Executive summary: Packages that had DSAs in 2003 and are still not fixed yet in sarge include tomcat4 and gtksee. Grep for "!" for details. I was unable to reach a conclusion for three packages, ssh-krb5, gnotocan, and mysql. Grep for HELP. Packages that need to be updated in sarge, or removed, are indicated with "!". Packages that are already fixed in sarge are indicated with "-". CVS's related to the DSA are listed in brackets. [30 Dec 2003] DSA-405 xsok - missing privilege release {CAN-2003-0949} - xsok 1.02-11 [04 Dec 2003] DSA-404 rsync - heap overflow {CAN-2003-0962} - rsync 2.5.6-1.1 [01 Dec 2003] DSA-403 kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-source-2.4.18 - local root exploit {CAN-2003-0961} # NOTE: 2.4.18 not present in sarge, did not check newer kernels. [17 Nov 2003] DSA-402 minimalist - unsanitised input {CAN-2003-0902} - minimalist 2.4-1 [17 Nov 2003] DSA-401 hylafax - format strings {CAN-2003-0886} - hylafax 1:4.1.8-1 [11 Nov 2003] DSA-400 omega-rpg - buffer overflow {CAN-2003-0932} - omega-rpg 0.90-pa9-11 [10 Nov 2003] DSA-399 epic4 - buffer overflow {CAN-2003-0328} - epic4 1:1.1.11.20030409-2 [10 Nov 2003] DSA-398 conquest - buffer overflow {CAN-2003-0933} - conquest 7.2-5 [07 Nov 2003] DSA-397 postgresql - buffer overflow {CAN-2003-0901} - postgresql 7.3.4 [29 Oct 2003] DSA-396 thttpd - missing input sanitizing, wrong calculation {CAN-2002-1562 CAN-2003-0899} - thttpd 2.23beta1-2.3 [15 Oct 2003] DSA-395 tomcat4 - incorrect input handling {CAN-2003-0866} ! tomcat4 4.1.24-2 # NOTE another RC (unreproducible?) bug and missing deps (#263201) # NOTE are keeping the fix out of testing [11 Oct 2003] DSA-394 openssl095 - ASN.1 parsing vulnerability {CAN-2003-0543 CAN-2003-0544 CAN-2003-0545} - openssl 0.9.7c - openssl096 0.9.6k [01 Oct 2003] DSA-393 openssl - denial of service {CAN-2003-0543 CAN-2003-0544 CAN-2003-0545} - openssl 0.9.7c - openssl096 0.9.6k [29 Sep 2003] DSA-392 webfs - buffer overflows, file and directory exposure {CAN-2003-0832 CAN-2003-0833} - webfs 1.20 [28 Sep 2003] DSA-391 freesweep - buffer overflow {CAN-2003-0828} - freesweep 0.88-4.1 [26 Sep 2003] DSA-390 marbles - buffer overflow {CAN-2003-0830} # NOTE not present in sid, sarge [20 Sep 2003] DSA-389 ipmasq - insecure packet filtering rules {CAN-2003-0785} - ipmasq 3.5.12 [19 Sep 2003] DSA-388 kdebase - several vulnerabilities {CAN-2003-0690 CAN-2003-0692} - kdebase 4:3.2 [18 Sep 2003] DSA-387 gopher - buffer overflows {CAN-2003-0805} - gopher 3.0.6 [18 Sep 2003] DSA-386 libmailtools-perl - input validation bug {CAN-2002-1271} - libmailtools-perl 1.51 [18 Sep 2003] DSA-385 hztty - buffer overflows {CAN-2003-0783} - hztty 2.0-6 [17 Sep 2003] DSA-384 sendmail - buffer overflows {CAN-2003-0681 CAN-2003-0694} - sendmail 8.12.10-1 [17 Sep 2003] DSA-383 ssh-krb5 - possible remote vulnerability {CAN-2003-0693} {CAN-2003-0695} {CAN-2003-0682} # HELP: Screwy changelog does not make sense. Filed bug. [16 Sep 2003] DSA-382 ssh - possible remote vulnerability {CAN-2003-0693} - openssh 1:3.6.1p2-6.0 {CAN-2003-0695} - openssh 1:3.7.1 {CAN-2003-0682} - openssh 1:3.6.1p2-9 [13 Sep 2003] DSA-381 mysql - buffer overflow {CAN-2003-0780} - mysql-dfsg 4.0.15-1 [12 Sep 2003] DSA-380 xfree86 - buffer