7.3.1.dsc
mozilla (2:1.7.8-1sarge7.3.1) stable; urgency=low
  * upload of source

stable/main/binary-all/migrationtools_46-1sarge1_all.deb
stable/main/source/migrationtools_46-1sarge1.diff.gz
stable/main/source/migrationtools_46-1sarge1.dsc
migrationtools (46-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libsqlod7.5.00-dev_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/python-maxdb_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/maxdb-sqlcli_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/python2.4-maxdb_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/maxdb-server-7.5.00_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/libsqldbc7.5.00_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/maxdb-lserver_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/maxdb-server-dbg-7.5.00_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/python2.3-maxdb-loader_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/maxdb-server_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/maxdb-dbanalyzer_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/python2.3-maxdb_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/maxdb-webtools_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/maxdb-loadercli_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/maxdb-dbmcli_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/python-maxdb-loader_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/python2.4-maxdb-loader_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/libsqlod7.5.00_7.5.00.24-4_amd64.deb
stable/main/binary-amd64/libsqldbc7.5.00-dev_7.5.00.24-4_amd64.deb
maxdb-7.5.00 (7.5.00.24-4) stable-security; urgency=high
  * Fix for remotely exploitable buffer overflow. (CVE-2006-4305)

stable/main/source/maxdb-7.5.00_7.5.00.24-4.dsc
stable/main/source/maxdb-7.5.00_7.5.00.24-4.diff.gz
maxdb-7.5.00 (7.5.00.24-4) stable; urgency=low
  * upload of source

stable/main/binary-amd64/mailman_2.1.5-8sarge5_amd64.deb
mailman (2.1.5-8sarge5) stable-security; urgency=high
  * Security update: log injection CVE-2006-4624

stable/main/source/mailman_2.1.5-8sarge5.diff.gz
stable/main/source/mailman_2.1.5-8sarge5.dsc
mailman (2.1.5-8sarge5) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libwmf-dev_0.2.8.3-2sarge1_amd64.deb
stable/main/binary-amd64/libwmf-bin_0.2.8.3-2sarge1_amd64.deb
stable/main/binary-amd64/libwmf0.2-7_0.2.8.3-2sarge1_amd64.deb
libwmf (0.2.8.3-2sarge1) stable-security; urgency=high
  * NMU by the Security Team:
  * Fix integer overflow in player.c (CVE-2006-3376)

stable/main/source/libwmf_0.2.8.3-2sarge1.dsc
stable/main/binary-all/libwmf-doc_0.2.8.3-2sarge1_all.deb
stable/main/source/libwmf_0.2.8.3-2sarge1.diff.gz
libwmf (0.2.8.3-2sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libmusicbrainz4_2.1.1-3sarge1_amd64.deb
stable/main/binary-amd64/libmusicbrainz4-dev_2.1.1-3sarge1_amd64.deb
libmusicbrainz-2.1 (2.1.1-3sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Added patch by Lukász Lalinsky and me to fix several buffer overflows [lib/http.cpp, lib/rdfparse.c, debian/patches/02-CVE-2006-4197.patch]

stable/main/source/libmusicbrainz-2.1_2.1.1-3sarge1.dsc
stable/main/source/libmusicbrainz-2.1_2.1.1-3sarge1.diff.gz
libmusicbrainz-2.1 (2.1.1-3sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libmusicbrainz2-dev_2.0.2-10sarge1_amd64.deb
stable/main/binary-amd64/python2.3-musicbrainz_2.0.2-10sarge1_amd64.deb
stable/main/binary-amd64/python2.2-musicbrainz_2.0.2-10sarge1_amd64.deb
stable/main/binary-amd64/python2.1-musicbrainz_2.0.2-10sarge1_amd64.deb
stable/main/binary-amd64/libmusicbrainz2_2.0.2-10sarge1_amd64.deb
stable/main/binary-amd64/python-musicbrainz_2.0.2-10sarge1_amd64.deb
libmusicbrainz-2.0 (2.0.2-10sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Added patch by Lukász Lalinsky and me to fix several buffer overflows [lib/http.cpp, lib/rdfparse.c, debian/patches/03-CVE-2006-4197.patch]

stable/main/source/libmusicbrainz-2.0_2.0.2-10sarge1.dsc
stable/main/source/libmusicbrainz-2.0_2.0.2-10sarge1.diff.gz
libmusicbrainz-2.0 (2.0.2-10sarge1) stable; urgency=low
  * upload of source

stable/main/source/kernel-source-2.6.8_2.6.8-16sarge5.diff.gz
stable/main/binary-all/kernel-doc-2.6.8_2.6.8-16sarge5_all.deb
stable/main/binary-all/kernel-source-2.6.8_2.6.8-16sarge5_all.deb
stable/main/source/kernel-source-2.6.8_2.6.8-16sarge5.dsc
stable/main/binary-all/kernel-patch-debian-2.6.8_2.6.8-16sarge5_all.deb
stable/main/binary-all/kernel-tree-2.6.8_2.6.8-16sarge5_all.deb
kernel-source-2.6.8 (2.6.8-16sarge5) stable; urgency=low
  * upload of source

