
final report on all woody DSAs and sarge



We have now finished checking all the DSAs since woody's release, except
for a few that we didn't reach any conclusions on. The following
DSAs seem to still be unfixed in sarge:

php4 4:4.3.8-1 needed, have 4:4.3.4-4 for DSA-531
netkit-telnet-ssl 0.17.24+0.1-2 needed, have 0.17.24+0.1-1 for DSA-529
pavuk (unfixed; bug #264684) for DSA-527
rlpr (unfixed; bug #255402) for DSA-524
lha 1.14i-8 needed, have 1.14i-2 for DSA-515
log2mail (unfixed; bug #264687) for DSA-513
mysql-dfsg 4.0.18-6 needed, have 4.0.18-5 for DSA-483
hsftp 1.15-1 needed, have 1.12-1 for DSA-447
trr19 (unfixed; bug #264702) for DSA-430
slocate (unfixed; bug #226103) for DSA-428
tomcat4 4.1.24-2 needed, have 4.0.4-4 for DSA-395
gtksee 0.5.6-1 needed, have 0.5.2-0.1 for DSA-337
tomcat4 4.1.16-1 needed, have 4.0.4-4 for DSA-225

The above list is now generated automatically by newraff:~joeyh/checkdsa.pl.
Here's the full report:

[04 Aug 2004] DSA-536 libpng - several vulnerabilities
	{CAN-2004-0597 CAN-2004-0598 CAN-2004-0599 CAN-2004-0768}
	- libpng 1.0.15-6
	- libpng3 1.2.5.0-7
[02 Aug 2004] DSA-535 squirrelmail - several vulnerabilities
	{CAN-2004-0519 CAN-2004-0520 CAN-2004-0521 CAN-2004-0639}
	- squirrelmail 2:1.4.3a-0.1
[22 Jul 2004] DSA-534 mailreader - directory traversal
	{CAN-2002-1581}
	- mailreader 2.3.29-9
[22 Jul 2004] DSA-533 courier - cross-site scripting
	{CAN-2004-0591}
	- courier 0.45.4-4
[22 Jul 2004] DSA-532 libapache-mod-ssl - several vulnerabilities
	{CAN-2004-0488 CAN-2004-0700}
	- libapache-mod-ssl 2.8.19-1
[20 Jul 2004] DSA-531 php4 - several vulnerabilities
	{CAN-2004-0594 CAN-2004-0595}
	! php4 4:4.3.8-1
[17 Jul 2004] DSA-530 l2tpd - buffer overflow
	{CAN-2004-0649}
	- l2tpd 0.70-pre20031121-2
[17 Jul 2004] DSA-529 netkit-telnet-ssl - format string
	{CAN-2004-0640}
	! netkit-telnet-ssl 0.17.24+0.1-2
[17 Jul 2004] DSA-528 ethereal - denial of service
	{CAN-2004-0635}
	- ethereal 0.10.5-1
[03 Jul 2004] DSA-527 pavuk - buffer overflow
	{CAN-2004-0456}
	NOTE: DSA is incorrect; pavuk is in sarge and unstable.
	! pavuk (unfixed; bug #264684)
[03 Jul 2004] DSA-526 webmin - several vulnerabilities
	{CAN-2004-0582 CAN-2004-0583}
	- webmin 1.150-1
[24 Jun 2004] DSA-525 apache - buffer overflow
	{CAN-2004-0492}
	- apache 1.3.31-2
[19 Jun 2004] DSA-524 rlpr - several vulnerabilities
	{CAN-2004-0393 CAN-2004-0454}
	! rlpr (unfixed; bug #255402)
[19 Jun 2004] DSA-523 www-sql - buffer overflow
	{CAN-2004-0455}
	- www-sql 0.5.7-18
[19 Jun 2004] DSA-522 super - format string vulnerability
	{CAN-2004-0579}
	- super 3.23.0-1
[18 Jun 2004] DSA-521 sup - format string vulnerability
	{CAN-2004-0451}
	- sup 1.8-11
[16 Jun 2004] DSA-520 krb5 - buffer overflows
	{CAN-2004-0523}
	- krb5 1.3.3-2
[15 Jun 2004] DSA-519 cvs - several vulnerabilities
	{CAN-2004-0416 CAN-2004-0417 CAN-2004-0418}
	- cvs 1:1.12.9-1
[14 Jun 2004] DSA-518 kdelibs - unsanitised input
	{CAN-2004-0411}
	- kdelibs 3.2.3
[10 Jun 2004] DSA-517 cvs - buffer overflow
	{CAN-2004-0414}
	- cvs 1.12.9-1
[07 Jun 2004] DSA-516 postgresql - buffer overflow
	{CAN-2004-0547}
	- postgresql 07.03.0200-3
[05 Jun 2004] DSA-515 lha - several vulnerabilities
	{CAN-2004-0234 CAN-2004-0235}
	! lha 1.14i-8
	NOTE: If 1.14i-8 cannot get into testing, the fix for 1.14i-2.0.1
	from the DSA could be updated via t-p-u.
[04 Jun 2004] DSA-514 kernel-image-sparc-2.2 - failing function and TLB flush
	{CAN-2004-0077}
	- kernel-image-sparc-2.2 9.1
	NOTE: did not check other versions of the kernel
[03 Jun 2004] DSA-513 log2mail - format string
	{CAN-2004-0450}
	! log2mail (unfixed; bug #264687)
[02 Jun 2004] DSA-512 gallery - unauthenticated access
	{CAN-2004-0522}
	- gallery 1.4.3-pl2-1
[30 May 2004] DSA-511 ethereal - buffer overflows
	{CAN-2004-0176}
	- ethereal 0.10.3-1
[29 May 2004] DSA-510 jftpgw - format string
	{CAN-2004-0448}
	- jftpgw 0.13.4-1
[29 May 2004] DSA-509 gatos - privilege escalation
	{CAN-2004-0395}
	- gatos 0.0.5-12
[22 May 2004] DSA-508 xpcd - buffer overflow
	{CAN-2004-0402}
	- xpcd 2.08-10
[19 May 2004] DSA-507 cadaver - buffer overflow
	{CAN-2004-0398}
	- cadaver 0.22.1-3
[19 May 2004] DSA-506 neon - buffer overflow
	{CAN-2004-0398}
	- neon 0.24.6.dfsg-1
[19 May 2004] DSA-505 cvs - heap overflow
	{CAN-2004-0396}
	- cvs 1.12.5-6
[18 May 2004] DSA-504 heimdal - missing input sanitising
	{CAN-2004-0434}
	- heimdal 0.6.2-1
[13 May 2004] DSA-503 mah-jong - missing argument check
	{CAN-2004-0458}
	- mah-jong 1.6.2-1
[11 May 2004] DSA-502 exim-tls - buffer overflow
	{CAN-2004-0399 CAN-2004-0400}
	NOTE: exim-tls not in sarge
[07 May 2004] DSA-501 exim - buffer overflow
	{CAN-2004-0399 CAN-2004-0400}
	- exim 3.36-11
	- exim4 4.33-1
[01 May 2004] DSA-500 flim - insecure temporary file
	{CAN-2004-0422}
	- flim 1:1.14.6+0.20040415-1
[01 May 2004] DSA-499 rsync - directory traversal
	{CAN-2004-0426}
	- rsync 2.6.1-1
[30 Apr 2004] DSA-498 libpng - out of bound access
	{CAN-2004-0421}
	- libpng 1.0.15-5
	- libpng3 1.2.5.0-6
[29 Apr 2004] DSA-497 mc - several vulnerabilities
	{CAN-2004-0226 CAN-2004-0231 CAN-2004-0232}
	- mc 1:4.6.0-4.6.1-pre1-2
[29 Apr 2004] DSA-496 eterm - missing input sanitising
	{CAN-2003-0068}
	- eterm 0.9.2-6
[26 Apr 2004] DSA-495 linux-kernel-2.4.16-arm - several vulnerabilities
	{CAN-2003-0127 CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178}
	NOTE: 2.4.16 not present. Did not check newer kernels.
[21 Apr 2004] DSA-494 ident2 - buffer overflow
	{CAN-2004-0408}
	- ident2 1.04-2
[21 Apr 2004] DSA-493 xchat - buffer overflow
	{CAN-2004-0409}
	- xchat 2.0.8-1
[18 Apr 2004] DSA-492 iproute - denial of service
	{CAN-2003-0856}
	- iproute 20010824-13.1
[17 Apr 2004] DSA-491 linux-kernel-2.4.19-mips - several vulnerabilities
	{CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178}
	NOTE: 2.4.19 not present. Did not check newer kernels.
