Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > November 2005 > Debian - Five Security Advisories

November 2005

Debian - Five Security Advisories

ID: 00988
Ref: 926/05
Date: 07 November 2005:11:15:14
Version: 1
Title: Debian - Five Security Advisories
Abstract:
Vendors affected: Debian
Operating systems affected: Debian
Applications affected: Debian

Title
=====

Debian - Five Security Advisories:
1. New OpenSSL 0.9.6 packages fix cryptographic weakness [DSA 881-1]
2. New OpenSSL packages fix cryptographic weakness [DSA 882-1]
3. New thttpd packages fix insecure temporary file [DSA 883-1]
4. New Horde3 packages fix insecure default installation [DSA 884-1]
5. New OpenVPN packages fix several vulnerabilities [DSA 885-1]


Detail
======

Security advisory summaries:

1. Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer
(OpenSSL) library that can allow an attacker to perform active
protocol-version rollback attacks that could lead to the use of the
weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS
1.0.

2. Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer
(OpenSSL) library that can allow an attacker to perform active
protocol-version rollback attacks that could lead to the use of the
weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS
1.0.

3. Javier Fernández-Sanguino Peña from the Debian Security Audit team
discovered that the syslogtocern script from thttpd, a tiny webserver,
uses a temporary file insecurely, allowing a local attacker to craft a
symlink attack to overwrite arbitrary files.

4. Mike O'Connor discovered that the default installation of Horde3 on
Debian includes an administrator account without a password. Already
configured installations will not be altered by this update.

5. Several vulnerabilities have been discovered in OpenVPN, a free
virtual private network daemon.


Security advisory content follows:


1.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 881-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
November 4th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package : openssl096
Vulnerability : cryptographic weakness
Problem type : remote
Debian-specific: no
CVE ID : CVE-2005-2969

Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer
(OpenSSL) library that can allow an attacker to perform active
protocol-version rollback attacks that could lead to the use of the
weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS
1.0.

The following matrix explains which version in which distribution has
this problem corrected.

oldstable (woody) stable (sarge) unstable (sid)
openssl 0.9.6c-2.woody.8 0.9.7e-3sarge1 0.9.8-3
openssl 094 0.9.4-6.woody.4 n/a n/a
openssl 095 0.9.5a-6.woody.6 n/a n/a
openssl 096 n/a 0.9.6m-1sarge1 n/a
openssl 097 n/a n/a 0.9.7g-5

We recommend that you upgrade your libssl packages.


Upgrade Instructions
- - --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge1.dsc
Size/MD5 checksum: 617 ce5f1e232a472723ca68499327b72dbb
http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge1.diff.gz
Size/MD5 checksum: 18775 21461483c9dc895530bedc3b973faa07
http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m.orig.tar.gz
Size/MD5 checksum: 2184918 1b63bfdca1c37837dddde9f1623498f9

Alpha architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_alpha.deb
Size/MD5 checksum: 1964914 393db230e3682b76c3c9f36eb42264e6

AMD64 architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_amd64.deb
Size/MD5 checksum: 577924 c07845bb45e5c3b75456f961e336eb13

ARM architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_arm.deb
Size/MD5 checksum: 518534 eea289b8dde19ac6c8c6cf7b30ea4eb1

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_i386.deb
Size/MD5 checksum: 1754964 7b514ad94e57dc9fd6e4842b2946640d

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_ia64.deb
Size/MD5 checksum: 814794 0c604b4b2f703c01173d140b95f61cd6

HP Precision architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_hppa.deb
Size/MD5 checksum: 587272 01cbb27d7021792fd6570b2f466ce41a

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_m68k.deb
Size/MD5 checksum: 476638 64e57e89c2efbe43db0ee00ae686413b

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_mips.deb
Size/MD5 checksum: 576718 a05286b7d56e76bb6863987f9428cfa8

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_mipsel.deb
Size/MD5 checksum: 568608 11f1592d26bc34ed8b2ecae3af730e04

PowerPC architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_powerpc.deb
Size/MD5 checksum: 582352 48a678cc33b6b253be1dff5d8d7d23da

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_s390.deb
Size/MD5 checksum: 602274 4b926097074513294652c4bef75f1f4f

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge1_sparc.deb
Size/MD5 checksum: 1458254 29c66b77c695f27f4f38dbdfbd51d320


These files will probably be moved into the stable distribution on
its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDaz/2W5ql+IAeqTIRAtZzAJ40qxSyF8zR3ed1C3WOANCtvwiMzACdHkUf
dUob6n3V6kc0TTwGTrwAjH0=
=l7iw
- -----END PGP SIGNATURE-----




2.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 882-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
November 4th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package : openssl095
Vulnerability : cryptographic weakness
Problem type : remote
Debian-specific: no
CVE ID : CVE-2005-2969

Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer
(OpenSSL) library that can allow an attacker to perform active
protocol-version rollback attacks that could lead to the use of the
weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS
1.0.