overflows, denial of service {CAN-2003-0063} - xfree86 4.2.1-11 {CAN-2003-0071} - xfree86 4.2.1-11 {CAN-2002-0164} - xfree86 4.2.1-11 {CAN-2003-0730} - xfree86 4.2.1-12 [11 Sep 2003] DSA-379 sane-backends - several vulnerabilities {CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778} - sane-backends 1.0.11-1 [07 Sep 2003] DSA-378 mah-jong - buffer overflows, denial of service {CAN-2003-0705 CAN-2003-0706} - mah-jong 1.5.6-2 [04 Sep 2003] DSA-377 wu-ftpd - insecure program execution {CVE-1999-0997} - wu-ftpd 2.6.2-15 [04 Sep 2003] DSA-376 exim - buffer overflow {CAN-2003-0743} - exim 3.36-8 [29 Aug 2003] DSA-375 node - buffer overflow, format string {CAN-2003-0707 CAN-2003-0708} - node 0.3.2-1 [26 Aug 2003] DSA-374 libpam-smb - buffer overflow {CAN-2003-0686} # NOTE: not in sid/sarge [16 Aug 2003] DSA-373 autorespond - buffer overflow {CAN-2003-0654} - autorespond 2.0.4-1 [16 Aug 2003] DSA-372 netris - buffer overflow {CAN-2003-0685} - netris 0.52-1 [11 Aug 2003] DSA-371 perl - cross-site scripting {CAN-2003-0615} - perl 5.8.0-19 [08 Aug 2003] DSA-370 pam-pgsql - format string {CAN-2003-0672} - pam-pgsql 0.5.2-7 [08 Aug 2003] DSA-369 zblast - buffer overflow {CAN-2003-0613} - zblast 1.2.1-7 [08 Aug 2003] DSA-368 xpcd - buffer overflow {CAN-2003-0649} - xpcd 2.08-9 [08 Aug 2003] DSA-367 xtokkaetama - buffer overflow {CAN-2003-0652} - xtokkaetama 1.0b-9 [05 Aug 2003] DSA-366 eroaster - insecure temporary file {CAN-2003-0656} - eroaster 2.2.0-0.5-1 [05 Aug 2003] DSA-365 phpgroupware - several vulnerabilities {CAN-2003-0504 CAN-2003-0599 CAN-2003-0657} - phpgroupware 0.9.14.007-1) [04 Aug 2003] DSA-364 man-db - buffer overflows, arbitrary command execution {CAN-2003-0620 CAN-2003-0645} - man-db 2.4.1-13 [03 Aug 2003] DSA-363 postfix - denial of service, bounce-scanning {CAN-2003-0468 CAN-2003-0540} - postfix 1.1.12 [02 Aug 2003] DSA-362 mindi - insecure temporary file {CAN-2003-0617} - mindi 0.86-1 [01 Aug 2003] DSA-361 kdelibs, kdelibs-crypto - several vulnerabilities {CAN-2003-0459 CAN-2003-0370} - kdelibs 4:3.1.3-1 [01 Aug 2003] DSA-360 xfstt - several vulnerabilities {CAN-2003-0581} - xfstt 1.5-1 {CAN-2003-0625} - xfstt 1.5.1-1 [31 Jul 2003] DSA-359 atari800 - buffer overflows {CAN-2003-0630} - atari800 1.3.1-2 [31 Jul 2003] DSA-358 linux-kernel-2.4.18 - several vulnerabilities {CAN-2003-0461 CAN-2003-0462 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552 CAN-2003-0018 CAN-2003-0619 CAN-2003-0643} # NOTE: 2.4.18/2.4.20 not in unstable/testing. Did not check newer ones. [31 Jul 2003] DSA-357 wu-ftpd - remote root exploit - wu-ftpd 2.6.2-12 [30 Jul 2003] DSA-356 xtokkaetama - buffer overflows {CAN-2003-0611} - xtokkaetama 1.0b-8 [30 Jul 2003] DSA-355 gallery - cross-site scripting {CAN-2003-0614} - gallery 1.3.4-3 [29 Jul 2003] DSA-354 xconq - buffer overflows {CAN-2003-0607} - xconq 7.4.1-2.1 [29 Jul 2003] DSA-353 sup - insecure temporary file {CAN-2003-0606} - sup 1.8-9 [22 Jul 2003] DSA-352 fdclone - insecure temporary directory {CAN-2003-0596} - fdclone 2.04-1 [16 Jul 2003] DSA-351 php4 - cross-site scripting {CAN-2003-0442} - php4 4:4.3.2+rc3-1 [15 Jul 2003] DSA-350 falconseye - buffer overflow {CAN-2003-0358} # NOTE: note in testing, fixed in unstable - falconseye 