[17 Apr 2004] DSA-490 zope - arbitrary code execution
	{CVE-2002-0688}
	- zope 2.6.0-0.1
[17 Apr 2004] DSA-489 linux-kernel-2.4.17-mips+mipsel - several vulnerabilities
	{CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[16 Apr 2004] DSA-488 logcheck - insecure temporary directory
	{CAN-2004-0404}
	- logcheck 1.1.1-13.2
[16 Apr 2004] DSA-487 neon - format string
	{CAN-2004-0179}
	- neon 0.24.5-1
[16 Apr 2004] DSA-486 cvs - several vulnerabilities
	{CAN-2004-0180 CAN-2004-0405}
	- cvs 1:1.12.5-4
[14 Apr 2004] DSA-485 ssmtp - format string
	{CAN-2004-0156}
	- ssmtp 2.60.7
[14 Apr 2004] DSA-484 xonix - failure to drop privileges
	{CAN-2004-0157}
	- xonix 1.4-21
[14 Apr 2004] DSA-483 mysql - insecure temporary file creation
	{CAN-2004-0381}
	- mysql-dfsg 4.0.18-4
	{CAN-2004-0388}
	! mysql-dfsg 4.0.18-6
[14 Apr 2004] DSA-482 linux-kernel-2.4.17-apus+s390 - several vulnerabilities
	{CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[14 Apr 2004] DSA-481 linux-kernel-2.4.17-ia64 - several vulnerabilities
	{CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[14 Apr 2004] DSA-480 linux-kernel-2.4.17+2.4.18-hppa - several vulnerabilities
	{CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178}
	NOTE: 2.4.17/18 not present. Did not check newer kernels.
[14 Apr 2004] DSA-479 linux-kernel-2.4.18-alpha+i386+powerpc - several vulnerabilities
	{CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178}
	NOTE: 2.4.18 not present. Did not check newer kernels.
[06 Apr 2004] DSA-478 tcpdump - denial of service
	{CAN-2004-0183 CAN-2004-0184}
	- tcpdump 3.7.2-4
[06 Apr 2004] DSA-477 xine-ui - insecure temporary file creation
	{CAN-2004-0372}
	- xine-ui 0.99.1-1
[06 Apr 2004] DSA-476 heimdal - cross-realm
	{CAN-2004-0371}
	- heimdal 0.6.1-1
[05 Apr 2004] DSA-475 linux-kernel-2.4.18-hppa - several vulnerabilities
	{CAN-2003-0961 CAN-2003-0985 CAN-2004-0077}
	NOTE: 2.4.18 not present. Did not check newer kernels.
[03 Apr 2004] DSA-474 squid - ACL bypass
	{CAN-2004-0189}
	- squid 2.5.5-1
[03 Apr 2004] DSA-473 oftpd - denial of service
	{CAN-2004-0376}
	- oftpd 20040304-1
[03 Apr 2004] DSA-472 fte - several vulnerabilities
	{CAN-2003-0648}
	- fte 0.50.0-1.1
[02 Apr 2004] DSA-471 interchange - missing input sanitising
	{CAN-2004-0374}
	- interchange 5.0.1-1
[01 Apr 2004] DSA-470 linux-kernel-2.4.17-hppa - several vulnerabilities
	{CAN-2003-0961 CAN-2003-0985 CAN-2004-0077}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[29 Mar 2004] DSA-469 pam-pgsql - missing input sanitising
	{CAN-2004-0366}
	- pam-pgsql 0.5.2-7.1
[24 Mar 2004] DSA-468 emil - several vulnerabilities
	{CAN-2004-0152 CAN-2004-0153}
	- emil 2.1.0-beta9-14
[23 Mar 2004] DSA-467 ecartis - several vulnerabilities
	{CAN-2003-0781 CAN-2003-0782}
	- ecartis 1.0.0+cvs.20030911
[18 Mar 2004] DSA-466 linux-kernel-2.2.10-powerpc-apus - failing function and TLB flush
	{CAN-2004-0077}
	NOTE: 2.2.10 not present. Did not check newer kernels.
[17 Mar 2004] DSA-465 openssl - several vulnerabilities
	{CAN-2004-0079 CAN-2004-0081}
	- openssl 0.9.7d-1
	NOTE: CAN-2004-0081 only affects 0.9.6.
	NOTE: 0.9.7d also fixes CAN-2004-0112
	- openssl 0.9.6l
[16 Mar 2004] DSA-464 gdk-pixbuf - broken image handling
	{CAN-2004-0111}
	- gdk-pixbuf 0.22.0-3
[12 Mar 2004] DSA-463 samba - privilege escalation
	{CAN-2004-0186}
	- samba 3.0.2-2
[12 Mar 2004] DSA-462 xitalk - missing privilege release
	{CAN-2004-0151}
	- xitalk 1.1.11-11
[11 Mar 2004] DSA-461 calife - buffer overflow
	{CAN-2004-0188}
	- calife 2.8.6-1
[10 Mar 2004] DSA-460 sysstat - insecure temporary file
	{CAN-2004-0108}
	- sysstat 5.0.2-1
[10 Mar 2004] DSA-459 kdelibs - cookie path traversal
	{CAN-2003-0592}
	- kdelibs 4:3.1.3-1
[09 Mar 2004] DSA-458 python2.2 - buffer overflow
	{CAN-2004-0150}
	NOTE: not affected according to DSA
[08 Mar 2004] DSA-457 wu-ftpd - several vulnerabilities
	{CAN-2004-0148 CAN-2004-0185}
	- wu-ftpd 2.6.2-17.1
[06 Mar 2004] DSA-456 linux-kernel-2.2.19-arm - failing function and TLB flush
	{CAN-2004-0077}
	NOTE: 2.2.19 not present. Did not check newer kernels.
[03 Mar 2004] DSA-455 libxml - buffer overflows
	{CAN-2004-0110}
	- libxml 1.8.17-5
	- libxml2 2.6.6-1
[02 Mar 2004] DSA-454 linux-kernel-2.2.22-alpha - failing function and TLB flush
	{CAN-2004-0077}
	NOTE: 2.2.22 not present. Did not check newer kernels.
[02 Mar 2004] DSA-453 linux-kernel-2.2.20-i386+m68k+powerpc - failing function and TLB flush
	{CAN-2004-0077}
	NOTE: 2.2.20 not present. Did not check newer kernels.
[29 Feb 2004] DSA-452 libapache-mod-python - denial of service
	{CAN-2003-0973}
	- libapache-mod-python 2:2.7.10-1
[27 Feb 2004] DSA-451 xboing - buffer overflows
	{CAN-2004-0149}
	- xboing 2.4-26.1
[27 Feb 2004] DSA-450 linux-kernel-2.4.19-mips - several vulnerabilities
	{CAN-2003-0961 CAN-2003-0985 CAN-2004-0077}
	NOTE: 2.4.19 not present. Did not check newer kernels.
[24 Feb 2004] DSA-449 metamail - buffer overflow, format string bugs
	{CAN-2004-0104 CAN-2004-0105}
	- metamail 2.7-45.2
[22 Feb 2004] DSA-448 pwlib - several vulnerabilities
	{CAN-2004-0097}
	- pwlib 1.5.2-4
[22 Feb 2004] DSA-447 hsftp - format string
	{CAN-2004-0159}
	! hsftp 1.15-1
[21 Feb 2004] DSA-446 synaesthesia - insecure file creation
	{CAN-2004-0160}
	NOTE: DSA notes not setuid anymore so ok
[21 Feb 2004] DSA-445 lbreakout2 - buffer overflow
	{CAN-2004-0158}
	- lbreakout2 2.4
[20 Feb 2004] DSA-444 linux-kernel-2.4.17-ia64 - missing function return value check
	{CAN-2004-0077}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[19 Feb 2004] DSA-443 xfree86 - several vulnerabilities
	{CAN-2003-0690}
	- xfree86 4.3.0-0pre1v2
	{CAN-2004-0083 CAN-2004-0084 CAN-2004-0106}
	- xfree86 4.3.0-1
	{CAN-2004-0093 CAN-2004-0094}
	- xfree86 4.2.1-6
[19 Feb 2004] DSA-442 linux-kernel-2.4.17-s390 - several vulnerabilities
	{CAN-2003-0001 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248 CAN-2003-0364 CAN-2003-0961 CAN-2003-0985 CAN-2004-0077 CVE-2002-0429}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[18 Feb 2004] DSA-441 linux-kernel-2.4.17-mips+mipsel - missing function return value check
	{CAN-2004-0077}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[18 Feb 2004] DSA-440 linux-kernel-2.4.17-powerpc-apus - several vulnerabilities
	{CAN-2003-0961 CAN-2003-0985 CAN-2004-0077}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[18 Feb 2004] DSA-439 linux-kernel-2.4.16-arm - several vulnerabilities
	{CAN-2003-0961 CAN-2003-0985 CAN-2004-0077}
	NOTE: 2.4.16 not present. Did not check newer kernels.
