We have now finished checking all the DSAs since woody's release, except for a few that we didn't reach any conclusions on. That the following DSAs seem to still be unfixed in sarge: php4 4:4.3.8-1 needed, have 4:4.3.4-4 for DSA-531 netkit-telnet-ssl 0.17.24+0.1-2 needed, have 0.17.24+0.1-1 for DSA-529 pavuk (unfixed; bug #264684) for DSA-527 rlpr (unfixed; bug #255402) for DSA-524 lha 1.14i-8 needed, have 1.14i-2 for DSA-515 log2mail (unfixed; bug #264687) for DSA-513 mysql-dfsg 4.0.18-6 needed, have 4.0.18-5 for DSA-483 hsftp 1.15-1 needed, have 1.12-1 for DSA-447 trr19 (unfixed; bug #264702) for DSA-430 slocate (unfixed; bug #226103) for DSA-428 tomcat4 4.1.24-2 needed, have 4.0.4-4 for DSA-395 gtksee 0.5.6-1 needed, have 0.5.2-0.1 for DSA-337 tomcat4 4.1.16-1 needed, have 4.0.4-4 for DSA-225 The above list is now generated automatically by newraff:~joeyh/checkdsa.pl. Here's the full report: [04 Aug 2004] DSA-536 libpng - several vulnerabilities {CAN-2004-0597 CAN-2004-0598 CAN-2004-0599 CAN-2004-0768} - libpng 1.0.15-6 - libpng3 1.2.5.0-7 [02 Aug 2004] DSA-535 squirrelmail - several vulnerabilities {CAN-2004-0519 CAN-2004-0520 CAN-2004-0521 CAN-2004-0639} - squirrelmail 2:1.4.3a-0.1 [22 Jul 2004] DSA-534 mailreader - directory traversal {CAN-2002-1581} - mailreader 2.3.29-9 [22 Jul 2004] DSA-533 courier - cross-site scripting {CAN-2004-0591} - courier 0.45.4-4 [22 Jul 2004] DSA-532 libapache-mod-ssl - several vulnerabilities {CAN-2004-0488 CAN-2004-0700} - libapache-mod-ssl 2.8.19-1 [20 Jul 2004] DSA-531 php4 - several vulnerabilities {CAN-2004-0594 CAN-2004-0595} ! php4 4:4.3.8-1 [17 Jul 2004] DSA-530 l2tpd - buffer overflow {CAN-2004-0649} - l2tpd 0.70-pre20031121-2 [17 Jul 2004] DSA-529 netkit-telnet-ssl - format string {CAN-2004-0640} ! netkit-telnet-ssl 0.17.24+0.1-2 [17 Jul 2004] DSA-528 ethereal - denial of service {CAN-2004-0635} - ethereal 0.10.5-1 [03 Jul 2004] DSA-527 pavuk - buffer overflow {CAN-2004-0456} NOTE: DSA is incorrect; pavuk is in sarge and unstable. ! pavuk (unfixed; bug #264684) [03 Jul 2004] DSA-526 webmin - several vulnerabilities {CAN-2004-0582 CAN-2004-0583} - webmin 1.150-1 [24 Jun 2004] DSA-525 apache - buffer overflow {CAN-2004-0492} - apache 1.3.31-2 [19 Jun 2004] DSA-524 rlpr - several vulnerabilities {CAN-2004-0393 CAN-2004-0454} ! rlpr (unfixed; bug #255402) [19 Jun 2004] DSA-523 www-sql - buffer overflow {CAN-2004-0455} - www-sql 0.5.7-18 [19 Jun 2004] DSA-522 super - format string vulnerability {CAN-2004-0579} - super 3.23.0-1 [18 Jun 2004] DSA-521 sup - format string vulnerability {CAN-2004-0451} - sup 1.8-11 [16 Jun 2004] DSA-520 krb5 - buffer overflows {CAN-2004-0523} - krb5 1.3.3-2 [15 Jun 2004] DSA-519 cvs - several vulnerabilities {CAN-2004-0416 CAN-2004-0417 CAN-2004-0418} - cvs 1:1.12.9-1 [14 Jun 2004] DSA-518 kdelibs - unsanitised input {CAN-2004-0411} - kdelibs 3.2.3 [10 Jun 2004] DSA-517 cvs - buffer overflow {CAN-2004-0414] - cvs 1.12.9-1 [07 Jun 2004] DSA-516 postgresql - buffer overflow {CAN-2004-0547} - postgresql 07.03.0200-3. [05 Jun 2004] DSA-515 lha - several vulnerabilities {CAN-2004-0234 CAN-2004-0235} ! lha 1.14i-8 NOTE: If 1.14i-8 cannot get into testing, the fix for 1.14i-2.0.1 from the DSA could to updated via t-p-u. [04 Jun 2004] DSA-514 kernel-image-sparc-2.2 - failing function and TLB flush {CAN-2004-0077} - kernel-image-sparc-2.2 9.1 NOTE: did not check other versions of the kernel [03 Jun 2004] DSA-513 log2mail - format string {CAN-2004-0450} ! log2mail (unfixed; bug #264687) [02 Jun 2004] DSA-512 gallery - unauthenticated access {CAN-2004-0522} - gallery 1.4.3-pl2-1 [30 May 2004] DSA-511 ethereal - buffer overflows {CAN-2004-0176 - ethereal 0.10.3-1 [29 May 2004] DSA-510 jftpgw - format string {CAN-2004-0448} - jftpgw 0.13.4-1 [29 May 2004] DSA-509 gatos - privilege escalation {CAN-2004-0395} - gatos 0.0.5-12 [22 May 2004] DSA-508 xpcd - buffer overflow {CAN-2004-0402} - xpcd 2.08-10 [19 May 2004] DSA-507 cadaver - buffer overflow {CAN-2004-0398} - cadaver 0.22.1-3 [19 May 2004] DSA-506 neon - buffer overflow {CAN-2004-0398} - neon 0.24.6.dfsg-1 [19 May 2004] DSA-505 cvs - heap overflow {CAN-2004-0396} - cvs 1.12.5-6 [18 May 2004] DSA-504 heimdal - missing input sanitising {CAN-2004-0434} - heimdal 0.6.2-1 [13 May 2004] DSA-503 mah-jong - missing argument check {CAN-2004-0458} - mah-jong 1.6.2-1 [11 May 2004] DSA-502 exim-tls - buffer overflow {CAN-2004-0399 CAN-2004-0400} NOTE: exim-tls not in sarge [07 May 2004] DSA-501 exim - buffer overflow {CAN-2004-0399 CAN-2004-0400} - exim 3.36-11 - exim4 4.33-1 [01 May 2004] DSA-500 flim - insecure temporary file {CAN-2004-0422} - flim 1:1.14.6+0.20040415-1 [01 May 2004] DSA-499 rsync - directory traversal {CAN-2004-0426} - rsync 2.6.1-1 [30 Apr 2004] DSA-498 libpng - out of bound access {CAN-2004-0421} - libpng 1.0.15-5 - libpng3 1.2.5.0-6 [29 Apr 2004] DSA-497 mc - several vulnerabilities {CAN-2004-0226 CAN-2004-0231 CAN-2004-0232} - mc 1:4.6.0-4.6.1-pre1-2 [29 Apr 2004] DSA-496 eterm - missing input sanitising {CAN-2003-0068} - eterm 0.9.2-6 [26 Apr 2004] DSA-495 linux-kernel-2.4.16-arm - several vulnerabilities {CAN-2003-0127 CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178} NOTE: 2.4.16 not present. Did not check newer kernels. [21 Apr 2004] DSA-494 ident2 - buffer overflow {CAN-2004-0408} - ident2 1.04-2 [21 Apr 2004] DSA-493 xchat - buffer overflow {CAN-2004-0409} - xchat 2.0.8-1 [18 Apr 2004] DSA-492 iproute - denial of service {CAN-2003-0856} - iproute 20010824-13.1 [17 Apr 2004] DSA-491 linux-kernel-2.4.19-mips - several vulnerabilities {CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178} NOTE: 2.4.19 not present. Did not check newer