[secure-testing-announce] [DTSA-5-1] New gaim packages fix multiple remote vulnerabilities

Subject: [secure-testing-announce] [DTSA-5-1] New gaim packages fix multiple remote vulnerabilities
From: joey at kitenet.net (Joey Hess)
Date: Sun Aug 28 20:19:37 2005
Message-id: <[🔎] 20050828201256.B37C26E0C4@dragon.kitenet.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-5-1     http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org                          Joey Hess
August 28th, 2005
- -----------------------------------------------------------------------------

Package        : gaim
Vulnerability  : multiple remote vulnerabilities
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2102 CAN-2005-2370 CAN-2005-2103

Multiple security holes were found in gaim:

CAN-2005-2102

  The AIM/ICQ module in Gaim allows remote attackers to cause a denial of
  service (application crash) via a filename that contains invalid UTF-8
  characters.

CAN-2005-2370

  Multiple memory alignment errors in libgadu, as used in gaim and other
  packages, allow remote attackers to cause a denial of service (bus error)
  on certain architectures such as SPARC via an incoming message.

CAN-2005-2103

  Buffer overflow in the AIM and ICQ module in Gaim allows remote attackers
  to cause a denial of service (application crash) and possibly execute
  arbitrary code via an away message with a large number of AIM substitution
  strings, such as %t or %n.

For the testing distribution (etch) this is fixed in version
1:1.4.0-5etch2.

For the unstable distribution (sid) this is fixed in version
1:1.4.0-5.

This upgrade is strongly recommended if you use gaim.

The Debian testing security team does not track security issues for the
stable distribution (woody). If stable is vulnerable, the Debian security
team will make an announcement once a fix is ready.

Upgrade Instructions
- --------------------

To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:

  deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
  deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free

The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc

To install the update, run this command as root:

  apt-get update && apt-get install gaim

For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDEhrI2tp5zXiKP0wRAoAOAKCg7sN6lMnIisZ7YDduNwpjHof9+ACfWcRT
mIolWkSNlIHdwDwVKXYPh10=
=+HKc
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [secure-testing-announce] [DTSA-4-1] New ekg packages fix multiple vulnerabilities
Next by Date: [secure-testing-announce] [DTSA-7-1] New mozilla packages fix frame injection spoofing
Previous by thread: [secure-testing-announce] [DTSA-4-1] New ekg packages fix multiple vulnerabilities
Next by thread: [secure-testing-announce] [DTSA-7-1] New mozilla packages fix frame injection spoofing
Index(es):
- Date
- Thread