VARIoT IoT vulnerabilities database
| VAR-200907-0162 | CVE-2009-2452 | Citrix Licensing Vulnerabilities in unknown details |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in Citrix Licensing 11.5 have unknown impact and attack vectors, related to "underlying components of the License Management Console.".
The impact of this vulnerability is currently unknown.
Very few details are available regarding this issue. We will update this BID as more information emerges.
Citrix Licensing 11.5 is vulnerable. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
SOLUTION:
Update to the latest version of the Licensing Server.
https://www.citrix.com/site/SS/downloads/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://support.citrix.com/article/CTX120742
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0554 | CVE-2009-1480 | index.php Pragyan CMS In SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in index.php Pragyan CMS 2.6.4 allows remote attackers to execute arbitrary SQL commands via the fileget parameter in a view action and other unspecified vectors. Pragyan CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Pragyan CMS 2.6.4 is vulnerable; other versions may also be affected
| VAR-200905-0178 | CVE-2009-1605 | SumatraPDF Heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: 5.4 Severity: HIGH |
Heap-based buffer overflow in the loadexponentialfunc function in mupdf/pdf_function.c in MuPDF in the mupdf-20090223-win32 package, as used in SumatraPDF 0.9.3 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: some of these details are obtained from third party information. MuPDF is prone to a remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Highlights from the 2008 report:
* Vulnerability Research
* Software Inspection Results
* Secunia Research Highlights
* Secunia Advisory Statistics
Request the full 2008 Report here:
http://secunia.com/advisories/try_vi/request_2008_report/
Stay Secure,
Secunia
----------------------------------------------------------------------
TITLE:
MuPDF "loadexponentialfunc()" Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA34916
VERIFY ADVISORY:
http://secunia.com/advisories/34916/
DESCRIPTION:
c has discovered a vulnerability in MuPDF, which can be exploited by
malicious people to potentially compromise an application using the
library.
The vulnerability is caused due to a boundary error within the
"loadexponentialfunc()" function in pdf_function.c.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is confirmed in the MuPDF library included in the
mupdf-20090223-win32 package. Other versions may also be affected.
SOLUTION:
Do not process untrusted PDF files using the library.
PROVIDED AND/OR DISCOVERED BY:
c
ORIGINAL ADVISORY:
http://archives.neohapsis.com/archives/fulldisclosure/2009-04/0258.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200905-0190 | CVE-2009-1558 | Cisco Linksys WVC54GCA Wireless camcorder adm/file.cgi Vulnerable to directory traversal |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter. Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera is prone to multiple directory-traversal vulnerabilities because the software fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues using directory-traversal strings ('../') to download arbitrary files with the privileges of the server process. Information obtained may aid in further attacks.
Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera firmware 1.00R22 and 1.00R24 are affected; other versions may also be vulnerable. The Linksys WVC54GCA is a wireless network camera
| VAR-200904-0218 | CVE-2009-0064 | Symantec Brightmail Gateway Appliance of Control Center Vulnerability gained in |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in the Control Center in Symantec Brightmail Gateway Appliance before 8.0.1 allow remote authenticated users to gain privileges, and possibly obtain sensitive information or hijack sessions of arbitrary users, via vectors involving (1) administrative scripts or (2) console functions. Symantec Brightmail Gateway is prone to a remote privilege-escalation vulnerability.
Remote authorized attackers who have access to the targeted host's local network can exploit this issue to gain elevated access. Successful exploits may compromise the affected computer and may aid in other attacks.
Versions prior to Brightmail Gateway 8.0.1 are vulnerable. Brightmail Gateway is Symantec's information security management platform. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Highlights from the 2008 report:
* Vulnerability Research
* Software Inspection Results
* Secunia Research Highlights
* Secunia Advisory Statistics
Request the full 2008 Report here:
http://secunia.com/advisories/try_vi/request_2008_report/
Stay Secure,
Secunia
----------------------------------------------------------------------
TITLE:
Symantec Brightmail Gateway Control Center Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA34885
VERIFY ADVISORY:
http://secunia.com/advisories/34885/
DESCRIPTION:
Some vulnerabilities have been reported in Symantec Brightmail
Gateway, which can be exploited by malicious people to conduct
cross-site scripting attacks and by malicious users to bypass certain
security restrictions.
1) Certain unspecified input passed to the Control Center is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
SOLUTION:
Update to version 8.0.1 or later.
PROVIDED AND/OR DISCOVERED BY:
Marian Ventuneac, Perot Systems
ORIGINAL ADVISORY:
SYM09-005:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200905-0191 | CVE-2009-1559 | Cisco Linksys WVC54GCA On wireless camcorder adm/file.cgi Vulnerable to absolute path traversal |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Absolute path traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R24 and possibly 1.00R22 allows remote attackers to read arbitrary files via an absolute pathname in the this_file parameter. NOTE: traversal via a .. (dot dot) is probably also possible. Wvc54gca is prone to a directory traversal vulnerability. Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera is prone to multiple directory-traversal vulnerabilities because the software fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues using directory-traversal strings ('../') to download arbitrary files with the privileges of the server process. Information obtained may aid in further attacks.
Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera firmware 1.00R22 and 1.00R24 are affected; other versions may also be vulnerable. The Linksys WVC54GCA is a wireless network camera
| VAR-200905-0155 | CVE-2009-1632 |
Ipsec-tools Certificate validation and NAT-Traversal Service disruption in (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0796, VAR-E-200904-0795 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple memory leaks in Ipsec-tools before 0.7.2 allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) signature verification during user authentication with X.509 certificates, related to the eay_check_x509sign function in src/racoon/crypto_openssl.c; and (2) the NAT-Traversal (aka NAT-T) keepalive implementation, related to src/racoon/nattraversal.c. IPsec-Tools is affected by multiple remote denial-of-service vulnerabilities because the software fails to properly handle certain network packets.
A successful attack allows a remote attacker to cause the application to crash or to consume excessive memory, denying further service to legitimate users.
Versions prior to IPsec-Tools 0.7.2 are vulnerable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200905-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: IPSec Tools: Denial of Service
Date: May 24, 2009
Bugs: #267135
ID: 200905-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple errors in the IPSec Tools racoon daemon might allow remote
attackers to cause a Denial of Service.
Background
==========
The IPSec Tools are a port of KAME's IPsec utilities to the Linux-2.6
IPsec implementation. They include racoon, an Internet Key Exchange
daemon for automatically keying IPsec connections.
* Multiple memory leaks exist in (1) the eay_check_x509sign()
function in racoon/crypto_openssl.c and (2) racoon/nattraversal.c
(CVE-2009-1632).
Impact
======
A remote attacker could send specially crafted fragmented ISAKMP
packets without a payload or exploit vectors related to X.509
certificate authentication and NAT traversal, possibly resulting in a
crash of the racoon daemon.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All IPSec Tools users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-firewall/ipsec-tools-0.7.2"
References
==========
[ 1 ] CVE-2009-1574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1574
[ 2 ] CVE-2009-1632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1632
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200905-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA-1804-1 security@debian.org
http://www.debian.org/security/ Nico Golde
May 20th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : ipsec-tools
Vulnerability : null pointer dereference, memory leaks
Problem type : remote
Debian-specific: no
Debian bug : 527634 528933
CVE ID : CVE-2009-1574 CVE-2009-1632
Several remote vulnerabilities have been discovered in racoon, the Internet Key
Exchange daemon of ipsec-tools. The The Common Vulnerabilities and Exposures
project identified the following problems:
Neil Kettle discovered a NULL pointer dereference on crafted fragmented packets
that contain no payload. This results in the daemon crashing which can be used
for denial of service attacks (CVE-2009-1574).
For the oldstable distribution (etch), this problem has been fixed in
version 0.6.6-3.1etch3.
For the stable distribution (lenny), this problem has been fixed in
version 0.7.1-1.3+lenny2.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 1:0.7.1-1.5.
We recommend that you upgrade your ipsec-tools packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3.dsc
Size/MD5 checksum: 722 8b561cf84ac9c46ec07b037ce3ad06f1
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3.diff.gz
Size/MD5 checksum: 49875 7444fb4ad448ccfffe878801a2b88d2e
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_amd64.deb
Size/MD5 checksum: 343790 9cee9f8c479a3a2952d2913d7bdc4c5d
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_amd64.deb
Size/MD5 checksum: 89184 5ccd4554eec28da6d933dc20a8a39393
arm architecture (ARM)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_arm.deb
Size/MD5 checksum: 325706 9ce7988b74bccee252be7dac7ac8b5f7
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_arm.deb
Size/MD5 checksum: 89748 513ded0e4a33200710444e1bf4ab67d8
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_hppa.deb
Size/MD5 checksum: 353066 c56644b426ae945ca420d4ca37fc3f2a
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_hppa.deb
Size/MD5 checksum: 94092 80b46b6fd60e857c84c588432b098957
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_i386.deb
Size/MD5 checksum: 330258 b905d30958bd5c51d355f286f81b8be1
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_i386.deb
Size/MD5 checksum: 85046 294ccbc4b51e4942edaeec7cd746dfa3
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_ia64.deb
Size/MD5 checksum: 113356 111f0daa2075584c100efc9c11ecef73
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_ia64.deb
Size/MD5 checksum: 468296 bd4d69b5e0d4ee39ec564e1304f7649c
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_mips.deb
Size/MD5 checksum: 89018 b6af57d65d43a7433132bee9657ba608
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_mips.deb
Size/MD5 checksum: 344558 aba2d85d5196c2a46555ad9e478d338a
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_mipsel.deb
Size/MD5 checksum: 346856 97e04d97bdd55f852392d7461bad7f4d
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_mipsel.deb
Size/MD5 checksum: 90308 9e780cda3df3384d0f1e33637d003f21
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_powerpc.deb
Size/MD5 checksum: 91048 98174626d8ad1fba940c81001c337a4f
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_powerpc.deb
Size/MD5 checksum: 337266 9f636e6d8904103b0096a4eed99e9cae
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_s390.deb
Size/MD5 checksum: 341586 b42ddbad323dcdbd775d502f786ab449
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_s390.deb
Size/MD5 checksum: 90750 62d4c3e618a6c69d532b8d8d33bb27b9
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_sparc.deb
Size/MD5 checksum: 85710 9f1f526be4f2df4eb64d46023d87c6b3
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_sparc.deb
Size/MD5 checksum: 317136 38e50e9d97b46b51d12429b9ea727858
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2.diff.gz
Size/MD5 checksum: 49472 4bc8ba2bd520a7514f2c33021c64e8ce
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1.orig.tar.gz
Size/MD5 checksum: 1039057 ddff5ec5a06b804ca23dc41268368853
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2.dsc
Size/MD5 checksum: 1144 46d3f28156ee183512a451588ef414e4
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_alpha.deb
Size/MD5 checksum: 428532 052c13540da3fab19fdca83e9a389a39
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_alpha.deb
Size/MD5 checksum: 114088 78065dd99d3732291e8d499383af17d9
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_amd64.deb
Size/MD5 checksum: 409514 a421f12270f5b22639d67be8d2cc8b4e
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_amd64.deb
Size/MD5 checksum: 104612 9ec93c697cf64232728d0dd5658efac8
arm architecture (ARM)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_arm.deb
Size/MD5 checksum: 104604 78fa45a7e0503e4ee87e7508294cb0b0
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_arm.deb
Size/MD5 checksum: 381692 f1943edf9599189d16a2f936fa971abc
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_armel.deb
Size/MD5 checksum: 387510 63ebe895d019d2362a0a11a0de0842c6
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_armel.deb
Size/MD5 checksum: 104268 6c224349c910ffce5bb892f2a06dc243
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_i386.deb
Size/MD5 checksum: 375004 5a43cbb6106d576ab686e9e4eb78c245
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_i386.deb
Size/MD5 checksum: 99098 6c81df8c4653265f10ad6abf68091329
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_ia64.deb
Size/MD5 checksum: 131288 dfa8646655028ae53bddad7f41e9f3a4
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_ia64.deb
Size/MD5 checksum: 544150 8e274b6b73125efe0fa8392398e0c5ea
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_mips.deb
Size/MD5 checksum: 103502 5bd00dfdef0862a63bb666ed949e26ef
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_mips.deb
Size/MD5 checksum: 388820 46fc10315192943b912126fe68ffeea9
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_mipsel.deb
Size/MD5 checksum: 104216 a271cb33c891084479ed441945672f14
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_mipsel.deb
Size/MD5 checksum: 390562 352f78906e08ddb861053dfed30640bf
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_powerpc.deb
Size/MD5 checksum: 403162 0210fa37088d78ee9aa53395aa0148e8
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_powerpc.deb
Size/MD5 checksum: 109438 26f043be5fb248d33b605d1987fa472a
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_s390.deb
Size/MD5 checksum: 107474 aa6203b0e9e6dacbe39520be6b849eea
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_s390.deb
Size/MD5 checksum: 399386 e965abdcf32838fff7753e789e703205
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_sparc.deb
Size/MD5 checksum: 102486 57b2e115a15e08518f00158c1fe36cf2
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_sparc.deb
Size/MD5 checksum: 373916 7e2278ac7b4f0b352814ad2f55b1213a
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoUDnMACgkQHYflSXNkfP8LtgCdF9LmW/TOn9JDPTVGlt+7dccI
3MYAoJVcwmqHztsGgCgBps9hyqzrQJ5l
=84V/
-----END PGP SIGNATURE-----
.