stable/main/binary-amd64/kernel-headers-2.6.8-12-em64t-p4_2.6.8-16sarge5_amd64.deb
stable/main/binary-amd64/kernel-image-2.6.8-12-em64t-p4_2.6.8-16sarge5_amd64.deb
stable/main/binary-amd64/kernel-headers-2.6.8-12-amd64-k8-smp_2.6.8-16sarge5_amd64.deb
stable/main/binary-amd64/kernel-image-2.6.8-12-amd64-k8-smp_2.6.8-16sarge5_amd64.deb
stable/main/binary-amd64/kernel-headers-2.6.8-12-em64t-p4-smp_2.6.8-16sarge5_amd64.deb
stable/main/binary-amd64/kernel-image-2.6.8-12-amd64-generic_2.6.8-16sarge5_amd64.deb
stable/main/binary-amd64/kernel-headers-2.6.8-12-amd64-generic_2.6.8-16sarge5_amd64.deb
stable/main/binary-amd64/kernel-image-2.6.8-12-amd64-k8_2.6.8-16sarge5_amd64.deb
stable/main/binary-amd64/kernel-headers-2.6.8-12-amd64-k8_2.6.8-16sarge5_amd64.deb
stable/main/binary-amd64/kernel-image-2.6.8-12-em64t-p4-smp_2.6.8-16sarge5_amd64.deb
stable/main/binary-amd64/kernel-headers-2.6.8-12_2.6.8-16sarge5_amd64.deb
kernel-image-2.6.8-amd64 (2.6.8-16sarge5) stable-security; urgency=high
  * Build against kernel-tree-2.6.8-16sarge5:
    * [ERRATA] madvise_remove-restrict.dpatch [SECURITY]
      The 2.6.8-16sarge3 changelog associated this patch with CVE-2006-1524. However, this patch fixes an mprotect issue that was split off from the original report into CVE-2006-2071. 2.6.8 is not vulnerable to CVE-2006-1524, the madvise_remove issue. See CVE-2006-2071
    * fs-ext3-bad-nfs-handle.dpatch [SECURITY]
      James McKenzie discovered a Denial of Service vulnerability in the NFS driver. When exporting an ext3 file system over NFS, a remote attacker could exploit this to trigger a file system panic by sending a specially crafted UDP packet. See CVE-2006-3468
    * direct-io-write-mem-leak.dpatch [SECURITY]
      Fix memory leak in O_DIRECT write. See CVE-2004-2660
    * nfs-handle-long-symlinks.dpatch [SECURITY]
      Fix buffer overflow in NFS readline handling that allows a remote server to cause a denial of service (crash) via a long symlink. See CVE-2005-4798
    * cdrom-bad-cgc.buflen-assign.dpatch [SECURITY]
      Fix buffer overflow in dvd_read_bca which could potentially be used by a local user to trigger a buffer overflow via a specially crafted DVD, USB stick, or similar automatically mounted device. See CVE-2006-2935
    * usb-serial-ftdi_sio-dos.patch [SECURITY]
      Fix userspace DoS in ftdi_sio driver. See CVE-2006-2936
    * selinux-tracer-SID-fix.dpatch [SECURITY]
      Fix vulnerability in selinux_ptrace that prevents local users from changing the tracer SID to the SID of another process. See CVE-2006-1052
    * netfilter-SO_ORIGINAL_DST-leak.dpatch [SECURITY]
      Fix information leak in SO_ORIGINAL_DST. See CVE-2006-1343
    * sg-no-mmap-VM_IO.dpatch [SECURITY]
      Fix DoS vulnerability whereby a local user could attempt a dio/mmap and cause the sg driver to oops. See CVE-2006-1528
    * exit-bogus-bugon.dpatch [SECURITY]
      Remove bogus BUG() in exit.c which could be maliciously triggered by a local user. See CVE-2006-1855
    * readv-writev-missing-lsm-check.dpatch, readv-writev-missing-lsm-check-compat.dpatch [SECURITY]
      Add missing file_permission callback in readv/writev syscalls. See CVE-2006-1856
    * snmp-nat-mem-corruption-fix.dpatch [SECURITY]
      Fix memory corruption in snmp_trap_decode. See CVE-2006-2444
    * kfree_skb-race.dpatch [SECURITY]
      Fix race between kfree_skb and __skb_unlink. See CVE-2006-2446
    * hppa-mb-extraneous-semicolon.dpatch, sparc32-mb-extraneous-semicolons.dpatch, sparc64-mb-extraneous-semicolons.dpatch:
      Fix a syntax error caused by extraneous semicolons in smp_mb() macros which resulted in a build failure with kfree_skb-race.dpatch
    * sctp-priv-elevation.dpatch [SECURITY]
      Fix SCTP privilege escalation. See CVE-2006-3745
    * sctp-priv-elevation-2.dpatch [SECURITY]
      Fix local DoS resulting from sctp-priv-elevation.dpatch. See CVE-2006-4535
    * ppc-hid0-dos.dpatch [SECURITY][ppc]
      Fix local DoS by clearing HID0 attention enable on PPC970 at boot time. See CVE-2006-4093
    * udf-deadlock.dpatch [SECURITY]
      Fix possible UDF deadlock and memory corruption. See CVE-2006-4145

stable/main/source/kernel-image-2.6.8-amd64_2.6.8-16sarge5.tar.gz
stable/main/source/kernel-image-2.6.8-amd64_2.6.8-16sarge5.dsc
kernel-image-2.6.8-amd64 (2.6.8-16sarge5) stable; urgency=low
  * upload of source

stable/main/binary-amd64/kpager_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kdepasswd_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kwin_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/klipper_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kpersonalizer_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kdm_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kdebase-kio-plugins_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/ksysguardd_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kappfinder_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kdebase-dev_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kmenuedit_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/libkonq4-dev_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/ksysguard_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kicker_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/ksplash_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kdebase-bin_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/konqueror_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/ktip_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kate_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/khelpcenter_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/ksmserver_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/konqueror-nsplugins_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/libkonq4_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kdesktop_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/konsole_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kcontrol_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kdeprint_3.3.2-1sarge3_amd64.deb
stable/main/binary-amd64/kfind_3.3.2-1sarge3_amd64.deb
kdebase (4:3.3.2-1sarge3) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Fix information disclosure vulnerability in kdm [debian/patches/17_CVE-2006-2449-information-disclosure.diff]

stable/main/binary-all/kdebase-doc_3.3.2-1sarge3_all.deb
stable/main/source/kdebase_3.3.2-1sarge3.dsc
stable/main/source/kdebase_3.3.2-1sarge3.diff.gz
stable/main/binary-all/kdebase-data_3.3.2-1sarge3_all.deb
stable/main/binary-all/xfonts-konsole_3.3.2-1sarge3_all.deb
stable/main/binary-all/kdebase_3.3.2-1sarge3_all.deb
kdebase (4:3.3.2-1sarge3) stable; urgency=low
  * upload of source

stable/main/binary-amd64/isakmpd_20041012-1sarge1_amd64.deb
isakmpd (20041012-1sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Apply upstream patch to correct CVE-2006-4436 (Debian bug #385894)

stable/main/source/isakmpd_20041012-1sarge1.diff.gz
stable/main/source/isakmpd_20041012-1sarge1.dsc
isakmpd (20041012-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libmagick++6-dev_6.0.6.2-2.7_amd64.deb
stable/main/binary-amd64/imagemagick_6.0.6.2-2.7_amd64.deb
stable/main/binary-amd64/libmagick6-dev_6.0.6.2-2.7_amd64.deb
stable/main/binary-amd64/libmagick++6_6.0.6.2-2.7_amd64.deb
stable/main/binary-amd64/perlmagick_6.0.6.2-2.7_amd64.deb
stable/main/binary-amd64/libmagick6_6.0.6.2-2.7_amd64.deb
imagemagick (6:6.0.6.2-2.7) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Fix buffer overflows in SUN bitmap decoder [CVE-2006-3744]
  * Fix buffer overflows in XCF decoder [CVE-2006-3743]
  * Fix buffer overflow in display(1) [CVE-2006-2440]

stable/main/source/imagemagick_6.0.6.2-2.7.dsc
stable/main/source/imagemagick_6.0.6.2-2.7.diff.gz
imagemagick (6:6.0.6.2-2.7) stable; urgency=low
  * upload of source

stable/main/binary-amd64/gzip_1.3.5-10sarge2_amd64.deb
gzip (1.3.5-10sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team:
  * Fix several security problems discovered by Tavis Ormandy of Google:
    - DoS through null pointer dereference in the Huffman code (CVE-2006-4334)
    - Out-of-bounds stack write in LZH decompression code (CVE-2006-4335)
    - Buffer overflow in pack code (CVE-2006-4336)
    - Buffer overflow in LZH code (CVE-2006-4337)
    - DoS through an infinite loop in LZH code (CVE-2006-4337)
    (Patch by Thomas Biege of SuSe)

stable/main/source/gzip_1.3.5-10sarge2.dsc
stable/main/source/gzip_1.3.5-10sarge2.diff.gz
gzip (1.3.5-10sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/gtetrinet_0.7.8-1sarge2_amd64.deb
gtetrinet (0.7.8-1sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Rebuild to bypass alpha buildd problems

stable/main/source/gtetrinet_0.7.8-1sarge2.dsc
stable/main/source/gtetrinet_0.7.8-1sarge2.diff.gz
gtetrinet (0.7.8-1sarge2) stable; urgency=low
  * upload of source
stable/main/binary-amd64/libgnutls11-dev_1.0.16-13.2sarge2_amd64.deb
stable/main/binary-amd64/libgnutls11_1.0.16-13.2sarge2_amd64.deb
stable/main/binary-amd64/libgnutls11-dbg_1.0.16-13.2sarge2_amd64.deb
stable/main/binary-amd64/gnutls-bin_1.0.16-13.2sarge2_amd64.deb
gnutls11 (1.0.16-13.2sarge2) stable-security; urgency=high
  * Pulled from upstream 1.4.2-->1.4.4: Fix PKCS#1 verification to avoid a variant of Bleichenbacher's Crypto 06 rump session attack. See (which is not exactly the same as the problem we fix here). Reported by Yutaka OIWA. See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more information. CVE-2006-4790