The following matrix explains which version in which distribution has
this problem corrected.

oldstable (woody) stable (sarge) unstable (sid)
openssl 0.9.6c-2.woody.8 0.9.7e-3sarge1 0.9.8-3
openssl 094 0.9.4-6.woody.4 n/a n/a
openssl 095 0.9.5a-6.woody.6 n/a n/a
openssl 096 n/a 0.9.6m-1sarge1 n/a
openssl 097 n/a n/a 0.9.7g-5

We recommend that you upgrade your libssl packages.


Upgrade Instructions
- - --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.6.dsc
Size/MD5 checksum: 631 06d702bf602bdf36e76ccf1d293e2755
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.6.diff.gz
Size/MD5 checksum: 39425 bbc79b4a3b51c3407642a909924636b3
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
Size/MD5 checksum: 1892089 99d22f1d4d23ff8b927f94a9df3997b4

Alpha architecture:

http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.6_alpha.deb
Size/MD5 checksum: 497428 d7f43468426f4937d9f6f4f200b62ac4

ARM architecture:

http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.6_arm.deb
Size/MD5 checksum: 402790 3b6d0893487c55369771219423b8acf0

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.6_i386.deb
Size/MD5 checksum: 400034 11c30a4af4fb8f00848aff98caf4a721

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.6_m68k.deb
Size/MD5 checksum: 377034 5bc6aa7ce2c912bf6b306db88044e58d

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.6_mips.deb
Size/MD5 checksum: 412864 ca4c4ace9a42844cfd93320f6438895a

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.6_mipsel.deb
Size/MD5 checksum: 407678 ca10a64a6c760d2e45f2a1cdfa33ed1e

PowerPC architecture:

http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.6_powerpc.deb
Size/MD5 checksum: 425740 106ba99bf991c3e8864d414be25a92e4

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.6_sparc.deb
Size/MD5 checksum: 412474 1abb2a98b00c638cf88cead55ec5959f


These files will probably be moved into the stable distribution on
its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDa087W5ql+IAeqTIRAnAZAKCOLyaJHACQRNsDAQCT9v1uDUh/PQCdE21J
P2lza1cE34ISntH0x71nruA=
=vSg3
- -----END PGP SIGNATURE-----




3.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 883-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
November 4th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package : thttpd
Vulnerability : insecure temporary file
Problem type : local
Debian-specific: no
CVE ID : CVE-2005-3124

Javier Fernández-Sanguino Peña from the Debian Security Audit team
discovered that the syslogtocern script from thttpd, a tiny webserver,
uses a temporary file insecurely, allowing a local attacker to craft a
symlink attack to overwrite arbitrary files.

For the old stable distribution (woody) this problem has been fixed in
version 2.21b-11.3.

For the stable distribution (sarge) this problem has been fixed in
version 2.23beta1-3sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.23beta1-4.

We recommend that you upgrade your thttpd package.


Upgrade Instructions
- - --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3.dsc
Size/MD5 checksum: 545 ba3c0bb15f6212db97bcf6d6524d4780
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3.diff.gz
Size/MD5 checksum: 12672 47c8093a645102ea2f328455195e763c
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b.orig.tar.gz
Size/MD5 checksum: 127157 9c1512664cf70c286331243ab622173e

Alpha architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_alpha.deb
Size/MD5 checksum: 67624 465efe17c6bf662b1b191b91c8cd8491
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_alpha.deb
Size/MD5 checksum: 27940 3830272b2dae0993fa96b4bb014feb09

ARM architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_arm.deb
Size/MD5 checksum: 54272 fd2de8fb819e11c5a0a91ad4546d3b07
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_arm.deb
Size/MD5 checksum: 23384 9a02e239a4d792547e088b2e7047d08a

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_i386.deb
Size/MD5 checksum: 51996 5c6c5f4bda6ecf89c095595ae7d47e0a
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_i386.deb
Size/MD5 checksum: 23732 b86b4669f89ea162f965430181004097

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_ia64.deb
Size/MD5 checksum: 78060 ae4c37cfeb4bb00aabe86fb53ac8d320
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_ia64.deb
Size/MD5 checksum: 29732 3f7102053a50f0c67edc8d566e3707e8

HP Precision architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_hppa.deb
Size/MD5 checksum: 59244 1b007a6734c854b6a313e3a48c59b5d3
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_hppa.deb
Size/MD5 checksum: 25618 1c4087f8fa972c8ec9364fb422b1f399