1.9.3-9 [14 Jul 2003] DSA-349 nfs-utils - buffer overflow {CAN-2003-0252} - nfs-utils 1:1.0.3-2 [11 Jul 2003] DSA-348 traceroute-nanog - integer overflow, buffer overflow {CAN-2003-0453} - traceroute-nanog 6.1.1-1.3 [08 Jul 2003] DSA-347 teapop - SQL injection {CAN-2003-0515} - teapop 0.3.5-2 [08 Jul 2003] DSA-346 phpsysinfo - directory traversal {CAN-2003-0536} - phpsysinfo 2.1-1 [08 Jul 2003] DSA-345 xbl - buffer overflow {CAN-2003-0535} - xbl 1.0k-6 [08 Jul 2003] DSA-344 unzip - directory traversal {CAN-2003-0282 - unzip 5.50-3 [08 Jul 2003] DSA-343 skk, ddskk - insecure temporary file {CAN-2003-0539} - skk 10.62a-6 - ddskk 12.1.cvs.20030622-1 [07 Jul 2003] DSA-342 mozart - unsafe mailcap configuration {CAN-2003-0538} # NOTE: mozart is not in sarge - mozart 1.2.5.20030212-2 [07 Jul 2003] DSA-341 liece - insecure temporary file {CAN-2003-0537} - liece 2.0+0.20030527cvs-1 [06 Jul 2003] DSA-340 x-face-el - insecure temporary file - x-face-el 1.3.6.23-1 [06 Jul 2003] DSA-339 semi - insecure temporary file {CAN-2003-0440} - semi 1.14.5+20030609-1 [29 Jun 2003] DSA-338 proftpd - SQL injection {CAN-2003-0500} - proftpd 1.2.8-8 [29 Jun 2003] DSA-337 gtksee - buffer overflow {CAN-2003-0444} ! gtksee 0.5.6-1 NOTE: security hole was unfixed for 1 year in unstable until NMU NOTE: effectively unmaintained [29 Jun 2003] DSA-336 linux-kernel-2.2.20 - several vulnerabilities {CAN-2002-1380 CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0364 CAN-2003-0246 CAN-2003-0244 CAN-2003-0247 CAN-2003-0248} - kernel-source-2.2.25 2.2.25-3 NOTE: did not check newer kernels [28 Jun 2003] DSA-335 mantis - incorrect permissions {CAN-2003-0499} - mantis 0.17.5-6 [28 Jun 2003] DSA-334 xgalaga - buffer overflows {CAN-2003-0454} - xgalaga 2.0.34-22 [27 Jun 2003] DSA-333 acm - integer overflow {CVE-2002-0391} - acm 5.0-10 [27 Jun 2003] DSA-332 linux-kernel-2.4.17 - several vulnerabilities {CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248 CAN-2003-0364} # NOTE: not in the archive, and did not check newer kernels [27 Jun 2003] DSA-331 imagemagick - insecure temporary file {CAN-2003-0455} - imagemagick 4:5.5.7-1 [23 Jun 2003] DSA-330 tcptraceroute - failure to drop root privileges {CAN-2003-0489} - tcptraceroute 1.4-4 [20 Jun 2003] DSA-329 osh - buffer overflows {CAN-2003-0452} - osh 1.7-12 [19 Jun 2003] DSA-328 webfs - buffer overflow {CAN-2003-0445} - webfs 1.20 [19 Jun 2003] DSA-327 xbl - buffer overflows {CAN-2003-0451} - xbl 1.0k-5 [19 Jun 2003] DSA-326 orville-write - buffer overflows {CAN-2003-0441} - orville-write 2.54-1 [19 Jun 2003] DSA-325 eldav - insecure temporary file {CAN-2003-0438} - eldav 0.7.2-1 [18 Jun 2003] DSA-324 ethereal - several vulnerabilities {CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432} - ethereal 0.9.13-1. [16 Jun 2003] DSA-323 noweb - insecure temporary files {CAN-2003-0381} - noweb 2.10c-2 [16 Jun 2003] DSA-322 typespeed - buffer overflow {CAN-2003-0435} - typespeed 0.4.4 [13 Jun 2003] DSA-321 radiusd-cistron - buffer overflow {CAN-2003-0450} - radiusd-cistron 1.6.6-2 [13 Jun 2003] DSA-320 mikmod - buffer overflow {CAN-2003-0427} - mikmod 3.1.6-6 [12 Jun 2003] DSA-319 webmin - session ID spoofing {CAN-2003-0101} - webmin 1.070-1 [12 Jun 2003] DSA-318 