stable/main/source/gnutls11_1.0.16-13.2sarge2.diff.gz
stable/main/source/gnutls11_1.0.16-13.2sarge2.dsc
gnutls11 (1.0.16-13.2sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/gpc-2.1-3.4_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libgcc1_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libgcj5-dev_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libgcj5-awt_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/gcj-3.4_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/gnat-3.4_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/lib32stdc++6_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/cpp-3.4_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/gobjc-3.4_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/gcc-3.4_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/g77-3.4_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libgcj5_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/fastjar_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libstdc++6-pic_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libffi3_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libstdc++6-dbg_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libffi3-dev_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/lib32gcc1_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libgnat-3.4_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/treelang-3.4_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libstdc++6-dev_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/libstdc++6_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/gij-3.4_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/gcc-3.4-base_3.4.3-13sarge1_amd64.deb
stable/main/binary-amd64/g++-3.4_3.4.3-13sarge1_amd64.deb
gcc-3.4 (3.4.3-13sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Applied patch by Richard Guenther to prevent directory traversal [fastjar/jartool.c, debian/patches/CVE-2006-3619.dpatch, http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28359]

stable/main/binary-all/cpp-3.4-doc_3.4.3-13sarge1_all.deb
stable/main/binary-all/gnat-3.4-doc_3.4.3-13sarge1_all.deb
stable/main/binary-all/libgcj5-common_3.4.3-13sarge1_all.deb
stable/main/binary-all/g77-3.4-doc_3.4.3-13sarge1_all.deb
stable/main/binary-all/libstdc++6-doc_3.4.3-13sarge1_all.deb
stable/main/source/gcc-3.4_3.4.3-13sarge1.diff.gz
stable/main/source/gcc-3.4_3.4.3-13sarge1.dsc
stable/main/binary-all/gpc-2.1-3.4-doc_3.4.3-13sarge1_all.deb
stable/main/binary-all/gcc-3.4-doc_3.4.3-13sarge1_all.deb
gcc-3.4 (3.4.3-13sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/freetype2-demos_2.1.7-6_amd64.deb
stable/main/binary-amd64/libfreetype6-udeb_2.1.7-6_amd64.udeb
stable/main/binary-amd64/libfreetype6-dev_2.1.7-6_amd64.deb
stable/main/binary-amd64/libfreetype6_2.1.7-6_amd64.deb
freetype (2.1.7-6) stable-security; urgency=high
  * Add debian/patches-freetype/CVE-2006-3467_pcf-strlen.patch for CVE-2006-3467, a missing string length check in PCF files that leads to a possibly exploitable integer overflow. Thanks to Martin Pitt for the patch. Closes: #379920.
stable/main/source/freetype_2.1.7-6.dsc
stable/main/source/freetype_2.1.7-6.diff.gz
freetype (2.1.7-6) stable; urgency=low
  * upload of source

stable/main/binary-amd64/ethereal-dev_0.10.10-2sarge8_amd64.deb
stable/main/binary-amd64/tethereal_0.10.10-2sarge8_amd64.deb
stable/main/binary-amd64/ethereal_0.10.10-2sarge8_amd64.deb
stable/main/binary-amd64/ethereal-common_0.10.10-2sarge8_amd64.deb
ethereal (0.10.10-2sarge8) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Memory exhaustion denial of service in Q.2391 dissector (CVE-2006-4333)

stable/main/source/ethereal_0.10.10-2sarge8.dsc
stable/main/source/ethereal_0.10.10-2sarge8.diff.gz
ethereal (0.10.10-2sarge8) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libdevmapper-dev_1.01.00-4sarge1_amd64.deb
stable/main/binary-amd64/dmsetup-udeb_1.01.00-4sarge1_amd64.udeb
stable/main/binary-amd64/libdevmapper1.01_1.01.00-4sarge1_amd64.deb
stable/main/binary-amd64/dmsetup_1.01.00-4sarge1_amd64.deb
stable/main/binary-amd64/libdevmapper1.01-udeb_1.01.00-4sarge1_amd64.udeb
devmapper (2:1.01.00-4sarge1) stable; urgency=low
  * Non-maintainer upload.
  * LVM devices are created with root:disk ownership and 0660 permissions, which are used by all other disk block devices. This allows backups of LVM logical volumes with tools such as amanda, which run as user backup, a member of the disk group.

stable/main/source/devmapper_1.01.00-4sarge1.diff.gz
stable/main/source/devmapper_1.01.00-4sarge1.dsc
devmapper (2:1.01.00-4sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/deal_3.0.8-2sarge1_amd64.deb
deal (3.0.8-2sarge1) stable; urgency=low
  * Fix segfault on amd64, (int)random() sometimes returned negative numbers (Closes: #383625).

stable/main/source/deal_3.0.8-2sarge1.diff.gz
stable/main/source/deal_3.0.8-2sarge1.dsc
deal (3.0.8-2sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/cscope_15.5-1.1sarge2_amd64.deb
cscope (15.5-1.1sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team:
  * Fix several buffer overflows. (CVE-2006-4262)

stable/main/source/cscope_15.5-1.1sarge2.diff.gz
stable/main/source/cscope_15.5-1.1sarge2.dsc
cscope (15.5-1.1sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/cheesetracker_0.9.9-1sarge1_amd64.deb
cheesetracker (0.9.9-1sarge1) stable-security; urgency=high
  * Non-maintainer upload by The Security Team.
  * Avoid buffer overflow when loading input files. [CVE-2006-3814]

stable/main/source/cheesetracker_0.9.9-1sarge1.dsc
stable/main/source/cheesetracker_0.9.9-1sarge1.diff.gz
cheesetracker (0.9.9-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/capi4hylafax_01.02.03-10sarge2_amd64.deb
capi4hylafax (1:01.02.03-10sarge2) stable-security; urgency=high
  * Update of the security update: Add the fix to the mgetty mode. Remote arbitrary command execution through TSI string. [CVE-2006-3126]

stable/main/source/capi4hylafax_01.02.03-10sarge2.diff.gz
stable/main/source/capi4hylafax_01.02.03-10sarge2.dsc
capi4hylafax (1:01.02.03-10sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/bomberclone_0.11.5-1sarge2_amd64.deb
bomberclone (0.11.5-1sarge2) stable-security; urgency=high
  * New maintainer. See bug #316569.
  * Applied patch by Steffen Pohle to fix remote vulnerabilities [ChangeLog, include/network.h, include/packets.h, src/configuration.c, src/network.c, src/packets.c, src/pkgcache.c, CVE-2006-4005, CVE-2006-4006]. See bug #382082.
stable/main/source/bomberclone_0.11.5-1sarge2.diff.gz
stable/main/binary-all/bomberclone-data_0.11.5-1sarge2_all.deb
stable/main/source/bomberclone_0.11.5-1sarge2.dsc
bomberclone (0.11.5-1sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libisc7_9.2.4-1sarge1_amd64.deb
stable/main/binary-amd64/libisccc0_9.2.4-1sarge1_amd64.deb
stable/main/binary-amd64/libbind-dev_9.2.4-1sarge1_amd64.deb
stable/main/binary-amd64/bind9_9.2.4-1sarge1_amd64.deb
stable/main/binary-amd64/lwresd_9.2.4-1sarge1_amd64.deb
stable/main/binary-amd64/dnsutils_9.2.4-1sarge1_amd64.deb
stable/main/binary-amd64/bind9-host_9.2.4-1sarge1_amd64.deb
stable/main/binary-amd64/libdns16_9.2.4-1sarge1_amd64.deb
stable/main/binary-amd64/liblwres1_9.2.4-1sarge1_amd64.deb
stable/main/binary-amd64/libisccfg0_9.2.4-1sarge1_amd64.deb
bind9 (1:9.2.4-1sarge1) stable; urgency=low
  * Backport bugfix for 1941 from 9.2.6-P1. Closes: #386237, #386245
    - fixes CVE-2006-4095 and CVE-2006-4096.
    - ncache_adderesult() should set eresult even if no rdataset is passed to it. [RT #15642]