[18 Feb 2004] DSA-438 linux-kernel-2.4.18-alpha+i386+powerpc - missing function return value check
	{CAN-2004-0077}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[11 Feb 2004] DSA-437 cgiemail - open mail relay
	{CAN-2002-1575}
	- cgiemail 1.6-20
[08 Feb 2004] DSA-436 mailman - several vulnerabilities
	{CAN-2003-0991}
	NOTE: apparently specific to mailman 2.0, not 2.1?
	{CAN-2003-0965}
	- mailman 2.1.4-1
	{CAN-2003-0038}
	- mailman 2.1.1-1
[06 Feb 2004] DSA-435 mpg123 - heap overflow
	{CAN-2003-0865}
	- mpg123 0.59r-15
[05 Feb 2004] DSA-434 gaim - several vulnerabilities
	{CAN-2004-0005 CAN-2004-0006 CAN-2004-0007 CAN-2004-0008}
	- gaim 1:0.75-2
[04 Feb 2004] DSA-433 kernel-patch-2.4.17-mips - integer overflow
	{CAN-2003-0961}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[03 Feb 2004] DSA-432 crawl - buffer overflow
	{CAN-2004-0103}
	- crawl 4.0.0beta26-4
[01 Feb 2004] DSA-431 perl - information leak
	{CAN-2003-0618}
	- perl 5.8.3-3
[28 Jan 2004] DSA-430 trr19 - missing privilege release
	{CAN-2004-0047}
	! trr19 (unfixed; bug #264702)
[26 Jan 2004] DSA-429 gnupg - cryptographic weakness
	{CAN-2003-0971}
	- gnupg 1.2.4-1
[20 Jan 2004] DSA-428 slocate - buffer overflow
	{CAN-2003-0848}
	! slocate (unfixed; bug #226103)
[19 Jan 2004] DSA-427 linux-kernel-2.4.17-mips+mipsel - missing boundary check
	{CAN-2003-0985}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[18 Jan 2004] DSA-426 netpbm-free - insecure temporary files
	{CAN-2003-0924}
	- netpbm-free 2:9.25-9
[16 Jan 2004] DSA-425 tcpdump - multiple vulnerabilities
	{CAN-2003-1029 CAN-2003-0989 CAN-2004-0055 CAN-2004-0057}
	HELP: No idea if this is fixed, we have a new upstream version
	HELP: that came out after these advisories, but neither the debian nor
	HELP: the upstream changelog seem to mention them.
	NOTE: Mailed maintainer.
[16 Jan 2004] DSA-424 mc - buffer overflow
	{CAN-2003-1023}
	- mc 1:4.6.0-4.6.1-pre1-1
[15 Jan 2004] DSA-423 linux-kernel-2.4.17-ia64 - several vulnerabilities
	{CAN-2003-0001 CAN-2003-0018 CAN-2003-0127 CAN-2003-0461 CAN-2003-0462 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552 CAN-2003-0961 CAN-2003-0985}
	NOTE: 2.4.17 not present. Did not check newer kernels.
[13 Jan 2004] DSA-422 cvs - remote vulnerability
	- cvs 1.11.11
[12 Jan 2004] DSA-421 mod-auth-shadow - password expiration
	{CAN-2004-0041}
	- mod-auth-shadow 1.4-1
[12 Jan 2004] DSA-420 jitterbug - improperly sanitised input
	{CAN-2004-0028}
	- jitterbug 1.6.2-4.5
[09 Jan 2004] DSA-419 phpgroupware - missing filename sanitising, SQL injection
	{CAN-2004-0016 CAN-2004-0017}
	- phpgroupware 0.9.14.007-4
[07 Jan 2004] DSA-418 vbox3 - privilege leak
	{CAN-2004-0015}
	- vbox3 0.1.8
[07 Jan 2004] DSA-417 linux-kernel-2.4.18-powerpc+alpha - missing boundary check
	{CAN-2003-0961 CAN-2003-0985}
	NOTE: 2.4.18 not present. Did not check newer kernels.
[06 Jan 2004] DSA-416 fsp - buffer overflow, directory traversal
	{CAN-2003-1022 CAN-2004-0011}
	- fsp 2.81.b18-1
[06 Jan 2004] DSA-415 zebra - denial of service
	{CAN-2003-0795 CAN-2003-0858}
	- quagga 0.96.4x-4
[06 Jan 2004] DSA-414 jabber - denial of service
	{CAN-2004-0013}
	- jabber 1.4.3-1
[06 Jan 2004] DSA-413 linux-kernel-2.4.18 - missing boundary check
	{CAN-2003-0985}
	NOTE: 2.4.18 not present. Did not check newer kernels.
[05 Jan 2004] DSA-412 nd - buffer overflows
	{CAN-2004-0014}
	- nd 0.8.2-1
[05 Jan 2004] DSA-411 mpg321 - format string vulnerability
	{CAN-2003-0969}
	- mpg321 0.2.10.3
[05 Jan 2004] DSA-410 libnids - buffer overflow
	{CAN-2003-0850}
	- libnids 1.18-1
[05 Jan 2004] DSA-409 bind - denial of service
	{CAN-2003-0914}
	- bind 1:8.4.3-1
[05 Jan 2004] DSA-408 screen - integer overflow
	{CAN-2003-0972}
	- screen 4.0.2-0.1
[05 Jan 2004] DSA-407 ethereal - buffer overflows
	{CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 CAN-2003-1012 CAN-2003-1013}
	- ethereal 0.10.0-1
[05 Jan 2004] DSA-406 lftp - buffer overflow 
	- lftp 2.6.10-1
[30 Dec 2003] DSA-405 xsok - missing privilege release
	{CAN-2003-0949}
	- xsok 1.02-11
[04 Dec 2003] DSA-404 rsync - heap overflow
	{CAN-2003-0962}
	- rsync 2.5.6-1.1
[01 Dec 2003] DSA-403 kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-source-2.4.18 - local root exploit
	{CAN-2003-0961}
	NOTE: 2.4.18 not present in sarge, did not check newer kernels.
[17 Nov 2003] DSA-402 minimalist - unsanitised input
	{CAN-2003-0902}
	- minimalist 2.4-1
[17 Nov 2003] DSA-401 hylafax - format strings
	{CAN-2003-0886}
	- hylafax 1:4.1.8-1
[11 Nov 2003] DSA-400 omega-rpg - buffer overflow
	{CAN-2003-0932}
	- omega-rpg 0.90-pa9-11
[10 Nov 2003] DSA-399 epic4 - buffer overflow
	{CAN-2003-0328}
	- epic4 1:1.1.11.20030409-2
[10 Nov 2003] DSA-398 conquest - buffer overflow
	{CAN-2003-0933}
	- conquest 7.2-5
[07 Nov 2003] DSA-397 postgresql - buffer overflow
	{CAN-2003-0901}
	- postgresql 7.3.4
[29 Oct 2003] DSA-396 thttpd - missing input sanitizing, wrong calculation
	{CAN-2002-1562 CAN-2003-0899}
	- thttpd 2.23beta1-2.3
[15 Oct 2003] DSA-395 tomcat4 - incorrect input handling
	{CAN-2003-0866}
	! tomcat4 4.1.24-2
	NOTE: another RC (unreproducible?) bug and missing deps (#263201)
	NOTE: are keeping the fix out of testing
[11 Oct 2003] DSA-394 openssl095 - ASN.1 parsing vulnerability
	{CAN-2003-0543 CAN-2003-0544 CAN-2003-0545}
	- openssl 0.9.7c
	- openssl096 0.9.6k
[01 Oct 2003] DSA-393 openssl - denial of service
	{CAN-2003-0543 CAN-2003-0544 CAN-2003-0545}
	- openssl 0.9.7c
	- openssl096 0.9.6k
[29 Sep 2003] DSA-392 webfs - buffer overflows, file and directory exposure
	{CAN-2003-0832 CAN-2003-0833}
	- webfs 1.20
[28 Sep 2003] DSA-391 freesweep - buffer overflow
	{CAN-2003-0828}
	- freesweep 0.88-4.1
[26 Sep 2003] DSA-390 marbles - buffer overflow
	{CAN-2003-0830}
	NOTE not present in sid, sarge
[20 Sep 2003] DSA-389 ipmasq - insecure packet filtering rules
	{CAN-2003-0785}
	- ipmasq 3.5.12
[19 Sep 2003] DSA-388 kdebase - several vulnerabilities
	{CAN-2003-0690 CAN-2003-0692}
	- kdebase 4:3.2
[18 Sep 2003] DSA-387 gopher - buffer overflows
	{CAN-2003-0805}
	- gopher 3.0.6
[18 Sep 2003] DSA-386 libmailtools-perl - input validation bug
	{CAN-2002-1271}
	- libmailtools-perl 1.51
[18 Sep 2003] DSA-385 hztty - buffer overflows
	{CAN-2003-0783}
	- hztty 2.0-6
[17 Sep 2003] DSA-384 sendmail - buffer overflows
	{CAN-2003-0681 CAN-2003-0694}
	- sendmail 8.12.10-1
[17 Sep 2003] DSA-383 ssh-krb5 - possible remote vulnerability
	{CAN-2003-0693}
	{CAN-2003-0695}
	{CAN-2003-0682}
	HELP: Screwy changelog does not make sense. Filed bug.