kernels. [17 Apr 2004] DSA-490 zope - arbitrary code execution {CVE-2002-0688} - zope 2.6.0-0.1 [17 Apr 2004] DSA-489 linux-kernel-2.4.17-mips+mipsel - several vulnerabilities {CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178} NOTE: 2.4.17 not present. Did not check newer kernels. [16 Apr 2004] DSA-488 logcheck - insecure temporary directory {CAN-2004-0404} - logcheck 1.1.1-13.2 [16 Apr 2004] DSA-487 neon - format string {CAN-2004-0179} - newo 0.24.5-1 [16 Apr 2004] DSA-486 cvs - several vulnerabilities {CAN-2004-0180 CAN-2004-0405} - cvs 1:1.12.5-4 [14 Apr 2004] DSA-485 ssmtp - format string {CAN-2004-0156} - ssmtp 2.60.7 [14 Apr 2004] DSA-484 xonix - failure to drop privileges {CAN-2004-0157} - xonix 1.4-21 [14 Apr 2004] DSA-483 mysql - insecure temporary file creation {CAN-2004-0381} - mysql-dfsg 4.0.18-4 {CAN-2004-0388} ! mysql-dfsg 4.0.18-6 [14 Apr 2004] DSA-482 linux-kernel-2.4.17-apus+s390 - several vulnerabilities {CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178} NOTE: 2.4.17 not present. Did not check newer kernels. [14 Apr 2004] DSA-481 linux-kernel-2.4.17-ia64 - several vulnerabilities {CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178} NOTE: 2.4.17 not present. Did not check newer kernels. [14 Apr 2004] DSA-480 linux-kernel-2.4.17+2.4.18-hppa - several vulnerabilities {CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178} NOTE: 2.4.17/18 not present. Did not check newer kernels. [14 Apr 2004] DSA-479 linux-kernel-2.4.18-alpha+i386+powerpc - several vulnerabilities {CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178} NOTE: 2.4.18 not present. Did not check newer kernels. [06 Apr 2004] DSA-478 tcpdump - denial of service {CAN-2004-0183 CAN-2004-0184} - tcpdump 3.7.2-4 [06 Apr 2004] DSA-477 xine-ui - insecure temporary file creation {CAN-2004-0372} - xine-ui 0.99.1-1 [06 Apr 2004] DSA-476 heimdal - cross-realm {CAN-2004-0371} - heimdal 0.6.1-1 [05 Apr 2004] DSA-475 linux-kernel-2.4.18-hppa - several vulnerabilities {CAN-2003-0961 CAN-2003-0985 CAN-2004-0077} NOTE: 2.4.18 not present. Did not check newer kernels. [03 Apr 2004] DSA-474 squid - ACL bypass {CAN-2004-0189} - squid 2.5.5-1 [03 Apr 2004] DSA-473 oftpd - denial of service {CAN-2004-0376} - oftpd 20040304-1 [03 Apr 2004] DSA-472 fte - several vulnerabilities {CAN-2003-0648} - fte 0.50.0-1.1 [02 Apr 2004] DSA-471 interchange - missing input sanitising {CAN-2004-0374} - interchange 5.0.1-1 [01 Apr 2004] DSA-470 linux-kernel-2.4.17-hppa - several vulnerabilities {CAN-2003-0961 CAN-2003-0985 CAN-2004-0077} NOTE: 2.4.17 not present. Did not check newer kernels. [29 Mar 2004] DSA-469 pam-pgsql - missing input sanitising {CAN-2004-0366} - pam-pgsql 0.5.2-7.1 [24 Mar 2004] DSA-468 emil - several vulnerabilities {CAN-2004-0152 CAN-2004-0153} - emil 2.1.0-beta9-14 [23 Mar 2004] DSA-467 ecartis - several vulnerabilities {CAN-2003-0781 CAN-2003-0782} - ecartis 1.0.0+cvs.20030911 [18 Mar 2004] DSA-466 linux-kernel-2.2.10-powerpc-apus - failing function and TLB flush {CAN-2004-0077} NOTE: 2.2.10 not present. Did not check newer kernels. [17 Mar 2004] DSA-465 openssl - several vulnerabilities {CAN-2004-0079 CAN-2004-0081} - openssl 0.9.7d-1 NOTE: CAN-2004-0081 only affects 0.9.6. NOTE: 0.9.7d also fixes CAN-2004-0112 - openssl 0.9.6l [16 Mar 2004] DSA-464 gdk-pixbuf - broken image handling {CAN-2004-0111} - gdk-pixbuf 0.22.0-3 [12 Mar 2004] DSA-463 samba - privilege escalation {CAN-2004-0186} - samba 3.0.2-2 [12 Mar 2004] DSA-462 xitalk - missing privilege release {CAN-2004-0151} - xitalk 1.1.11-11 [11 Mar 2004] DSA-461 calife - buffer overflow {CAN-2004-0188} - calife 2.8.6-1 [10 Mar 2004] DSA-460 sysstat - insecure temporary file {CAN-2004-0108} - sysstat 5.0.2-1 [10 Mar 2004] DSA-459 kdelibs - cookie path traversal {CAN-2003-0592} - kdelibs 4:3.1.3-1 [09 Mar 2004] DSA-458 python2.2 - buffer overflow {CAN-2004-0150} NOTE: not affected according to DSA [08 Mar 2004] DSA-457 wu-ftpd - several vulnerabilities CAN-2004-0148 CAN-2004-0185} - wu-ftpd 2.6.2-17.1 [06 Mar 2004] DSA-456 linux-kernel-2.2.19-arm - failing function and TLB flush {CAN-2004-0077} NOTE: 2.2.19 not present. Did not check newer kernels. [03 Mar 2004] DSA-455 libxml - buffer overflows {CAN-2004-0110} - libxml 1.8.17-5 - libxml2 2.6.6-1 [02 Mar 2004] DSA-454 linux-kernel-2.2.22-alpha - failing function and TLB flush {CAN-2004-0077} NOTE: 2.2.22 not present. Did not check newer kernels. [02 Mar 2004] DSA-453 linux-kernel-2.2.20-i386+m68k+powerpc - failing function and TLB flush {CAN-2004-0077} NOTE: 2.2.20 not present. Did not check newer kernels. [29 Feb 2004] DSA-452 libapache-mod-python - denial of service {CAN-2003-0973} - libapache-mod-python 2:2.7.10-1 [27 Feb 2004] DSA-451 xboing - buffer overflows {CAN-2004-0149} - xboing 2.4-26.1 [27 Feb 2004] DSA-450 linux-kernel-2.4.19-mips - several vulnerabilities {CAN-2003-0961 CAN-2003-0985 CAN-2004-0077} NOTE: 2.4.19 not present. Did not check newer kernels. [24 Feb 2004] DSA-449 metamail - buffer overflow, format string bugs {CAN-2004-0104 CAN-2004-0105} - metamail 2.7-45.2 [22 Feb 2004] DSA-448 pwlib - several vulnerabilities {CAN-2004-0097} - pwlib 1.5.2-4 [22 Feb 2004] DSA-447 hsftp - format string {CAN-2004-0159} ! hsftp 1.15-1 [21 Feb 2004] DSA-446 synaesthesia - insecure file creation {CAN-2004-0160} DSA notes not setuid anymore so ok [21 Feb 2004] DSA-445 lbreakout2 - buffer overflow {CAN-2004-0158} - lbreakout2 2.4 [20 Feb 2004] DSA-444 linux-kernel-2.4.17-ia64 - missing function return value check {CAN-2004-0077} NOTE: 2.4.17 not present. Did not check newer kernels. [19 Feb 2004] DSA-443 xfree86 - several vulnerabilities {CAN-2003-0690} - xfree86 4.3.0-0pre1v2 {CAN-2004-0083 CAN-2004-0084 CAN-2004-0106} - xfree86 4.3.0-1 {CAN-2004-0093 CAN-2004-0094} - xfree86 4.2.1-6 [19 Feb 2004] DSA-442 linux-kernel-2.4.17-s390 - several vulnerabilities {CAN-2003-0001 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248 CAN-2003-0364 CAN-2003-0961 CAN-2003-0985 CAN-2004-0077 CVE-2002-0429} NOTE: 2.4.17 not present. Did not check newer kernels. [18 Feb 2004] DSA-441 linux-kernel-2.4.17-mips+mipsel - missing function return value check {CAN-2004-0077} NOTE: 2.4.17 not present. Did not check newer kernels. [18 Feb 2004] DSA-440 linux-kernel-2.4.17-powerpc-apus - several vulnerabilities {CAN-2003-0961 CAN-2003-0985 CAN-2004-0077} NOTE: 2.4.17 not present. Did not check newer kernels. [18 Feb 2004] DSA-439 linux-kernel-2.4.16-arm - several vulnerabilities {CAN-2003-0961 CAN-2003-0985 CAN-2004-0077} NOTE: 2.4.16 not present. Did not check newer kernels. [18 Feb 2004] DSA-438 linux-kernel-2.4.18-alpha+i386+powerpc - missing function return value check {CAN-2004-0077} NOTE: 2.4.17 not present. Did not check newer kernels. [11 Feb 2004] DSA-437 cgiemail - open mail relay {CAN-2002-1575} - cgiemail 1.6-20 [08 Feb 2004] DSA-436 mailman - several vulnerabilities {CAN-2003-0991} NOTE: apparently specific to mailman 2.0, not 2.1? {CAN-2003-0965} - mailman 2.1.4-1 {CAN-2003-0038} - mailman 2.1.1-1 [06 Feb 2004] DSA-435 mpg123 - heap overflow {CAN-2003-0865} - mpg123 0.59r-15 [05 Feb 2004] DSA-434 gaim - several vulnerabilities {CAN-2004-0005 CAN-2004-0006 CAN-2004-0007 CAN-2004-0008} - gaim 1:0.75-2 [04 Feb 2004] DSA-433 kernel-patch-2.4.17-mips - integer overflow {CAN-2003-0961} NOTE: 2.4.17 not present. Did not check newer kernels. [03 Feb 2004] DSA-432 crawl - buffer overflow {CAN-2004-0103} - crawl 4.0.0beta26-4 [01 Feb 2004] DSA-431 perl - information leak {CAN-2003-0618} - perl 5.8.3-3 [28 Jan 2004] DSA-430 trr19 - missing privilege release {CAN-2004-0047} ! trr19 (unfixed; bug #264702) [26 Jan 2004] DSA-429 gnupg - cryptographic weakness {CAN-2003-0971} - gnupg 1.2.4-1 [20 Jan 2004] DSA-428 slocate - buffer overflow {CAN-2003-0848} ! slocate (unfixed; bug #226103) [19 Jan 2004] DSA-427 linux-kernel-2.4.17-mips+mipsel - missing boundary check {CAN-2003-0985} NOTE: 2.4.17 not present. Did not check newer kernels. [18 Jan 2004] DSA-426 netpbm-free - insecure temporary files {CAN-2003-0924} - netpbm-free 2:9.25-9 [16 Jan 2004] DSA-425 tcpdump - multiple vulnerabilities {CAN-2003-1029 CAN-2003-0989 CAN-2004-0055 CAN-2004-0057} HELP: No idea if this is fixed, we have a new upstream version HELP: that came out after these advisories, but neither the debian nor HELP: the upstream changelog seem to mention them. NOTE: Mailed maintainr. [16 Jan 2004] DSA-424 mc - buffer overflow {CAN-2003-1023} - mc 1:4.6.0-4.6.1-pre1-1 [15 Jan 2004] DSA-423 linux-kernel-2.4.17-ia64 - several vulnerabilities {CAN-2003-0001 CAN-2003-0018 CAN-2003-0127 CAN-2003-0461 CAN-2003-0462 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552 CAN-2003-0961 CAN-2003-0985} NOTE: 2.4.17 not present. Did not check newer kernels. [13 Jan 2004] DSA-422 cvs - remote vulnerability - cvs 1.11.11 [12 Jan 2004] DSA-421 mod-auth-shadow - password expiration {CAN-2004-0041} - mod-auth-shadow 1.4-1 [12 Jan 2004] DSA-420 jitterbug - improperly sanitised input {CAN-2004-0028} - jitterbug 1.6.2-4.5 [09 Jan 2004] DSA-419 phpgroupware - missing filename sanitising, SQL injection {CAN-2004-0016 CAN-2004-0017} - phpgroupware 0.9.14.007-4 [07 Jan 2004] DSA-418 vbox3 - privilege leak {CAN-2004-0015} - vbox3 0.1.8 [07 Jan 2004] DSA-417 linux-kernel-2.4.18-powerpc+alpha - missing boundary check {CAN-2003-0961 CAN-2003-0985} NOTE: 2.4.18 not present. Did not check newer kernels. [06 Jan 2004] DSA-416 fsp - buffer overflow, directory traversal {CAN-2003-1022, CAN-2004-0011} - fsp 2.81.b18-1 [06 Jan 2004] DSA-415 zebra - denial of service {CAN-2003-0795 CAN-2003-0858} - quagga 0.96.4x-4 [06 Jan 2004] DSA-414 jabber - denial of service {CAN-2004-0013} - jabber 1.4.3-1 [06 Jan 2004] DSA-413 linux-kernel-2.4.18 - missing boundary check {CAN-2003-0985} NOTE: 2.4.18 not present. Did not check newer kernels. [05 Jan 2004] DSA-412 nd - buffer overflows {CAN-2004-0014} - nd 0.8.2-1 [05 Jan 2004] DSA-411 mpg321 - format string vulnerability {CAN-2003-0969} - mpg321 0.2.10.3 [05 Jan 2004] DSA-410 libnids - buffer overflow {CAN-2003-0850} - libnids 1.18-1 [05 Jan 2004] DSA-409 bind - denial of service {CAN-2003-0914} - bind 1:8.4.3-1 [05 Jan 2004] DSA-408 screen - integer overflow {CAN-2003-0972} - screen 4.0.2-0.1 [05 Jan 2004] DSA-407 ethereal - buffer overflows {CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 CAN-2003-1012 CAN-2003-1013 - ethereal 0.10.0-1 [05 Jan 2004] DSA-406 lftp - buffer overflow - lftp 2.6.10-1 [30 Dec 2003] DSA-405 xsok - missing privilege release {CAN-2003-0949} - xsok 1.02-11 [04 Dec 2003] DSA-404 rsync - heap overflow {CAN-2003-0962} - rsync 2.5.6-1.1 [01 Dec 2003] DSA-403 kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-source-2.4.18 - local root exploit {CAN-2003-0961} NOTE: 2.4.18 not present in sarge, did not check newer kernels. [17 Nov 2003] DSA-402 minimalist - unsanitised input {CAN-2003-0902} - minimalist 2.4-1 [17 Nov 2003] DSA-401 hylafax - format strings {CAN-2003-0886} - hylafax 1:4.1.8-1 [11 Nov 2003] DSA-400 omega-rpg - buffer overflow {CAN-2003-0932} - omega-rpg 0.90-pa9-11 [10 Nov 2003] DSA-399 epic4 - buffer overflow {CAN-2003-0328} - epic4 1:1.1.11.20030409-2 [10 Nov 2003] DSA-398 conquest - buffer overflow {CAN-2003-0933} - conquest 7.2-5 [07 Nov 2003] DSA-397 postgresql - buffer overflow {CAN-2003-0901} - postgresql 7.3.4 [29 Oct 2003] DSA-396 thttpd - missing