lyskom-server - denial of service {CAN-2003-0366} - lyskom-server 2.0.7-2 [11 Jun 2003] DSA-317 cupsys - denial of service {CAN-2003-0195} - cupsys 1.1.19final-1 [11 Jun 2003] DSA-316 nethack - buffer overflow, incorrect permissions {CAN-2003-0358 CAN-2003-0359} - nethack 3.4.1-1 NOTE: DSA contains some strange non-nethack version numbers [11 Jun 2003] DSA-315 gnocatan - buffer overflows, denial of service {CAN-2003-0433} HELP: no mention of any security fixes in debian changelog, HELP: upstream changelog. Mailed maintainer. [11 Jun 2003] DSA-314 atftp - buffer overflow {CAN-2003-0380} - atftp 0.6.2 [11 Jun 2003] DSA-313 ethereal - buffer overflows, integer overflows {CAN-2003-0356 CAN-2003-0357} - ethereal 0.9.12-1 [09 Jun 2003] DSA-312 kernel-patch-2.4.18-powerpc - several vulnerabilities {CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248} NOTE: not in unstable/testing. Did not check other versions. [08 Jun 2003] DSA-311 linux-kernel-2.4.18 - several vulnerabilities {CVE-2002-0429 CAN-2003-0001 CAN-2003-0127 CAN-2003-0244 CAN-2003-0246 CAN-2003-0247 CAN-2003-0248 CAN-2003-0364} NOTE: not in unstable/testing. Did not check other versions. [08 Jun 2003] DSA-310 xaos - improper setuid-root execution {CAN-2003-0385} - xaos 3.1r-4 [06 Jun 2003] DSA-309 eterm - buffer overflow {CAN-2003-0382} - eterm 0.9.2-1 [06 Jun 2003] DSA-308 gzip - insecure temporary files {CVE-1999-1332 CAN-2003-0367} - gzip 1.3.5-6 [27 May 2003] DSA-307 gps - multiple vulnerabilities {CAN-2003-0361 CAN-2003-0360 CAN-2003-0362} - gps 1.1.0-1 [19 May 2003] DSA-306 ircii-pana - buffer overflows, integer overflow {CAN-2003-0321 CAN-2003-0322 CAN-2003-0328} - ircii-pana 1:1.0-0c19-8 [15 May 2003] DSA-305 sendmail - insecure temporary files {CAN-2003-0308} - sendmail 8.12.9-2 [15 May 2003] DSA-304 lv - privilege escalation {CAN-2003-0188} - lv 4.49.5-2 [15 May 2003] DSA-303 mysql - privilege escalation {CAN-2003-0073} - mysql-dfsg 4.0.12-2 {CAN-2003-0150} HELP: not sure if this is fixed [07 May 2003] DSA-302 fuzz - privilege escalation {CAN-2003-0261} - fuzz 0.6-7.1 [07 May 2003] DSA-301 libgtop - buffer overflow {CAN-2001-0928} - libgtop 1.0.13-4 [06 May 2003] DSA-300 balsa - buffer overflow {CAN-2003-0167} - balse 2.0.10 [06 May 2003] DSA-299 leksbot - improper setuid-root execution {CAN-2003-0262} - lexbot 1.2-5 [02 May 2003] DSA-298 epic4 - buffer overflows {CAN-2003-0323} - epic4 1:1.1.11.20030409-1 [01 May 2003] DSA-297 snort - integer overflow, buffer overflow {CAN-2003-0033 CAN-2003-0209} - snort 2.0.0-1 [30 Apr 2003] DSA-296 kdebase - insecure execution {CAN-2003-0204} - kdebase 4:3.1.0-1 [30 Apr 2003] DSA-295 pptpd - buffer overflow {CAN-2003-0213} - pptpd 1.1.4-0.b3.2 [23 Apr 2003] DSA-294 gkrellm-newsticker - missing quoting, incomplete parser {CAN-2003-0205 CAN-2003-0206} # NOTE: not in unstable/testing [23 Apr 2003] DSA-293 kdelibs - insecure execution {CAN-2003-0204} - kdebase 4:3.1.0-1 [22 Apr 2003] DSA-292 mime-support - insecure temporary file creation {CAN-2003-0214} - mime-support 3.23-1 [22 Apr 2003] DSA-291 ircii - buffer overflows {CAN-2003-0323} - ircii 20030315-1 [17 Apr 2003] DSA-290 sendmail-wide - char-to-int conversion {CAN-2003-0161} - sendmail-wide 8.12.9+3.5Wbeta-1 [17 Apr 