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_m68k.deb
Size/MD5 checksum: 49632 f1cc7d708bbcf9fc34fe5382b8370bd3
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_m68k.deb
Size/MD5 checksum: 23386 4b6af55203f640969e0ca8fadd3ebf7d

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_mips.deb
Size/MD5 checksum: 58302 e6c7222513bd7b96a09fb53f16447552
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_mips.deb
Size/MD5 checksum: 24670 2f575c075a755b452ee27749cab8e72d

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_mipsel.deb
Size/MD5 checksum: 58424 af4447af28817c182ffe85b2f1ddbaa4
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_mipsel.deb
Size/MD5 checksum: 24744 9b7b47b0e29e90a4805edfb960912db5

PowerPC architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_powerpc.deb
Size/MD5 checksum: 56558 cd91f39ec6a4b76377fb62f93eb31f8d
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_powerpc.deb
Size/MD5 checksum: 23992 7d582bab26cb31d3b9b109008cc5d493

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_s390.deb
Size/MD5 checksum: 54762 72de109e9fd79a02ea9de27619a26923
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_s390.deb
Size/MD5 checksum: 24536 6bd0b8d4676a15c349905b0b70bb7c65

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.21b-11.3_sparc.deb
Size/MD5 checksum: 58326 5e288c30abd19e26ed1121585e83c52c
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.21b-11.3_sparc.deb
Size/MD5 checksum: 30104 dc9d39c3a3aa44f7cb120f1ab4fddc19


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1.dsc
Size/MD5 checksum: 614 290db913568006f555f67c0529f2ad7c
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1.diff.gz
Size/MD5 checksum: 14109 d0598767e42a34ad05c9df1c3962b140
http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1.orig.tar.gz
Size/MD5 checksum: 128712 d3d91f6596f53d5e2b27cea8607d5bba

Alpha architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_alpha.deb
Size/MD5 checksum: 59240 f6854853b290fe2ce1a925cbbea3856a
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_alpha.deb
Size/MD5 checksum: 27978 6b4680363644b459e0e47222985f749f

AMD64 architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_amd64.deb
Size/MD5 checksum: 56034 9848065d7700f2f6e0a036ee76e8fcf7
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_amd64.deb
Size/MD5 checksum: 26456 befb78e032aa654e5fcfcc7c9fdff21b

ARM architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_arm.deb
Size/MD5 checksum: 53198 6a9c1e8afaa60a7b4b7787729dd97b9b
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_arm.deb
Size/MD5 checksum: 24610 f35f8b0a749694fea536296d2a41e1f0

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_i386.deb
Size/MD5 checksum: 51494 eeb422504ed7247f4bbfd5ed27a89bac
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_i386.deb
Size/MD5 checksum: 24638 85147190249ea9d69c16d8f1dfdfb42e

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_ia64.deb
Size/MD5 checksum: 71954 924db7bf3beb5ce3c0e5018759aef3d6
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_ia64.deb
Size/MD5 checksum: 30276 530abc02e3c392a91bff06fe1d8ce7af

HP Precision architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_hppa.deb
Size/MD5 checksum: 57374 4755b42efc9a48b59b1e745862e01098
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_hppa.deb
Size/MD5 checksum: 26912 557472d5a3e182b86999baa0b89846ba

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_m68k.deb
Size/MD5 checksum: 50132 bcb24b62afb868c5e04b8c1db66e6cc3
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_m68k.deb
Size/MD5 checksum: 24756 4b30d87639b3d6b7ca58537cf16c6953

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_mips.deb
Size/MD5 checksum: 57044 410e480e061a3876b7ff01beaffb571e
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_mips.deb
Size/MD5 checksum: 30980 2cda342ba6a04fdbe0a938359eeff813

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_mipsel.deb
Size/MD5 checksum: 57112 fe0268048af2940619a9380d7cd83626
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_mipsel.deb
Size/MD5 checksum: 31126 64e73613ca88afa3fd379b657c80a414

PowerPC architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_powerpc.deb
Size/MD5 checksum: 53442 58c39568158a4c3da81efcaf6a0ab838
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_powerpc.deb
Size/MD5 checksum: 25160 a5ff28da9df6080438012db8014b0212

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_s390.deb
Size/MD5 checksum: 56214 f39998665c2df9236d2902120eb977f9
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_s390.deb
Size/MD5 checksum: 26268 34e822b698803e3e0139430aea707f55

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/t/thttpd/thttpd_2.23beta1-3sarge1_sparc.deb
Size/MD5 checksum: 53298 a8dcaf92cb41b607618b4a271927c250
http://security.debian.org/pool/updates/main/t/thttpd/thttpd-util_2.23beta1-3sarge1_sparc.deb
Size/MD5 checksum: 24718 54c4e9dac68c9b8472dc92fe6966f6e4


These files will probably be moved into the stable distribution on
its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDa5G8W5ql+IAeqTIRAvGgAKCF0lAb2AjYJB4W/gjWdVqucENh6wCfYLYa
Hl49V6DyO77BW4UyQ4LjSSs=
=On/a
- -----END PGP SIGNATURE-----




4.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 884-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
November 7th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package : horde3
Vulnerability : design error
Problem type : remote
Debian-specific: yes
CVE ID : CVE-2005-3344
Debian Bugs : 332290 332289

Mike O'Connor discovered that the default installation of Horde3 on
Debian includes an administrator account without a password. Already
configured installations will not be altered by this update.