stable/main/binary-all/bind9-doc_9.2.4-1sarge1_all.deb
stable/main/source/bind9_9.2.4-1sarge1.dsc
stable/main/source/bind9_9.2.4-1sarge1.diff.gz
bind9 (1:9.2.4-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/apache-perl_1.3.33-6sarge3_amd64.deb
stable/main/binary-amd64/apache-dbg_1.3.33-6sarge3_amd64.deb
stable/main/binary-amd64/apache-ssl_1.3.33-6sarge3_amd64.deb
stable/main/binary-amd64/apache_1.3.33-6sarge3_amd64.deb
stable/main/binary-amd64/libapache-mod-perl_1.29.0.3-6sarge3_amd64.deb
stable/main/binary-amd64/apache-common_1.3.33-6sarge3_amd64.deb
apache (1.3.33-6sarge3) stable-security; urgency=high
  * Non-maintainer upload by The Security Team.
  * Added 910_expect_header_xss_CVE-2006-391 to fix a potential XSS issue affecting the use of the Expect header. [CVE-2006-391]
  * Added 911_mod_imap_xss-CVE-2005-3352 to fix a potential XSS issue when using Referer headers in mod_imap. [CVE-2005-3352]

stable/main/binary-all/apache-doc_1.3.33-6sarge3_all.deb
stable/main/source/apache_1.3.33-6sarge3.dsc
stable/main/binary-all/apache-utils_1.3.33-6sarge3_all.deb
stable/main/binary-all/apache-dev_1.3.33-6sarge3_all.deb
stable/main/source/apache_1.3.33-6sarge3.diff.gz
apache (1.3.33-6sarge3) stable; urgency=low
  * upload of source

stable/main/binary-amd64/alsaplayer-daemon_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/alsaplayer-jack_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/libalsaplayer-dev_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/alsaplayer-alsa_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/alsaplayer-common_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/libalsaplayer0_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/alsaplayer-esd_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/alsaplayer-text_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/alsaplayer-gtk_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/alsaplayer-oss_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/alsaplayer-nas_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/alsaplayer_0.99.76-0.3sarge1_amd64.deb
stable/main/binary-amd64/alsaplayer-xosd_0.99.76-0.3sarge1_amd64.deb
alsaplayer (0.99.76-0.3sarge1) stable-security; urgency=high
  * Fix some buffer overflow bugs. (CVE-2006-4089)

stable/main/source/alsaplayer_0.99.76-0.3sarge1.diff.gz
stable/main/source/alsaplayer_0.99.76-0.3sarge1.dsc
alsaplayer (0.99.76-0.3sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/dhcp-client_2.0pl5-19.1sarge2_amd64.deb
stable/main/binary-amd64/dhcp-relay_2.0pl5-19.1sarge2_amd64.deb
stable/main/binary-amd64/dhcp_2.0pl5-19.1sarge2_amd64.deb
stable/main/binary-amd64/dhcp-client-udeb_2.0pl5-19.1sarge2_amd64.udeb
dhcp (2.0pl5-19.1sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Applied patch by Andrew Steets to fix denial of service [common/memory.c, debian/patches/z_CVE-2006-3122.patch, Bug#380273]

stable/main/binary-amd64/debian-installer-manual_20050317sarge1-0.1amd64_amd64.deb
stable/main/source/debian-installer_20050317sarge1-0.1amd64.tar.gz
stable/main/source/debian-installer_20050317sarge1-0.1amd64.dsc
debian-installer (20050317sarge1-0.1amd64) stable; urgency=low
  * Don't build the documentation since it doesn't include things for amd64.
  * Change kernel from 2.6.8-11 to 2.6.8-12 for amd64, so that we actually use the latest version.
  * Disable the monolithic target for amd64.
  * Use cut -d '-' instead of -d '.' to get the date.

stable/main/binary-amd64/zope2.7_2.7.5-2sarge2_amd64.deb
zope2.7 (2.7.5-2sarge2) stable-security; urgency=high
  * SECURITY UPDATE: Arbitrary file inclusion.
  * Disable 'raw' ReST directive in included docutils to prevent reading arbitrary files through ReST documents. (Closes: #377285)
    - CVE-2006-3458

stable/main/source/zope2.7_2.7.5-2sarge2.diff.gz
stable/main/source/zope2.7_2.7.5-2sarge2.dsc
zope2.7 (2.7.5-2sarge2) stable; urgency=low
  * upload of source

stable/main/source/zope-cmfplone_2.0.4-3sarge1.dsc
stable/main/binary-all/plone_2.0.4-3sarge1_all.deb
stable/main/source/zope-cmfplone_2.0.4-3sarge1.diff.gz
stable/main/binary-all/zope-cmfplone_2.0.4-3sarge1_all.deb
zope-cmfplone (2.0.4-3sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/xzgv_0.8-3sarge1_amd64.deb
xzgv (0.8-3sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Applied patch by Russell Marks to fix segmentation faults [src/readjpeg.c, CVE-2006-1060]

stable/main/source/xzgv_0.8-3sarge1.diff.gz
stable/main/source/xzgv_0.8-3sarge1.dsc
xzgv (0.8-3sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/xmcd_2.6-17sarge1_amd64.deb
stable/main/binary-amd64/cddb_2.6-17sarge1_amd64.deb
xmcd (2.6-17sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Fully implemented non-world-writeable directories [libdi_d/config.sh alias xmcdconfig, CVE-2006-2542]

stable/main/source/xmcd_2.6-17sarge1.dsc
stable/main/source/xmcd_2.6-17sarge1.diff.gz
xmcd (2.6-17sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/xine-ui_0.99.3-1sarge1_amd64.deb
xine-ui (0.99.3-1sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Corrected call to report() and printf() to fix format string vulnerabilities [src/xitk/main.c, src/xitk/xine-toolkit/xitk.c, CVE-2006-2230]

stable/main/source/xine-ui_0.99.3-1sarge1.diff.gz
stable/main/source/xine-ui_0.99.3-1sarge1.dsc
xine-ui (0.99.3-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libxine1_1.0.1-1sarge3_amd64.deb
stable/main/binary-amd64/libxine-dev_1.0.1-1sarge3_amd64.deb
xine-lib (1.0.1-1sarge3) stable-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Applied patch by Diego Pettenò to fix buffer overflow in the HTTP input plugin [src/input/input_http.c, CVE-2006-2802]