2003] DSA-289 rinetd - incorrect memory resizing {CAN-2003-0212} - rinetd 0.61-2 [17 Apr 2003] DSA-288 openssl - several vulnerabilities {CAN-2003-0147 CAN-2003-0131} - openssl 0.9.7b-1 - openssl096 0.9.6j-1 [15 Apr 2003] DSA-287 epic - buffer overflows {CAN-2003-0324} - epic4 1:1.1.11.20030409-1 [14 Apr 2003] DSA-286 gs-common - insecure temporary file {CAN-2003-0207} - gs-common 0.3.3.1 [14 Apr 2003] DSA-285 lprng - insecure temporary file {CAN-2003-0136} - lprng 3.8.20-4. [12 Apr 2003] DSA-284 kdegraphics - insecure execution {CAN-2003-0204} - kdegraphics 4:3.1.0-1 [11 Apr 2003] DSA-283 xfsdump - insecure file creation {CAN-2003-0173} - xfsdump 2.2.8-1 [09 Apr 2003] DSA-282 glibc - integer overflow {CAN-2003-0028} - glibc 2.3.1-16 [08 Apr 2003] DSA-281 moxftp - buffer overflow {CAN-2003-0203} - moxftp 2.2-18.20 [07 Apr 2003] DSA-280 samba - buffer overflow {CAN-2003-0201 CAN-2003-0196} - samba 3.0 [07 Apr 2003] DSA-279 metrics - insecure temporary file creation {CAN-2003-0202} # NOTE: note in unstable/testing [04 Apr 2003] DSA-278 sendmail - char-to-int conversion {CAN-2003-0161} - sendmail 8.12.9-1 [03 Apr 2003] DSA-277 apcupsd - buffer overflows, format string {CAN-2003-0098 CAN-2003-0099} - apcupsd 3.8.5-1.2 [03 Apr 2003] DSA-276 linux-kernel-s390 - local privilege escalation {CAN-2003-0127} # NOTE: this version is not in sarge, did not check others [02 Apr 2003] DSA-275 lpr-ppd - buffer overflow {CAN-2003-0144} - lpr-ppd 1:0.72-3 [28 Mar 2003] DSA-274 mutt - buffer overflow {CAN-2003-0167} - mutt 1.4.0 [28 Mar 2003] DSA-273 krb4 - Cryptographic weakness {CAN-2003-0138 CAN-2003-0139} - krb4 1.2.2-1 [28 Mar 2003] DSA-272 dietlibc - integer overflow {CAN-2003-0028} - dietlibc 0.22-2 [27 Mar 2003] DSA-271 ecartis - unauthorized password change {CAN-2003-0162} - ecartis 1.0.0+cvs.20030321-1 [27 Mar 2003] DSA-270 linux-kernel-mips - local privilege escalation {CAN-2003-0127} # NOTE: not in unstable/testing, did not check other versions [26 Mar 2003] DSA-269 heimdal - Cryptographic weakness {CAN-2003-0138} - heimdal 0.5.2-1 [25 Mar 2003] DSA-268 mutt - buffer overflow {CAN-2003-0140} - mutt 1.5.4-1 [24 Mar 2003] DSA-267 lpr - buffer overflow {CAN-2003-0144} - lpr 1:2000.05.07-4.20 [24 Mar 2003] DSA-266 krb5 - several vulnerabilities {CAN-2003-0028} - krb5 1.3.3-2 NOTE: changelog does not mention this one, verified patch from NOTE: Tom Yu was applied to this version. {CAN-2003-0072} - krb5 1.2.7-3 NOTE: changelog does not mention this one, verified patch from NOTE: upstream was applied to this version. {CAN-2003-0082} - krb5 1.3.3-2 {CAN-2003-0138 VU#623217} - krb5 1.2.7-3 {CAN-2003-0139 VU#442569} - krb5 1.2.7-3 [21 Mar 2003] DSA-265 bonsai - several vulnerabilities {CAN-2003-0152 CAN-2003-0153 CAN-2003-0154 CAN-2003-0155} - bonsai 1.3+cvs20030317-1 [19 Mar 2003] DSA-264 lxr - missing filename sanitizing {CAN-2003-0156} - lxr 0.3-4 [17 Mar 2003] DSA-263 netpbm-free - math overflow errors {CAN-2003-0146} - netpbm-free 2:9.20-9 [15 Mar 2003] DSA-262 samba - remote exploit {CAN-2003-0085 CAN-2003-0086} - samba 2.2.8 [14 Mar 2003] DSA-261 tcpdump - infinite loop {CAN-2003-0093 CAN-2003-0145} # NOTE: DSA reports sid was not affected, sarge has sid version [13 Mar 2003] DSA-260 file - buffer