The updated packages have been patched to prevent this.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1632
_______________________________________________________________________
Updated Packages:
Corporate 4.0:
4ccc0eafc222a8a5976a0e9eebbc7499 corporate/4.0/i586/ipsec-tools-0.6.5-2.4.20060mlcs4.i586.rpm
f244df60a927a7aa4a539c2e8d9c699a corporate/4.0/i586/libipsec0-0.6.5-2.4.20060mlcs4.i586.rpm
95443caad35eb54d1f291f7368aac511 corporate/4.0/i586/libipsec0-devel-0.6.5-2.4.20060mlcs4.i586.rpm
0e9a4820ef81a4917d9c0a9c5befa27b corporate/4.0/SRPMS/ipsec-tools-0.6.5-2.4.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
a1ccfd8a891340f52aa2f64d69e46e47 corporate/4.0/x86_64/ipsec-tools-0.6.5-2.4.20060mlcs4.x86_64.rpm
44ed76407c8633fcea7f4a3ab94f1842 corporate/4.0/x86_64/lib64ipsec0-0.6.5-2.4.20060mlcs4.x86_64.rpm
d7a3ecf831ecfcbc1319558303a1be17 corporate/4.0/x86_64/lib64ipsec0-devel-0.6.5-2.4.20060mlcs4.x86_64.rpm
0e9a4820ef81a4917d9c0a9c5befa27b corporate/4.0/SRPMS/ipsec-tools-0.6.5-2.4.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
f43aaba27d5ff88b38db39ebeaaaf5cd mnf/2.0/i586/ipsec-tools-0.2.5-0.7.M20mdk.i586.rpm
fb19d1e75fd8f08ce9dc1586cdf9fa3b mnf/2.0/i586/libipsec-tools0-0.2.5-0.7.M20mdk.i586.rpm
2db168e39d44b361bab9ada981edaa90 mnf/2.0/SRPMS/ipsec-tools-0.2.5-0.7.M20mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKETmdmqjQ0CJFipgRAloWAJ9wHsc3F9b0lI8E87n8+gT7j4t+jACg8OD2
obN0TVwX9QBtElK0wQeibi8=
=dlxS
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ===========================================================
Ubuntu Security Notice USN-785-1 June 09, 2009
ipsec-tools vulnerabilities
CVE-2009-1574, CVE-2009-1632
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
racoon 1:0.6.5-4ubuntu1.3
Ubuntu 8.04 LTS:
racoon 1:0.6.7-1.1ubuntu1.2
Ubuntu 8.10:
racoon 1:0.7-2.1ubuntu1.8.10.1
Ubuntu 9.04:
racoon 1:0.7-2.1ubuntu1.9.04.1
In general, a standard system upgrade is sufficient to effect the
necessary changes. (CVE-2009-1574)
It was discovered that ipsec-tools did not properly handle memory usage
when verifying certificate signatures or processing nat-traversal
keep-alive messages. A remote attacker could send specially crafted packets
to the server and exhaust available memory, leading to a denial of service
| VAR-200905-0196 | CVE-2009-1574 |
Ipsec-tools Service disruption in packet processing (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0796, VAR-E-200904-0795 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
racoon/isakmp_frag.c in ipsec-tools before 0.7.2 allows remote attackers to cause a denial of service (crash) via crafted fragmented packets without a payload, which triggers a NULL pointer dereference. Ipsec-tools of racoon/isakmp_frag.c Has a deficiency in handling fragmented packets with no payload, resulting in denial of service (DoS) There is a vulnerability that becomes a condition.Service operation disruption to a third party (DoS) There is a possibility of being put into a state. IPsec-Tools is affected by multiple remote denial-of-service vulnerabilities because the software fails to properly handle certain network packets.
Versions prior to IPsec-Tools 0.7.2 are vulnerable. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2010-12-16-1 Time Capsule and AirPort Base Station
(802.11n) Firmware 7.5.2
Time Capsule and AirPort Base Station (802.11n) Firmware 7.5.2 is
now available and addresses the following:
CVE-ID: CVE-2008-4309
Available for: AirPort Extreme Base Station with 802.11n,
AirPort Express Base Station with 802.11n, Time Capsule
Impact: A remote attacker may terminate the operation of the SNMP
service
Description: An integer overflow exists in the
netsnmp_create_subtree_cache function. By default, the
'WAN SNMP' configuration option is disabled, and the SNMP service is
accessible only to other devices on the local network. This issue is
addressed by applying the Net-SNMP patches.
CVE-ID: CVE-2009-2189
Available for: AirPort Extreme Base Station with 802.11n,
AirPort Express Base Station with 802.11n, Time Capsule
Impact: Receiving a large number of IPv6 Router Advertisement (RA)
and Neighbor Discovery (ND) packets from a system on the local
network may cause the base station to restart
Description: A resource consumption issue exists in the base
station's handling of Router Advertisement (RA) and Neighbor
Discovery (ND) packets. A system on the local network may send a
large number of RA and ND packets that could exhaust the base
station's resources, causing it to restart unexpectedly. This issue
is addressed by rate limiting incoming ICMPv6 packets. Credit to
Shoichi Sakane of the KAME project, Kanai Akira of Internet Multifeed
Co., Shirahata Shin and Rodney Van Meter of Keio University, and
Tatuya Jinmei of Internet Systems Consortium, Inc. for reporting this
issue.
CVE-ID: CVE-2010-0039
Available for: AirPort Extreme Base Station with 802.11n,
AirPort Express Base Station with 802.11n, Time Capsule
Impact: An attacker may be able to query services behind an AirPort
Base Station or Time Capsule's NAT from the source IP of the router,
if any system behind the NAT has a portmapped FTP server
Description: The AirPort Extreme Base Station and Time Capsule's
Application-Level Gateway (ALG) rewrites incoming FTP traffic,
including PORT commands, to appear as if it is the source. An
attacker with write access to an FTP server inside the NAT may issue
a malicious PORT command, causing the ALG to send attacker-supplied
data to an IP and port behind the NAT. As the data is resent from the
Base Station, it could potentially bypass any IP-based restrictions
for the service. This issue is addressed by not rewriting inbound
PORT commands via the ALG. Credit to Sabahattin Gucukoglu for
reporting this issue. This issue is addressed
through improved validation of fragmented ISAKMP packets.
CVE-ID: CVE-2010-1804
Available for: AirPort Extreme Base Station with 802.11n,
AirPort Express Base Station with 802.11n, Time Capsule
Impact: A remote attacker may cause the device to stop processing
network traffic
Description: An implementation issue exists in the network bridge.
Sending a maliciously crafted DHCP reply to the device may cause it
to stop responding to network traffic. This issue affects devices
that have been configured to act as a bridge, or are configured in
Network Address Translation (NAT) mode with a default host enabled.
By default, the device operates in NAT mode, and no default host is
configured. This update addresses the issue through improved handling
of DHCP packets on the network bridge. Credit to Stefan R. Filipek
for reporting this issue.
Installation note for Firmware version 7.5.2
Firmware version 7.5.2 is installed into Time Capsule or AirPort Base
Station with 802.11n via AirPort Utility, provided with the device.
It is recommended that AirPort Utility 5.5.2 be installed before
upgrading to Firmware version 7.5.2.
AirPort Utility 5.5.2 may be obtained through Apple's Software
Download site: http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJNCWXyAAoJEGnF2JsdZQeevTQH/0856gTUzzmL371/nSkhn3qq
MCPQVaEMe8O/jy96nlskwzp3X0X0QmXePok1enp6QhDhHm0YL3a4q7YHd4zjm6mM
JUoVR4JJRSKOb1bVdEXqo+qG/PH7/5ywfrGas+MjOshMa3gnhYVee39N7Xtz0pHD
3ZllZRwGwad1sQLL7DhJKZ92z6t2GfHoJyK4LZNemkQAL1HyUu7Hj9SlljcVB+Ub
xNnpmBXJcCZzp4nRQM+fbLf6bdZ1ua5DTc1pXC8vETtxyHc53G/vLCu8SKBnTBlK
JmkpGwG5fXNuYLL8ArFUuEu3zhE7kfdeftUrEez3YeL2DgU9iB8m8RkuuSrVJEY=
=WPH8
-----END PGP SIGNATURE-----
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200905-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: IPSec Tools: Denial of Service
Date: May 24, 2009
Bugs: #267135
ID: 200905-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple errors in the IPSec Tools racoon daemon might allow remote
attackers to cause a Denial of Service.
Background
==========
The IPSec Tools are a port of KAME's IPsec utilities to the Linux-2.6
IPsec implementation. They include racoon, an Internet Key Exchange
daemon for automatically keying IPsec connections.
* Multiple memory leaks exist in (1) the eay_check_x509sign()
function in racoon/crypto_openssl.c and (2) racoon/nattraversal.c
(CVE-2009-1632).
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All IPSec Tools users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-firewall/ipsec-tools-0.7.2"
References
==========
[ 1 ] CVE-2009-1574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1574
[ 2 ] CVE-2009-1632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1632
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200905-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA-1804-1 security@debian.org
http://www.debian.org/security/ Nico Golde
May 20th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : ipsec-tools
Vulnerability : null pointer dereference, memory leaks
Problem type : remote
Debian-specific: no
Debian bug : 527634 528933
CVE ID : CVE-2009-1574 CVE-2009-1632
Several remote vulnerabilities have been discovered in racoon, the Internet Key
Exchange daemon of ipsec-tools. This results in the daemon crashing which can be used
for denial of service attacks (CVE-2009-1574).