stable/main/source/xine-lib_1.0.1-1sarge3.dsc
stable/main/source/xine-lib_1.0.1-1sarge3.diff.gz
xine-lib (1.0.1-1sarge3) stable; urgency=low
  * upload of source

stable/main/binary-amd64/wzdftpd-mod-perl_0.5.2-1.1sarge2_amd64.deb
stable/main/binary-amd64/wzdftpd-mod-tcl_0.5.2-1.1sarge2_amd64.deb
stable/main/binary-amd64/wzdftpd_0.5.2-1.1sarge2_amd64.deb
stable/main/binary-amd64/wzdftpd-back-mysql_0.5.2-1.1sarge2_amd64.deb
stable/main/binary-amd64/wzdftpd-dev_0.5.2-1.1sarge2_amd64.deb
wzdftpd (0.5.2-1.1sarge2) stable; urgency=high
  * Fix depends for wzdftpd-mod-perl and wzdftpd-mod-tcl (Closes: #372531, #369829)

stable/main/source/wzdftpd_0.5.2-1.1sarge2.dsc
stable/main/source/wzdftpd_0.5.2-1.1sarge2.diff.gz
wzdftpd (0.5.2-1.1sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libwv2-dev_0.2.2-1sarge1_amd64.deb
stable/main/binary-amd64/libwv2-1_0.2.2-1sarge1_amd64.deb
wv2 (0.2.2-1sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Applied upstream patch to fix boundary check error [src/word_helper.h, CVE-2006-2197]

stable/main/source/wv2_0.2.2-1sarge1.diff.gz
stable/main/source/wv2_0.2.2-1sarge1.dsc
wv2 (0.2.2-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-all/webcalendar_0.9.45-4sarge5_all.deb
stable/main/source/webcalendar_0.9.45-4sarge5.diff.gz
stable/main/source/webcalendar_0.9.45-4sarge5.dsc
webcalendar (0.9.45-4sarge5) stable; urgency=low
  * upload of source

stable/main/binary-amd64/vlan_1.8-1sarge1_amd64.deb
vlan (1.8-1sarge1) stable; urgency=medium
  * Fix /etc/network/if-up.d/ip to not set rp_filter to 1 when rp_filter isn't set in /etc/network/interfaces. (Closes: #330673, #378714)
  * Add myself to Uploaders.
stable/main/source/vlan_1.8-1sarge1.dsc
stable/main/source/vlan_1.8-1sarge1.diff.gz
vlan (1.8-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/typespeed_0.4.4-8sarge1_amd64.deb
typespeed (0.4.4-8sarge1) stable; urgency=high
  * Non-maintainer upload by The Security Team.
  * Fix a buffer overflow when reading data from across the network. [CVE-2006-1515]

stable/main/source/typespeed_0.4.4-8sarge1.dsc
stable/main/source/typespeed_0.4.4-8sarge1.diff.gz
typespeed (0.4.4-8sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libtiffxx0_3.7.2-7_amd64.deb
stable/main/binary-amd64/libtiff4_3.7.2-7_amd64.deb
stable/main/binary-amd64/libtiff-tools_3.7.2-7_amd64.deb
stable/main/binary-amd64/libtiff-opengl_3.7.2-7_amd64.deb
stable/main/binary-amd64/libtiff4-dev_3.7.2-7_amd64.deb
tiff (3.7.2-7) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Backported patch by Tavis Ormandy to fix several vulnerabilities [libtiff/tif_aux.c, libtiff/tif_dir.c, libtiff/tif_dirinfo.c, libtiff/tif_dirread.c, libtiff/tif_fax3.c, libtiff/tif_jpeg.c, libtiff/tif_next.c, libtiff/tif_pixarlog.c, libtiff/tif_read.c, libtiff/tiffiop.h, debian/patches/CVE-2006-3459-3465.patch]

stable/main/source/tiff_3.7.2-7.dsc
stable/main/source/tiff_3.7.2-7.diff.gz
tiff (3.7.2-7) stable; urgency=low
  * upload of source

stable/main/binary-all/systemimager-client_3.2.3-6sarge2_all.deb
stable/main/binary-all/systemimager-boot-i386-standard_3.2.3-6sarge2_all.deb
stable/main/source/systemimager_3.2.3-6sarge2.tar.gz
stable/main/binary-all/systemimager-server_3.2.3-6sarge2_all.deb
stable/main/binary-all/systemimager-common_3.2.3-6sarge2_all.deb
stable/main/source/systemimager_3.2.3-6sarge2.dsc
stable/main/binary-all/systemimager-server-flamethrowerd_3.2.3-6sarge2_all.deb
stable/main/binary-all/systemimager-doc_3.2.3-6sarge2_all.deb
stable/main/binary-all/systemimager-boot-ia64-standard_3.2.3-6sarge2_all.deb
systemimager (3.2.3-6sarge2) stable; urgency=low
  * upload of source

stable/main/source/squirrelmail_1.4.4-9.diff.gz
stable/main/binary-all/squirrelmail_1.4.4-9_all.deb
stable/main/source/squirrelmail_1.4.4-9.dsc
squirrelmail (2:1.4.4-9) stable; urgency=low
  * upload of source

stable/main/binary-amd64/spamc_3.0.3-2sarge1_amd64.deb
spamassassin (3.0.3-2sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Applied upstream patch to fix remote command execution vulnerability [spamd/spamd.raw, debian/patches/40_CVE-2006-2447.dpatch]

stable/main/source/spamassassin_3.0.3-2sarge1.dsc
stable/main/source/spamassassin_3.0.3-2sarge1.diff.gz
stable/main/binary-all/spamassassin_3.0.3-2sarge1_all.deb
spamassassin (3.0.3-2sarge1) stable; urgency=low
  * upload of source

stable/main/source/sitebar_3.2.6-7.1.diff.gz
stable/main/source/sitebar_3.2.6-7.1.dsc
stable/main/binary-all/sitebar_3.2.6-7.1_all.deb
sitebar (3.2.6-7.1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/login_4.0.3-31sarge9_amd64.deb
stable/main/binary-amd64/passwd_4.0.3-31sarge9_amd64.deb
shadow (1:4.0.3-31sarge9) stable; urgency=low
  * passwd.postinst: On upgrades from any prior version, chmod 600 various base-config and d-i log files that might contain sensitive information, including in some cases, passwords. Thanks to Joey Hess for the patch. Closes: #356939

stable/main/source/shadow_4.0.3-31sarge9.diff.gz
stable/main/source/shadow_4.0.3-31sarge9.dsc
shadow (1:4.0.3-31sarge9) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libmilter0_8.13.4-3sarge2_amd64.deb
stable/main/binary-amd64/rmail_8.13.4-3sarge2_amd64.deb
stable/main/binary-amd64/libmilter-dev_8.13.4-3sarge2_amd64.deb
stable/main/binary-amd64/sensible-mda_8.13.4-3sarge2_amd64.deb
stable/main/binary-amd64/sendmail-bin_8.13.4-3sarge2_amd64.deb
sendmail (8.13.4-3sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Applied upstream patch to fix denial of service [VU#146718, Bug#380258, debian/patches/8.13/8.13.4/z_CVE-2006-1173.patch]