input sanitizing, wrong calculation {CAN-2002-1562 CAN-2003-0899} - thttpd 2.23beta1-2.3 [15 Oct 2003] DSA-395 tomcat4 - incorrect input handling {CAN-2003-0866} ! tomcat4 4.1.24-2 NOTE another RC (unreproducible?) bug and missing deps (#263201) NOTE are keeping the fix out of testing [11 Oct 2003] DSA-394 openssl095 - ASN.1 parsing vulnerability {CAN-2003-0543 CAN-2003-0544 CAN-2003-0545} - openssl 0.9.7c - openssl096 0.9.6k [01 Oct 2003] DSA-393 openssl - denial of service {CAN-2003-0543 CAN-2003-0544 CAN-2003-0545} - openssl 0.9.7c - openssl096 0.9.6k [29 Sep 2003] DSA-392 webfs - buffer overflows, file and directory exposure {CAN-2003-0832 CAN-2003-0833} - webfs 1.20 [28 Sep 2003] DSA-391 freesweep - buffer overflow {CAN-2003-0828} - freesweep 0.88-4.1 [26 Sep 2003] DSA-390 marbles - buffer overflow {CAN-2003-0830} NOTE not present in sid, sarge [20 Sep 2003] DSA-389 ipmasq - insecure packet filtering rules {CAN-2003-0785} - ipmasq 3.5.12 [19 Sep 2003] DSA-388 kdebase - several vulnerabilities {CAN-2003-0690 CAN-2003-0692} - kdebase 4:3.2 [18 Sep 2003] DSA-387 gopher - buffer overflows {CAN-2003-0805} - gopher 3.0.6 [18 Sep 2003] DSA-386 libmailtools-perl - input validation bug {CAN-2002-1271} - libmailtools-perl 1.51 [18 Sep 2003] DSA-385 hztty - buffer overflows {CAN-2003-0783} - hztty 2.0-6 [17 Sep 2003] DSA-384 sendmail - buffer overflows {CAN-2003-0681 CAN-2003-0694} - sendmail 8.12.10-1 [17 Sep 2003] DSA-383 ssh-krb5 - possible remote vulnerability {CAN-2003-0693} {CAN-2003-0695} {CAN-2003-0682} HELP: Screwy changelog does not make sense. Filed bug. [16 Sep 2003] DSA-382 ssh - possible remote vulnerability {CAN-2003-0693} - openssh 1:3.6.1p2-6.0 {CAN-2003-0695} - openssh 1:3.7.1 {CAN-2003-0682} - openssh 1:3.6.1p2-9 [13 Sep 2003] DSA-381 mysql - buffer overflow {CAN-2003-0780} - mysql-dfsg 4.0.15-1 [12 Sep 2003] DSA-380 xfree86 - buffer overflows, denial of service {CAN-2003-0063} - xfree86 4.2.1-11 {CAN-2003-0071} - xfree86 4.2.1-11 {CAN-2002-0164} - xfree86 4.2.1-11 {CAN-2003-0730} - xfree86 4.2.1-12 [11 Sep 2003] DSA-379 sane-backends - several vulnerabilities {CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778} - sane-backends 1.0.11-1 [07 Sep 2003] DSA-378 mah-jong - buffer overflows, denial of service {CAN-2003-0705 CAN-2003-0706} - mah-jong 1.5.6-2 [04 Sep 2003] DSA-377 wu-ftpd - insecure program execution {CVE-1999-0997} - wu-ftpd 2.6.2-15 [04 Sep 2003] DSA-376 exim - buffer overflow {CAN-2003-0743} - exim 3.36-8 [29 Aug 2003] DSA-375 node - buffer overflow, format string {CAN-2003-0707 CAN-2003-0708} - node 0.3.2-1 [26 Aug 2003] DSA-374 libpam-smb - buffer overflow {CAN-2003-0686} NOTE: not in sid/sarge [16 Aug 2003] DSA-373 autorespond - buffer overflow {CAN-2003-0654} - autorespond 2.0.4-1 [16 Aug 2003] DSA-372 netris - buffer overflow {CAN-2003-0685} - netris 0.52-1 [11 Aug 2003] DSA-371 perl - cross-site scripting {CAN-2003-0615} - perl 5.8.0-19 [08 Aug 2003] DSA-370 pam-pgsql - format string {CAN-2003-0672} - pam-pgsql 0.5.2-7 [08 Aug 2003] DSA-369 zblast - buffer overflow {CAN-2003-0613} - zblast 1.2.1-7 [08 Aug 2003] DSA-368 xpcd - buffer overflow {CAN-2003-0649} - xpcd 2.08-9 [08 Aug 2003] DSA-367 xtokkaetama - buffer overflow {CAN-2003-0652} - xtokkaetama 1.0b-9 [05 Aug 2003] DSA-366 eroaster - insecure temporary file {CAN-2003-0656} - eroaster 2.2.0-0.5-1 [05 Aug 2003] DSA-365 phpgroupware - several vulnerabilities {CAN-2003-0504 CAN-2003-0599 CAN-2003-0657} - phpgroupware 0.9.14.007-1) [04 Aug 2003] DSA-364 man-db - buffer overflows, arbitrary command execution {CAN-2003-0620 CAN-2003-0645} - man-db 2.4.1-13 [03 Aug 2003] DSA-363 postfix - denial of service, bounce-scanning {CAN-2003-0468 CAN-2003-0540} - postfix 1.1.12 [02 Aug 2003] DSA-362 mindi - insecure temporary file {CAN-2003-0617} - mindi 0.86-1 [01 Aug 2003] DSA-361 kdelibs, kdelibs-crypto - several vulnerabilities {CAN-2003-0459 CAN-2003-0370} - kdelibs 4:3.1.3-1 [01 Aug 2003] DSA-360 xfstt - several vulnerabilities {CAN-2003-0581} - xfstt 1.5-1 {CAN-2003-0625} - xfstt 1.5.1-1 [31 Jul 2003] DSA-359 atari800 - buffer overflows {CAN-2003-0630} - atari800 1.3.1-2 [31 Jul 2003] DSA-358 linux-kernel-2.4.18 - several vulnerabilities {CAN-2003-0461 CAN-2003-0462 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552 CAN-2003-0018 CAN-2003-0619 CAN-2003-0643} NOTE: 2.4.18/2.4.20 not in unstable/testing. Did not check newer ones. [31 Jul 2003] DSA-357 wu-ftpd - remote root exploit - wu-ftpd 2.6.2-12 [30 Jul 2003] DSA-356 xtokkaetama - buffer overflows {CAN-2003-0611} - xtokkaetama 1.0b-8 [30 Jul 2003] DSA-355 gallery - cross-site scripting {CAN-2003-0614} - gallery 1.3.4-3 [29 Jul 2003] DSA-354 xconq - buffer overflows {CAN-2003-0607} - xconq 7.4.1-2.1 [29 Jul 2003] DSA-353 sup - insecure temporary file {CAN-2003-0606} - sup 1.8-9 [22 Jul 2003] DSA-352 fdclone - insecure temporary directory {CAN-2003-0596} - fdclone 2.04-1 [16 Jul 2003] DSA-351 php4 - cross-site scripting {CAN-2003-0442} - php4 4:4.3.2+rc3-1 [15 Jul 2003] DSA-350 falconseye - buffer overflow {CAN-2003-0358} NOTE: note in testing, fixed in unstable - falconseye 1.9.3-9 [14 Jul 2003] DSA-349 nfs-utils - buffer overflow {CAN-2003-0252} - nfs-utils 1:1.0.3-2 [11 Jul 2003] DSA-348 traceroute-nanog - integer overflow, buffer overflow {CAN-2003-0453} - traceroute-nanog 6.1.1-1.3 [08 Jul 2003] DSA-347 teapop - SQL injection {CAN-2003-0515} - teapop 0.3.5-2 [08 Jul 2003] DSA-346 phpsysinfo - directory traversal {CAN-2003-0536} - phpsysinfo 2.1-1 [08 Jul 2003] DSA-345 xbl - buffer overflow {CAN-2003-0535} - xbl 1.0k-6 [08 Jul 2003] DSA-344 unzip - directory traversal {CAN-2003-0282 - unzip 5.50-3 [08 Jul 2003] DSA-343 skk, ddskk - insecure temporary file {CAN-2003-0539} - skk 10.62a-6 - ddskk 12.1.cvs.20030622-1 [07 Jul 2003] DSA-342 mozart - unsafe mailcap configuration {CAN-2003-0538} NOTE: mozart is not in sarge - mozart 1.2.5.20030212-2 [07 Jul 2003] DSA-341 liece - insecure temporary file {CAN-2003-0537} - liece 2.0+0.20030527cvs-1 [06 Jul 2003] DSA-340 x-face-el - insecure temporary file - x-face-el 1.3.6.23-1 [06 Jul 2003] DSA-339 semi - insecure temporary file {CAN-2003-0440} - semi 1.14.5+20030609-1 [29 Jun 2003] DSA-338 proftpd - SQL injection {CAN-2003-0500} - proftpd 1.2.8-8 [29 Jun 2003] DSA-337 gtksee - buffer overflow {CAN-2003-0444} ! gtksee 0.5.6-1 NOTE: security hole was unfixed for 1 year in unstable until NMU NOTE: effectively unmaintained [29 Jun 2003] DSA-336 linux-kernel-2.2.20 - several vulnerabilities {CAN-2002-1380 CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0364 CAN-2003-0246 CAN-2003-0244 CAN-2003-0247 CAN-2003-0248} - kernel-source-2.2.25 2.2.25-3 NOTE: did not check newer kernels [28 Jun 2003] DSA-335 mantis - incorrect permissions {CAN-2003-0499} - mantis 0.17.5-6 [28 Jun 2003] DSA-334 xgalaga - buffer overflows {CAN-2003-0454} - xgalaga 2.0.34-22 [27 Jun 2003] DSA-333 acm - integer overflow {CVE-2002-0391} - acm 5.0-10 [27 Jun 2003] DSA-332 linux-kernel-2.4.17 - several vulnerabilities {CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248 CAN-2003-0364} NOTE: note in the archive, and did not check newer kernels [27 Jun 2003] DSA-331 imagemagick - insecure temporary file {CAN-2003-0455} - imagemagick 4:5.5.7-1 [23 Jun 2003] DSA-330 tcptraceroute - failure to drop root privileges {CAN-2003-0489} - tcptraceroute 1.4-4 [20 Jun 2003] DSA-329 osh - buffer overflows {CAN-2003-0452} - osh 1.7-12 [19 Jun 2003] DSA-328 webfs - buffer overflow {CAN-2003-0445} - webfs 1.20 [19 Jun 2003] DSA-327 xbl - buffer overflows {CAN-2003-0451} - xbl 1.0k-5 [19 Jun 2003] DSA-326 orville-write - buffer overflows {CAN-2003-0441} - orville-write 2.54-1 [19 Jun 2003] DSA-325 eldav - insecure temporary file {CAN-2003-0438} - eldav 0.7.2-1 [18 Jun 2003] DSA-324 ethereal - several vulnerabilities {CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432} - ethereal 0.9.13-1. [16 Jun 2003] DSA-323 noweb - insecure temporary files {CAN-2003-0381} - noweb 2.10c-2 [16 Jun 2003] DSA-322 typespeed - buffer overflow {CAN-2003-0435} - typespeed 0.4.4 [13 Jun 2003] DSA-321 radiusd-cistron - buffer overflow {CAN-2003-0450} - radiusd-cistron 1.6.6-2 [13 Jun 2003] DSA-320 mikmod - buffer overflow {CAN-2003-0427} - mikmod 3.1.6-6 [12 Jun 2003] DSA-319 webmin - session ID spoofing {CAN-2003-0101} - webmin 1.070-1 [12 Jun 2003] DSA-318 lyskom-server - denial of service {CAN-2003-0366} - lyskom-server 2.0.7-2 [11 Jun 2003] DSA-317 cupsys - denial of service {CAN-2003-0195} - cupsys 1.1.19final-1 [11 Jun 2003] DSA-316 nethack - buffer overflow, incorrect permissions {CAN-2003-0358 CAN-2003-0359} - nethack 3.4.1-1 NOTE: DSA contains some strange non-nethack version numbers [11 Jun 2003] DSA-315 gnocatan - buffer overflows, denial of service {CAN-2003-0433} HELP: no mention of any security fixes in debian changelog, HELP: upstream changelog. Mailed maintainer. [11 Jun 2003] DSA-314 atftp - buffer overflow {CAN-2003-0380} - atftp 0.6.2 [11 Jun 2003] DSA-313 ethereal - buffer overflows, integer overflows {CAN-2003-0356 CAN-2003-0357} - ethereal 0.9.12-1 [09 Jun 2003] DSA-312 kernel-patch-2.4.18-powerpc - several vulnerabilities {CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248} NOTE: not in unstable/testing. Did not check other versions. [08 Jun 2003] DSA-311 linux-kernel-2.4.18 - several vulnerabilities {CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248 CAN-2003-0364} NOTE: not in unstable/testing. Did not check other versions. [08 Jun 2003] DSA-310 xaos - improper setuid-root execution {CAN-2003-0385} - xaos 3.1r-4 [06 Jun 2003] DSA-309 eterm - buffer overflow {CAN-2003-0382} - eterm 0.9.2-1 [06 Jun 2003] DSA-308 gzip - insecure temporary files {CVE-1999-1332 CAN-2003-0367} - gzip 1.3.5-6 [27 May 2003] DSA-307 gps - multiple vulnerabilities {CAN-2003-0361 CAN-2003-0360 CAN-2003-0362} - gps 1.1.0-1 [19 May 2003] DSA-306 ircii-pana - buffer overflows, integer overflow {CAN-2003-0321 CAN-2003-0322 CAN-2003-0328} - ircii-pana 1:1.0-0c19-8 [15 May 2003] DSA-305 sendmail - insecure temporary files {CAN-2003-0308} - sendmail 8.12.9-2 [15 May 2003] DSA-304 lv - privilege escalation {CAN-2003-0188} - lv 4.49.5-2 [15 May 2003] DSA-303 mysql - privilege escalation {CAN-2003-0073} - mysql-dfsg 4.0.12-2 {CAN-2003-0150} HELP: not sure if this is fixed [07 May 2003] DSA-302 fuzz - privilege escalation {CAN-2003-0261} - fuzz 0.6-7.1 [07 May 2003] DSA-301 libgtop - buffer overflow {CAN-2001-0928} - libgtop 1.0.13-4 [06 May 2003] DSA-300 balsa - buffer overflow {CAN-2003-0167} - balse 2.0.10 [06 May 2003] DSA-299 leksbot - improper setuid-root execution {CAN-2003-0262} - lexbot 1.2-5 [02 May 2003] DSA-298 epic4 - buffer overflows {CAN-2003-0323} - epic4 1:1.1.11.20030409-1 [01 May 2003] DSA-297 snort - integer overflow, buffer overflow {CAN-2003-0033 CAN-2003-0209} - snort 2.0.0-1 [30 Apr 2003] DSA-296 kdebase - insecure execution {CAN-2003-0204} - kdebase 4:3.1.0-1 [30 Apr 2003] DSA-295 pptpd - buffer overflow {CAN-2003-0213} - pptpd 1.1.4-0.b3.2 [23 Apr 2003] DSA-294 gkrellm-newsticker - missing quoting, incomplete parser {CAN-2003-0205 CAN-2003-0206} NOTE: not in unstable/testing [23 Apr 2003] DSA-293 kdelibs - insecure execution {CAN-2003-0204} - kdebase 4:3.1.0-1 [22 Apr 2003] DSA-292 mime-support - insecure temporary file creation {CAN-2003-0214} - mime-support 3.23-1 [22 Apr 2003] DSA-291 ircii - buffer overflows {CAN-2003-0323} - ircii 20030315-1 [17 Apr 2003] DSA-290 sendmail-wide - char-to-int conversion {CAN-2003-0161} - sendmail-wide 8.12.9+3.5Wbeta-1 [17 Apr 2003] DSA-289 rinetd - incorrect memory resizing {CAN-2003-0212} - rinetd 0.61-2 [17 Apr 2003] DSA-288 openssl - several vulnerabilities {CAN-2003-0147 CAN-2003-0131} - openssl 0.9.7b-1 - openssl096 0.9.6j-1 [15 Apr 2003] DSA-287 epic - buffer overflows {CAN-2003-0324} - epic4 1:1.1.11.20030409-1 [14 Apr 2003] DSA-286 gs-common - insecure temporary file {CAN-2003-0207} - gs-common 0.3.3.1 [14 Apr 2003] DSA-285 lprng - insecure temporary file {CAN-2003-0136} - lprng 3.8.20-4. [12 Apr 2003] DSA-284 kdegraphics - insecure execution {CAN-2003-0204} - kdegraphics 4:3.1.0-1 [11 Apr 2003] DSA-283 xfsdump - insecure file creation {CAN-2003-0173} - xfsdump 2.2.8-1 [09 Apr 2003] DSA-282 glibc - integer overflow {CAN-2003-0028} - glibc 2.3.1-16 [08 Apr 2003] DSA-281 moxftp - buffer overflow {CAN-2003-0203} - moxftp 2.2-18.20 [07 Apr 2003] DSA-280 samba - buffer overflow {CAN-2003-0201 CAN-2003-0196} - samba 3.0 [07 Apr 2003] DSA-279 metrics - insecure temporary file creation {CAN-2003-0202} NOTE: note in unstable/testing [04 Apr 2003] DSA-278 sendmail - char-to-int conversion {CAN-2003-0161} - sendmail 8.12.9-1 [03 Apr 2003] DSA-277 apcupsd - buffer overflows, format string {CAN-2003-0098 CAN-2003-0099} - apcupsd 3.8.5-1.2 [03 Apr 2003] DSA-276 linux-kernel-s390 - local privilege escalation {CAN-2003-0127} NOTE: this version is not in sarge, did not check others [02 Apr 2003] DSA-275 lpr-ppd - buffer overflow {CAN-2003-0144} - lpr-ppd 1:0.72-3 [28 Mar 2003] DSA-274 mutt - buffer overflow {CAN-2003-0167} - mutt 1.4.0 [28 Mar 2003] DSA-273 krb4 - Cryptographic weakness {CAN-2003-0138 CAN-2003-0139} - krb4 1.2.2-1 [28 Mar 2003] DSA-272 dietlibc - integer overflow {CAN-2003-0028} - dietlibc 0.22-2 [27 Mar 2003] DSA-271 ecartis - unauthorized password change {CAN-2003-0162} - ecartis 1.0.0+cvs.20030321-1 [27 Mar 2003] DSA-270 linux-kernel-mips - local privilege escalation {CAN-2003-0127} NOTE: not in unstable/testing, did not check other versions [26 Mar 2003] DSA-269 heimdal - Cryptographic weakness {CAN-2003-0138} - heimdal 0.5.2-1 [25 Mar 2003] DSA-268 mutt - buffer overflow {CAN-2003-0140} - mutt 1.5.4-1 [24 Mar 2003] DSA-267 lpr - buffer overflow {CAN-2003-0144} - lpr 1:2000.05.07-4.20 [24 Mar 2003] DSA-266 krb5 - several vulnerabilities {CAN-2003-0028} - krb5 1.3.3-2 NOTE: changelog does not mention this one, verified patch from NOTE: Tom Yu was applied to this version. {CAN-2003-0072} - krb5 1.2.7-3 NOTE: changelog does not mention this one, verified patch from NOTE: upstream was applied to this version. {CAN-2003-0082} - krb5 1.3.3-2 {CAN-2003-0138 VU#623217} - krb5 1.2.7-3 {CAN-2003-0139 VU#442569} - krb5 1.2.7-3 [21 Mar 2003] DSA-265 bonsai - several vulnerabilities {CAN-2003-0152 CAN-2003-0153 CAN-2003-0154 CAN-2003-0155} - bonsai 1.3+cvs20030317-1 [19 Mar 2003] DSA-264 lxr - missing filename sanitizing {CAN-2003-0156} - lxr 0.3-4 [17 Mar 2003] DSA-263 netpbm-free - math overflow errors {CAN-2003-0146} - netpbm-free 2:9.20-9 [15 Mar 2003] DSA-262 samba - remote exploit {CAN-2003-0085 CAN-2003-0086} - samba 2.2.8 [14 Mar 2003] DSA-261 tcpdump - infinite loop {CAN-2003-0093 CAN-2003-0145} NOTE: DSA reports sid was not affected, sarge has sid version [13 Mar 2003] DSA-260 file - buffer overflow {CAN-2003-0102} - file 3.40-1.1 [12 Mar 2003] DSA-259 qpopper - mail user privilege escalation {CAN-2003-0143} - qpopper 4.0.4-9 [10 Mar 2003] DSA-258 ethereal - format string vulnerability {CAN-2003-0081} - ethereal 0.9.9-2 [04 Mar 2003] DSA-257 sendmail - remote exploit {CAN-2002-1337} - sendmail 8.12.8 [28 Feb 2003] DSA-256 mhc - insecure temporary file {CAN-2003-0120} - mhc 0.25+20030224-1 [27 Feb 2003] DSA-255 tcpdump - infinite loop {CAN-2003-0108 CAN-2002-0380} - tcpdump 3.7.1-1.2 [27 Feb 2003] DSA-254 traceroute-nanog - buffer overflow {CAN-2002-1051 CAN-2002-1364 CAN-2002-1386 CAN-2002-1387} - traceroute-nanog 6.3.0-1 [24 Feb 2003] DSA-253 openssl - information leak {CAN-2003-0078} - openssl 0.9.7a-1 [21 Feb 2003] DSA-252 slocate - buffer overflow {CAN-2003-0056} - slocate 2.7-1 [14 Feb 2003] DSA-251 w3m - missing HTML quoting {CAN-2002-1335 CAN-2002-1348} - w3m 0.3.2.2-1 [12 Feb 2003] DSA-250 w3mmee-ssl - missing HTML quoting {CAN-2002-1335 CAN-2002-1348} NOTE: not in sid/sarge [11 Feb 2003] DSA-249 w3mmee - missing HTML quoting {CAN-2002-1335 CAN-2002-1348} - w3mmee 0.3.p24.17-3 [31 Jan 2003] DSA-248 hypermail - buffer overflows {CAN-2003-0057} - hypermail 2.1.6-1 [30 Jan 2003] DSA-247 courier-ssl - missing input sanitizing {CAN-2003-0040} - courier 0.40.2-3 [29 Jan 2003] DSA-246 tomcat - information exposure, cross site scripting {CAN-2003-0042 CAN-2003-0043 CAN-2003-0044} NOTE: tomcat not in sid/sarge NOTE: tomcat4 not affected [28 Jan 2003] DSA-245 dhcp3 - ignored counter boundary {CAN-2003-0039} - dhcp3 1.1.2-1 [27 Jan 2003] DSA-244 noffle - buffer overflows {CAN-2003-0037} - noffle 1.1.2-1 [24 Jan 2003] DSA-243 kdemultimedia - several vulnerabilities {CAN-2002-1393} - kdemultimedia 4:3.1 [24 Jan 2003] DSA-242 kdebase - several vulnerabilities {CAN-2002-1393} - kdebase 4:3.1 [24 Jan 2003] DSA-241 kdeutils - several vulnerabilities {CAN-2002-1393} - kdeutils 4:3.1 [23 Jan 2003] DSA-240 kdegames - several vulnerabilities {CAN-2002-1393} - kdegames 4:3.1 [23 Jan 2003] DSA-239 kdesdk - several vulnerabilities {CAN-2002-1393} - kdesdk 4:3.1 [23 Jan 2003] DSA-238 kdepim - several vulnerabilities {CAN-2002-1393} - kdepim 4:3.1 [22 Jan 2003] DSA-237 kdenetwork - several vulnerabilities {CAN-2002-1393} - kdenetwork 