
Debian 1.3.1 r8 released.



Debian 1.3.1 r8 has been released. It contains important security fixes,
including a new version of the bind DNS server which fixes several buffer
overflows present in previous versions of bind. Since this vulnerability is
being actively exploited by crackers to gain root access to machines on the
Internet, we recommend that you upgrade all your Debian machines to Debian
1.3.1 r8 as soon as possible. 

(These fixes are also included in the latest snapshot of 'frozen' and
'unstable'.)

Included is a list of changes since the last stable version. 

  Christian


---  Debian-1.3.1.r8   Sat May 16 14:24:51 CDT 1998

stable/binary-i386/base/debianutils_1.8.9.deb
stable/source/base/debianutils_1.8.9.dsc
stable/source/base/debianutils_1.8.9.tar.gz
debianutils (1.8.9) stable; urgency=HIGH
  * Recompiled for bo to get mktemp and tempfile. fixes #22385.


---  Debian-1.3.1.r7   Mon May 11 14:24:26 CDT 1998

stable/binary-i386/base/textutils_1.22-2.3.deb
stable/source/base/textutils_1.22-2.3.diff.gz
stable/source/base/textutils_1.22-2.3.dsc
textutils (1.22-2.3) stable; urgency=HIGH
  * Reverted previous /tmp patch and applied patch from Paul Eggert instead.
    (... whose patch also fixes a similar problem with tac.)
  * Fixed typo in short description
  * Bo release.


stable/binary-i386/admin/super_3.11.6-0bo1.1.deb
stable/source/admin/super_3.11.6-0bo1.1.diff.gz
stable/source/admin/super_3.11.6-0bo1.1.dsc
stable/source/admin/super_3.11.6.orig.tar.gz
super (3.11.6-0bo1.1) bo-updates; urgency=low
  * New upstream release
  * Includes a security fix
  * New Standards-Version
  * Upload for bo alias stable
  * This package is tested on Joey's machine


stable/binary-i386/admin/sudo_1.5.4-1.1.deb
stable/source/admin/sudo_1.5.4-1.1.diff.gz
stable/source/admin/sudo_1.5.4-1.1.dsc
stable/source/admin/sudo_1.5.4.orig.tar.gz
sudo (1.5.4-1.1) stable; urgency=high
  * libc5 compile
  * non-maintainer upload by joey@debian.org only to upload the security
    fix to stable


stable/binary-i386/mail/smail_3.2.0.92-3.deb
stable/source/mail/smail_3.2.0.92-3.diff.gz
stable/source/mail/smail_3.2.0.92-3.dsc
stable/source/mail/smail_3.2.0.92.orig.tar.gz
smail (3.2.0.92-3) stable; urgency=medium
  * post/pre-inst/rm scripts changed
  * Security fix


stable/binary-i386/admin/secure-su_961025-2.1.deb
stable/binary-i386/base/login_961025-2.1.deb
stable/binary-i386/base/passwd_961025-2.1.deb
stable/source/base/shadow_961025-2.1.diff.gz
stable/source/base/shadow_961025-2.1.dsc
shadow (961025-2.1) stable; urgency=high
  * Non-maintainer upload by one security officer
  * Fixed security problem reported on bugtraq (Bug#20058)


stable/binary-i386/mail/poppassd_1.2-6.deb
stable/source/mail/poppassd_1.2-6.diff.gz
stable/source/mail/poppassd_1.2-6.dsc
poppassd (1.2-6) unstable stable; urgency=low
  * Removed -o option when invoking passwd. Bug #11219
    The new passwd suite does not support the -o option.


stable/binary-i386/interpreters/perl-debug_5.003.07-11.deb
stable/binary-i386/interpreters/perl-suid_5.003.07-11.deb
stable/binary-i386/interpreters/perl_5.003.07-11.deb
stable/source/interpreters/perl_5.003.07-11.diff.gz
stable/source/interpreters/perl_5.003.07-11.dsc
perl (5.003.07-11) stable; urgency=HIGH
  * Non-maintainer release.
  * Applied patch by Todd Miller to fix perl -e /tmp security hole.


stable/binary-i386/net/netstd_2.16-3.deb
stable/source/net/netstd_2.16-3.diff.gz
stable/source/net/netstd_2.16-3.dsc
netstd (2.16-3) stable; urgency=HIGH
  * Recompiled on a real bo machine to remove libc6 dependency.


stable/binary-i386/net/lpr_5.9-20.1.deb
stable/source/net/lpr_5.9-20.1.diff.gz
stable/source/net/lpr_5.9-20.1.dsc
lpr (5.9-20.1) stable; urgency=high
  * Fixed buffer overrun in lprm

stable/binary-i386/base/kernel-image-2.0.33_2.0.33-3.deb
stable/binary-i386/devel/kernel-headers-2.0.33_2.0.33-3.deb
stable/source/devel/kernel-source-2.0.33_2.0.33-3.diff.gz
stable/source/devel/kernel-source-2.0.33_2.0.33-3.dsc
stable/source/devel/kernel-source-2.0.33_2.0.33.orig.tar.gz
kernel-source-2.0.33 (2.0.33-3) stable unstable; urgency=low
  * Built with new kernel-package (3.61).
  * Added support for fat32 (fixes #14042).


stable/binary-i386/net/ircd_2.9.32-3.1.deb
stable/source/net/ircd_2.9.32-3.1.diff.gz
stable/source/net/ircd_2.9.32-3.1.dsc
ircd (2.9.32-3.1) stable unstable; urgency=low
  * Non-maintainer release.
  * Fixed postinst not to use /tmp/$$ which is a security hole [#11764]
  * Fixed permissions on /etc/ircd so that it isn't world readable [#11831,
    #11837 (1/2)].
  * Fixed inetd.conf so that ircd is run as irc and not as root [#11831,
    #11837 (2/2)].
  * Fixed postinst not to use '/' as a separator for sed since that
    character could well be in /etc/news/organization [#11822]
  * Adapted debian/rules to build with altgcc (libc5) so that package can
    go into stable.


stable/binary-i386/base/gzip_1.2.4-26.1.deb
stable/source/base/gzip_1.2.4-26.1.diff.gz
stable/source/base/gzip_1.2.4-26.1.dsc
gzip (1.2.4-26.1) stable; urgency=HIGH
  * Recompiled for bo to get buffer overflow fix.
  * Non-maintainer upload


stable/binary-i386/text/groff_1.10-3.5.deb
stable/source/text/groff_1.10-3.5.diff.gz
stable/source/text/groff_1.10-3.5.dsc
groff (1.10-3.5) stable; urgency=high
  * Compiled under debian-1.3.1 (libc5) as a security bugfix; used
     version number 3.5 (instead of 5) to avoid downgrading for hamm.
  * Avoided execution of arbitrary code embedded in documents;
     added warning WARN_SECURITY, enabled by default, to warn about .sy
     directives, but not yet documented in manpage. Warning mode enabled
     by default via ifdef, should be toggled by option flag. (need
     coordination with upstream maintainer.)
  * Applied patch from Brian Mays <bem5r@virginia.edu> to pic/tex.cc to
     cast a long double value to double (fixes #13788)
  * Changed name of manpages me and msafer to groff_me and groff_msafer.


stable/binary-i386/doc/dwww_1.4.2-1.deb
stable/source/doc/dwww_1.4.2-1.dsc
stable/source/doc/dwww_1.4.2-1.tar.gz
dwww (1.4.2-1) stable; urgency=high
  * Another CGI security bug that allowed execution of arbitrary
    commands.  I am now specifying a set of acceptable characters, rather
    than excluding certain ones and using perl -T.  Fixes bug #18107
    (Thanks to Martin Bialasinksi)
  * I know there are lots of other non-security bugs outstanding.  They will
    be fixed in an upcoming, more substantial release.
  * Compiled for libc5 for bo-updates.


stable/binary-i386/mail/deliver_2.1.13-0.deb
stable/source/mail/deliver_2.1.13-0.diff.gz
stable/source/mail/deliver_2.1.13-0.dsc
stable/source/mail/deliver_2.1.13.orig.tar.gz
deliver (2.1.13-0) stable; urgency=high
  * Libc5 upload for stable.
  * Updated to latest policy.
  * Converted to use debhelper.
  * Pristine source.
  * Updated version to fix security buffer overflow.


stable/binary-i386/games/cxhextris_1.0-3bo1.deb
stable/source/games/cxhextris_1.0-3bo1.diff.gz
stable/source/games/cxhextris_1.0-3bo1.dsc
cxhextris (1.0-3bo1) stable; urgency=HIGH
  * Fixes buffer overflows that could grant users access to the games
    group.


stable/binary-all/devel/cvs-pcl_1.9.10+openbsd-2bo1.1.deb
stable/binary-i386/devel/cvs_1.9.10+openbsd-2bo1.1.deb
stable/source/devel/cvs_1.9.10+openbsd-2bo1.1.diff.gz
stable/source/devel/cvs_1.9.10+openbsd-2bo1.1.dsc
stable/source/devel/cvs_1.9.10+openbsd.orig.tar.gz
cvs (1.9.10+openbsd-2bo1.1) stable; urgency=low
  * Re-compiled for bo-updates (closes: Bug#15484)
  * #ifndef'ed several functions that are present in libc
  * Fixes security hole


stable/binary-i386/net/bind_4.9.7-2.deb
stable/source/net/bind_4.9.7-2.diff.gz
stable/source/net/bind_4.9.7-2.dsc
stable/source/net/bind_4.9.7.orig.tar.gz
bind (4.9.7-2) stable; urgency=HIGH
  * Applied patch from Mark Andrews to fix problem where bind followed
    symlinks in /var/tmp. The patch makes bind use directories specified
    in named.{boot,conf} for temporaries and debug dumps.

Attachment: pgpGzv3QE3CO7.pgp
Description: PGP signature
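
The ircd entry above describes a postinst that wrote to /tmp/$$ and used '/' as the sed separator, and the debianutils entry ships mktemp for this purpose. The following is an added example, not code from the ircd package or from this announcement, of a maintainer-script helper that avoids both problems; the function names, the @ORG@ placeholder and the file arguments are hypothetical.

```shell
#!/bin/sh
# Added illustration; names and the @ORG@ placeholder are hypothetical.

# Weak pattern described in the changelog (shown as comments, not run):
#   sed "s/@ORG@/$org/" "$template" > /tmp/$$
# The name /tmp/$$ is predictable, so another local user can pre-create it
# as a symlink, and the s/// expression breaks when $org contains '/'.

# Escape the characters that are special on the replacement side of
# sed's s|||: backslash, '&' and the '|' delimiter itself.
escape_sed_replacement() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# render_config TEMPLATE ORGFILE OUTPUT
# Substitute the first line of ORGFILE for @ORG@ in TEMPLATE.
render_config() {
    template=$1
    orgfile=$2
    output=$3

    # The value is untrusted input for sed: it may contain '/', '&' or '|'.
    org=$(head -n 1 "$orgfile")
    esc=$(escape_sed_replacement "$org")

    # mktemp creates the file exclusively, with an unpredictable name and
    # mode 0600. Creating it next to OUTPUT makes the final mv a rename
    # within one filesystem, so readers never see a half-written file.
    tmp=$(mktemp "$(dirname "$output")/.render.XXXXXX") || return 1

    if sed -e "s|@ORG@|$esc|" "$template" > "$tmp"; then
        mv "$tmp" "$output"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

The rendered file keeps the 0600 mode that mktemp gave it; a script that needs other permissions has to set them explicitly after the rename.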