stable/main/source/sendmail_8.13.4-3sarge2.diff.gz
stable/main/binary-all/sendmail-cf_8.13.4-3sarge2_all.deb
stable/main/source/sendmail_8.13.4-3sarge2.dsc
stable/main/binary-all/sendmail-doc_8.13.4-3sarge2_all.deb
stable/main/binary-all/sendmail_8.13.4-3sarge2_all.deb
stable/main/binary-all/sendmail-base_8.13.4-3sarge2_all.deb
sendmail (8.13.4-3sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/samba_3.0.14a-3sarge2_amd64.deb
stable/main/binary-amd64/samba-dbg_3.0.14a-3sarge2_amd64.deb
stable/main/binary-amd64/smbfs_3.0.14a-3sarge2_amd64.deb
stable/main/binary-amd64/smbclient_3.0.14a-3sarge2_amd64.deb
stable/main/binary-amd64/samba-common_3.0.14a-3sarge2_amd64.deb
stable/main/binary-amd64/winbind_3.0.14a-3sarge2_amd64.deb
stable/main/binary-amd64/swat_3.0.14a-3sarge2_amd64.deb
stable/main/binary-amd64/libsmbclient-dev_3.0.14a-3sarge2_amd64.deb
stable/main/binary-amd64/python2.3-samba_3.0.14a-3sarge2_amd64.deb
stable/main/binary-amd64/libsmbclient_3.0.14a-3sarge2_amd64.deb
stable/main/binary-amd64/libpam-smbpass_3.0.14a-3sarge2_amd64.deb
samba (3.0.14a-3sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team: Fix anonymous memory exhaustion DoS. [CVE-2006-3403]

stable/main/binary-all/samba-doc_3.0.14a-3sarge2_all.deb
stable/main/source/samba_3.0.14a-3sarge2.diff.gz
stable/main/source/samba_3.0.14a-3sarge2.dsc
samba (3.0.14a-3sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libruby1.6-dbg_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/ruby1.6_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/libsdbm-ruby1.6_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/libruby1.6_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/libdbm-ruby1.6_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/libreadline-ruby1.6_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/ruby1.6-dev_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/libtk-ruby1.6_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/libcurses-ruby1.6_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/libsyslog-ruby1.6_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/libgdbm-ruby1.6_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/libtcltk-ruby1.6_1.6.8-12sarge2_amd64.deb
stable/main/binary-amd64/libpty-ruby1.6_1.6.8-12sarge2_amd64.deb
ruby1.6 (1.6.8-12sarge2) stable-security; urgency=high
  * akira yamada - added debian/patches/815-83768862.patch and debian/patches/816-13947696.patch from Kobayashi Noritada (see: #378029):
    - JVN#83768862: Alias features cannot handle safe levels correctly, so safe levels can be bypassed.
    - JVN#13947696: Some methods have defects that let them call other methods, which really should be prohibited, in safe level 4.
    (Both issues are tracked as CVE-2006-3694)

stable/main/binary-all/ruby1.6-elisp_1.6.8-12sarge2_all.deb
stable/main/source/ruby1.6_1.6.8-12sarge2.dsc
stable/main/source/ruby1.6_1.6.8-12sarge2.diff.gz
stable/main/binary-all/irb1.6_1.6.8-12sarge2_all.deb
stable/main/binary-all/ruby1.6-examples_1.6.8-12sarge2_all.deb
ruby1.6 (1.6.8-12sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/rssh_2.2.3-1.sarge.2_amd64.deb
rssh (2.2.3-1.sarge.2) stable-security; urgency=high
  * Command line parse fix for a problem introduced with the security fix integrated in 2.2.3-1.sarge.1. [CVE-2006-1320] (Closes: #363978)

stable/main/source/rssh_2.2.3-1.sarge.2.dsc
stable/main/source/rssh_2.2.3-1.sarge.2.diff.gz
rssh (2.2.3-1.sarge.2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libresmgr-dev_1.0-2sarge2_amd64.deb
stable/main/binary-amd64/resmgr_1.0-2sarge2_amd64.deb
stable/main/binary-amd64/libresmgr1_1.0-2sarge2_amd64.deb
resmgr (1.0-2sarge2) stable-security; urgency=high
  * Adjusted changelog entry

stable/main/source/resmgr_1.0-2sarge2.dsc
stable/main/source/resmgr_1.0-2sarge2.diff.gz
resmgr (1.0-2sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/quagga_0.98.3-7.2_amd64.deb
quagga (0.98.3-7.2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Moved patches named after the old rejected CVE name to refer to CVE-2006-2223.
  * Added a fifth patch to fix CVE-2006-2223 or CVE-2006-2224 resp.
  * Applied security patch that fixes a bug which allowed local users to cause a denial of service (CPU consumption) via a certain "sh ip bgp" command entered in the telnet interface [bgpd/bgp_community.c, CVE-2006-2276, closes: #366980]

stable/main/source/quagga_0.98.3-7.2.diff.gz
stable/main/source/quagga_0.98.3-7.2.dsc
stable/main/binary-all/quagga-doc_0.98.3-7.2_all.deb
quagga (0.98.3-7.2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/python2.2-pgsql_2.4.0-5sarge1_amd64.deb
stable/main/binary-amd64/python2.3-pgsql_2.4.0-5sarge1_amd64.deb
stable/main/binary-amd64/python2.1-pgsql_2.4.0-5sarge1_amd64.deb
python-pgsql (2.4.0-5sarge1) stable; urgency=high
  * In routines PgQuoteString() and PgQuoteBytea(), quotes are now escaped as '', not as \' (closes: #369250). In some multi-byte encodings you can exploit \' escaping to inject SQL code, and so \' no longer works for such client encodings with newer PostgreSQL servers. Thanks to Martin Pitt for the patch.
  * Reference: CVE-2006-2314.

stable/main/source/python-pgsql_2.4.0-5sarge1.diff.gz
stable/main/source/python-pgsql_2.4.0-5sarge1.dsc
stable/main/binary-all/python-pgsql_2.4.0-5sarge1_all.deb
python-pgsql (2.4.0-5sarge1) stable; urgency=low
  * upload of source

stable/main/binary-all/file-preseed_1.01.2_all.udeb
stable/main/binary-all/network-preseed_1.01.2_all.udeb
preseed (1.01.2) stable; urgency=low
  * upload of source

stable/main/source/preseed_1.01.2.tar.gz
stable/main/source/preseed_1.01.2.dsc
preseed (1.01.2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/ppxp_0.2001080415-10sarge2_amd64.deb
stable/main/binary-amd64/ppxp-x11_0.2001080415-10sarge2_amd64.deb
stable/main/binary-amd64/ppxp-dev_0.2001080415-10sarge2_amd64.deb
stable/main/binary-amd64/ppxp-tcltk_0.2001080415-10sarge2_amd64.deb
ppxp (0.2001080415-10sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * No-changes rebuild due to the release

stable/main/source/ppxp_0.2001080415-10sarge2.diff.gz
stable/main/source/ppxp_0.2001080415-10sarge2.dsc
ppxp (0.2001080415-10sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/ppp-udeb_2.4.3-20050321+2sarge1_amd64.udeb
stable/main/binary-amd64/ppp_2.4.3-20050321+2sarge1_amd64.deb
ppp (2.4.3-20050321+2sarge1) stable-security; urgency=medium
  * Non-maintainer upload by the Security Team
  * Applied patch by Marcus Meissner to honor the return value of a potentially failing setuid() call [pppd/plugins/winbind.c, debian/patches/zzz-CVE-2006-2194]

stable/main/source/ppp_2.4.3-20050321+2sarge1.diff.gz
stable/main/source/ppp_2.4.3-20050321+2sarge1.dsc
stable/main/binary-all/ppp-dev_2.4.3-20050321+2sarge1_all.deb
ppp (2.4.3-20050321+2sarge1) stable; urgency=low
  * upload of source