[16 Sep 2003] DSA-382 ssh - possible remote vulnerability
	{CAN-2003-0693}
	- openssh 1:3.6.1p2-6.0
	{CAN-2003-0695}
	- openssh 1:3.7.1
	{CAN-2003-0682}
	- openssh 1:3.6.1p2-9
[13 Sep 2003] DSA-381 mysql - buffer overflow
	{CAN-2003-0780}
	- mysql-dfsg 4.0.15-1
[12 Sep 2003] DSA-380 xfree86 - buffer overflows, denial of service
	{CAN-2003-0063}
	- xfree86 4.2.1-11
	{CAN-2003-0071}
	- xfree86 4.2.1-11
	{CAN-2002-0164}
	- xfree86 4.2.1-11
	{CAN-2003-0730}
	- xfree86 4.2.1-12
[11 Sep 2003] DSA-379 sane-backends - several vulnerabilities
	{CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778}
	- sane-backends 1.0.11-1
[07 Sep 2003] DSA-378 mah-jong - buffer overflows, denial of service
	{CAN-2003-0705 CAN-2003-0706}
	- mah-jong 1.5.6-2
[04 Sep 2003] DSA-377 wu-ftpd - insecure program execution
	{CVE-1999-0997}
	- wu-ftpd 2.6.2-15
[04 Sep 2003] DSA-376 exim - buffer overflow
	{CAN-2003-0743}
	- exim 3.36-8
[29 Aug 2003] DSA-375 node - buffer overflow, format string
	{CAN-2003-0707 CAN-2003-0708}
	- node 0.3.2-1
[26 Aug 2003] DSA-374 libpam-smb - buffer overflow
	{CAN-2003-0686}
	NOTE: not in sid/sarge
[16 Aug 2003] DSA-373 autorespond - buffer overflow
	{CAN-2003-0654}
	- autorespond 2.0.4-1
[16 Aug 2003] DSA-372 netris - buffer overflow
	{CAN-2003-0685}
	- netris 0.52-1
[11 Aug 2003] DSA-371 perl - cross-site scripting
	{CAN-2003-0615}
	- perl 5.8.0-19
[08 Aug 2003] DSA-370 pam-pgsql - format string
	{CAN-2003-0672}
	- pam-pgsql 0.5.2-7
[08 Aug 2003] DSA-369 zblast - buffer overflow
	{CAN-2003-0613}
	- zblast 1.2.1-7
[08 Aug 2003] DSA-368 xpcd - buffer overflow
	{CAN-2003-0649}
	- xpcd 2.08-9
[08 Aug 2003] DSA-367 xtokkaetama - buffer overflow
	{CAN-2003-0652}
	- xtokkaetama 1.0b-9
[05 Aug 2003] DSA-366 eroaster - insecure temporary file
	{CAN-2003-0656}
	- eroaster 2.2.0-0.5-1
[05 Aug 2003] DSA-365 phpgroupware - several vulnerabilities
	{CAN-2003-0504 CAN-2003-0599 CAN-2003-0657}
	- phpgroupware 0.9.14.007-1
[04 Aug 2003] DSA-364 man-db - buffer overflows, arbitrary command execution
	{CAN-2003-0620 CAN-2003-0645}
	- man-db 2.4.1-13
[03 Aug 2003] DSA-363 postfix - denial of service, bounce-scanning
	{CAN-2003-0468 CAN-2003-0540}
	- postfix 1.1.12
[02 Aug 2003] DSA-362 mindi - insecure temporary file
	{CAN-2003-0617}
	- mindi 0.86-1
[01 Aug 2003] DSA-361 kdelibs, kdelibs-crypto - several vulnerabilities
	{CAN-2003-0459 CAN-2003-0370}
	- kdelibs 4:3.1.3-1
[01 Aug 2003] DSA-360 xfstt - several vulnerabilities
	{CAN-2003-0581}
	- xfstt 1.5-1
	{CAN-2003-0625}
	- xfstt 1.5.1-1
[31 Jul 2003] DSA-359 atari800 - buffer overflows
	{CAN-2003-0630}
	- atari800 1.3.1-2
[31 Jul 2003] DSA-358 linux-kernel-2.4.18 - several vulnerabilities
	{CAN-2003-0461 CAN-2003-0462 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552 CAN-2003-0018 CAN-2003-0619 CAN-2003-0643}
	NOTE: 2.4.18/2.4.20 not in unstable/testing. Did not check newer ones.
[31 Jul 2003] DSA-357 wu-ftpd - remote root exploit
	- wu-ftpd 2.6.2-12
[30 Jul 2003] DSA-356 xtokkaetama - buffer overflows
	{CAN-2003-0611}
	- xtokkaetama 1.0b-8
[30 Jul 2003] DSA-355 gallery - cross-site scripting
	{CAN-2003-0614}
	- gallery 1.3.4-3
[29 Jul 2003] DSA-354 xconq - buffer overflows
	{CAN-2003-0607}
	- xconq 7.4.1-2.1
[29 Jul 2003] DSA-353 sup - insecure temporary file
	{CAN-2003-0606}
	- sup 1.8-9
[22 Jul 2003] DSA-352 fdclone - insecure temporary directory
	{CAN-2003-0596}
	- fdclone 2.04-1
[16 Jul 2003] DSA-351 php4 - cross-site scripting
	{CAN-2003-0442}
	- php4 4:4.3.2+rc3-1
[15 Jul 2003] DSA-350 falconseye - buffer overflow
	{CAN-2003-0358}
	NOTE: not in testing, fixed in unstable
	- falconseye 1.9.3-9
[14 Jul 2003] DSA-349 nfs-utils - buffer overflow
	{CAN-2003-0252}
	- nfs-utils 1:1.0.3-2
[11 Jul 2003] DSA-348 traceroute-nanog - integer overflow, buffer overflow
	{CAN-2003-0453}
	- traceroute-nanog 6.1.1-1.3
[08 Jul 2003] DSA-347 teapop - SQL injection
	{CAN-2003-0515}
	- teapop 0.3.5-2
[08 Jul 2003] DSA-346 phpsysinfo - directory traversal
	{CAN-2003-0536}
	- phpsysinfo 2.1-1
[08 Jul 2003] DSA-345 xbl - buffer overflow
	{CAN-2003-0535}
	- xbl 1.0k-6
[08 Jul 2003] DSA-344 unzip - directory traversal
	{CAN-2003-0282}
	- unzip 5.50-3
[08 Jul 2003] DSA-343 skk, ddskk - insecure temporary file
	{CAN-2003-0539}
	- skk 10.62a-6
	- ddskk 12.1.cvs.20030622-1
[07 Jul 2003] DSA-342 mozart - unsafe mailcap configuration
	{CAN-2003-0538}
	NOTE: mozart is not in sarge
	- mozart 1.2.5.20030212-2
[07 Jul 2003] DSA-341 liece - insecure temporary file
	{CAN-2003-0537}
	- liece 2.0+0.20030527cvs-1
[06 Jul 2003] DSA-340 x-face-el - insecure temporary file
	- x-face-el 1.3.6.23-1
[06 Jul 2003] DSA-339 semi - insecure temporary file
	{CAN-2003-0440}
	- semi 1.14.5+20030609-1
[29 Jun 2003] DSA-338 proftpd - SQL injection
	{CAN-2003-0500}
	- proftpd 1.2.8-8
[29 Jun 2003] DSA-337 gtksee - buffer overflow
	{CAN-2003-0444}
	! gtksee 0.5.6-1
	NOTE: security hole was unfixed for 1 year in unstable until NMU
	NOTE: effectively unmaintained
[29 Jun 2003] DSA-336 linux-kernel-2.2.20 - several vulnerabilities
	{CAN-2002-1380 CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0364 CAN-2003-0246 CAN-2003-0244 CAN-2003-0247 CAN-2003-0248}
	- kernel-source-2.2.25 2.2.25-3
	NOTE: did not check newer kernels
[28 Jun 2003] DSA-335 mantis - incorrect permissions
	{CAN-2003-0499}
	- mantis 0.17.5-6
[28 Jun 2003] DSA-334 xgalaga - buffer overflows
	{CAN-2003-0454}
	- xgalaga 2.0.34-22
[27 Jun 2003] DSA-333 acm - integer overflow
	{CVE-2002-0391}
	- acm 5.0-10
[27 Jun 2003] DSA-332 linux-kernel-2.4.17 - several vulnerabilities