overflow {CAN-2003-0102} - file 3.40-1.1 [12 Mar 2003] DSA-259 qpopper - mail user privilege escalation {CAN-2003-0143} - qpopper 4.0.4-9 [10 Mar 2003] DSA-258 ethereal - format string vulnerability {CAN-2003-0081} - ethereal 0.9.9-2 [04 Mar 2003] DSA-257 sendmail - remote exploit {CAN-2002-1337} - sendmail 8.12.8 [28 Feb 2003] DSA-256 mhc - insecure temporary file {CAN-2003-0120} - mhc 0.25+20030224-1 [27 Feb 2003] DSA-255 tcpdump - infinite loop {CAN-2003-0108 CAN-2002-0380} - tcpdump 3.7.1-1.2 [27 Feb 2003] DSA-254 traceroute-nanog - buffer overflow {CAN-2002-1051 CAN-2002-1364 CAN-2002-1386 CAN-2002-1387} - traceroute-nanog 6.3.0-1 [24 Feb 2003] DSA-253 openssl - information leak {CAN-2003-0078} - openssl 0.9.7a-1 [21 Feb 2003] DSA-252 slocate - buffer overflow {CAN-2003-0056} - slocate 2.7-1 [14 Feb 2003] DSA-251 w3m - missing HTML quoting {CAN-2002-1335 CAN-2002-1348} - w3m 0.3.2.2-1 [12 Feb 2003] DSA-250 w3mmee-ssl - missing HTML quoting {CAN-2002-1335 CAN-2002-1348} NOTE: not in sid/sarge [11 Feb 2003] DSA-249 w3mmee - missing HTML quoting {CAN-2002-1335 CAN-2002-1348} - w3mmee 0.3.p24.17-3 [31 Jan 2003] DSA-248 hypermail - buffer overflows {CAN-2003-0057} - hypermail 2.1.6-1 [30 Jan 2003] DSA-247 courier-ssl - missing input sanitizing {CAN-2003-0040} - courier 0.40.2-3 [29 Jan 2003] DSA-246 tomcat - information exposure, cross site scripting {CAN-2003-0042 CAN-2003-0043 CAN-2003-0044} NOTE: tomcat not in sid/sarge NOTE: tomcat4 not affected [28 Jan 2003] DSA-245 dhcp3 - ignored counter boundary {CAN-2003-0039} - dhcp3 1.1.2-1 [27 Jan 2003] DSA-244 noffle - buffer overflows {CAN-2003-0037} - noffle 1.1.2-1 [24 Jan 2003] DSA-243 kdemultimedia - several vulnerabilities {CAN-2002-1393} - kdemultimedia 4:3.1 [24 Jan 2003] DSA-242 kdebase - several vulnerabilities {CAN-2002-1393} - kdebase 4:3.1 [24 Jan 2003] DSA-241 kdeutils - several vulnerabilities {CAN-2002-1393} - kdeutils 4:3.1 [23 Jan 2003] DSA-240 kdegames - several vulnerabilities {CAN-2002-1393} - kdegames 4:3.1 [23 Jan 2003] DSA-239 kdesdk - several vulnerabilities {CAN-2002-1393} - kdesdk 4:3.1 [23 Jan 2003] DSA-238 kdepim - several vulnerabilities {CAN-2002-1393} - kdepim 4:3.1 [22 Jan 2003] DSA-237 kdenetwork - several vulnerabilities {CAN-2002-1393} - kdenetwork 4:3.1 [22 Jan 2003] DSA-236 kdelibs - several vulnerabilities {CAN-2002-1393} - kdelibs 4:3.1 [22 Jan 2003] DSA-235 kdegraphics - several vulnerabilities {CAN-2002-1393} - kdegraphics 4:3.1 [22 Jan 2003] DSA-234 kdeadmin - several vulnerabilities {CAN-2002-1393} - kdeadmin 4:3.1 [21 Jan 2003] DSA-233 cvs - doubly freed memory {CAN-2003-0015} - cvs 1.11.2-5.1 [20 Jan 2003] DSA-232 cupsys - several vulnerabilities {CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369 CAN-2002-1371 CAN-2002-1372 CAN-2002-1383 CAN-2002-1384} - cupsys 1.1.18-1 [17 Jan 2003] DSA-231 dhcp3 - stack overflows {CAN-2003-0026} - dhcp3 3.0+3.0.1rc11-1 [16 Jan 2003] DSA-230 bugzilla - insecure permissions, spurious backup files NOTE: not in testing due to 3 newer security holes {CAN-2003-0012} - bugzilla 2.16.2 {CAN-2003-0013} - bugzilla 2.16.2 [15 Jan 2003] DSA-229 imp - SQL injection {CAN-2003-0025} NOTE: I think imp3 is ok. [14 Jan 2003] DSA-228 libmcrypt - buffer overflows