stable/main/source/postgrey_1.21-1sarge1.diff.gz
stable/main/source/postgrey_1.21-1sarge1.dsc
stable/main/binary-all/postgrey_1.21-1sarge1_all.deb
postgrey (1.21-1sarge1) stable; urgency=low
  * upload of source
stable/main/binary-amd64/libecpg-dev_7.4.7-6sarge3_amd64.deb
stable/main/binary-amd64/libpgtcl-dev_7.4.7-6sarge3_amd64.deb
stable/main/binary-amd64/postgresql_7.4.7-6sarge3_amd64.deb
stable/main/binary-amd64/postgresql-dev_7.4.7-6sarge3_amd64.deb
stable/main/binary-amd64/libpq3_7.4.7-6sarge3_amd64.deb
stable/main/binary-amd64/postgresql-client_7.4.7-6sarge3_amd64.deb
stable/main/binary-amd64/libecpg4_7.4.7-6sarge3_amd64.deb
stable/main/binary-amd64/libpgtcl_7.4.7-6sarge3_amd64.deb
stable/main/binary-amd64/postgresql-contrib_7.4.7-6sarge3_amd64.deb
postgresql (7.4.7-6sarge3) stable; urgency=low
  * debian/patches/57quote-escaping.patch:
    - contrib/dbmirror/DBMirror.pl: Fix parsing of quotes escaped as '' in the PendingData table to make the script work with the updated quoting method introduced in 7.4.7-6sarge2 (using \' escaping is insecure).
    - Closes: #372115

stable/main/binary-all/postgresql-doc_7.4.7-6sarge3_all.deb
stable/main/source/postgresql_7.4.7-6sarge3.diff.gz
stable/main/source/postgresql_7.4.7-6sarge3.dsc
postgresql (7.4.7-6sarge3) stable; urgency=low
  * upload of source

stable/main/source/popfile_0.22.2-2sarge1.diff.gz
stable/main/source/popfile_0.22.2-2sarge1.dsc
stable/main/binary-all/popfile_0.22.2-2sarge1_all.deb
popfile (0.22.2-2sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/pinball-dev_0.3.1-3sarge1_amd64.deb
stable/main/binary-amd64/pinball_0.3.1-3sarge1_amd64.deb
pinball (0.3.1-3sarge1) stable-security; urgency=high
  * Non-maintainer upload by The Security Team.
  * Avoid loading levels and compiled plugins from user-controllable locations. [CVE-2006-2196]

stable/main/source/pinball_0.3.1-3sarge1.diff.gz
stable/main/binary-all/pinball-data_0.3.1-3sarge1_all.deb
stable/main/source/pinball_0.3.1-3sarge1.dsc
pinball (0.3.1-3sarge1) stable; urgency=low
  * upload of source

stable/main/source/phpldapadmin_0.9.5-3sarge3.diff.gz
stable/main/source/phpldapadmin_0.9.5-3sarge3.dsc
stable/main/binary-all/phpldapadmin_0.9.5-3sarge3_all.deb
phpldapadmin (0.9.5-3sarge3) stable; urgency=low
  * upload of source

stable/main/binary-all/phpgroupware-stocks_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-fudforum_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-admin_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-registration_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-manual_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-img_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-polls_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-headlines_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-dj_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-chat_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-hr_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-tts_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-projects_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-notes_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-skel_0.9.16.005-3.sarge5_all.deb
stable/main/source/phpgroupware_0.9.16.005-3.sarge5.dsc
stable/main/binary-all/phpgroupware-filemanager_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-developer-tools_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-phpbrain_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-calendar_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-comic_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-ftp_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-core_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-xmlrpc_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-eldaptir_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-phpsysinfo_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-phpgwapi_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-infolog_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-wiki_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-bookmarks_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-email_0.9.16.005-3.sarge5_all.deb
stable/main/source/phpgroupware_0.9.16.005-3.sarge5.diff.gz
stable/main/binary-all/phpgroupware-nntp_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-forum_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-phonelog_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-news-admin_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-sitemgr_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-soap_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-setup_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-addressbook_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-messenger_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-preferences_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-etemplate_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-felamimail_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-folders_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-todo_0.9.16.005-3.sarge5_all.deb
stable/main/binary-all/phpgroupware-qmailldap_0.9.16.005-3.sarge5_all.deb
phpgroupware (0.9.16.005-3.sarge5) stable; urgency=low
  * upload of source

stable/main/source/phpbb2_2.0.13+1-6sarge3.dsc
stable/main/binary-all/phpbb2_2.0.13-6sarge3_all.deb
stable/main/binary-all/phpbb2-conf-mysql_2.0.13-6sarge3_all.deb
stable/main/source/phpbb2_2.0.13+1-6sarge3.diff.gz
stable/main/binary-all/phpbb2-languages_2.0.13-6sarge3_all.deb
phpbb2 (2.0.13+1-6sarge3) stable; urgency=low
  * upload of source

stable/main/binary-amd64/perl-debug_5.8.4-8sarge5_amd64.deb
stable/main/binary-amd64/libperl5.8_5.8.4-8sarge5_amd64.deb
stable/main/binary-amd64/perl_5.8.4-8sarge5_amd64.deb
stable/main/binary-amd64/perl-suid_5.8.4-8sarge5_amd64.deb
stable/main/binary-amd64/perl-base_5.8.4-8sarge5_amd64.deb
stable/main/binary-amd64/libperl-dev_5.8.4-8sarge5_amd64.deb
perl (5.8.4-8sarge5) stable; urgency=low
  * Apply upstream changes #23084 and #23085 to correct problems with the utf8/taint fix and Tk 804.27.

stable/main/source/perl_5.8.4-8sarge5.diff.gz
stable/main/binary-all/libcgi-fast-perl_5.8.4-8sarge5_all.deb
stable/main/source/perl_5.8.4-8sarge5.dsc
stable/main/binary-all/perl-modules_5.8.4-8sarge5_all.deb
stable/main/binary-all/perl-doc_5.8.4-8sarge5_all.deb
perl (5.8.4-8sarge5) stable; urgency=low
  * upload of source

stable/main/binary-amd64/osiris_4.0.6-1sarge1_amd64.deb
stable/main/binary-amd64/osirisd_4.0.6-1sarge1_amd64.deb
stable/main/binary-amd64/osirismd_4.0.6-1sarge1_amd64.deb
osiris (4.0.6-1sarge1) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Applied patch by Ulf Harnhammar to fix arbitrary code execution and other problems [osirisd/logging.c, osirismd/logging.c, CVE-2006-3120]

stable/main/source/osiris_4.0.6-1sarge1.diff.gz
stable/main/source/osiris_4.0.6-1sarge1.dsc
osiris (4.0.6-1sarge1) stable; urgency=low
  * upload of source

stable/main/binary-amd64/openvpn_2.0-1sarge3_amd64.deb
openvpn (2.0-1sarge3) stable-security; urgency=low
  * Sarge security release.
    - Applied upstream patches to disallow "setenv" to be pushed to clients from the server. (CVE-2006-1629)

stable/main/source/openvpn_2.0-1sarge3.dsc
stable/main/source/openvpn_2.0-1sarge3.diff.gz
openvpn (2.0-1sarge3) stable; urgency=low
  * upload of source

stable/main/binary-amd64/ncompress_4.2.4-15sarge2_amd64.deb
ncompress (4.2.4-15sarge2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Correction of the security patch by Ludwig Nussel [compress42.c, CVE-2006-1168]