	{CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248 CAN-2003-0364}
	NOTE: not in the archive, and did not check newer kernels
[27 Jun 2003] DSA-331 imagemagick - insecure temporary file
	{CAN-2003-0455}
	- imagemagick 4:5.5.7-1
[23 Jun 2003] DSA-330 tcptraceroute - failure to drop root privileges
	{CAN-2003-0489}
	- tcptraceroute 1.4-4
[20 Jun 2003] DSA-329 osh - buffer overflows
	{CAN-2003-0452}
	- osh 1.7-12
[19 Jun 2003] DSA-328 webfs - buffer overflow
	{CAN-2003-0445}
	- webfs 1.20
[19 Jun 2003] DSA-327 xbl - buffer overflows
	{CAN-2003-0451}
	- xbl 1.0k-5
[19 Jun 2003] DSA-326 orville-write - buffer overflows
	{CAN-2003-0441}
	- orville-write 2.54-1
[19 Jun 2003] DSA-325 eldav - insecure temporary file
	{CAN-2003-0438}
	- eldav 0.7.2-1
[18 Jun 2003] DSA-324 ethereal - several vulnerabilities
	{CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432}
	- ethereal 0.9.13-1
[16 Jun 2003] DSA-323 noweb - insecure temporary files
	{CAN-2003-0381}
	- noweb 2.10c-2
[16 Jun 2003] DSA-322 typespeed - buffer overflow
	{CAN-2003-0435}
	- typespeed 0.4.4
[13 Jun 2003] DSA-321 radiusd-cistron - buffer overflow
	{CAN-2003-0450}
	- radiusd-cistron 1.6.6-2
[13 Jun 2003] DSA-320 mikmod - buffer overflow
	{CAN-2003-0427}
	- mikmod 3.1.6-6
[12 Jun 2003] DSA-319 webmin - session ID spoofing
	{CAN-2003-0101}
	- webmin 1.070-1
[12 Jun 2003] DSA-318 lyskom-server - denial of service
	{CAN-2003-0366}
	- lyskom-server 2.0.7-2
[11 Jun 2003] DSA-317 cupsys - denial of service
	{CAN-2003-0195}
	- cupsys 1.1.19final-1
[11 Jun 2003] DSA-316 nethack - buffer overflow, incorrect permissions
	{CAN-2003-0358 CAN-2003-0359}
	- nethack 3.4.1-1
	NOTE: DSA contains some strange non-nethack version numbers
[11 Jun 2003] DSA-315 gnocatan - buffer overflows, denial of service
	{CAN-2003-0433}
	HELP: no mention of any security fixes in debian changelog,
	HELP: upstream changelog. Mailed maintainer.
[11 Jun 2003] DSA-314 atftp - buffer overflow
	{CAN-2003-0380}
	- atftp 0.6.2
[11 Jun 2003] DSA-313 ethereal - buffer overflows, integer overflows
	{CAN-2003-0356 CAN-2003-0357}
	- ethereal 0.9.12-1
[09 Jun 2003] DSA-312 kernel-patch-2.4.18-powerpc - several vulnerabilities
	{CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248}
	NOTE: not in unstable/testing. Did not check other versions.
[08 Jun 2003] DSA-311 linux-kernel-2.4.18 - several vulnerabilities
	{CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248 CAN-2003-0364}
	NOTE: not in unstable/testing. Did not check other versions.
[08 Jun 2003] DSA-310 xaos - improper setuid-root execution
	{CAN-2003-0385}
	- xaos 3.1r-4
[06 Jun 2003] DSA-309 eterm - buffer overflow
	{CAN-2003-0382}
	- eterm 0.9.2-1
[06 Jun 2003] DSA-308 gzip - insecure temporary files
	{CVE-1999-1332 CAN-2003-0367}
	- gzip 1.3.5-6
[27 May 2003] DSA-307 gps - multiple vulnerabilities
	{CAN-2003-0361 CAN-2003-0360 CAN-2003-0362}
	- gps 1.1.0-1
[19 May 2003] DSA-306 ircii-pana - buffer overflows, integer overflow
	{CAN-2003-0321 CAN-2003-0322 CAN-2003-0328}
	- ircii-pana 1:1.0-0c19-8
[15 May 2003] DSA-305 sendmail - insecure temporary files
	{CAN-2003-0308}
	- sendmail 8.12.9-2
[15 May 2003] DSA-304 lv - privilege escalation
	{CAN-2003-0188}
	- lv 4.49.5-2
[15 May 2003] DSA-303 mysql - privilege escalation
	{CAN-2003-0073}
	- mysql-dfsg 4.0.12-2
	{CAN-2003-0150}
	HELP: not sure if this is fixed
[07 May 2003] DSA-302 fuzz - privilege escalation
	{CAN-2003-0261}
	- fuzz 0.6-7.1
[07 May 2003] DSA-301 libgtop - buffer overflow
	{CAN-2001-0928}
	- libgtop 1.0.13-4
[06 May 2003] DSA-300 balsa - buffer overflow
	{CAN-2003-0167}
	- balsa 2.0.10
[06 May 2003] DSA-299 leksbot - improper setuid-root execution
	{CAN-2003-0262}
	- leksbot 1.2-5
[02 May 2003] DSA-298 epic4 - buffer overflows
	{CAN-2003-0323}
	- epic4 1:1.1.11.20030409-1
[01 May 2003] DSA-297 snort - integer overflow, buffer overflow
	{CAN-2003-0033 CAN-2003-0209}
	- snort 2.0.0-1
[30 Apr 2003] DSA-296 kdebase - insecure execution
	{CAN-2003-0204}
	- kdebase 4:3.1.0-1
[30 Apr 2003] DSA-295 pptpd - buffer overflow
	{CAN-2003-0213}
	- pptpd 1.1.4-0.b3.2
[23 Apr 2003] DSA-294 gkrellm-newsticker - missing quoting, incomplete parser
	{CAN-2003-0205 CAN-2003-0206}
	NOTE: not in unstable/testing
[23 Apr 2003] DSA-293 kdelibs - insecure execution
	{CAN-2003-0204}
	- kdebase 4:3.1.0-1
[22 Apr 2003] DSA-292 mime-support - insecure temporary file creation
	{CAN-2003-0214}
	- mime-support 3.23-1
[22 Apr 2003] DSA-291 ircii - buffer overflows
	{CAN-2003-0323}
	- ircii 20030315-1
[17 Apr 2003] DSA-290 sendmail-wide - char-to-int conversion
	{CAN-2003-0161}
	- sendmail-wide 8.12.9+3.5Wbeta-1
[17 Apr 2003] DSA-289 rinetd - incorrect memory resizing
	{CAN-2003-0212}
	- rinetd 0.61-2
[17 Apr 2003] DSA-288 openssl - several vulnerabilities
	{CAN-2003-0147 CAN-2003-0131}
	- openssl 0.9.7b-1
	- openssl096 0.9.6j-1
[15 Apr 2003] DSA-287 epic - buffer overflows
	{CAN-2003-0324}
	- epic4 1:1.1.11.20030409-1
[14 Apr 2003] DSA-286 gs-common - insecure temporary file
	{CAN-2003-0207}
	- gs-common 0.3.3.1
[14 Apr 2003] DSA-285 lprng - insecure temporary file
	{CAN-2003-0136}
	- lprng 3.8.20-4
[12 Apr 2003] DSA-284 kdegraphics - insecure execution
	{CAN-2003-0204}
	- kdegraphics 4:3.1.0-1
[11 Apr 2003] DSA-283 xfsdump - insecure file creation
	{CAN-2003-0173}
	- xfsdump 2.2.8-1
[09 Apr 2003] DSA-282 glibc - integer overflow
	{CAN-2003-0028}
	- glibc 2.3.1-16
[08 Apr 2003] DSA-281 moxftp - buffer overflow
	{CAN-2003-0203}
	- moxftp 2.2-18.20
[07 Apr 2003] DSA-280 samba - buffer overflow
	{CAN-2003-0201 CAN-2003-0196}
	- samba 3.0
[07 Apr 2003] DSA-279 metrics - insecure temporary file creation