Various memory leaks in the X.509 certificate authentication handling and the
NAT-Traversal keepalive implementation can result in memory exhaustion and
thus denial of service (CVE-2009-1632).
For the oldstable distribution (etch), this problem has been fixed in
version 0.6.6-3.1etch3.
For the stable distribution (lenny), this problem has been fixed in
version 0.7.1-1.3+lenny2.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 1:0.7.1-1.5.
We recommend that you upgrade your ipsec-tools packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3.dsc
Size/MD5 checksum: 722 8b561cf84ac9c46ec07b037ce3ad06f1
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3.diff.gz
Size/MD5 checksum: 49875 7444fb4ad448ccfffe878801a2b88d2e
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_amd64.deb
Size/MD5 checksum: 343790 9cee9f8c479a3a2952d2913d7bdc4c5d
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_amd64.deb
Size/MD5 checksum: 89184 5ccd4554eec28da6d933dc20a8a39393
arm architecture (ARM)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_arm.deb
Size/MD5 checksum: 325706 9ce7988b74bccee252be7dac7ac8b5f7
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_arm.deb
Size/MD5 checksum: 89748 513ded0e4a33200710444e1bf4ab67d8
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_hppa.deb
Size/MD5 checksum: 353066 c56644b426ae945ca420d4ca37fc3f2a
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_hppa.deb
Size/MD5 checksum: 94092 80b46b6fd60e857c84c588432b098957
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_i386.deb
Size/MD5 checksum: 330258 b905d30958bd5c51d355f286f81b8be1
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_i386.deb
Size/MD5 checksum: 85046 294ccbc4b51e4942edaeec7cd746dfa3
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_ia64.deb
Size/MD5 checksum: 113356 111f0daa2075584c100efc9c11ecef73
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_ia64.deb
Size/MD5 checksum: 468296 bd4d69b5e0d4ee39ec564e1304f7649c
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_mips.deb
Size/MD5 checksum: 89018 b6af57d65d43a7433132bee9657ba608
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_mips.deb
Size/MD5 checksum: 344558 aba2d85d5196c2a46555ad9e478d338a
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_mipsel.deb
Size/MD5 checksum: 346856 97e04d97bdd55f852392d7461bad7f4d
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_mipsel.deb
Size/MD5 checksum: 90308 9e780cda3df3384d0f1e33637d003f21
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_powerpc.deb
Size/MD5 checksum: 91048 98174626d8ad1fba940c81001c337a4f
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_powerpc.deb
Size/MD5 checksum: 337266 9f636e6d8904103b0096a4eed99e9cae
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_s390.deb
Size/MD5 checksum: 341586 b42ddbad323dcdbd775d502f786ab449
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_s390.deb
Size/MD5 checksum: 90750 62d4c3e618a6c69d532b8d8d33bb27b9
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.6.6-3.1etch3_sparc.deb
Size/MD5 checksum: 85710 9f1f526be4f2df4eb64d46023d87c6b3
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.6.6-3.1etch3_sparc.deb
Size/MD5 checksum: 317136 38e50e9d97b46b51d12429b9ea727858
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2.diff.gz
Size/MD5 checksum: 49472 4bc8ba2bd520a7514f2c33021c64e8ce
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1.orig.tar.gz
Size/MD5 checksum: 1039057 ddff5ec5a06b804ca23dc41268368853
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2.dsc
Size/MD5 checksum: 1144 46d3f28156ee183512a451588ef414e4
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_alpha.deb
Size/MD5 checksum: 428532 052c13540da3fab19fdca83e9a389a39
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_alpha.deb
Size/MD5 checksum: 114088 78065dd99d3732291e8d499383af17d9
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_amd64.deb
Size/MD5 checksum: 409514 a421f12270f5b22639d67be8d2cc8b4e
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_amd64.deb
Size/MD5 checksum: 104612 9ec93c697cf64232728d0dd5658efac8
arm architecture (ARM)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_arm.deb
Size/MD5 checksum: 104604 78fa45a7e0503e4ee87e7508294cb0b0
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_arm.deb
Size/MD5 checksum: 381692 f1943edf9599189d16a2f936fa971abc
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_armel.deb
Size/MD5 checksum: 387510 63ebe895d019d2362a0a11a0de0842c6
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_armel.deb
Size/MD5 checksum: 104268 6c224349c910ffce5bb892f2a06dc243
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_i386.deb
Size/MD5 checksum: 375004 5a43cbb6106d576ab686e9e4eb78c245
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_i386.deb
Size/MD5 checksum: 99098 6c81df8c4653265f10ad6abf68091329
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_ia64.deb
Size/MD5 checksum: 131288 dfa8646655028ae53bddad7f41e9f3a4
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_ia64.deb
Size/MD5 checksum: 544150 8e274b6b73125efe0fa8392398e0c5ea
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_mips.deb
Size/MD5 checksum: 103502 5bd00dfdef0862a63bb666ed949e26ef
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_mips.deb
Size/MD5 checksum: 388820 46fc10315192943b912126fe68ffeea9
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_mipsel.deb
Size/MD5 checksum: 104216 a271cb33c891084479ed441945672f14
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_mipsel.deb
Size/MD5 checksum: 390562 352f78906e08ddb861053dfed30640bf
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_powerpc.deb
Size/MD5 checksum: 403162 0210fa37088d78ee9aa53395aa0148e8
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_powerpc.deb
Size/MD5 checksum: 109438 26f043be5fb248d33b605d1987fa472a
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_s390.deb
Size/MD5 checksum: 107474 aa6203b0e9e6dacbe39520be6b849eea
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_s390.deb
Size/MD5 checksum: 399386 e965abdcf32838fff7753e789e703205
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/i/ipsec-tools/ipsec-tools_0.7.1-1.3+lenny2_sparc.deb
Size/MD5 checksum: 102486 57b2e115a15e08518f00158c1fe36cf2
http://security.debian.org/pool/updates/main/i/ipsec-tools/racoon_0.7.1-1.3+lenny2_sparc.deb
Size/MD5 checksum: 373916 7e2278ac7b4f0b352814ad2f55b1213a
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoUDnMACgkQHYflSXNkfP8LtgCdF9LmW/TOn9JDPTVGlt+7dccI
3MYAoJVcwmqHztsGgCgBps9hyqzrQJ5l
=84V/
-----END PGP SIGNATURE-----
.
Updated packages are available that brings ipsec-tools to version
0.7.2 for Mandriva Linux 2008.1/2009.0/2009.1 which provides numerous
bugfixes over the previous 0.7.1 version, and also corrects this
issue. ipsec-tools for Mandriva Linux Corporate Server 4 has been
patched to address this issue.
Additionally the flex package required for building ipsec-tools has
been fixed due to ipsec-tools build problems and is also available
with this update.
Update:
Packages for 2008.0 are being provided due to extended support for
Corporate products.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1574
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
8256debb7fe84394de70499907060de6 2008.0/i586/flex-2.5.33-2.1mdv2008.0.i586.rpm
c03c0f9fe8f564ea777b82789ac95f41 2008.0/i586/ipsec-tools-0.7.2-0.1mdv2008.0.i586.rpm
9da2195c693a7fe40f7afb3c5806aaca 2008.0/i586/libipsec0-0.7.2-0.1mdv2008.0.i586.rpm
29dcc9414a59cba30ce801b9fef416a6 2008.0/i586/libipsec-devel-0.7.2-0.1mdv2008.0.i586.rpm
b3ceeee8a3a36388d02426b77a45d862 2008.0/SRPMS/flex-2.5.33-2.1mdv2008.0.src.rpm
b0cb7993f29eac3d5f170c7cd3cf0cb5 2008.0/SRPMS/ipsec-tools-0.7.2-0.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
36c5d0eb92197c814b90c814d21d3372 2008.0/x86_64/flex-2.5.33-2.1mdv2008.0.x86_64.rpm
7a976c988badcb9fae93509acfe99aa2 2008.0/x86_64/ipsec-tools-0.7.2-0.1mdv2008.0.x86_64.rpm
85b8ed6e328b048c13eb503bfee8dcdc 2008.0/x86_64/lib64ipsec0-0.7.2-0.1mdv2008.0.x86_64.rpm
a22f34f1cfac38c9029eb032e3257285 2008.0/x86_64/lib64ipsec-devel-0.7.2-0.1mdv2008.0.x86_64.rpm
b3ceeee8a3a36388d02426b77a45d862 2008.0/SRPMS/flex-2.5.33-2.1mdv2008.0.src.rpm
b0cb7993f29eac3d5f170c7cd3cf0cb5 2008.0/SRPMS/ipsec-tools-0.7.2-0.1mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. ===========================================================
Ubuntu Security Notice USN-785-1 June 09, 2009
ipsec-tools vulnerabilities
CVE-2009-1574, CVE-2009-1632
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
racoon 1:0.6.5-4ubuntu1.3
Ubuntu 8.04 LTS:
racoon 1:0.6.7-1.1ubuntu1.2
Ubuntu 8.10:
racoon 1:0.7-2.1ubuntu1.8.10.1
Ubuntu 9.04:
racoon 1:0.7-2.1ubuntu1.9.04.1
In general, a standard system upgrade is sufficient to effect the
necessary changes. (CVE-2009-1574)
It was discovered that ipsec-tools did not properly handle memory usage
when verifying certificate signatures or processing nat-traversal
keep-alive messages
| VAR-200904-0235 | CVE-2009-0164 | CUPS In DNS Vulnerabilities that induce rebinding attacks |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks. CUPS is prone to an insufficient 'Host' header validation weakness.
An attacker can use this weakness to carry out certain attacks such as DNS rebinding against the vulnerable server.
I.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These and other updates are available via Software
Update or via Apple Downloads.
IV. References
* Apple Security Update 2009-002 -
<http://support.apple.com/kb/HT3549>
* Safari 3.2.3 - <http://support.apple.com/kb/HT3550>
* Apple Downloads - <http://support.apple.com/downloads/>
* Software Update -
<https://support.apple.com/kb/HT1338?viewlocale=en_US>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-133A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-133A Feedback VU#175188" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 13, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSgsdiHIHljM+H4irAQIsGAf+IykbS/FD1X/R2ooezndAmZjrcT29XnpV
HO4DiMlKmqW+dUffk4mdJLVR7y8pwUuP4TbjwncoT39SDR9UoEankv7+Dao/qkM/
Jp0flkEpb5qtcIm9VnuWvpCE31OZZgwBwJ7f2WWzbBLqoZ5FIWAhCcW6E5v6mjVy
J+Z4BmHYUIapPLzGzV8+HT6/7LRNpg+mZoldEBUoXXjik8o78v5A7iGyMSXoaBlV
vL8N/3GG9a9xecLqbbv5N6ABsncHA9f/GzBnfJUqVHkUM1xnjqmgd7TZikObw+fJ
xcgWvmYmoRdCMzM3b1jPqWPDGJDbo0oHZM3J3hKE+opsLe9xChM1qA==
=dQ2L
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
Click here to learn more about our commercial solutions:
http://secunia.com/advisories/business_solutions/
Click here to trial our solutions:
http://secunia.com/advisories/try_vi/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA35074
VERIFY ADVISORY:
http://secunia.com/advisories/35074/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A vulnerability in Apache when handling FTP proxy requests can be
exploited by malicious people to conduct cross-site scripting
attacks.