stable/main/source/ncompress_4.2.4-15sarge2.dsc
stable/main/source/ncompress_4.2.4-15sarge2.diff.gz
ncompress (4.2.4-15sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/nagios-pgsql_1.3-cvs.20050402-2.sarge.2_amd64.deb
stable/main/binary-amd64/nagios-text_1.3-cvs.20050402-2.sarge.2_amd64.deb
stable/main/binary-amd64/nagios-mysql_1.3-cvs.20050402-2.sarge.2_amd64.deb
nagios (2:1.3-cvs.20050402-2.sarge.2) stable-security; urgency=high
  * Non-maintainer upload by the Security Team
  * Add overflow protection for Content-Length [cgi/getcgi.c, debian/patches/99999_CVE-2006-2162.dpatch]

stable/main/source/nagios_1.3-cvs.20050402-2.sarge.2.dsc
stable/main/source/nagios_1.3-cvs.20050402-2.sarge.2.diff.gz
stable/main/binary-all/nagios-common_1.3-cvs.20050402-2.sarge.2_all.deb
nagios (2:1.3-cvs.20050402-2.sarge.2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/mysql-server-4.1_4.1.11a-4sarge5_amd64.deb
stable/main/binary-amd64/libmysqlclient14-dev_4.1.11a-4sarge5_amd64.deb
stable/main/binary-amd64/libmysqlclient14_4.1.11a-4sarge5_amd64.deb
stable/main/binary-amd64/mysql-client-4.1_4.1.11a-4sarge5_amd64.deb
mysql-dfsg-4.1 (4.1.11a-4sarge5) stable-security; urgency=low
  * Security upload prepared for the security team by the Debian MySQL package maintainers.
  * Fixed DoS bug where any user could crash the server with "SELECT str_to_date(1, NULL);" (CVE-2006-3081). The vulnerability was discovered by Kanatoko. Closes: #373913
  * Fixed DoS bug where any user could crash the server with "SELECT date_format('%d%s', 1);" (CVE-2006-3469). The vulnerability was discovered by Maillefer Jean-David and filed as MySQL bug #20729. Closes: #375694

stable/main/binary-all/mysql-common-4.1_4.1.11a-4sarge5_all.deb
stable/main/source/mysql-dfsg-4.1_4.1.11a-4sarge5.dsc
stable/main/source/mysql-dfsg-4.1_4.1.11a-4sarge5.diff.gz
mysql-dfsg-4.1 (4.1.11a-4sarge5) stable; urgency=low
  * upload of source

stable/main/binary-amd64/libmysqlclient12_4.0.24-10sarge2_amd64.deb
stable/main/binary-amd64/libmysqlclient12-dev_4.0.24-10sarge2_amd64.deb
stable/main/binary-amd64/mysql-client_4.0.24-10sarge2_amd64.deb
stable/main/binary-amd64/mysql-server_4.0.24-10sarge2_amd64.deb
mysql-dfsg (4.0.24-10sarge2) stable-security; urgency=low
  * Security upload prepared for the security team by the Debian MySQL package maintainers.
  * Extracted upstream patch from the diff of 4.1.18 and 4.1.19 to fix the following bugs:
    - When sending a specifically malformed login packet, the server fills the response with uninitialized memory content which could contain sensitive information. (CVE-2006-1516)
    - An authenticated user could read random memory from MySQL server, by taking advantage of a non-checked packet length. (CVE-2006-1517)
    - An authenticated user could remotely execute arbitrary commands by taking advantage of a stack overflow. (CVE-2006-1518)
    Closes: #366043, #366048
  * Backported upstream patch to fix a bug which allows local users to bypass logging mechanisms via SQL queries that contain the NULL character. (CVE-2006-0903). Closes: #366162

stable/main/source/mysql-dfsg_4.0.24-10sarge2.diff.gz
stable/main/binary-all/mysql-common_4.0.24-10sarge2_all.deb
stable/main/source/mysql-dfsg_4.0.24-10sarge2.dsc
mysql-dfsg (4.0.24-10sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/mutt_1.5.9-2sarge2_amd64.deb
mutt (1.5.9-2sarge2) stable-security; urgency=high
  * Fix buffer overflow in IMAP parsing code

stable/main/source/mutt_1.5.9-2sarge2.diff.gz
stable/main/source/mutt_1.5.9-2sarge2.dsc
mutt (1.5.9-2sarge2) stable; urgency=low
  * upload of source

stable/main/binary-amd64/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.8a_amd64.deb
stable/main/binary-amd64/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.8a_amd64.deb
stable/main/binary-amd64/mozilla-thunderbird_1.0.2-2.sarge1.0.8a_amd64.deb
stable/main/binary-amd64/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8a_amd64.deb
stable/main/binary-amd64/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.8a_amd64.deb
mozilla-thunderbird (1.0.2-2.sarge1.0.8a) stable-security; urgency=critical
  * This release backports several security issues fixed in thunderbird 1.5.0.4. The patches listed below can be found in debian/patches/tbird.1.0.8-1.0.8a:
    + CVE-2006-2787 : 0001-mfsa2006-31-319263-336601-336313.patch
    + CVE-2006-2786 1/2 : 0002-mfsa2006-33-Part-1-2-329746.patch
    + CVE-2006-2786 1/2 : 0003-mfsa2006-33-Part-2-2-330214.patch
    + CVE-2006-2785 2/2 : 0004-mfsa2006-34-329521-329468.patch
    + CVE-2006-2775 : 0005-mfsa2006-35-329677.patch
                     0024-mfsa2006-35-335142-regression-1-2-for-329677.patch
                     0025-mfsa2006-35-337841-regression-part-2-2-for-329677.patch
    + CVE-2006-2784 : 0006-mfsa2006-36-330037.patch
    + CVE-2006-2776 : 0007-mfsa2006-37-330773-with-belt-and-braces.patch
    + CVE-2006-2778 : 0008-mfsa2006-38-330897.patch
    + CVE-2006-1942 : 0009-mfsa2006-39-CVE-2006-1942-334341.patch
    + CVE-2006-2781 : 0010-mfsa2006-40-334384-sea.patch
                     0010-mfsa2006-40-334384.patch
    + CVE-2006-2782 : 0011-mfsa2006-41-334977.patch
    + CVE-2006-2783 : 0012-mfsa2006-42-335816.patch
    + CVE-2006-2777 : 0013-mfsa2006-43-336830.patch
    + CVE-2006-2779 3/6 : 0014-mfsa2006-32-Part-3-7-326501.patch
    + CVE-2006-2779 4/6 : 0015-mfsa2006-32-Part-4a-7-326931.patch
    + CVE-2006-2779 4/6 : 0016-mfsa2006-32-Part-4b-7-329219.patch
    + CVE-2006-2779 4/6 : 0017-mfsa2006-32-Part-4c-7-330818-proper-aviary.patch
    + CVE-2006-2779 6/6 : 0018-content-html-document-src-nsHTMLContentSink.cpp-332971-mfsa2006-32-Part-6-7.patch
    + CVE-2006-2780 : 0019-js-src-jsstr.c-335535-mfsa2006-32-Part-7-7.patch
    + CVE-2006-2779 5/6 : 0021-mfsa2006-32-Part-5-7-327712.patch
  * Note: CVE-2006-2779 (mfsa2006-32) is only partially fixed. Missing are tricky parts 1/6 and 2/6 from advisory:
    1/6: Removing nested