	{CAN-2003-0202}
	NOTE: not in unstable/testing
[04 Apr 2003] DSA-278 sendmail - char-to-int conversion
	{CAN-2003-0161}
	- sendmail 8.12.9-1
[03 Apr 2003] DSA-277 apcupsd - buffer overflows, format string
	{CAN-2003-0098 CAN-2003-0099}
	- apcupsd 3.8.5-1.2
[03 Apr 2003] DSA-276 linux-kernel-s390 - local privilege escalation
	{CAN-2003-0127}
	NOTE: this version is not in sarge, did not check others
[02 Apr 2003] DSA-275 lpr-ppd - buffer overflow
	{CAN-2003-0144}
	- lpr-ppd 1:0.72-3
[28 Mar 2003] DSA-274 mutt - buffer overflow
	{CAN-2003-0167}
	- mutt 1.4.0
[28 Mar 2003] DSA-273 krb4 - Cryptographic weakness
	{CAN-2003-0138 CAN-2003-0139}
	- krb4 1.2.2-1
[28 Mar 2003] DSA-272 dietlibc - integer overflow
	{CAN-2003-0028}
	- dietlibc 0.22-2
[27 Mar 2003] DSA-271 ecartis - unauthorized password change
	{CAN-2003-0162}
	- ecartis 1.0.0+cvs.20030321-1
[27 Mar 2003] DSA-270 linux-kernel-mips - local privilege escalation
	{CAN-2003-0127}
	NOTE: not in unstable/testing, did not check other versions
[26 Mar 2003] DSA-269 heimdal - Cryptographic weakness
	{CAN-2003-0138}
	- heimdal 0.5.2-1
[25 Mar 2003] DSA-268 mutt - buffer overflow
	{CAN-2003-0140}
	- mutt 1.5.4-1
[24 Mar 2003] DSA-267 lpr - buffer overflow
	{CAN-2003-0144}
	- lpr 1:2000.05.07-4.20
[24 Mar 2003] DSA-266 krb5 - several vulnerabilities
	{CAN-2003-0028}
	- krb5 1.3.3-2
	NOTE: changelog does not mention this one, verified patch from 
	NOTE: Tom Yu was applied to this version.
	{CAN-2003-0072}
	- krb5 1.2.7-3
	NOTE: changelog does not mention this one, verified patch from
	NOTE: upstream was applied to this version.
	{CAN-2003-0082}
	- krb5 1.3.3-2
	{CAN-2003-0138 VU#623217}
	- krb5 1.2.7-3
	{CAN-2003-0139 VU#442569}
	- krb5 1.2.7-3
[21 Mar 2003] DSA-265 bonsai - several vulnerabilities
	{CAN-2003-0152 CAN-2003-0153 CAN-2003-0154 CAN-2003-0155}
	- bonsai 1.3+cvs20030317-1
[19 Mar 2003] DSA-264 lxr - missing filename sanitizing
	{CAN-2003-0156}
	- lxr 0.3-4
[17 Mar 2003] DSA-263 netpbm-free - math overflow errors
	{CAN-2003-0146}
	- netpbm-free 2:9.20-9
[15 Mar 2003] DSA-262 samba - remote exploit
	{CAN-2003-0085 CAN-2003-0086}
	- samba 2.2.8
[14 Mar 2003] DSA-261 tcpdump - infinite loop
	{CAN-2003-0093 CAN-2003-0145}
	NOTE: DSA reports sid was not affected, sarge has sid version
[13 Mar 2003] DSA-260 file - buffer overflow
	{CAN-2003-0102}
	- file 3.40-1.1
[12 Mar 2003] DSA-259 qpopper - mail user privilege escalation
	{CAN-2003-0143}
	- qpopper 4.0.4-9
[10 Mar 2003] DSA-258 ethereal - format string vulnerability
	{CAN-2003-0081}
	- ethereal 0.9.9-2
[04 Mar 2003] DSA-257 sendmail - remote exploit
	{CAN-2002-1337}
	- sendmail 8.12.8
[28 Feb 2003] DSA-256 mhc - insecure temporary file
	{CAN-2003-0120}
	- mhc 0.25+20030224-1
[27 Feb 2003] DSA-255 tcpdump - infinite loop
	{CAN-2003-0108 CAN-2002-0380}
	- tcpdump 3.7.1-1.2
[27 Feb 2003] DSA-254 traceroute-nanog - buffer overflow
	{CAN-2002-1051 CAN-2002-1364 CAN-2002-1386 CAN-2002-1387}
	- traceroute-nanog 6.3.0-1
[24 Feb 2003] DSA-253 openssl - information leak
	{CAN-2003-0078}
	- openssl 0.9.7a-1
[21 Feb 2003] DSA-252 slocate - buffer overflow
	{CAN-2003-0056}
	- slocate 2.7-1
[14 Feb 2003] DSA-251 w3m - missing HTML quoting
	{CAN-2002-1335 CAN-2002-1348}
	- w3m 0.3.2.2-1
[12 Feb 2003] DSA-250 w3mmee-ssl - missing HTML quoting
	{CAN-2002-1335 CAN-2002-1348}
	NOTE: not in sid/sarge
[11 Feb 2003] DSA-249 w3mmee - missing HTML quoting
	{CAN-2002-1335 CAN-2002-1348}
	- w3mmee 0.3.p24.17-3
[31 Jan 2003] DSA-248 hypermail - buffer overflows
	{CAN-2003-0057}
	- hypermail 2.1.6-1
[30 Jan 2003] DSA-247 courier-ssl - missing input sanitizing
	{CAN-2003-0040}
	- courier 0.40.2-3
[29 Jan 2003] DSA-246 tomcat - information exposure, cross site scripting
	{CAN-2003-0042 CAN-2003-0043 CAN-2003-0044}
	NOTE: tomcat not in sid/sarge
	NOTE: tomcat4 not affected
[28 Jan 2003] DSA-245 dhcp3 - ignored counter boundary
	{CAN-2003-0039}
	- dhcp3 1.1.2-1
[27 Jan 2003] DSA-244 noffle - buffer overflows
	{CAN-2003-0037}
	- noffle 1.1.2-1
[24 Jan 2003] DSA-243 kdemultimedia - several vulnerabilities
	{CAN-2002-1393}
	- kdemultimedia 4:3.1
[24 Jan 2003] DSA-242 kdebase - several vulnerabilities
	{CAN-2002-1393}
	- kdebase 4:3.1
[24 Jan 2003] DSA-241 kdeutils - several vulnerabilities
	{CAN-2002-1393}
	- kdeutils 4:3.1
[23 Jan 2003] DSA-240 kdegames - several vulnerabilities
	{CAN-2002-1393}
	- kdegames 4:3.1
[23 Jan 2003] DSA-239 kdesdk - several vulnerabilities
	{CAN-2002-1393}
	- kdesdk 4:3.1
[23 Jan 2003] DSA-238 kdepim - several vulnerabilities
	{CAN-2002-1393}
	- kdepim 4:3.1
[22 Jan 2003] DSA-237 kdenetwork - several vulnerabilities
	{CAN-2002-1393}
	- kdenetwork 4:3.1
[22 Jan 2003] DSA-236 kdelibs - several vulnerabilities
	{CAN-2002-1393}
	- kdelibs 4:3.1
[22 Jan 2003] DSA-235 kdegraphics - several vulnerabilities
	{CAN-2002-1393}
	- kdegraphics 4:3.1
[22 Jan 2003] DSA-234 kdeadmin - several vulnerabilities
	{CAN-2002-1393}
	- kdeadmin 4:3.1
[21 Jan 2003] DSA-233 cvs - doubly freed memory
	{CAN-2003-0015}
	- cvs 1.11.2-5.1
[20 Jan 2003] DSA-232 cupsys - several vulnerabilities
	{CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369 CAN-2002-1371 CAN-2002-1372 CAN-2002-1383 CAN-2002-1384}
	- cupsys 1.1.18-1
[17 Jan 2003] DSA-231 dhcp3 - stack overflows
	{CAN-2003-0026}
	- dhcp3 3.0+3.0.1rc11-1
[16 Jan 2003] DSA-230 bugzilla - insecure permissions, spurious backup files
	NOTE: not in testing due to 3 newer security holes
	{CAN-2003-0012}
	- bugzilla 2.16.2
	{CAN-2003-0013}
	- bugzilla 2.16.2
[15 Jan 2003] DSA-229 imp - SQL injection
	{CAN-2003-0025}
	NOTE: I think imp3 is ok.