For more information:
SA31384
2) A boundary error in the handling of Compact Font Format (CFF)
fonts in Apple Type Services can be exploited to cause a heap-based
buffer overflow when specially crafted document is downloaded or
viewed.
Successful exploitation allows execution of arbitrary code.
3) A vulnerability in BIND can potentially be exploited by malicious
people to conduct spoofing attacks.
For more information:
SA33404
4) An error in the parsing of Set-Cookie headers in CFNetwork can
result in applications using CFNetwork sending sensitive information
in unencrypted HTTP requests.
5) An unspecified error in the processing of HTTP headers in
CFNetwork can be exploited to cause a heap-based buffer overflow when
visiting a malicious web site.
Successful exploitation allows execution of arbitrary code.
6) Multiple errors exist in the processing of PDF files in
CoreGraphics, which can be exploited to corrupt memory and execute
arbitrary code via a specially crafted PDF file.
7) An integer underflow error in the processing of PDF files in
CoreGraphics can be exploited to cause a heap-based buffer overflow
when specially crafted PDF files is opened.
Successful exploitation allows execution of arbitrary code.
8) Multiple vulnerabilities in the processing of JBIG2 streams within
PDF files in CoreGraphics can be exploited by malicious people to
compromise a user's system.
For more information:
SA34291
9) Multiple vulnerabilities in cscope can be exploited by malicious
people to compromise a user's system.
For more information:
SA34978:
10) A boundary error in the handling of disk images can be exploited
to cause a stack-based buffer overflow when a specially crafted disk
image is mounted.
11) Multiple unspecified errors in the handling of disk images can be
exploited to cause memory corruptions when a specially crafted disk
image is mounted.
Successful exploitation of vulnerabilities #10 and #11 allows
execution of arbitrary code.
12) Multiple vulnerabilities in enscript can be exploited by
malicious people to compromise a vulnerable system.
For more information:
SA13968
SA32137
13) Multiple vulnerabilities in the Flash Player plugin can be
exploited by malicious people to compromise a user's system.
For more information:
SA34012
14) An error in Help Viewer when loading Cascading Style Sheets
referenced in URL parameters can be exploited to invoke arbitrary
AppleScript files.
15) A vulnerability exists due to Help Viewer not validating that
full paths to HTML documents are within registered help books, which
can be exploited to invoke arbitrary AppleScript files.
Successful exploitation of vulnerabilities #14 and #15 allows
execution of arbitrary code.
16) An error in iChat can result in AIM communication configured for
SSL to be sent in plaintext.
17) An error in the handling of certain character encodings in ICU
can be exploited to bypass filters on websites that attempt to
mitigate cross-site scripting.
18) Some vulnerabilities in IPSec can be exploited by malicious users
and malicious people to cause a DoS (Denial of Service).
For more information:
SA31450
SA31478
19) Multiple vulnerabilities in Kerberos can be exploited by
malicious people to potentially disclose sensitive information, cause
a DoS (Denial of Service), or potentially compromise a vulnerable
system.
For more information:
SA34347
20) An error in the handling of workqueues within the kernel can be
exploited by malicious, local users to cause a DoS or execute
arbitrary code with Kernel privileges.
21) An error in Launch Services can cause Finder to repeatedly
terminate and relaunch when a specially crafted Mach-O is
downloaded.
22) A vulnerability in libxml can be exploited by malicious people to
cause a DoS (Denial of Service) or potentially compromise an
application using the library.
For more information:
SA31558
23) A vulnerability in Net-SNMP can be exploited by malicious people
to cause a DoS (Denial of Service).
For more information:
SA32560
24) A vulnerability in Network Time can be exploited by malicious
people to conduct spoofing attacks.
For more information:
SA33406
25) A vulnerability in Network Time can be exploited by malicious
people to potentially compromise a user's system.
For more information:
SA34608
26) A vulnerability in Networking can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA31745
27) A vulnerability in OpenSSL can be exploited by malicious people
to conduct spoofing attacks.
For more information:
SA33338
28) Some vulnerabilities in PHP can be exploited by malicious people
to cause a DoS (Denial of Service) or potentially compromise a
vulnerable system, and by malicious, local users to bypass certain
security restrictions.
For more information:
SA32964
29) An unspecified error in QuickDraw Manager can be exploited to
cause a memory corruption and potentially execute arbitrary code via
a specially crafted PICT image.
30) An integer underflow error in the handling of PICT images in
QuickDraw Manager can be exploited to cause a heap-based buffer
overflow via a specially crafted PICT file.
Successful exploitation allows execution of arbitrary code.
31) Multiple vulnerabilities in ruby can be exploited by malicious
people to bypass certain security restrictions, cause a DoS (Denial
of Service), and conduct spoofing attacks.
For more information:
SA31430
SA31602
32) An error in the use of the OpenSSL library in ruby can cause
revoked certificates to be accepted.
33) A vulnerability in Safari when handling "feed:" URLs can be
exploited to compromise a user's system.
For more information:
SA35056
34) Multiple unspecified errors in Spotlight can be exploited to
cause memory corruptions and execute arbitrary code when a specially
crafted Office document is downloaded.
35) An error when invoking the "login" command can result in
unexpected high privileges.
36) A boundary error in telnet can be exploited to cause a
stack-based buffer overflow when connecting to a server with an
overly long canonical name in its DNS address record.
Successful exploitation may allow execution of arbitrary code.
37) A vulnerability in WebKit when handling SVGList objects can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA35056
38) Multiple vulnerabilities in FreeType can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise applications using the library.
For more information:
SA20100
SA25350
SA34723
39) A vulnerability in xterm can be exploited by malicious people to
compromise a user's system.
For more information:
SA33318
40) Multiple vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service) or to potentially
compromise an application using the library.
For more information:
SA29792
SA33970
SOLUTION:
Update to Mac OS X v10.5.7 or apply Security Update 2009-002.
Security Update 2009-002 (Server Tiger PPC):
http://support.apple.com/downloads/DL819/SecUpdSrvr2009-002PPC.dmg
Security Update 2009-002 (Tiger Intel):
http://support.apple.com/downloads/DL817/SecUpd2009-002Intel.dmg
Security Update 2009-002 (Server Universal):
http://support.apple.com/downloads/DL816/SecUpdSrvr2009-002Univ.dmg
Mac OS X Server 10.5.7 Update:
http://support.apple.com/downloads/DL828/MacOSXServerUpd10.5.7.dmg
Mac OS X Server Combo 10.5.7:
http://support.apple.com/downloads/DL829/MacOSXServerUpdCombo10.5.7.dmg
Security Update 2009-002 (Tiger PPC):
http://support.apple.com/downloads/DL818/SecUpd2009-002PPC.dmg
Mac OS X 10.5.7 Update:
http://support.apple.com/downloads/DL826/MacOSXUpd10.5.7.dmg
Mac OS X 10.5.7 Combo Update:
http://support.apple.com/downloads/DL827/MacOSXUpdCombo10.5.7.dmg
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) Charlie Miller of Independent Security Evaluators
4) Andrew Mortensen of the University of Michigan
5) Moritz Jodeit, n.runs AG
7) Barry K. Nathan
8) Alin Rad Pop, Secunia Research and Will Dormann, CERT/CC
10) Tiller Beauchamp, IOActive
14, 15) Brian Mastenbrook
17) Chris Weber of Casaba Security
20) An anonymous researcher working with Verisign iDefense VCP
30) Damian Put and Sebastian Apelt, working with ZDI, and Chris Ries
of Carnegie Mellon University Computing Services
38) Tavis Ormandy of the Google Security Team
OTHER REFERENCES:
SA13968:
http://secunia.com/advisories/13968/
SA20100:
http://secunia.com/advisories/20100/
SA25350:
http://secunia.com/advisories/25350/
SA29792:
http://secunia.com/advisories/29792/
SA31384:
http://secunia.com/advisories/31384/
SA31430:
http://secunia.com/advisories/31430/
SA31450:
http://secunia.com/advisories/31450/
SA31478:
http://secunia.com/advisories/31478/
SA31558:
http://secunia.com/advisories/31558/
SA31602:
http://secunia.com/advisories/31602/
SA31745:
http://secunia.com/advisories/31745/
SA32137:
http://secunia.com/advisories/32137/
SA32560:
http://secunia.com/advisories/32560/
SA32964:
http://secunia.com/advisories/32964/
SA33318:
http://secunia.com/advisories/33318/
SA33338:
http://secunia.com/advisories/33338/
SA33404:
http://secunia.com/advisories/33404/
SA33406:
http://secunia.com/advisories/33406/
SA33970:
http://secunia.com/advisories/33970/
SA34012:
http://secunia.com/advisories/34012/
SA34291:
http://secunia.com/advisories/34291/
SA34347:
http://secunia.com/advisories/34347/
SA34608:
http://secunia.com/advisories/34608/
SA34723:
http://secunia.com/advisories/34723/
SA34978:
http://secunia.com/advisories/34978/
SA35056:
http://secunia.com/advisories/35056/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200904-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: CUPS: Multiple vulnerabilities
Date: April 23, 2009
Bugs: #263070
ID: 200904-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple errors in CUPS might allow for the remote execution of
arbitrary code or DNS rebinding attacks.
Background
==========
CUPS, the Common Unix Printing System, is a full-featured print server.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-print/cups < 1.3.10 >= 1.3.10
Description
===========
The following issues were reported in CUPS:
* iDefense reported an integer overflow in the _cupsImageReadTIFF()
function in the "imagetops" filter, leading to a heap-based buffer
overflow (CVE-2009-0163).
* Braden Thomas and Drew Yao of Apple Product Security reported that
CUPS is vulnerable to CVE-2009-0146, CVE-2009-0147 and CVE-2009-0166,
found earlier in xpdf and poppler.
Impact
======
A remote attacker might send or entice a user to send a specially
crafted print job to CUPS, possibly resulting in the execution of
arbitrary code with the privileges of the configured CUPS user -- by
default this is "lp", or a Denial of Service.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All CUPS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-1.3.10"
References
==========
[ 1 ] CVE-2009-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
[ 2 ] CVE-2009-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
[ 3 ] CVE-2009-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163
[ 4 ] CVE-2009-0164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0164
[ 5 ] CVE-2009-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200904-20.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-200904-0217 | CVE-2009-0063 | Symantec Brightmail Gateway Appliance of Control Center Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Control Center in Symantec Brightmail Gateway Appliance before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Symantec Brightmail Gateway is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
Versions prior to Brightmail Gateway 8.0.1 are vulnerable. Brightmail Gateway is Symantec's information security management platform. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Highlights from the 2008 report:
* Vulnerability Research
* Software Inspection Results
* Secunia Research Highlights
* Secunia Advisory Statistics
Request the full 2008 Report here:
http://secunia.com/advisories/try_vi/request_2008_report/
Stay Secure,
Secunia
----------------------------------------------------------------------
TITLE:
Symantec Brightmail Gateway Control Center Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA34885
VERIFY ADVISORY:
http://secunia.com/advisories/34885/
DESCRIPTION:
Some vulnerabilities have been reported in Symantec Brightmail
Gateway, which can be exploited by malicious people to conduct
cross-site scripting attacks and by malicious users to bypass certain
security restrictions.
