
Bug#824239: [DLA] fixes for dla-20,38,53,54



Control: retitle -1 [DLA] fixes for 2014/dla-*
--

more fixes:
* mention -2 for 25,58,72
* add reference to -2 for 91,120
* 59 and 115 created from upload log
* mention 59-1 instead of dsa in 63
* fix typo on 72,75

-- 
victory
no need to CC me :-)
Index: english/security/2014/dla-25.data
===================================================================
--- english/security/2014/dla-25.data	(revision 204)
+++ english/security/2014/dla-25.data	(working copy)
@@ -1,5 +1,5 @@
-<define-tag pagetitle>DLA-25-1 python2.6</define-tag>
-<define-tag report_date>2014-7-31</define-tag>
+<define-tag pagetitle>DLA-25-2 python2.6</define-tag>
+<define-tag report_date>2014-8-5</define-tag>
 <define-tag secrefs>CVE-2011-1015 CVE-2011-1521 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-4238 CVE-2014-1912</define-tag>
 <define-tag packages>python2.6</define-tag>
 <define-tag isvulnerable>yes</define-tag>
Index: english/security/2014/dla-25.wml
===================================================================
--- english/security/2014/dla-25.wml	(revision 204)
+++ english/security/2014/dla-25.wml	(working copy)
@@ -1,5 +1,12 @@
 <define-tag description>LTS security update</define-tag>
 <define-tag moreinfo>
+<p>A regression has been identified in the python2.6 update of DLA-25-1,
+which may cause python applications to abort if they were running during
+the upgrade but they had not already imported the 'os' module, and do so
+after the upgrade. This update fixes this upgrade scenario.</p>
+
+<p>For reference, the original advisory text follows.</p>
+
 <p>Multiple vulnerabilities were discovered in python2.6. The more
 relevant are:</p>
 
@@ -18,7 +25,7 @@
 
 </ul>
 
-<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in python2.6 version 2.6.6-8+deb6u1</p>
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in python2.6 version 2.6.6-8+deb6u2</p>
 </define-tag>
 
 # do not modify the following line
Index: english/security/2014/dla-59.data
===================================================================
--- english/security/2014/dla-59.data	(nonexistent)
+++ english/security/2014/dla-59.data	(working copy)
@@ -0,0 +1,10 @@
+<define-tag pagetitle>DLA-59-1 bash</define-tag>
+<define-tag report_date>2014-9-24</define-tag>
+<define-tag secrefs>CVE-2014-6271</define-tag>
+<define-tag packages>bash</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
Index: english/security/2014/dla-59.wml
===================================================================
--- english/security/2014/dla-59.wml	(nonexistent)
+++ english/security/2014/dla-59.wml	(working copy)
@@ -0,0 +1,23 @@
+<define-tag description>LTS security update</define-tag>
+<define-tag moreinfo></p>
+
+<ul>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2014-6271";>CVE-2014-6271</a>:
+
+<p>GNU Bash through 4.3 processes trailing strings after function definitions 
+in the values of environment variables, which allows remote attackers to 
+execute arbitrary code via a crafted environment, as demonstrated by vectors 
+involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and 
+mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified 
+DHCP clients, and other situations in which setting the environment occurs 
+across a privilege boundary from Bash execution, aka "ShellShock."</p></li>
+
+</ul>
+
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in bash version 4.1-3+deb6u1</p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/security/2014/dla-59.data"
+# $Id: $
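Review bot: the `<define-tag moreinfo></p>` line carries a stray `</p>` with no matching `<p>`; it should read plain `<define-tag moreinfo>` as in the other .wml files in this patch (dla-58.wml, dla-72.wml). The closing sentence also says "these issues have been fixed" although only one CVE (CVE-2014-6271) is listed, so "this issue" would be accurate.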
Index: english/security/2014/dla-58.data
===================================================================
--- english/security/2014/dla-58.data	(revision 204)
+++ english/security/2014/dla-58.data	(working copy)
@@ -1,5 +1,5 @@
-<define-tag pagetitle>DLA-58-1 apt</define-tag>
-<define-tag report_date>2014-9-23</define-tag>
+<define-tag pagetitle>DLA-58-2 apt</define-tag>
+<define-tag report_date>2014-10-14</define-tag>
 <define-tag secrefs>CVE-2014-6273</define-tag>
 <define-tag packages>apt</define-tag>
 <define-tag isvulnerable>yes</define-tag>
Index: english/security/2014/dla-58.wml
===================================================================
--- english/security/2014/dla-58.wml	(revision 204)
+++ english/security/2014/dla-58.wml	(working copy)
@@ -1,5 +1,10 @@
 <define-tag description>LTS security update</define-tag>
 <define-tag moreinfo>
+<p>This update fixes a regression introduced in 0.8.10.3+squeeze5 where
+apt would send invalid HTTP requests when sending If-Range queries.</p>
+
+<p>For reference, the original advisory text follows.</p>
+
 <p>The Google Security Team discovered a buffer overflow vulnerability in
 the HTTP transport code in apt-get. An attacker able to
 man-in-the-middle a HTTP request to an apt repository can trigger the
@@ -8,19 +13,19 @@
 
 <p>The following regression fixes were included in this update:</p>
 
- <p>* Fix regression from the previous update in DLA-53-1 when the custom
-   apt configuration option for Dir::state::lists is set to a relative
-   path (#762160).</p>
+ <p>* Fix regression from the previous update in <a href="dla-53">DLA-53-1</a>
+   when the custom apt configuration option for Dir::state::lists is set to a
+   relative path (#762160).</p>
 
  <p>* Fix regression in the reverificaiton handling of cdrom: sources that
    may lead to incorrect hashsum warnings. Affected users need to run
    "apt-cdrom add" again after the update was applied.</p>
 
- <p>* Fix regression from the previous update in DLA-53-1 when file:///
-   sources are used and those are on a different partition than the apt
-   state directory.</p>
+ <p>* Fix regression from the previous update in <a href="dla-53">DLA-53-1</a>
+   when file:/// sources are used and those are on a different partition than
+   the apt state directory.</p>
 
-<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in apt version 0.8.10.3+squeeze5</p>
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in apt version 0.8.10.3+squeeze6</p>
 </define-tag>
 
 # do not modify the following line
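Review bot: the untouched context line `<p>* Fix regression in the reverificaiton handling of cdrom: sources` still carries the typo "reverificaiton"; since this hunk already rewraps the two neighbouring regression paragraphs, fix it to "reverification" in the same change rather than leaving it for a later upload.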
Index: english/security/2014/dla-63.wml
===================================================================
--- english/security/2014/dla-63.wml	(revision 204)
+++ english/security/2014/dla-63.wml	(working copy)
@@ -1,8 +1,8 @@
 <define-tag description>LTS security update</define-tag>
 <define-tag moreinfo>
 <p>Tavis Ormandy discovered that the patch applied to fix <a href="https://security-tracker.debian.org/tracker/CVE-2014-6271";>CVE-2014-6271</a>
-released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was
-incomplete and could still allow some characters to be injected into
+released in <a href="dla-59">DLA-59-1</a> for bash, the GNU Bourne-Again Shell,
+was incomplete and could still allow some characters to be injected into
 another environment (<a href="https://security-tracker.debian.org/tracker/CVE-2014-7169";>CVE-2014-7169</a>). With this update prefix and suffix
 for environment variable names which contain shell functions are added
 as hardening measure.</p>
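Review bot: the new relative link `<a href="dla-59">DLA-59-1</a>` points at dla-59.wml, which is created elsewhere in this same patch (the "59 and 115 created from upload log" item), so the two parts must be committed together or the link on the dla-63 page dangles. The wording change itself is consistent with the LTS page: the Squeeze fix for CVE-2014-6271 was shipped as DLA-59-1, not DSA-3032-1.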
Index: english/security/2014/dla-72.data
===================================================================
--- english/security/2014/dla-72.data	(revision 204)
+++ english/security/2014/dla-72.data	(working copy)
@@ -1,7 +1,7 @@
-<define-tag pagetitle>DLA-72-1 rsylog</define-tag>
-<define-tag report_date>2014-10-19</define-tag>
+<define-tag pagetitle>DLA-72-2 rsyslog</define-tag>
+<define-tag report_date>2014-10-20</define-tag>
 <define-tag secrefs>CVE-2014-3634 CVE-2014-3683</define-tag>
-<define-tag packages>rsylog</define-tag>
+<define-tag packages>rsyslog</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
 <define-tag fixed-section>no</define-tag>
Index: english/security/2014/dla-72.wml
===================================================================
--- english/security/2014/dla-72.wml	(revision 204)
+++ english/security/2014/dla-72.wml	(working copy)
@@ -1,6 +1,11 @@
 <define-tag description>LTS security update</define-tag>
 <define-tag moreinfo>
+<p>The Wheezy patch left an unresolved symbol in the imklog module of 
+the Squeeze version. rsyslog worked fine except that messages from the 
+kernel couldn't be submitted any longer. This update fixes this issue.</p>
 
+<p>For reference, the original advisory text follows.</p>
+
 <ul>
 
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2014-3634";>CVE-2014-3634</a>
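Review bot: the two added lines `<p>The Wheezy patch left an unresolved symbol in the imklog module of ` and `the Squeeze version. rsyslog worked fine except that messages from the ` end in trailing whitespace; strip it before committing so the file matches the rest of the advisory sources.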
@@ -16,7 +21,7 @@
 
 </ul>
 
-<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in rsylog version 4.6.4-2+deb6u1</p>
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in rsyslog version 4.6.4-2+deb6u2</p>
 </define-tag>
 
 # do not modify the following line
Index: english/security/2014/dla-75.wml
===================================================================
--- english/security/2014/dla-75.wml	(revision 204)
+++ english/security/2014/dla-75.wml	(working copy)
@@ -7,8 +7,8 @@
 
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2014-4274";>CVE-2014-4274</a>
 
-    <p>Insecure handling of a temporary file that could lead to abritrary
-    execution of code through the creation of a mysql configuration file
+    <p>Insecure handling of a temporary file that could lead to execution
+    of arbitrary code through the creation of a mysql configuration file
     pointing to an attacker-controlled plugin_dir.</p></li>
 
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2013-2162";>CVE-2013-2162</a>
Index: english/security/2014/dla-115.data
===================================================================
--- english/security/2014/dla-115.data	(nonexistent)
+++ english/security/2014/dla-115.data	(working copy)
@@ -0,0 +1,9 @@
+<define-tag pagetitle>DLA-115-1 gosa</define-tag>
+<define-tag report_date>2014-12-18</define-tag>
+<define-tag packages>gosa</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
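Review bot: unlike dla-59.data, this new data file has no `<define-tag secrefs>` line, so the advisory will not be cross-referenced from the security tracker; the wml only cites bug #768509, so if the gosa update really carries no CVE identifier this is fine, but confirm that rather than inherit the omission from the upload log.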
Index: english/security/2014/dla-115.wml
===================================================================
--- english/security/2014/dla-115.wml	(nonexistent)
+++ english/security/2014/dla-115.wml	(working copy)
@@ -0,0 +1,14 @@
+<define-tag description>LTS security update</define-tag>
+<define-tag moreinfo>
+     <p>Fix XSS issue during login.</p>
+
+     <p>Fix authentication of GOsa² against the underlying LDAP server(s)
+     via the gosa-admin DN (#768509).</p>
+
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in gosa
+version 2.6.11-3+squeeze3.</p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/security/2014/dla-115.data"
+# $Id: $
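Review bot: the two `<p>Fix ...</p>` paragraphs are indented with five leading spaces, which looks copied straight from the changelog in the upload log; the other .wml files in this patch start their `<p>` tags at column one, so drop the indentation. The entries also read as changelog lines ("Fix XSS issue during login.") rather than advisory prose; a sentence per item in the style of the other advisories would be clearer for readers of the web page.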
Index: english/security/2014/dla-120.wml
===================================================================
--- english/security/2014/dla-120.wml	(revision 204)
+++ english/security/2014/dla-120.wml	(working copy)
@@ -1,5 +1,8 @@
 <define-tag description>LTS security update</define-tag>
 <define-tag moreinfo>
+<p>This advisory has been superseded by <a href="../2015/dla-120">DLA-120-2</a>.
+For reference, the original advisory text follows.</p>
+
 <p>Ilja van Sprundel of IOActive discovered several security issues in the
 X.org X server, which may lead to privilege escalation or denial of
 service.</p>
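Review bot: the superseded notice links to `../2015/dla-120`, i.e. a page in the 2015 directory, while this file lives in english/security/2014/; that is only correct if the DLA-120-2 page actually exists at english/security/2015/dla-120 (and its .data file), which this patch does not create, so check that target before committing or the link is dangling.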