[14 Jan 2003] DSA-228 libmcrypt - buffer overflows and memory leak
	{CAN-2003-0031 CAN-2003-0032}
	- libmcrypt 2.5.5-1
[13 Jan 2003] DSA-227 openldap2 - buffer overflows and other bugs
	{CAN-2002-1378 CAN-2002-1379 CAN-2002-1508}
	- openldap2 2.0.27-3
[10 Jan 2003] DSA-226 xpdf-i - integer overflow
	{CAN-2002-1384}
	- xpdf 2.01-2
[09 Jan 2003] DSA-225 tomcat4 - source disclosure
	{CAN-2002-1394}
	! tomcat4 4.1.16-1
	NOTE: another RC (unreproducible?) bug and missing deps (#263201)
	NOTE: are keeping the fix out of testing
	NOTE: this is the second unfixed security hole in tomcat4 in testing.
[08 Jan 2003] DSA-224 canna - buffer overflow and more
	{CAN-2002-1158 CAN-2002-1159}
	- canna 3.6p1-1
[07 Jan 2003] DSA-223 geneweb - information exposure
	{CAN-2002-1390}
	- geneweb 4.09-1
[06 Jan 2003] DSA-222 xpdf - integer overflow
	{CAN-2002-1384}
	- xpdf 2.01-2
[03 Jan 2003] DSA-221 mhonarc - cross site scripting
	{CAN-2002-1388}
	- mhonarc 2.5.14-1
[02 Jan 2003] DSA-220 squirrelmail - cross site scripting
	{CAN-2002-1341}
	- squirrelmail 1:1.3.2-2

------- These processed by Djoumé SALVETTI <salvetti@crans.org> -----

[31 Dec 2002] DSA-219 dhcpcd - remote command execution
	{CAN-2002-1403}
	- dhcpcd 1.3.22pl2-2
[30 Dec 2002] DSA-218 bugzilla - cross site scripting
	NOTE: not in testing, fixed in unstable (bugzilla 2.16.2-1).
[27 Dec 2002] DSA-217 typespeed - buffer overflow
	{CAN-2002-1389}
	- typespeed 0.4.2-2
[24 Dec 2002] DSA-216 fetchmail - buffer overflow
	{CAN-2002-1365}
	- fetchmail 6.2.0-1
[23 Dec 2002] DSA-215 cyrus-imapd - buffer overflow
	{CAN-2002-1580}
	- cyrus-imapd 1.5.19-9.10
[20 Dec 2002] DSA-214 kdnetwork - buffer overflows
	{CAN-2002-1306}
	- kdenetwork 2.2.2-14.20
	NOTE: there is a typo in the DSA, the name of the package is kdenetwork.
[19 Dec 2002] DSA-213 libpng - buffer overflow
	{CAN-2002-1363}
	- libpng 1.0.12-7
	- libpng3 1.2.5-8
[17 Dec 2002] DSA-212 mysql - multiple problems
	{CAN-2002-1373 CAN-2002-1374 CAN-2002-1375 CAN-2002-1376}
	- mysql-dfsg 4.0.7.gamma-1
[13 Dec 2002] DSA-211 micq - denial of service
	{CAN-2002-1362}
	NOTE: not in testing nor unstable (was fixed in 0.4.9.4-1)
[13 Dec 2002] DSA-210 lynx - CRLF injection
	{CAN-2002-1405}
	- lynx 2.8.4.1b-4
	NOTE: lynx-ssl not in testing nor unstable.
[12 Dec 2002] DSA-209 wget - directory traversal
	{CAN-2002-1344}
	- wget 1.8.2-8
[12 Dec 2002] DSA-208 perl - broken safe compartment
	{CAN-2002-1323}
	- perl 5.8.0-14
[11 Dec 2002] DSA-207 tetex-bin - arbitrary command execution
	{CAN-2002-0836}
	- tetex-bin 1.0.7+20021025-4
[10 Dec 2002] DSA-206 tcpdump - denial of service
	{CAN-2002-1350}
	- tcpdump 3.7.2-1
[10 Dec 2002] DSA-205 gtetrinet - buffer overflow
	- gtetrinet 0.4.4-1
	NOTE: no CAN nor CVE for this one
[05 Dec 2002] DSA-204 kdelibs - arbitrary program execution
	{CAN-2002-1281 CAN-2002-1282}
	- kdelibs 4:3.1.0-1
[04 Dec 2002] DSA-203 smb2www - arbitrary command execution
	{CAN-2002-1342}
	- smb2www 980804-17
[03 Dec 2002] DSA-202 im - insecure temporary files
	{CAN-2002-1395}
	- im 141-20
[02 Dec 2002] DSA-201 freeswan - denial of service
	{CAN-2002-0666 VU#459371}
	- freeswan 1.99-1
[22 Nov 2002] DSA-200 samba - remote exploit
	{CAN-2002-1318}
	- samba 2.99.cvs.20020713-1
[19 Nov 2002] DSA-199 mhonarc - cross site scripting
	{CAN-2002-1307}
	- mhonarc 2.5.13-1
[18 Nov 2002] DSA-198 nullmailer - denial of service
	{CAN-2002-1313}
	- nullmailer 1.00RC5-17
[15 Nov 2002] DSA-197 courier - buffer overflow
	{CAN-2002-1311}
	- courier 0.40.0-1
[14 Nov 2002] DSA-196 bind - several vulnerabilities
	{CAN-2002-0029 CAN-2002-1219 CAN-2002-1220 CAN-2002-1221}
	- bind 8.3.3-3
[13 Nov 2002] DSA-195 apache-perl - several vulnerabilities
	{CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 CAN-2002-1233}
	- apache-perl 1.3.26-1.1-1.27-3-1
[12 Nov 2002] DSA-194 masqmail - buffer overflows
	{CAN-2002-1279}
	- masqmail 0.2.15-1
[11 Nov 2002] DSA-193 kdenetwork - buffer overflow
	{CAN-2002-1247}
	- kdenetwork 2.2.2-14.3
[08 Nov 2002] DSA-192 html2ps - arbitrary code execution
	{CAN-2002-1275}
	- html2ps 1.0b3-2
[07 Nov 2002] DSA-191 squirrelmail - cross site scripting
	{CAN-2002-1131 CAN-2002-1132 CAN-2002-1276}
	- squirrelmail 1.2.8-1.1
[07 Nov 2002] DSA-190 wmaker - buffer overflow
	{CAN-2002-1277}
	- wmaker 0.80.1-4
[06 Nov 2002] DSA-189 luxman - local root exploit
	{CAN-2002-1245}
	- luxman 0.41-19
[05 Nov 2002] DSA-188 apache-ssl - several vulnerabilities
	{CAN-2002-0839 CAN-2002-0840 CAN-2002-0843}
	- apache 1.3.27-0.1
	{CAN-2001-0131 CAN-2002-1233}
	- apache 1.3.27-1
	HELP: not sure about this
	NOTE: I have mailed maintainers
	{NO-CAN Several buffer overflows in ApacheBench}
	HELP: I don't know about this
	NOTE: I have mailed maintainers
[04 Nov 2002] DSA-187 apache - several vulnerabilities
	{CAN-2002-0839 CAN-2002-0840 CAN-2002-0843}
	- apache 1.3.27-0.1
	{CAN-2001-0131 CAN-2002-1233}
	- apache 1.3.27-1
	HELP: not sure about this
	NOTE: I have mailed maintainers
	{NO-CAN Several buffer overflows in ApacheBench}
	HELP: I don't know about this
	NOTE: I have mailed maintainers
[01 Nov 2002] DSA-186 log2mail - buffer overflow
	{CAN-2002-1251}
	- log2mail 0.2.6-1
[31 Oct 2002] DSA-185 heimdal - buffer overflow
	{CAN-2002-1235}
	- heimdal 0.4e-22
[30 Oct 2002] DSA-184 krb4 - buffer overflow
	{CAN-2002-1235}
	- krb4 1.1-11-8
[29 Oct 2002] DSA-183 krb5 - buffer overflow
	{CAN-2002-1235}
	- krb5 1.2.6-2
[28 Oct 2002] DSA-182 kdegraphics - buffer overflow
	{CAN-2002-0838}
	- kdegraphics 2.2.2-6.9
[22 Oct 2002] DSA-181 libapache-mod-ssl - cross site scripting
	{CAN-2002-1157}
	- libapache-mod-ssl 2.8.9-2.3
[21 Oct 2002] DSA-180 nis - information leak
	{CAN-2002-1232}
	- nis 3.9-6.2
[18 Oct 2002] DSA-179 gnome-gv - buffer overflow
	{CAN-2002-0838}
	- gnome-gv 1.99.7-9
[17 Oct 2002] DSA-178 heimdal - remote command execution
	{CAN-2002-1225 CAN-2002-1226}
	- heimdal 0.4e-21
[17 Oct 2002] DSA-177 pam - serious security violation
	{CAN-2002-1227}
	- pam 0.76-6
[16 Oct 2002] DSA-176 gv - buffer overflow
	{CAN-2002-0838}
	- gv 3.5.8-27
[15 Oct 2002] DSA-175 syslog-ng - buffer overflow
	{CAN-2002-1200}
	- syslog-ng 1.5.21-1
[14 Oct 2002] DSA-174 heartbeat - buffer overflow
	{CAN-2002-1215}
	- heartbeat 0.4.9.2-1
[09 Oct 2002] DSA-173 bugzilla - privilege escalation
	{CAN-2002-1196}
	NOTE: not in testing, fixed in unstable (bugzilla 2.16.0-2.1)
[08 Oct 2002] DSA-172 tkmail - insecure temporary files
	{CAN-2002-1193}
	NOTE: not in testing nor unstable (was fixed in 4.0beta9-9)
[07 Oct 2002] DSA-171 fetchmail - buffer overflows
	{CAN-2002-1175 CAN-2002-1174}
	- fetchmail 6.1.0-1
	NOTE: fetchmail-ssl not in testing, fixed in unstable (fetchmail-ssl 6.1.0-1)
[04 Oct 2002] DSA-170 tomcat4 - source code disclosure
	{CAN-2002-1148}
	! tomcat4 4.1.12-1
	NOTE: only 4.0.4-4 in testing (which seems to be vulnerable)
[25 Sep 2002] DSA-169 htcheck - cross site scripting
	{CAN-2002-1195}
	- htcheck 1.1-1.2
[18 Sep 2002] DSA-168 php - bypassing safe_mode, CRLF injection
	{CAN-2002-0985 CAN-2002-0986}
	- php3 3.0.18-23.2
	- php4 4.2.3-3
	NOTE: php3 is not in testing; it seems to be waiting for the tiff and gcc transitions
	NOTE: and is out of date on alpha and arm
[16 Sep 2002] DSA-167 kdelibs - cross site scripting
	{CAN-2002-1151}
	- kdelibs 2.2.2-14
	NOTE: there is a typo in the DSA, which mentioned Konqueror instead of kdelibs
[13 Sep 2002] DSA-166 purity - buffer overflows
	{CAN-2002-1124}
	- purity 1-16
[12 Sep 2002] DSA-165 postgresql - buffer overflows
	{CAN-2002-0972 CAN-2002-1398 CAN-2002-1400 CAN-2002-1401 CVE-2002-1402}
	- postgresql 7.2.2-2
[10 Sep 2002] DSA-164 cacti - arbitrary code execution
	{CAN-2002-1477 CAN-2002-1478}
	- cacti 0.6.8a-2
[09 Sep 2002] DSA-163 mhonarc - cross site scripting
	{CVE-2002-0738}
	- mhonarc 2.5.11-1
[06 Sep 2002] DSA-162 ethereal - buffer overflow
	{CAN-2002-0834}
	- ethereal 0.9.6-1
[04 Sep 2002] DSA-161 mantis - privilege escalation
	{CAN-2002-1115 CAN-2002-1116}
	- mantis 0.17.5-2
[03 Sep 2002] DSA-160 scrollkeeper - insecure temporary file creation
	{CAN-2002-0662}
	- scrollkeeper 0.3.11-2
[28 Aug 2002] DSA-159 python - insecure temporary files
	{CAN-2002-1119}
	- python2.1 2.1.3-6a
	- python2.2 2.2.1-8
	NOTE: python1.5 not in testing nor unstable (was fixed in 1.5.2-24)
	NOTE: python2.3 is not vulnerable
[27 Aug 2002] DSA-158 gaim - arbitrary program execution
	{CVE-2002-0989}
	- gaim 0.59.1-2
[23 Aug 2002] DSA-157 irssi-text - denial of service
	{CAN-2002-0983}
	- irssi-text 0.8.5-2
[22 Aug 2002] DSA-156 epic4-script-light - arbitrary script execution
	{CVE-2002-0984}
	- epic4-script-light 2.7.30p5-2
[17 Aug 2002] DSA-155 kdelibs - privacy escalation with Konqueror
	{CAN-2002-0970}
	- kdelibs 4:2.2.2-14
[15 Aug 2002] DSA-154 fam - privilege escalation
	{CVE-2002-0875}
	- fam 2.6.8-1
[14 Aug 2002] DSA-153 mantis - cross site code execution and privilege escalation
	{CAN-2002-1114 CAN-2002-1113 CAN-2002-1112 CAN-2002-1111 CAN-2002-1110}
	- mantis 0.17.4a-2
[13 Aug 2002] DSA-152 l2tpd - missing random seed
	{CVE-2002-0872 CVE-2002-0873}
	NOTE: not in testing (was fixed in unstable 0.68-1)
[13 Aug 2002] DSA-151 xinetd - pipe exposure
	{CVE-2002-0871}
	- xinetd 2.3.7-1
[13 Aug 2002] DSA-150 interchange - illegal file exposition
	{CAN-2002-0874}
	- interchange 4.8.6-1
[13 Aug 2002] DSA-149 glibc - integer overflow
	{CVE-2002-0391}
	- glibc 2.2.5-13
[12 Aug 2002] DSA-148 hylafax - buffer overflows and format string vulnerabilities
	{CVE-2002-1049 CVE-2002-1050 CAN-2001-1034}
	- hylafax 4.1.2-2.1
[08 Aug 2002] DSA-147 mailman - cross-site scripting
	{CAN-2002-0388 CAN-2002-0855}
	- mailman 2.0.12-1
[08 Aug 2002] DSA-146 dietlibc - integer overflow
	{CVE-2002-0391}
	- dietlibc 0.20-0cvs20020808
[07 Aug 2002] DSA-145 tinyproxy - doubly freed memory
	{CVE-2002-0847}
	- tinyproxy 1.4.3-3
[06 Aug 2002] DSA-144 wwwoffle - improper input handling
	{CVE-2002-0818}
	- wwwoffle 2.7d-1
[05 Aug 2002] DSA-143 krb5 - integer overflow
	{CVE-2002-0391}
	- krb5 1.2.5-2
[05 Aug 2002] DSA-142 openafs - integer overflow
	{CVE-2002-0391}
	- openafs 1.2.6-1
[01 Aug 2002] DSA-141 mpack - buffer overflow
	{CAN-2002-1425}
	- mpack 1.5-9
[05 Aug 2002] DSA-140 libpng - buffer overflow
	{CAN-2002-0660 CAN-2002-0728}
	- libpng 1.0.12-4
	- libpng3 1.2.1-2
[01 Aug 2002] DSA-139 super - format string vulnerability
	{CVE-2002-0817}
	- super 3.18.0-3
[01 Aug 2002] DSA-138 gallery - remote exploit
	{CAN-2002-1412}
	- gallery 1.3-3
[30 Jul 2002] DSA-137 mm - insecure temporary files
	{CVE-2002-0658}
	- mm 1.1.3-7
[30 Jul 2002] DSA-136 openssl - multiple remote exploits
	{CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659}
	- openssl 0.9.6e-1

-- 
see shy jo