1) Certain unspecified input passed to the Control Center is not
properly sanitised before being returned to the user.
2) An error when processing unspecified console functions can be
exploited by a Control Center user to gain administrative
privileges.
SOLUTION:
Update to version 8.0.1 or later.
PROVIDED AND/OR DISCOVERED BY:
Marian Ventuneac, Perot Systems
ORIGINAL ADVISORY:
SYM09-005:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090423_01
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0571 | No CVE | SAP cFolders Multiple Cross-Site Scripting and HTML Injection Vulnerabilities |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
cFolders (Collaboration Folders) is SAP's web-based information collaboration sharing application. Cfolders does not properly validate the p_current_role parameter submitted by the col_table_filter.htm and me_ov.htm pages, and a remote attacker can perform a cross-site scripting attack by submitting a malicious request to the above page; in addition, if a malicious LINK field is submitted to the hyp_de_create.htm page or Submitting a file with a malicious file name in the document upload area can also result in infusion and execution of malicious code. SAP cFolders is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible
| VAR-200905-0193 | CVE-2009-1561 |
Cisco Linksys WRT54GC Router administration.cgi Vulnerable to cross-site request forgery
Related entries in the VARIoT exploits database: VAR-E-200904-0438 |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in administration.cgi on the Cisco Linksys WRT54GC router with firmware 1.05.7 allows remote attackers to hijack the intranet connectivity of arbitrary users for requests that change the administrator password via the sysPasswd and sysConfirmPasswd parameters. The Linksys WRT54GC router is prone to an access-validation vulnerability because of a lack of authentication when users access specific administration applications.
Successful attacks will lead to a compromise of the vulnerable device, which may lead to further attacks.
Linksys WRT54GC running firmware 1.05.7 is vulnerable; other versions may also be affected. Cisco Linksys WRT54GC is a small business/home wireless broadband router produced by Cisco. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Highlights from the 2008 report:
* Vulnerability Research
* Software Inspection Results
* Secunia Research Highlights
* Secunia Advisory Statistics
Request the full 2008 Report here:
http://secunia.com/advisories/try_vi/request_2008_report/
Stay Secure,
Secunia
----------------------------------------------------------------------
TITLE:
Linksys WRT54GC "administration.cgi" Security Bypass Vulnerability
SECUNIA ADVISORY ID:
SA34805
VERIFY ADVISORY:
http://secunia.com/advisories/34805/
DESCRIPTION:
Gabriel Lima has reported a vulnerability in Linksys WRT54GC, which
can be exploited by malicious people to bypass certain security
restrictions.
The vulnerability is caused due to the router allowing unrestricted
access to the administration.cgi web interface script. This can be
exploited to change the administrator's password by sending a
specially crafted HTTP request to the affected script.
SOLUTION:
Restrict internal network access to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Gabriel Lima
ORIGINAL ADVISORY:
http://archives.neohapsis.com/archives/bugtraq/2009-04/0198.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0824 | CVE-2009-0195 | Xpdf and CUPS Vulnerable to buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9, and probably other products, allows remote attackers to execute arbitrary code via a PDF file with crafted JBIG2 symbol dictionary segments. CUPS and Xpdf are prone to a remote buffer-overflow vulnerability because they fail to properly bounds-check user-supplied input before copying it into a finite-sized buffer.
Exploiting this issue may allow remote attackers to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
The following are vulnerable; other applications or versions may also be affected:
Xpdf 3.02pl2 and earlier
CUPS 1.3.9 and earlier
NOTE: This vulnerability may already be covered in BID 34568 (Xpdf JBIG2 Processing Multiple Security Vulnerabilities). We will update (or possibly retire) this BID as more information emerges. ===========================================================
Ubuntu Security Notice USN-973-1 August 17, 2010
koffice vulnerabilities
CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166,
CVE-2009-0195, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179,
CVE-2009-1180, CVE-2009-1181, CVE-2009-3606, CVE-2009-3608,
CVE-2009-3609
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.04:
kword 1:1.6.3-7ubuntu6.1
In general, a standard system update will make all the necessary changes.
Details follow:
Will Dormann, Alin Rad Pop, Braden Thomas, and Drew Yao discovered that the
Xpdf used in KOffice contained multiple security issues in its JBIG2
decoder. (CVE-2009-0146,
CVE-2009-0147, CVE-2009-0166, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179,
CVE-2009-1180, CVE-2009-1181)
It was discovered that the Xpdf used in KOffice contained multiple security
issues when parsing malformed PDF documents. (CVE-2009-3606, CVE-2009-3608, CVE-2009-3609)
KOffice in Ubuntu 9.04 uses a very old version of Xpdf to import PDFs into
KWord. Upstream KDE no longer supports PDF import in KOffice and as a
result it was dropped in Ubuntu 9.10. While an attempt was made to fix the
above issues, the maintenance burden for supporting this very old version
of Xpdf outweighed its utility, and PDF import is now also disabled in
Ubuntu 9.04.
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice_1.6.3-7ubuntu6.1.diff.gz
Size/MD5: 622105 556aa62c50d527e60c1dff7b0f0aa0b1
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice_1.6.3-7ubuntu6.1.dsc
Size/MD5: 2089 d42a7716e78fc690d256f8045017e7fa
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice_1.6.3.orig.tar.gz
Size/MD5: 63221967 497a644adaf5d6531a0e32d14f88e5f5
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kivio-data_1.6.3-7ubuntu6.1_all.deb
Size/MD5: 682598 78a5406815a35440ac4480c2532f28ef
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice-data_1.6.3-7ubuntu6.1_all.deb
Size/MD5: 735930 9d775bfa37c32d0ab934c25c721d6456
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice-doc-html_1.6.3-7ubuntu6.1_all.deb
Size/MD5: 519734 7c05c1818b4baaa8167b6f84bbcab085
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice-doc_1.6.3-7ubuntu6.1_all.deb
Size/MD5: 18982 465a569fb8bbd06f80e8b19e6acc1695
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice_1.6.3-7ubuntu6.1_all.deb
Size/MD5: 21100 780be3fc6108770d271d89cac4869b10
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kpresenter-data_1.6.3-7ubuntu6.1_all.deb
Size/MD5: 1903802 bdb13a770966f7a5b2978f510ba58f10
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/krita-data_1.6.3-7ubuntu6.1_all.deb
Size/MD5: 28310364 0d115fe0dfc641efe2e04508324bd72a
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kword-data_1.6.3-7ubuntu6.1_all.deb
Size/MD5: 1776368 f7781ed87a7c8c5ee1ba7636c519076d
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/karbon_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 1059936 fa5f33b7cd8d1d291834ad81768a55b3
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kchart_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 1363098 1ea1bd16846af1b718392fcc80f55456
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kexi_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 3634792 de50ca28c4ffe99f5c43369be2c28c53
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kformula_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 1022466 2680eb3b5eb1fe0b939dcc4d8698df93
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kivio_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 586680 af2f128a08ad516dab5e0d9181c8fa05
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice-dbg_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 54301774 04ffb99c1da2e2d54a0320d4eb23a8bd
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice-dev_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 394472 2dd7347dda792d9a1a50831b20861f94
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice-libs_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 2614706 1f4f29ae856d74a751d47d6a2c2e6317
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koshell_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 177638 bbcf8e0ef85478569dd212be191cf3d6
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kplato_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 939900 81b0c652c71a1cae573a984bc8192e9c
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kpresenter_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 1332666 2cb497195e47d739e5c73eca50ba7f3a
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/krita_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 3307610 4453ddce6e47950727883a37ed0cb02a
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kspread_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 2750674 14831989300bcb63f368291710a46510
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kthesaurus_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 314700 a68a9a2cc5299b957ef823971226117a
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kugar_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 443182 d7b8296294f89bb2df6c69ac554e9d16
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kword_1.6.3-7ubuntu6.1_amd64.deb
Size/MD5: 2504138 0f58ca14ca066713c273c159f6e1295d
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/karbon_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 975268 1a3b2bb23cdf4fd7ae942e53672706f1
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kchart_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 1306222 c812ef558f13e43eb448aa56d6797ed4
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kexi_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 3563484 9a47762bf756eef0defe1a690017b361
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kformula_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 1015886 5f39c46934ad9dfb55b36acd135d5b59
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kivio_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 527296 e4d1682301bf58d5df51792162671e1e
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice-dbg_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 53049888 7baa946b92618169cdee4eab005e2533
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice-dev_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 409804 ff440307934403aa404a2416a6fc00a2
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koffice-libs_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 2423308 2933a46777c6be5dd6e588afb056ce83
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/koshell_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 174422 65acfb083c6dcde10f29c22d7cb2891d
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kplato_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 868786 b0f68c2390f2761fed67ed9cee032add
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kpresenter_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 1234468 b6f06fa397725d1b915683aa8850c600
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/krita_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 3037920 00a2c6161359ed7a982186ae9f82af06
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kspread_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 2634754 9a631d806d414d56e03293e108cdd19a
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kthesaurus_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 312056 e51b7691be77c0ee20224ff524f120ac