and memory leak {CAN-2003-0031 CAN-2003-0032} - libmcrypt 2.5.5-1 [13 Jan 2003] DSA-227 openldap2 - buffer overflows and other bugs {CAN-2002-1378 CAN-2002-1379 CAN-2002-1508} - openldap2 2.0.27-3 [10 Jan 2003] DSA-226 xpdf-i - integer overflow {CAN-2002-1384} - xpdf 2.01-2 [09 Jan 2003] DSA-225 tomcat4 - source disclosure {CAN-2002-1394} ! tomcat4 4.1.16-1 # NOTE another RC (unreproducible?) bug and missing deps (#263201) # NOTE are keeping the fix out of testing # NOTE this is the second unfixed security hole in tomcat4 in testing.. [08 Jan 2003] DSA-224 canna - buffer overflow and more {CAN-2002-1158 CAN-2002-1159} - canna 3.6p1-1 [07 Jan 2003] DSA-223 geneweb - information exposure {CAN-2002-1390} - geneweb 4.09-1 [06 Jan 2003] DSA-222 xpdf - integer overflow {CAN-2002-1384} - xpdf 2.01-2 [03 Jan 2003] DSA-221 mhonarc - cross site scripting {CAN-2002-1388} - mhonarc 2.5.14-1 [02 Jan 2003] DSA-220 squirrelmail - cross site scripting {CAN-2002-1341} - squirrelmail 1:1.3.2-2 ------- These processed by Djoumé SALVETTI <salvetti@crans.org> ----- [31 Dec 2002] DSA-219 dhcpcd - remote command execution {CAN-2002-1403} - dhcpcd 1.3.22pl2-2 [30 Dec 2002] DSA-218 bugzilla - cross site scripting NOTE: not in testing, fixed in unstable (bugzilla 2.16.2-1). [27 Dec 2002] DSA-217 typespeed - buffer overflow {CAN-2002-1389} - typespeed 0.4.2-2 [24 Dec 2002] DSA-216 fetchmail - buffer overflow {CAN-2002-1365} - fetchmail 6.2.0-1 [23 Dec 2002] DSA-215 cyrus-imapd - buffer overflow {CAN-2002-1580} - cyrus-imapd 1.5.19-9.10 [20 Dec 2002] DSA-214 kdnetwork - buffer overflows {CAN-2002-1306} - kdenetwork 2.2.2-14.20 NOTE: there is a typo in the DSA, the name of the package is kdenetwork. [19 Dec 2002] DSA-213 libpng - buffer overflow {CAN-2002-1363} - libpng 1.0.12-7 - libpng3 1.2.5-8 [17 Dec 2002] DSA-212 mysql - multiple problems {CAN-2002-1373 CAN-2002-1374 CAN-2002-1375 CAN-2002-1376} - mysql-dfsg 4.0.7.gamma-1 [13 Dec 2002] DSA-211 micq - denial of service {CAN-2002-1362} NOTE: not in testing nor unstable (was fixed in 0.4.9.4-1) [13 Dec 2002] DSA-210 lynx - CRLF injection {CAN-2002-1405} - lynx 2.8.4.1b-4 NOTE: lynx-ssl not in testing nor unstable. ------- End processed by Djoumé SALVETTI <salvetti@crans.org> ----- Claimed by Djoumé SALVETTI <salvetti@crans.org>, due Thursday: [12 Dec 2002] DSA-209 wget - directory traversal [12 Dec 2002] DSA-208 perl - broken safe compartment [11 Dec 2002] DSA-207 tetex-bin - arbitrary command execution [10 Dec 2002] DSA-206 tcpdump - denial of service [10 Dec 2002] DSA-205 gtetrinet - buffer overflow [05 Dec 2002] DSA-204 kdelibs - arbitrary program execution [04 Dec 2002] DSA-203 smb2www - arbitrary command execution [03 Dec 2002] DSA-202 im - insecure temporary files [02 Dec 2002] DSA-201 freeswan - denial of service [22 Nov 2002] DSA-200 samba - remote exploit [19 Nov 2002] DSA-199 mhonarc - cross site scripting [18 Nov 2002] DSA-198 nullmailer - denial of service [15 Nov 2002] DSA-197 courier - buffer overflow [14 Nov 2002] DSA-196 bind - several vulnerabilities [13 Nov 2002] DSA-195 apache-perl - several vulnerabilities [12 Nov 2002] DSA-194 masqmail - buffer overflows [11 Nov 2002] DSA-193 kdenetwork - buffer overflow [08 Nov 2002] DSA-192 html2ps - arbitrary code execution [07 Nov 2002] DSA-191 squirrelmail - cross site scripting [07 Nov 2002] DSA-190 wmaker - buffer overflow [06 Nov 2002] DSA-189 luxman - local root exploit [05 Nov 2002] DSA-188 apache-ssl - several vulnerabilities [04 Nov 2002] DSA-187 apache - several vulnerabilities [01 Nov 2002] DSA-186 log2mail - buffer overflow [31 Oct 2002] DSA-185 heimdal - buffer overflow [30 Oct 2002] DSA-184 krb4 - buffer overflow [29 Oct 2002] DSA-183 krb5 - buffer overflow [28 Oct 2002] DSA-182 kdegraphics - buffer overflow [22 Oct 2002] DSA-181 libapache-mod-ssl - cross site scripting [21 Oct 2002] DSA-180 nis - information leak Unclaimed: [18 Oct 2002] DSA-179 gnome-gv - buffer overflow [17 Oct 2002] DSA-178 heimdal - remote command execution [17 Oct 2002] DSA-177 pam - serious security violation [16 Oct 2002] DSA-176 gv - buffer overflow [15 Oct 2002] DSA-175 syslog-ng - buffer overflow [14 Oct 2002] DSA-174 heartbeat - buffer overflow [09 Oct 2002] DSA-173 bugzilla - privilege escalation [08 Oct 2002] DSA-172 tkmail - insecure temporary files [07 Oct 2002] DSA-171 fetchmail - buffer overflows [04 Oct 2002] DSA-170 tomcat4 - source code disclosure [25 Sep 2002] DSA-169 htcheck - cross site scripting [18 Sep 2002] DSA-168 php - bypassing safe_mode, CRLF injection [16 Sep 2002] DSA-167 kdelibs - cross site scripting [13 Sep 2002] DSA-166 purity - buffer overflows [12 Sep 2002] DSA-165 postgresql - buffer overflows [10 Sep 2002] DSA-164 cacti - arbitrary code execution [09 Sep 2002] DSA-163 mhonarc - cross site scripting [06 Sep 2002] DSA-162 ethereal - buffer overflow [04 Sep 2002] DSA-161 mantis - privilege escalation [03 Sep 2002] DSA-160 scrollkeeper - insecure temporary file creation [28 Aug 2002] DSA-159 python - insecure temporary files [27 Aug 2002] DSA-158 gaim - arbitrary program execution [23 Aug 2002] DSA-157 irssi-text - denial of service [22 Aug 2002] DSA-156 epic4-script-light - arbitrary script execution [17 Aug 2002] DSA-155 kdelibs - privacy escalation with Konqueror [15 Aug 2002] DSA-154 fam - privilege escalation [14 Aug 2002] DSA-153 mantis - cross site code execution and privilege escalation [13 Aug 2002] DSA-152 l2tpd - missing random seed [13 Aug 2002] DSA-151 xinetd - pipe exposure [13 Aug 2002] DSA-150 interchange - illegal file exposition [13 Aug 2002] DSA-149 glibc - integer overflow [12 Aug 2002] DSA-148 hylafax - buffer overflows and format string vulnerabilities [08 Aug 2002] DSA-147 mailman - cross-site scripting [08 Aug 2002] DSA-146 dietlibc - integer overflow [07 Aug 2002] DSA-145 tinyproxy - doubly freed memory [06 Aug 2002] DSA-144 wwwoffle - improper input handling [05 Aug 2002] DSA-143 krb5 - integer overflow [05 Aug 2002] DSA-142 openafs - integer overflow [01 Aug 2002] DSA-141 mpack - buffer overflow [05 Aug 2002] DSA-140 libpng - buffer overflow [01 Aug 2002] DSA-139 super - format string vulnerability [01 Aug 2002] DSA-138 gallery - remote exploit [30 Jul 2002] DSA-137 mm - insecure temporary files [30 Jul 2002] DSA-136 openssl - multiple remote exploits [02 Jul 2002] DSA-135 libapache-mod-ssl - buffer overflow / DoS [24 Jun 2002] DSA-134 ssh - remote exploit -- see shy jo
Attachment:
signature.asc
Description: Digital signature