4:3.1 [22 Jan 2003] DSA-236 kdelibs - several vulnerabilities {CAN-2002-1393} - kdelibs 4:3.1 [22 Jan 2003] DSA-235 kdegraphics - several vulnerabilities {CAN-2002-1393} - kdegraphics 4:3.1 [22 Jan 2003] DSA-234 kdeadmin - several vulnerabilities {CAN-2002-1393} - kdeadmin 4:3.1 [21 Jan 2003] DSA-233 cvs - doubly freed memory {CAN-2003-0015} - cvs 1.11.2-5.1 [20 Jan 2003] DSA-232 cupsys - several vulnerabilities {CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369 CAN-2002-1371 CAN-2002-1372 CAN-2002-1383 CAN-2002-1384} - cupsys 1.1.18-1 [17 Jan 2003] DSA-231 dhcp3 - stack overflows {CAN-2003-0026} - dhcp3 3.0+3.0.1rc11-1 [16 Jan 2003] DSA-230 bugzilla - insecure permissions, spurious backup files NOTE: not in testing due to 3 newer security holes {CAN-2003-0012} - bugzilla 2.16.2 {CAN-2003-0013} - bugzilla 2.16.2 [15 Jan 2003] DSA-229 imp - SQL injection {CAN-2003-0025} NOTE: I think imp3 is ok. [14 Jan 2003] DSA-228 libmcrypt - buffer overflows and memory leak {CAN-2003-0031 CAN-2003-0032} - libmcrypt 2.5.5-1 [13 Jan 2003] DSA-227 openldap2 - buffer overflows and other bugs {CAN-2002-1378 CAN-2002-1379 CAN-2002-1508} - openldap2 2.0.27-3 [10 Jan 2003] DSA-226 xpdf-i - integer overflow {CAN-2002-1384} - xpdf 2.01-2 [09 Jan 2003] DSA-225 tomcat4 - source disclosure {CAN-2002-1394} ! tomcat4 4.1.16-1 NOTE another RC (unreproducible?) bug and missing deps (#263201) NOTE are keeping the fix out of testing NOTE this is the second unfixed security hole in tomcat4 in testing.. [08 Jan 2003] DSA-224 canna - buffer overflow and more {CAN-2002-1158 CAN-2002-1159} - canna 3.6p1-1 [07 Jan 2003] DSA-223 geneweb - information exposure {CAN-2002-1390} - geneweb 4.09-1 [06 Jan 2003] DSA-222 xpdf - integer overflow {CAN-2002-1384} - xpdf 2.01-2 [03 Jan 2003] DSA-221 mhonarc - cross site scripting {CAN-2002-1388} - mhonarc 2.5.14-1 [02 Jan 2003] DSA-220 squirrelmail - cross site scripting {CAN-2002-1341} - squirrelmail 1:1.3.2-2 ------- These processed by Djoumé SALVETTI <salvetti@crans.org> ----- [31 Dec 2002] DSA-219 dhcpcd - remote command execution {CAN-2002-1403} - dhcpcd 1.3.22pl2-2 [30 Dec 2002] DSA-218 bugzilla - cross site scripting NOTE: not in testing, fixed in unstable (bugzilla 2.16.2-1). [27 Dec 2002] DSA-217 typespeed - buffer overflow {CAN-2002-1389} - typespeed 0.4.2-2 [24 Dec 2002] DSA-216 fetchmail - buffer overflow {CAN-2002-1365} - fetchmail 6.2.0-1 [23 Dec 2002] DSA-215 cyrus-imapd - buffer overflow {CAN-2002-1580} - cyrus-imapd 1.5.19-9.10 [20 Dec 2002] DSA-214 kdnetwork - buffer overflows {CAN-2002-1306} - kdenetwork 2.2.2-14.20 NOTE: there is a typo in the DSA, the name of the package is kdenetwork. [19 Dec 2002] DSA-213 libpng - buffer overflow {CAN-2002-1363} - libpng 1.0.12-7 - libpng3 1.2.5-8 [17 Dec 2002] DSA-212 mysql - multiple problems {CAN-2002-1373 CAN-2002-1374 CAN-2002-1375 CAN-2002-1376} - mysql-dfsg 4.0.7.gamma-1 [13 Dec 2002] DSA-211 micq - denial of service {CAN-2002-1362} NOTE: not in testing nor unstable (was fixed in 0.4.9.4-1) [13 Dec 2002] DSA-210 lynx - CRLF injection {CAN-2002-1405} - lynx 2.8.4.1b-4 NOTE: lynx-ssl not in testing nor unstable. [12 Dec 2002] DSA-209 wget - directory traversal {CAN-2002-1344} - wget 1.8.2-8 [12 Dec 2002] DSA-208 perl - broken safe compartment {CAN-2002-1323} - perl 5.8.0-14 [11 Dec 2002] DSA-207 tetex-bin - arbitrary command execution {CAN-2002-0836} - tetex-bin 1.0.7+20021025-4 [10 Dec 2002] DSA-206 tcpdump - denial of service {CAN-2002-1350} - tcpdump 3.7.2-1 [10 Dec 2002] DSA-205 gtetrinet - buffer overflow - gtetrinet 0.4.4-1 NOTE: no CAN not CVE for this one [05 Dec 2002] DSA-204 kdelibs - arbitrary program execution {CAN-2002-1281 CAN-2002-1282} - kdelibs 4:3.1.0-1 [04 Dec 2002] DSA-203 smb2www - arbitrary command execution {CAN-2002-1342} - smb2www 980804-17 [03 Dec 2002] DSA-202 im - insecure temporary files {CAN-2002-1395} - im 141-20 [02 Dec 2002] DSA-201 freeswan - denial of service {CAN-2002-0666 VU#459371} - freeswan 1.99-1 [22 Nov 2002] DSA-200 samba - remote exploit {CAN-2002-1318} - samba 2.99.cvs.20020713-1 [19 Nov 2002] DSA-199 mhonarc - cross site scripting {CAN-2002-1307} - mhonarc 2.5.13-1 [18 Nov 2002] DSA-198 nullmailer - denial of service {CAN-2002-1313} - nullmailer 1.00RC5-17 [15 Nov 2002] DSA-197 courier - buffer overflow {CAN-2002-1311} - courier 0.40.0-1 [14 Nov 2002] DSA-196 bind - several vulnerabilities {CAN-2002-0029 CAN-2002-1219 CAN-2002-1220 CAN-2002-1221} - bind 8.3.3-3 [13 Nov 2002] DSA-195 apache-perl - several vulnerabilities {CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 CAN-2002-1233} - apache-perl 1.3.26-1.1-1.27-3-1 [12 Nov 2002] DSA-194 masqmail - buffer overflows {CAN-2002-1279} - masqmail 0.2.15-1 [11 Nov 2002] DSA-193 kdenetwork - buffer overflow {CAN-2002-1247} - kdenetwok 2.2.2-14.3 [08 Nov 2002] DSA-192 html2ps - arbitrary code execution {CAN-2002-1275} - html2ps 1.0b3-2 [07 Nov 2002] DSA-191 squirrelmail - cross site scripting {CAN-2002-1131 CAN-2002-1132 CAN-2002-1276} - squirrelmail 1.2.8-1.1 [07 Nov 2002] DSA-190 wmaker - buffer overflow {CAN-2002-1277} - wmaker 0.80.1-4 [06 Nov 2002] DSA-189 luxman - local root exploit {CAN-2002-1245} - luxman 0.41-19 [05 Nov 2002] DSA-188 apache-ssl - several vulnerabilities {CAN-2002-0839 CAN-2002-0840 CAN-2002-0843} - apache 1.3.27-0.1 {CAN-2001-0131 CAN-2002-1233} - apache 1.3.27-1 HELP: note sure about this NOTE: I have mailed maintainers {NO-CAN Several buffer overflows in ApacheBench} HELP: I don't know about this NOTE: I have mailed maintainers [04 Nov 2002] DSA-187 apache - several vulnerabilities {CAN-2002-0839 CAN-2002-0840 CAN-2002-0843} - apache 1.3.27-0.1 {CAN-2001-0131 CAN-2002-1233} - apache 