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kugar_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 430552 fe51a92f6d4db43d4c9c12c8ddda16ed
http://security.ubuntu.com/ubuntu/pool/main/k/koffice/kword_1.6.3-7ubuntu6.1_i386.deb
Size/MD5: 2362696 92d4dc922ef2a920dd580b41493f7226
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/k/koffice/karbon_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 975296 dfe1b44a9c29a543fe6d76b5f0bdfbc2
http://ports.ubuntu.com/pool/main/k/koffice/kchart_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 1309438 05e8ca4579040c084f38a5a174055325
http://ports.ubuntu.com/pool/main/k/koffice/kexi_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 3579118 2e344131f0aaf4231c21af2fb8298833
http://ports.ubuntu.com/pool/main/k/koffice/kformula_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 1014884 c46aad3850fe256baf9ea38262d3a0d4
http://ports.ubuntu.com/pool/main/k/koffice/kivio_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 529176 d0ed2edaf57e2e02e73a22f15b86fdc6
http://ports.ubuntu.com/pool/main/k/koffice/koffice-dbg_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 53089422 ad89de6273a8f796239423c5b4b478e8
http://ports.ubuntu.com/pool/main/k/koffice/koffice-dev_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 394468 c410cb7ac1bfffabf2b2c0b0119e829c
http://ports.ubuntu.com/pool/main/k/koffice/koffice-libs_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 2438608 66fd9a1471e34c9a5baac9d6ec2b3bd4
http://ports.ubuntu.com/pool/main/k/koffice/koshell_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 174116 1d6410c4f8dddddc24d80666f8278c0c
http://ports.ubuntu.com/pool/main/k/koffice/kplato_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 865740 78ffc8a66fe0c555e35c71d4f8734a91
http://ports.ubuntu.com/pool/main/k/koffice/kpresenter_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 1240814 1c4d13855664db29a2e1923e929ceecc
http://ports.ubuntu.com/pool/main/k/koffice/krita_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 3036992 498218cbda6e3d3abac07ce88c6e0c2c
http://ports.ubuntu.com/pool/main/k/koffice/kspread_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 2650892 5950f9bc22ab50db430eac56d9f04697
http://ports.ubuntu.com/pool/main/k/koffice/kthesaurus_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 312060 005610b199a0d8ce05d1def703c890bb
http://ports.ubuntu.com/pool/main/k/koffice/kugar_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 432602 75b05844e99f7e2ad4ab6e20e5bed539
http://ports.ubuntu.com/pool/main/k/koffice/kword_1.6.3-7ubuntu6.1_lpia.deb
Size/MD5: 2371784 607adbbcfd28fbe1a2750fc004418c14
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/k/koffice/karbon_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 1068778 523593d94079fba3e0364f908a1a1a57
http://ports.ubuntu.com/pool/main/k/koffice/kchart_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 1364554 258dc9b33e6d270ff719c91e3ef37db9
http://ports.ubuntu.com/pool/main/k/koffice/kexi_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 3709952 28d37bcb119b836c3a4e92407738fa7f
http://ports.ubuntu.com/pool/main/k/koffice/kformula_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 1027620 5e2309d118d267e9b692fec5ee16a0db
http://ports.ubuntu.com/pool/main/k/koffice/kivio_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 587256 bead26a9cc80d7bea3c00416b178377c
http://ports.ubuntu.com/pool/main/k/koffice/koffice-dbg_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 55955530 ed06d8fe4737caa802c47e83dbb466e1
http://ports.ubuntu.com/pool/main/k/koffice/koffice-dev_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 394498 c30a126fa23c2506750e211a4b126fa9
http://ports.ubuntu.com/pool/main/k/koffice/koffice-libs_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 2619418 5370a9dcf9f00cc78da20ee4adfb4c8b
http://ports.ubuntu.com/pool/main/k/koffice/koshell_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 180344 141e38c24581f2c8f023e57fca067cb4
http://ports.ubuntu.com/pool/main/k/koffice/kplato_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 903470 8abaab749117c77c22446495e59e309c
http://ports.ubuntu.com/pool/main/k/koffice/kpresenter_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 1321174 cac2871f1847863b4b2ebf565b25df19
http://ports.ubuntu.com/pool/main/k/koffice/krita_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 3394952 44a59865f180b3d5500dc0cd4e0b906e
http://ports.ubuntu.com/pool/main/k/koffice/kspread_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 2718124 479211cb5a9018ba6fa4000a280c77e1
http://ports.ubuntu.com/pool/main/k/koffice/kthesaurus_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 320612 9e2c1960e9fc010e6dcc25a0cb1574b4
http://ports.ubuntu.com/pool/main/k/koffice/kugar_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 454328 61ee3edf596ea67f4faa0974cd46be30
http://ports.ubuntu.com/pool/main/k/koffice/kword_1.6.3-7ubuntu6.1_powerpc.deb
Size/MD5: 2512304 43c6105b4fae1f63b48c449365e95087
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/k/koffice/karbon_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 962916 ad7e5830f033940223ed825226496183
http://ports.ubuntu.com/pool/main/k/koffice/kchart_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 1304972 050e2196a5c5ccb31c89741a9b0f2b6d
http://ports.ubuntu.com/pool/main/k/koffice/kexi_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 3410504 ec1e27da573bd6b2464edc8b45ba0814
http://ports.ubuntu.com/pool/main/k/koffice/kformula_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 1013536 ef4bda5f39caed0b5ca4144e49c1097a
http://ports.ubuntu.com/pool/main/k/koffice/kivio_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 528266 7d60ee9ce5489fce6aa0f87d8178ca0c
http://ports.ubuntu.com/pool/main/k/koffice/koffice-dbg_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 51732154 137a826d403b455408b815aea0f2104a
http://ports.ubuntu.com/pool/main/k/koffice/koffice-dev_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 394506 4cfc6172b52148a1f9de20997657c590
http://ports.ubuntu.com/pool/main/k/koffice/koffice-libs_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 2354854 8c1e19804067a2aa70409e334917070e
http://ports.ubuntu.com/pool/main/k/koffice/koshell_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 172078 77aa57456966572fd5e151fc3fdbf72c
http://ports.ubuntu.com/pool/main/k/koffice/kplato_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 855470 aba0765689e839609756f3eb27693058
http://ports.ubuntu.com/pool/main/k/koffice/kpresenter_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 1223480 94ba8198733e21a488c0d6da4493b1c2
http://ports.ubuntu.com/pool/main/k/koffice/krita_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 3002516 1a884308c7fb75403d49cf1ff73fe79f
http://ports.ubuntu.com/pool/main/k/koffice/kspread_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 2565326 1fa53d14437814a657c1fe81d7269a02
http://ports.ubuntu.com/pool/main/k/koffice/kthesaurus_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 311270 97d7cca2e2a75f15288e8725fd4b905e
http://ports.ubuntu.com/pool/main/k/koffice/kugar_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 426002 0c83afb3dbd67a10c11cc7d310e81511
http://ports.ubuntu.com/pool/main/k/koffice/kword_1.6.3-7ubuntu6.1_sparc.deb
Size/MD5: 2311632 c449bd3fa59e22f9e32a884ffc3f81cf
. NOTE: some of these details are obtained
from third party information. NOTE: this issue reportedly exists
because of an incomplete fix for CVE-2009-1188 (CVE-2009-3603).
Additionally the kdegraphics package was rebuild to make
kdegraphics-kpdf link correctly to the new poppler libraries and are
also provided. (CVE-2009-0163)
Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
as used in Poppler and other products, when running on Mac OS X,
has unspecified impact, related to g*allocn. NOTE:
the JBIG2Stream.cxx vector may overlap CVE-2009-1179. (CVE-2009-0800)
The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10
does not properly initialize memory for IPP request packets, which
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via a scheduler request with two
consecutive IPP_TAG_UNSUPPORTED tags. (CVE-2009-1183)
Two integer overflow flaws were found in the CUPS pdftops filter. (CVE-2009-3608, CVE-2009-3609)
This update corrects the problems.
Update:
Packages for 2008.0 are being provided due to extended support for
Corporate products.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
6b17f59f63c062c017c78d459dd2d89a 2008.0/i586/cups-1.3.10-0.1mdv2008.0.i586.rpm
9bc5298d9895c356227fdda3a0ddb2c0 2008.0/i586/cups-common-1.3.10-0.1mdv2008.0.i586.rpm
e3583883df8532fc8c496866dac713f8 2008.0/i586/cups-serial-1.3.10-0.1mdv2008.0.i586.rpm
fac1fcb839ad53322a447d4d39f769e3 2008.0/i586/libcups2-1.3.10-0.1mdv2008.0.i586.rpm
3d65afc590fb8520d68b2a3e8e1da696 2008.0/i586/libcups2-devel-1.3.10-0.1mdv2008.0.i586.rpm
9e09ed22a2522ee45e93e0edc146193f 2008.0/i586/libpoppler2-0.6-3.5mdv2008.0.i586.rpm
7427b1f56387e84db5a15aad85b424d2 2008.0/i586/libpoppler-devel-0.6-3.5mdv2008.0.i586.rpm
67937a584d365d6b00ef688c88e8d7c5 2008.0/i586/libpoppler-glib2-0.6-3.5mdv2008.0.i586.rpm
410dc85c2c7b71ab316be5607c556682 2008.0/i586/libpoppler-glib-devel-0.6-3.5mdv2008.0.i586.rpm
64d6e14be8d93c7651ce5dc3e2ebc5bf 2008.0/i586/libpoppler-qt2-0.6-3.5mdv2008.0.i586.rpm
cc9af7e314b6eaa6a8f946fa2c27f298 2008.0/i586/libpoppler-qt4-2-0.6-3.5mdv2008.0.i586.rpm
0c6d3a6b5211e8506a89144b8c3a3cfb 2008.0/i586/libpoppler-qt4-devel-0.6-3.5mdv2008.0.i586.rpm
c985516638ed4d8f792daa13bd506023 2008.0/i586/libpoppler-qt-devel-0.6-3.5mdv2008.0.i586.rpm
8d05619dcef538092696ce70998abd20 2008.0/i586/php-cups-1.3.10-0.1mdv2008.0.i586.rpm
0bae2a3525b796882d2cc87853945e5a 2008.0/i586/poppler-0.6-3.5mdv2008.0.i586.rpm
f3b53f5fafa8af4d754a5985e5f93830 2008.0/SRPMS/cups-1.3.10-0.1mdv2008.0.src.rpm
11b021f4e5d21d199728b9a0a37a8230 2008.0/SRPMS/poppler-0.6-3.5mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
8249475feb3bdc74ea7060944baed6aa 2008.0/x86_64/cups-1.3.10-0.1mdv2008.0.x86_64.rpm
83951504acb783cfdb8ec4fe48d31e1e 2008.0/x86_64/cups-common-1.3.10-0.1mdv2008.0.x86_64.rpm
fa8a91e8e3bc8f11c19ab460d1f690fe 2008.0/x86_64/cups-serial-1.3.10-0.1mdv2008.0.x86_64.rpm
e061fdbeded2d97bb3ca6b34d33cb384 2008.0/x86_64/lib64cups2-1.3.10-0.1mdv2008.0.x86_64.rpm
893235ea8cf23295ae961ea2de0b9903 2008.0/x86_64/lib64cups2-devel-1.3.10-0.1mdv2008.0.x86_64.rpm
9844640563afdef4a870e2ed12e58136 2008.0/x86_64/lib64poppler2-0.6-3.5mdv2008.0.x86_64.rpm
06ea824a6a2cd9360a9e75a14718192a 2008.0/x86_64/lib64poppler-devel-0.6-3.5mdv2008.0.x86_64.rpm
bb0eb04fa906a352e6738d08f116f89b 2008.0/x86_64/lib64poppler-glib2-0.6-3.5mdv2008.0.x86_64.rpm
43d6a85dfdad7e969655ee4e2a377370 2008.0/x86_64/lib64poppler-glib-devel-0.6-3.5mdv2008.0.x86_64.rpm
eef29dde4b9e80d4c360e953cbe9110b 2008.0/x86_64/lib64poppler-qt2-0.6-3.5mdv2008.0.x86_64.rpm
c74dc9f245091f451441d8b88f0beed3 2008.0/x86_64/lib64poppler-qt4-2-0.6-3.5mdv2008.0.x86_64.rpm
60345458274afc6ff480317fc408ec52 2008.0/x86_64/lib64poppler-qt4-devel-0.6-3.5mdv2008.0.x86_64.rpm
0a880b9c0d655c10f5757882e30911f1 2008.0/x86_64/lib64poppler-qt-devel-0.6-3.5mdv2008.0.x86_64.rpm
eb6fde793ac0d7ea86df42aa22637807 2008.0/x86_64/php-cups-1.3.10-0.1mdv2008.0.x86_64.rpm
7f475f07368ed9158008f2891dce2cd6 2008.0/x86_64/poppler-0.6-3.5mdv2008.0.x86_64.rpm
f3b53f5fafa8af4d754a5985e5f93830 2008.0/SRPMS/cups-1.3.10-0.1mdv2008.0.src.rpm
11b021f4e5d21d199728b9a0a37a8230 2008.0/SRPMS/poppler-0.6-3.5mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLHXsgmqjQ0CJFipgRAu1fAKCINX1H5StX89GjMDWzGrEM1UiHeACeMLSY
a3mQtrfvoibfn29OFAfdSn0=
=lTbL
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Poppler: Multiple vulnerabilities
Date: October 06, 2013
Bugs: #263028, #290430, #290464, #308017, #338878, #352581,
#459866, #480366
ID: 201310-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Poppler, some of which may
allow execution of arbitrary code.