The old stable distribution (woody) does not contain horde3 packages.

For the stable distribution (sarge) this problem has been fixed in
version 3.0.4-4sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 3.0.5-2

We recommend that you verify your horde3 admin account if you have
installed Horde3.

Upgrade Instructions
- - --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge1.dsc
Size/MD5 checksum: 627 cc9b46f4b5a4f4a514ecbc51d9eb3a58
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge1.diff.gz
Size/MD5 checksum: 6751 b0e7fb95efe86aeb42cfd0b478dd312b
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4.orig.tar.gz
Size/MD5 checksum: 3378143 e2221d409ba1c8841ce4ecee981d7b61

Architecture independent components:

http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge1_all.deb
Size/MD5 checksum: 3432038 671d10d028345c0cfc133cc0504a2d50


These files will probably be moved into the stable distribution on
its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDbxYnW5ql+IAeqTIRAp50AKCu2u8rU/MHoFT+vgl7mRFrEGp8kACgtEBh
NQhwCmoAsCjYCSlFbpsYcrU=
=uGyV
- -----END PGP SIGNATURE-----




5.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 885-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
November 7th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package : openvpn
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2005-3393 CVE-2005-3409
CERT advisory :
BugTraq ID : 15239
Debian Bug : 336751 337334

Several vulnerabilities have been discovered in OpenVPN, a free
virtual private network daemon. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2005-3393

A format string vulnerability has been discovered that could allow
arbitrary code to be executed on the client.

CVE-2005-3409

A NULL pointer dereferencing has been discovered that could be
exploited to crash the service.

The old stable distribution (woody) does not contain openvpn packages.

For the stable distribution (sarge) these problems have been fixed in
version 2.0-1sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 2.0.5-1.

We recommend that you upgrade your openvpn package.


Upgrade Instructions
- - --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2.dsc
Size/MD5 checksum: 629 1cea04a008a9b888b404c7ec2e5c2ef2
http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2.diff.gz
Size/MD5 checksum: 52800 a48a32ae512664fa21ac2f18b13aca8b
http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0.orig.tar.gz
Size/MD5 checksum: 639201 7401faebc6baee9add32608709c54eec

Alpha architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_alpha.deb
Size/MD5 checksum: 347438 9dcec8dd6cdf3efcaea58097a526d95d

AMD64 architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_amd64.deb
Size/MD5 checksum: 316598 34e437c2b5c671a0945e23dc314c7d61

ARM architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_arm.deb
Size/MD5 checksum: 296726 7eb2f74d7f6334aa864638b18261e6ed

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_i386.deb
Size/MD5 checksum: 302630 b48bfb10468d6177ca5825382a5b9f3a

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_ia64.deb
Size/MD5 checksum: 395760 ca6d5c797d96fccf4ff785406bc9cd8c

HP Precision architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_hppa.deb
Size/MD5 checksum: 316894 d8a83c52f67b478a7ac2481411b4850c

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_m68k.deb
Size/MD5 checksum: 276658 fb776634c4805ce5b3c98b34c244b8b8

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_mips.deb
Size/MD5 checksum: 317832 400f6f80ece6d8937aca0500a47aaba8

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_mipsel.deb
Size/MD5 checksum: 319656 ea3d192a110f8231ac4146490cd4ab46

PowerPC architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_powerpc.deb
Size/MD5 checksum: 309090 8baabfbe69032a23414ca0e97caec7b9

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_s390.deb
Size/MD5 checksum: 307492 c63d7c1f5ac2f469ecfdee8673da39d4

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/o/openvpn/openvpn_2.0-1sarge2_sparc.deb
Size/MD5 checksum: 295050 913b178ac53ea6676600200c95be4f46


These files will probably be moved into the stable distribution on
its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDbyT/W5ql+IAeqTIRAmb4AKCVbkyBafLC3MaL8JAw22nS0YbhngCgoAkE
Qrs+MSOzJPqkIuaNH0TJlJk=
=wuyZ
- -----END PGP SIGNATURE-----



  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |