Debian 1.3.1 r8 has been released. It contains important security fixes, including a new version of the bind DNS server which fixes several buffer overflows present in previous versions of bind. Since this vulnerability is being actively exploited by crackers to gain root access to machines on the Internet, we recommend that you upgrade all your Debian machines to Debian 1.3.1 r8 as soon as possible. (These fixes are also included in the latest snapshot of 'frozen' and 'unstable'.) Included is a list of changes since the last stable version.

Christian

---
Debian-1.3.1.r8 Sat May 16 14:24:51 CDT 1998

stable/binary-i386/base/debianutils_1.8.9.deb
stable/source/base/debianutils_1.8.9.dsc
stable/source/base/debianutils_1.8.9.tar.gz
debianutils (1.8.9) stable; urgency=HIGH
  * Recompiled for bo to get mktemp and tempfile. fixes #22385.

---
Debian-1.3.1.r7 Mon May 11 14:24:26 CDT 1998

stable/binary-i386/base/textutils_1.22-2.3.deb
stable/source/base/textutils_1.22-2.3.diff.gz
stable/source/base/textutils_1.22-2.3.dsc
textutils (1.22-2.3) stable; urgency=HIGH
  * Reverted previous /tmp patch and applied patch from Paul Eggert instead.
    (... whose patch also fixes a similar problem with tac.)
  * Fixed typo in short description
  * Bo release.

stable/binary-i386/admin/super_3.11.6-0bo1.1.deb
stable/source/admin/super_3.11.6-0bo1.1.diff.gz
stable/source/admin/super_3.11.6-0bo1.1.dsc
stable/source/admin/super_3.11.6.orig.tar.gz
super (3.11.6-0bo1.1) bo-updates; urgency=low
  * New upstream release
  * Includes a security fix
  * New Standards-Version
  * Upload for bo alias stable
  * This package is tested on Joey's machine

stable/binary-i386/admin/sudo_1.5.4-1.1.deb
stable/source/admin/sudo_1.5.4-1.1.diff.gz
stable/source/admin/sudo_1.5.4-1.1.dsc
stable/source/admin/sudo_1.5.4.orig.tar.gz
sudo (1.5.4-1.1) stable; urgency=high
  * libc5 compile
  * non-maintainer upload by joey@debian.org only for uploading the security fix to stable

stable/binary-i386/mail/smail_3.2.0.92-3.deb
stable/source/mail/smail_3.2.0.92-3.diff.gz
stable/source/mail/smail_3.2.0.92-3.dsc
stable/source/mail/smail_3.2.0.92.orig.tar.gz
smail (3.2.0.92-3) stable; urgency=medium
  * post/pre-inst/rm scripts changed
  * Security fix

stable/binary-i386/admin/secure-su_961025-2.1.deb
stable/binary-i386/base/login_961025-2.1.deb
stable/binary-i386/base/passwd_961025-2.1.deb
stable/source/base/shadow_961025-2.1.diff.gz
stable/source/base/shadow_961025-2.1.dsc
shadow (961025-2.1) stable; urgency=high
  * Non-maintainer upload by one security officer
  * Fixed security problem reported on bugtraq (Bug#20058)

stable/binary-i386/mail/poppassd_1.2-6.deb
stable/source/mail/poppassd_1.2-6.diff.gz
stable/source/mail/poppassd_1.2-6.dsc
poppassd (1.2-6) unstable stable; urgency=low
  * Removed -o option when invoking passwd. Bug #11219
    The new passwd suite does not support the -o option.

stable/binary-i386/interpreters/perl-debug_5.003.07-11.deb
stable/binary-i386/interpreters/perl-suid_5.003.07-11.deb
stable/binary-i386/interpreters/perl_5.003.07-11.deb
stable/source/interpreters/perl_5.003.07-11.diff.gz
stable/source/interpreters/perl_5.003.07-11.dsc
perl (5.003.07-11) stable; urgency=HIGH
  * Non-maintainer release.
  * Applied patch by Todd Miller to fix perl -e /tmp security hole.

stable/binary-i386/net/netstd_2.16-3.deb
stable/source/net/netstd_2.16-3.diff.gz
stable/source/net/netstd_2.16-3.dsc
netstd (2.16-3) stable; urgency=HIGH
  * Recompiled on a real bo machine to remove libc6 dependency.

stable/binary-i386/net/lpr_5.9-20.1.deb
stable/source/net/lpr_5.9-20.1.diff.gz
stable/source/net/lpr_5.9-20.1.dsc
lpr (5.9-20.1) stable; urgency=high
  * Fixed buffer overrun in lprm

stable/binary-i386/base/kernel-image-2.0.33_2.0.33-3.deb
stable/binary-i386/devel/kernel-headers-2.0.33_2.0.33-3.deb
stable/source/devel/kernel-source-2.0.33_2.0.33-3.diff.gz
stable/source/devel/kernel-source-2.0.33_2.0.33-3.dsc
stable/source/devel/kernel-source-2.0.33_2.0.33.orig.tar.gz
kernel-source-2.0.33 (2.0.33-3) stable unstable; urgency=low
  * Built with new kernel-package (3.61).
  * Added support for fat32 (fixes #14042).

stable/binary-i386/net/ircd_2.9.32-3.1.deb
stable/source/net/ircd_2.9.32-3.1.diff.gz
stable/source/net/ircd_2.9.32-3.1.dsc
ircd (2.9.32-3.1) stable unstable; urgency=low
  * Non-maintainer release.
  * Fixed postinst not to use /tmp/$$ which is a security hole [#11764]
  * Fixed permissions on /etc/ircd so that it isn't world readable [#11831, #11837 (1/2)].
  * Fixed inetd.conf so that ircd is run as irc and not as root [#11831, #11837 (2/2)].
  * Fixed postinst not to use '/' as a separator for sed since that character could well be in /etc/news/organization [#11822]
  * Adapted debian/rules to build with altgcc (libc5) so that package can go into stable.

stable/binary-i386/base/gzip_1.2.4-26.1.deb
stable/source/base/gzip_1.2.4-26.1.diff.gz
stable/source/base/gzip_1.2.4-26.1.dsc
gzip (1.2.4-26.1) stable; urgency=HIGH
  * Recompiled for bo to get buffer overflow fix.
  * Non-maintainer upload

stable/binary-i386/text/groff_1.10-3.5.deb
stable/source/text/groff_1.10-3.5.diff.gz
stable/source/text/groff_1.10-3.5.dsc
groff (1.10-3.5) stable; urgency=high
  * Compiled under debian-1.3.1 (libc5) as a security bugfix; used version number 3.5 (instead of 5) to avoid downgrading for hamm.
  * Avoided execution of arbitrary code embedded in documents; added warning WARN_SECURITY, enabled by default, to warn about .sy directives, but not yet documented in manpage. Warning mode enabled by default via ifdef, should be toggled by option flag. (need coordination with upstream maintainer.)
  * Applied patch from Brian Mays <bem5r@virginia.edu> to pic/tex.cc to cast a long double value to double (fixes #13788)
  * Changed name of manpages me and msafer to groff_me and groff_msafer.

stable/binary-i386/doc/dwww_1.4.2-1.deb
stable/source/doc/dwww_1.4.2-1.dsc
stable/source/doc/dwww_1.4.2-1.tar.gz
dwww (1.4.2-1) stable; urgency=high
  * Another CGI security bug that allowed execution of arbitrary commands. I am now specifying a set of acceptable characters, rather than excluding certain ones and using perl -T. Fixes bug #18107 (Thanks to Martin Bialasinski)
  * I know there are lots of other non-security bugs outstanding. They will be fixed in an upcoming, more substantial release.
  * Compiled for libc5 for bo-updates.

stable/binary-i386/mail/deliver_2.1.13-0.deb
stable/source/mail/deliver_2.1.13-0.diff.gz
stable/source/mail/deliver_2.1.13-0.dsc
stable/source/mail/deliver_2.1.13.orig.tar.gz
deliver (2.1.13-0) stable; urgency=high
  * Libc5 upload for stable.
  * Updated to latest policy.
  * Converted to use debhelper.
  * Pristine source.
  * Updated version to fix security buffer overflow.

stable/binary-i386/games/cxhextris_1.0-3bo1.deb
stable/source/games/cxhextris_1.0-3bo1.diff.gz
stable/source/games/cxhextris_1.0-3bo1.dsc
cxhextris (1.0-3bo1) stable; urgency=HIGH
  * Fixes buffer overflows that could grant users access to the games group.

stable/binary-all/devel/cvs-pcl_1.9.10+openbsd-2bo1.1.deb
stable/binary-i386/devel/cvs_1.9.10+openbsd-2bo1.1.deb
stable/source/devel/cvs_1.9.10+openbsd-2bo1.1.diff.gz
stable/source/devel/cvs_1.9.10+openbsd-2bo1.1.dsc
stable/source/devel/cvs_1.9.10+openbsd.orig.tar.gz
cvs (1.9.10+openbsd-2bo1.1) stable; urgency=low
  * Re-compiled for bo-updates (closes: Bug#15484)
  * #ifndef'ed several functions that are present in libc
  * Fixes security hole

stable/binary-i386/net/bind_4.9.7-2.deb
stable/source/net/bind_4.9.7-2.diff.gz
stable/source/net/bind_4.9.7-2.dsc
stable/source/net/bind_4.9.7.orig.tar.gz
bind (4.9.7-2) stable; urgency=HIGH
  * Applied patch from Mark Andrews to fix problem where bind followed symlinks in /var/tmp. The patch makes bind use directories specified in named.{boot,conf} for temporaries and debug dumps.
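The ircd and dwww entries above name three recurring maintainer-script mistakes: a predictable /tmp/$$ temporary file, a sed substitution whose replacement text can contain the '/' delimiter, and filtering CGI input by excluding bad characters instead of listing acceptable ones. The following is an added example, not code from the announcement or from the ircd, dwww or debianutils packages; it assumes a POSIX sh with mktemp(1) and sed(1), and the config line it fills in is a constructed sample.

```shell
#!/bin/sh
# Added example: the three postinst/CGI pitfalls from the changelog above,
# each shown with its fix. Assumes POSIX sh, mktemp(1) and sed(1).

# 1. "/tmp/$$" is predictable: another local user can pre-create that path
#    (or a symlink there) before the script runs. mktemp creates a fresh
#    file atomically, mode 0600, from a template ending in XXXXXX.
#    (Debian's tempfile(1) from debianutils serves the same purpose.)
make_tempfile() {
    mktemp "${TMPDIR:-/tmp}/postinst.XXXXXX"
}

# 2. A '/' in the replacement text (an organization such as "Acme/Widgets")
#    terminates a sed s/// expression early. Escape the characters sed
#    treats specially in a replacement (backslash, '&', and the delimiter)
#    and use '|' as the delimiter instead of '/'.
escape_for_sed() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Replace every @ORGANIZATION@ placeholder read from stdin with "$1".
fill_template() {
    org=$(escape_for_sed "$1")
    sed -e "s|@ORGANIZATION@|$org|g"
}

# Constructed sample line standing in for a server config template.
demo_fill() {
    printf 'M:irc.example.org:*:%s:6667\n' '@ORGANIZATION@' | fill_template "$1"
}

# 3. Allow-list the characters a CGI parameter may contain instead of
#    stripping the ones known to be dangerous. Returns 0 only if "$1" is
#    non-empty and consists solely of letters, digits, '.', '_' and '-'.
is_allowed_name() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}
```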