Background
==========
Poppler is a cross-platform PDF rendering library originally based on
Xpdf.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/poppler < 0.22.2-r1 >= 0.22.2-r1
Description
===========
Multiple vulnerabilities have been discovered in Poppler. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Poppler users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.22.2-r1"
References
==========
[ 1 ] CVE-2009-0146
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0146
[ 2 ] CVE-2009-0147
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0147
[ 3 ] CVE-2009-0165
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0165
[ 4 ] CVE-2009-0166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0166
[ 5 ] CVE-2009-0195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0195
[ 6 ] CVE-2009-0799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0799
[ 7 ] CVE-2009-0800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0800
[ 8 ] CVE-2009-1179
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1179
[ 9 ] CVE-2009-1180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1180
[ 10 ] CVE-2009-1181
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1181
[ 11 ] CVE-2009-1182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1182
[ 12 ] CVE-2009-1183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1183
[ 13 ] CVE-2009-1187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1187
[ 14 ] CVE-2009-1188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1188
[ 15 ] CVE-2009-3603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3603
[ 16 ] CVE-2009-3604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3604
[ 17 ] CVE-2009-3605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3605
[ 18 ] CVE-2009-3606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3606
[ 19 ] CVE-2009-3607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3607
[ 20 ] CVE-2009-3608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3608
[ 21 ] CVE-2009-3609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3609
[ 22 ] CVE-2009-3938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3938
[ 23 ] CVE-2010-3702
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3702
[ 24 ] CVE-2010-3703
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3703
[ 25 ] CVE-2010-3704
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3704
[ 26 ] CVE-2010-4653
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4653
[ 27 ] CVE-2010-4654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4654
[ 28 ] CVE-2012-2142
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2142
[ 29 ] CVE-2013-1788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1788
[ 30 ] CVE-2013-1789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1789
[ 31 ] CVE-2013-1790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1790
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: Remote
======================================================================
3) Vendor's Description of Software
"Xpdf is an open source viewer for Portable Document Format (PDF)
files. (These are also sometimes also called 'Acrobat' files, from the
name of Adobe's PDF software.) The Xpdf project also includes a PDF
text extractor, PDF-to-PostScript converter, and various other
utilities.".
Product Link:
http://www.foolabs.com/xpdf/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Xpdf, which can be
exploited by malicious people to potentially compromise a user's
system.
The vulnerability is caused due to a boundary error while decoding
JBIG2 symbol dictionary segments.
======================================================================
5) Solution
Apply xpdf-3.02pl3.patch.
======================================================================
6) Time Table
26/03/2009 - Vendor notified.
26/03/2009 - vendor-sec notified.
27/03/2009 - Vendor response.
17/04/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Alin Rad Pop, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0195 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-17/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it
| VAR-200904-0651 | No CVE | MiniWeb Source Code Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
MiniWeb is prone to a vulnerability that lets attackers access source code because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable computer in the context of the webserver process. Information obtained may aid in further attacks.
We don't know which versions of MiniWeb are affected. We will update this BID when further details are available.
| VAR-200904-0652 | No CVE | MiniWeb Remote Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
MiniWeb is prone to a remote buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
| VAR-200904-0819 | CVE-2009-1182 | Xpdf and poppler contain multiple vulnerabilities in the processing of JBIG2 data |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. Xpdf is prone to multiple security vulnerabilities. Failed exploit attempts will likely cause denial-of-service conditions.
These issues affect multiple applications on multiple platforms that use the affected library.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: cups
Announcement ID: SUSE-SA:2009:024
Date: Wed, 22 Apr 2009 13:00:00 +0000
Affected Products: openSUSE 10.3
openSUSE 11.0
openSUSE 11.1
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP2
SUSE Linux Enterprise Server 10 SP2
SLE 11
Vulnerability Type: remote code execution
Severity (1-10): 8 (critical)
SUSE Default Package: yes
Cross-References: CVE-2009-0146, CVE-2009-0147, CVE-2009-0163
CVE-2009-0165, CVE-2009-0166, CVE-2009-0799
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180
CVE-2009-1181, CVE-2009-1182, CVE-2009-1183
Content of This Advisory:
1) Security Vulnerability Resolved:
fixed remotely exploitable overflows
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The Common Unix Printing System, CUPS, is a printing server for unix-like
operating systems. It allows a local user to print documents as well as
remote users via port 631/tcp.
The first one can be triggered by a specially crafted tiff file. This
file could lead to an integer overflow in the 'imagetops' filter which
caused an heap overflow later.
This bug is probably exploitable remotely by users having remote access
to the CUPS server and allows the execution of arbitrary code with the
privileges of the cupsd process. (CVE-2009-0163)
The second issue affects the JBIG2 decoding of the 'pdftops' filter.
The JBIG2 decoding routines are vulnerable to various software failure
types like integer and buffer overflows and it is believed to be exploit-
able remotely to execute arbitrary code with the privileges of the cupsd
process.
(CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181, CVE-2009-1182,
CVE-2009-1183)
2) Solution or Work-Around
none
3) Special Instructions and Notes
none
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/i586/cups-debuginfo-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/debug/update/11.1/rpm/i586/cups-debugsource-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-client-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-devel-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-libs-1.3.9-7.2.1.i586.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/i586/cups-debuginfo-1.3.7-25.8.i586.rpm
http://download.opensuse.org/debug/update/11.0/rpm/i586/cups-debugsource-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-client-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-devel-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-libs-1.3.7-25.8.i586.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/i586/cups-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-client-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-devel-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-libs-1.2.12-22.21.i586.rpm
Power PC Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/ppc/cups-debuginfo-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/debug/update/11.1/rpm/ppc/cups-debugsource-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-client-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-devel-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-libs-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-libs-64bit-1.3.9-7.2.1.ppc.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/ppc/cups-debuginfo-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/debug/update/11.0/rpm/ppc/cups-debugsource-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-client-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-devel-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-libs-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-libs-64bit-1.3.7-25.8.ppc.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/ppc/cups-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-client-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-devel-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-libs-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-libs-64bit-1.2.12-22.21.ppc.rpm
x86-64 Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/x86_64/cups-debuginfo-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/debug/update/11.1/rpm/x86_64/cups-debugsource-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-client-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-devel-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-libs-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-libs-32bit-1.3.9-7.2.1.x86_64.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/x86_64/cups-debuginfo-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/debug/update/11.0/rpm/x86_64/cups-debugsource-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-client-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-devel-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-libs-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-libs-32bit-1.3.7-25.8.x86_64.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-client-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-devel-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-libs-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-libs-32bit-1.2.12-22.21.x86_64.rpm
Sources:
openSUSE 11.1:
http://download.opensuse.org/update/11.1/rpm/src/cups-1.3.9-7.2.1.src.rpm
openSUSE 11.0:
http://download.opensuse.org/update/11.0/rpm/src/cups-1.3.7-25.8.src.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/src/cups-1.2.12-22.21.src.rpm
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Open Enterprise Server
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
Novell Linux POS 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
Novell Linux Desktop 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
SUSE SLES 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
SUSE Linux Enterprise Server 10 SP2
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=a777264f13a7d9d882a7d024d831be1f
SUSE Linux Enterprise Desktop 10 SP2
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=a777264f13a7d9d882a7d024d831be1f
SLES 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLED 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLE 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLES 11 DEBUGINFO
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
=====================================================================
SUSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSe8qrney5gA9JdPZAQI4aQf/e938Hr+O1QYi9y5cm9ycOcaFHWx0oZED
yyOc4lUYZrb7qjmErPHfpoMR9c2XZlmESwKY0RZjddxe+vINDrOcMuI4nrp12ObP
uYvSAAz3xgpXzVtW5B/90ihHJAqHAnwOsdO8adt6PtKCt7T2gMPuQV0RSz3BRy//
qtBHDNyTBRPK7ex/YKUyQAbNENQUa3r9BaHpTHWjscfCoQch4Wz5hmLKv/n7eYdj
CFetsr6zu3hn3isKD8EPTIMbkpaYBMxp53UnNiRmVRy0Gb7zlBz5ByYQaYY+YKf/
OZ+ZHRTuDsNbAT03QtkvML3yqr3Yobb39DFa+cSsH2c9xTdwWdzSAg==
=ZnS5
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
Additionally the kdegraphics package was rebuild to make
kdegraphics-kpdf link correctly to the new poppler libraries and are
also provided. (CVE-2009-0165). Xpdf is an open source viewer for Portable Document Format (PDF) files. (CVE-2009-0163)
Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
as used in Poppler and other products, when running on Mac OS X,
has unspecified impact, related to g*allocn.
Update:
Packages for 2008.0 are being provided due to extended support for
Corporate products. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Poppler: Multiple vulnerabilities
Date: October 06, 2013
Bugs: #263028, #290430, #290464, #308017, #338878, #352581,
#459866, #480366
ID: 201310-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Poppler, some of which may
allow execution of arbitrary code.
Background
==========
Poppler is a cross-platform PDF rendering library originally based on
Xpdf.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/poppler < 0.22.2-r1 >= 0.22.2-r1
Description
===========
Multiple vulnerabilities have been discovered in Poppler. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Poppler users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.22.2-r1"
References
==========
[ 1 ] CVE-2009-0146
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0146
[ 2 ] CVE-2009-0147
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0147
[ 3 ] CVE-2009-0165
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0165
[ 4 ] CVE-2009-0166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0166
[ 5 ] CVE-2009-0195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0195
[ 6 ] CVE-2009-0799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0799
[ 7 ] CVE-2009-0800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0800
[ 8 ] CVE-2009-1179
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1179
[ 9 ] CVE-2009-1180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1180
[ 10 ] CVE-2009-1181
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1181
[ 11 ] CVE-2009-1182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1182
[ 12 ] CVE-2009-1183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1183
[ 13 ] CVE-2009-1187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1187
[ 14 ] CVE-2009-1188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1188
[ 15 ] CVE-2009-3603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3603
[ 16 ] CVE-2009-3604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3604
[ 17 ] CVE-2009-3605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3605
[ 18 ] CVE-2009-3606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3606
[ 19 ] CVE-2009-3607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3607
[ 20 ] CVE-2009-3608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3608
[ 21 ] CVE-2009-3609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3609
[ 22 ] CVE-2009-3938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3938
[ 23 ] CVE-2010-3702
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3702
[ 24 ] CVE-2010-3703
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3703
[ 25 ] CVE-2010-3704
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3704
[ 26 ] CVE-2010-4653
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4653
[ 27 ] CVE-2010-4654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4654
[ 28 ] CVE-2012-2142
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2142
[ 29 ] CVE-2013-1788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1788
[ 30 ] CVE-2013-1789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1789
[ 31 ] CVE-2013-1790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1790
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
This update upgrades KDE in Mandriva Linux 2008.0 to version 3.5.10,
which brings many bugfixes, overall improvements and many security
fixes.
For the old stable distribution (etch), these problems have been fixed in version
3.01-9.1+etch6.
For the stable distribution (lenny), these problems have been fixed in version
3.02-1.4+lenny1.
For the unstable distribution (sid), these problems will be fixed in a
forthcoming version.