1.3.27-1 HELP: note sure about this NOTE: I have mailed maintainers {NO-CAN Several buffer overflows in ApacheBench} HELP: I don't know about this NOTE: I have mailed maintainers [01 Nov 2002] DSA-186 log2mail - buffer overflow {CAN-2002-1251} - log2mail 0.2.6-1 [31 Oct 2002] DSA-185 heimdal - buffer overflow {CAN-2002-1235} - heimdal 0.4e-22 [30 Oct 2002] DSA-184 krb4 - buffer overflow {CAN-2002-1235} - krb4 1.1-11-8 [29 Oct 2002] DSA-183 krb5 - buffer overflow {CAN-2002-1235} - krb5 1.2.6-2 [28 Oct 2002] DSA-182 kdegraphics - buffer overflow {CAN-2002-0838} - kdegraphics 2.2.2-6.9 [22 Oct 2002] DSA-181 libapache-mod-ssl - cross site scripting {CAN-2002-1157} - libapache-mod-ssl 2.8.9-2.3 [21 Oct 2002] DSA-180 nis - information leak {CAN-2002-1232} - nis 3.9-6.2 [18 Oct 2002] DSA-179 gnome-gv - buffer overflow {CAN-2002-0838} - gnome-gv 1.99.7-9 [17 Oct 2002] DSA-178 heimdal - remote command execution {CAN-2002-1225, CAN-2002-1226} - heimdal 0.4e-21 [17 Oct 2002] DSA-177 pam - serious security violation {CAN-2002-1227} - pam 0.76-6 [16 Oct 2002] DSA-176 gv - buffer overflow {CAN-2002-0838} - gv 3.5.8-27 [15 Oct 2002] DSA-175 syslog-ng - buffer overflow {CAN-2002-1200} - syslog-ng 1.5.21-1 [14 Oct 2002] DSA-174 heartbeat - buffer overflow {CAN-2002-1215} - heartbeat 0.4.9.2-1 [09 Oct 2002] DSA-173 bugzilla - privilege escalation {CAN-2002-1196} NOTE: not in testing, fixed in unstable (bugzilla 2.16.0-2.1) [08 Oct 2002] DSA-172 tkmail - insecure temporary files {CAN-2002-1193} NOTE: not in testing nor unstable (was fixed in 4.0beta9-9) [07 Oct 2002] DSA-171 fetchmail - buffer overflows {CAN-2002-1175, CAN-2002-1174} - fetchmail 6.1.0-1 NOTE: fetchmail-ssl not in testing, fixed in unstable (fetchmail-ssl 6.1.0-1) [04 Oct 2002] DSA-170 tomcat4 - source code disclosure {CAN-2002-1148} ! tomcat4 4.1.12-1 NOTE: only 4.0.4-4 in testing (which seems to be vulnerable) [25 Sep 2002] DSA-169 htcheck - cross site scripting {CAN-2002-1195} - htcheck 1.1-1.2 [18 Sep 2002] DSA-168 php - bypassing safe_mode, CRLF injection {CAN-2002-0985 CAN-2002-0986} - php3 3.0.18-23.2 - php4 4.2.3-3 NOTE: php3 is not in testing, it seems to be wait for tiff and gcc transition NOTE: and is out of date on alpha and arm [16 Sep 2002] DSA-167 kdelibs - cross site scripting {CAN-2002-1151} - kdelibs 2.2.2-14 NOTE: there is a typo in the DSA that mentionned Konquerer instead of kdelibs [13 Sep 2002] DSA-166 purity - buffer overflows {CAN-2002-1124} - purity 1-16 [12 Sep 2002] DSA-165 postgresql - buffer overflows {CAN-2002-0972 CAN-2002-1398 CAN-2002-1400 CAN-2002-1401 CVE-2002-1402} - postgresql 7.2.2-2 [10 Sep 2002] DSA-164 cacti - arbitrary code execution {CAN-2002-1477 CAN-2002-1478} - cacti 0.6.8a-2 [09 Sep 2002] DSA-163 mhonarc - cross site scripting {CVE-2002-0738} - mhonarc 2.5.11-1 [06 Sep 2002] DSA-162 ethereal - buffer overflow {CAN-2002-0834} - ethereal 0.9.6-1 [04 Sep 2002] DSA-161 mantis - privilege escalation {CAN-2002-1115 CAN-2002-1116} - mantis 0.17.5-2 [03 Sep 2002] DSA-160 scrollkeeper - insecure temporary file creation {CAN-2002-0662} - scrollkeeper 0.3.11-2 [28 Aug 2002] DSA-159 python - insecure temporary files {CAN-2002-1119} - python2.1 2.1.3-6a - python2.2 2.2.1-8 NOTE: python1.5 not in testing nor unstable (was fixed in 1.5.2-24) NOTE: python2.3 is not vulnerable [27 Aug 2002] DSA-158 gaim - arbitrary program execution {CVE-2002-0989} - gaim 0.59.1-2 [23 Aug 2002] DSA-157 irssi-text - denial of service {CAN-2002-0983} - irssi-text 0.8.5-2 [22 Aug 2002] DSA-156 epic4-script-light - arbitrary script execution {CVE-2002-0984} - epic4-script-light 2.7.30p5-2 [17 Aug 2002] DSA-155 kdelibs - privacy escalation with Konqueror {CAN-2002-0970} - kdelibs 4:2.2.2-14 [15 Aug 2002] DSA-154 fam - privilege escalation {CVE-2002-0875} - fam 2.6.8-1 [14 Aug 2002] DSA-153 mantis - cross site code execution and privilege escalation {CAN-2002-1114 CAN-2002-1113 CAN-2002-1112 CAN-2002-1111 CAN-2002-1110} - mantis 0.17.4a-2 [13 Aug 2002] DSA-152 l2tpd - missing random seed {CVE-2002-0872 CVE-2002-0873} NOTE: not in testing (was fixed in unstable 0.68-1) [13 Aug 2002] DSA-151 xinetd - pipe exposure {CVE-2002-0871} - xinetd 2.3.7-1 [13 Aug 2002] DSA-150 interchange - illegal file exposition {CAN-2002-0874} - interchange 4.8.6-1 [13 Aug 2002] DSA-149 glibc - integer overflow {CVE-2002-0391} - glibc 2.2.5-13 [12 Aug 2002] DSA-148 hylafax - buffer overflows and format string vulnerabilities {CVE-2002-1049 CVE-2002-1050 CAN-2001-1034} - hylafax 4.1.2-2.1 [08 Aug 2002] DSA-147 mailman - cross-site scripting {CAN-2002-0388 CAN-2002-0855} - mailman 2.0.12-1 [08 Aug 2002] DSA-146 dietlibc - integer overflow {CVE-2002-0391} - dietlibc 0.20-0cvs20020808 [07 Aug 2002] DSA-145 tinyproxy - doubly freed memory {CVE-2002-0847} - tinyproxy 1.4.3-3 [06 Aug 2002] DSA-144 wwwoffle - improper input handling {CVE-2002-0818} - wwwoffle 2.7d-1 [05 Aug 2002] DSA-143 krb5 - integer overflow {CVE-2002-0391} - krb5 1.2.5-2 [05 Aug 2002] DSA-142 openafs - integer overflow {CVE-2002-0391} - openafs 1.2.6-1 [01 Aug 2002] DSA-141 mpack - buffer overflow {CAN-2002-1425} - mpack 1.5-9 [05 Aug 2002] DSA-140 libpng - buffer overflow {CAN-2002-0660 CAN-2002-0728} - libpng 1.0.12-4 - libpng3 1.2.1-2 [01 Aug 2002] DSA-139 super - format string vulnerability {CVE-2002-0817} - super 3.18.0-3 [01 Aug 2002] DSA-138 gallery - remote exploit {CAN-2002-1412} - gallery 1.3-3 [30 Jul 2002] DSA-137 mm - insecure temporary files {CVE-2002-0658} - mm 1.1.3-7 [30 Jul 2002] DSA-136 openssl - multiple remote exploits {CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659} - openssl 0.9.6e-1 -- see shy jo
Attachment:
signature.asc
Description: Digital signature