We recommend that you upgrade your xpdf packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6.dsc
Size/MD5 checksum: 974 9c04059981f8b036d7e6e39c7f0aeb21
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6.diff.gz
Size/MD5 checksum: 46835 c69a67b9ff487403e7c3ff819c6ff734
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01.orig.tar.gz
Size/MD5 checksum: 599778 e004c69c7dddef165d768b1362b44268
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.01-9.1+etch6_all.deb
Size/MD5 checksum: 62834 dd8f37161c3b2430cb1cd65c911e9f86
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6_all.deb
Size/MD5 checksum: 1278 d6da8e00b02ab3f17ec44b90fff6bb30
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_alpha.deb
Size/MD5 checksum: 920352 83b7d74d9ebae9b26da91de7c91d3502
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_alpha.deb
Size/MD5 checksum: 1687294 9862913548fff9bfda37a6fe075df5b0
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_amd64.deb
Size/MD5 checksum: 809202 171520d7642019943bfe7166876f5da5
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_amd64.deb
Size/MD5 checksum: 1493308 9575f135e9ec312f9e6d7d2517dd8f5b
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_arm.deb
Size/MD5 checksum: 803714 6db06ffcba7f6d7576ed356e7989557d
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_arm.deb
Size/MD5 checksum: 1468616 9afde01dda379acd4e7edfbccc7c7b2d
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_hppa.deb
Size/MD5 checksum: 1773794 c9012a9d3919ec40dcea1264ac27a6fe
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_hppa.deb
Size/MD5 checksum: 963060 565daaf6f15ff7593d560ef7a2f94364
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_i386.deb
Size/MD5 checksum: 796992 5270bef04f1c2e924b813dffe6050d89
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_i386.deb
Size/MD5 checksum: 1458826 b2f3cbaac0ffcce0bb8d7e656bf11b02
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_ia64.deb
Size/MD5 checksum: 1217142 afeaf9bfc66ebb69767703bfb30bbd4c
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_ia64.deb
Size/MD5 checksum: 2218472 6545e9b6f58a84c0daa76baa8a0db629
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_mipsel.deb
Size/MD5 checksum: 946638 5323268be89e54c5c8eb7ae13f0eab14
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_mipsel.deb
Size/MD5 checksum: 1721268 0b710c0bcc6ffefe29f683ab09d3cbe8
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_powerpc.deb
Size/MD5 checksum: 1554798 eadd6236b778761086d436dd8db986e4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_powerpc.deb
Size/MD5 checksum: 849204 d22f5d59f03d6484e149d7536a25a517
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_s390.deb
Size/MD5 checksum: 1401814 0e3f588c64e8fa9a102ebcae29c4d807
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_s390.deb
Size/MD5 checksum: 767392 4b7c1a868f2f909c2dce25087da77817
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_sparc.deb
Size/MD5 checksum: 1394680 8b17e2339e2a908a610271eb678495b1
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_sparc.deb
Size/MD5 checksum: 763618 f3897333018702ee926e41ca5f58dc92
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1.dsc
Size/MD5 checksum: 1266 faeebc4dfc74129ca708a6345bb483f7
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02.orig.tar.gz
Size/MD5 checksum: 674912 599dc4cc65a07ee868cf92a667a913d2
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1.diff.gz
Size/MD5 checksum: 42280 362f72e95494f51a19eeb898b9a527ac
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.02-1.4+lenny1_all.deb
Size/MD5 checksum: 67664 b5f063bf32cbeaf1aaeec315dc8aff0a
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1_all.deb
Size/MD5 checksum: 1268 f67780458dac3c38cd59bfde186f9a3b
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_alpha.deb
Size/MD5 checksum: 1896344 f65f591413c25a23ea2aaccba2b5b634
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_alpha.deb
Size/MD5 checksum: 1018434 cb679c93bbc428ea852bd4ef3103e42d
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_amd64.deb
Size/MD5 checksum: 1709514 1e1277251a6dd0bb0a551997efd39175
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_amd64.deb
Size/MD5 checksum: 921892 fb7de1db5e3885365c3ad74c3646ab57
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_arm.deb
Size/MD5 checksum: 1667088 58ddefe40598d6fe4a5016145163ef45
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_arm.deb
Size/MD5 checksum: 907908 881594298fe547cefa3d528c519d369f
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_armel.deb
Size/MD5 checksum: 886242 51d55f7c4de41c5d4051f41fde9b7389
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_armel.deb
Size/MD5 checksum: 1602392 bc996edfad6d1995cb4ef2f4c7760b51
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_hppa.deb
Size/MD5 checksum: 1076286 fa3ac4a1001abf3e892bb1397b06ff17
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_hppa.deb
Size/MD5 checksum: 1985520 e95263d094e2c8d6aa72ee1edb9105f3
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_i386.deb
Size/MD5 checksum: 876656 441042932886fa29adae731338f6b5bd
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_i386.deb
Size/MD5 checksum: 1611730 52516381da25dbb0c1145e2b7cdf692a
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_ia64.deb
Size/MD5 checksum: 1380222 0ffaee560534c9d69df433340679c8fc
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_ia64.deb
Size/MD5 checksum: 2519970 eb4f4e5c173557fa8ae713f123cbb193
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_mips.deb
Size/MD5 checksum: 1894924 58b336b114ef5c8fb9fc6244411b4cf4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_mips.deb
Size/MD5 checksum: 1040834 ae8ed06ea2ed07e3a064c6bd28e80933
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_mipsel.deb
Size/MD5 checksum: 1026954 eac8167230b8fa208cdbc5b196f0c624
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_mipsel.deb
Size/MD5 checksum: 1872050 8f2e99ce5a102d099ba22543f246d5bd
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_powerpc.deb
Size/MD5 checksum: 1788584 7d1466cc8770bd92f299c1cc772f64e7
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_powerpc.deb
Size/MD5 checksum: 968838 7cc8568d6b74348300066e42b27f90c2
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_s390.deb
Size/MD5 checksum: 871666 1dde93a4cc0a28b90f92c05f0d181079
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_s390.deb
Size/MD5 checksum: 1598270 201ad07e4853843dce22f22daa41fd35
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_sparc.deb
Size/MD5 checksum: 863662 446f2d8fe6483d3741648c4db1ff5b82
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_sparc.deb
Size/MD5 checksum: 1586262 52861c00f406c35db8a6e6f3269cc37d
These files will probably be moved into the stable distribution on
its next update.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:055
http://www.mandriva.com/security/
_______________________________________________________________________
Package : poppler
Date : March 4, 2010
Affected: 2008.0
_______________________________________________________________________
Problem Description:
An out-of-bounds reading flaw in the JBIG2 decoder allows remote
attackers to cause a denial of service (crash) via a crafted PDF file
(CVE-2009-0799). NOTE: some of these details are obtained
from third party information. NOTE: this issue reportedly exists
because of an incomplete fix for CVE-2009-1188 (CVE-2009-3603). NOTE: this may overlap CVE-2009-0791
(CVE-2009-3605). NOTE:
some of these details are obtained from third party information
(CVE-2009-3607).
This update provides fixes for that vulnerabilities.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3603
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3604
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3938
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
0b4c544fea742c847cb56b9fbc33f412 2008.0/i586/libpoppler3-0.8.7-2.4mdv2008.0.i586.rpm
b991aecb282a882f6ee5640bcc832e5d 2008.0/i586/libpoppler-devel-0.8.7-2.4mdv2008.0.i586.rpm
afe27149192bdca20b911965febc5ee2 2008.0/i586/libpoppler-glib3-0.8.7-2.4mdv2008.0.i586.rpm
379d7bdd3dde6cbf9bd43c7b9e2723c3 2008.0/i586/libpoppler-glib-devel-0.8.7-2.4mdv2008.0.i586.rpm
d7f58c500ff93f75998e1a0ba8e05c9e 2008.0/i586/libpoppler-qt2-0.8.7-2.4mdv2008.0.i586.rpm
64a5f31e3feb593c1ce0be10a24aec43 2008.0/i586/libpoppler-qt4-3-0.8.7-2.4mdv2008.0.i586.rpm
5e3182c22daabbf93056b8a94545fbd9 2008.0/i586/libpoppler-qt4-devel-0.8.7-2.4mdv2008.0.i586.rpm
9eaa15826e2ab184de24cf0b1aeda2e6 2008.0/i586/libpoppler-qt-devel-0.8.7-2.4mdv2008.0.i586.rpm
53fa179984dc9c0442292a77bab496b0 2008.0/i586/poppler-0.8.7-2.4mdv2008.0.i586.rpm
c8146a94a038650fc5a1704196b1b087 2008.0/SRPMS/poppler-0.8.7-2.4mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
ebde9bf055ba6854f7348da4dd2ba7b4 2008.0/x86_64/lib64poppler3-0.8.7-2.4mdv2008.0.x86_64.rpm
c200ff892641cebd5e49ebc2d05fb1c0 2008.0/x86_64/lib64poppler-devel-0.8.7-2.4mdv2008.0.x86_64.rpm
6ee35af2904995be70a1d83adc2a2d86 2008.0/x86_64/lib64poppler-glib3-0.8.7-2.4mdv2008.0.x86_64.rpm
a4ad93d7caf1bfaa25f1e511da8c9208 2008.0/x86_64/lib64poppler-glib-devel-0.8.7-2.4mdv2008.0.x86_64.rpm
86205b42fd719dd722799de7f215d021 2008.0/x86_64/lib64poppler-qt2-0.8.7-2.4mdv2008.0.x86_64.rpm
523f9debc4c5db056eb5484aa066960e 2008.0/x86_64/lib64poppler-qt4-3-0.8.7-2.4mdv2008.0.x86_64.rpm
79a6a65ada1a4e4573d9ca50ea1995f0 2008.0/x86_64/lib64poppler-qt4-devel-0.8.7-2.4mdv2008.0.x86_64.rpm
ea0e41c890b571f6bbc217983aa2f3ec 2008.0/x86_64/lib64poppler-qt-devel-0.8.7-2.4mdv2008.0.x86_64.rpm
2086f89f02c674a8428f9d88d9e3c8d2 2008.0/x86_64/poppler-0.8.7-2.4mdv2008.0.x86_64.rpm
c8146a94a038650fc5a1704196b1b087 2008.0/SRPMS/poppler-0.8.7-2.4mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security
| VAR-200904-0809 | CVE-2009-1180 | Xpdf and poppler contain multiple vulnerabilities in the processing of JBIG2 data |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. Xpdf is prone to multiple security vulnerabilities. Failed exploit attempts will likely cause denial-of-service conditions.
These issues affect multiple applications on multiple platforms that use the affected library.
The updated packages have been patched to correct these issues.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: cups
Announcement ID: SUSE-SA:2009:024
Date: Wed, 22 Apr 2009 13:00:00 +0000
Affected Products: openSUSE 10.3
openSUSE 11.0
openSUSE 11.1
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP2
SUSE Linux Enterprise Server 10 SP2
SLE 11
Vulnerability Type: remote code execution
Severity (1-10): 8 (critical)
SUSE Default Package: yes
Cross-References: CVE-2009-0146, CVE-2009-0147, CVE-2009-0163
CVE-2009-0165, CVE-2009-0166, CVE-2009-0799
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180
CVE-2009-1181, CVE-2009-1182, CVE-2009-1183
Content of This Advisory:
1) Security Vulnerability Resolved:
fixed remotely exploitable overflows
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The Common Unix Printing System, CUPS, is a printing server for unix-like
operating systems. It allows a local user to print documents as well as
remote users via port 631/tcp.
The first one can be triggered by a specially crafted tiff file. This
file could lead to an integer overflow in the 'imagetops' filter which
caused an heap overflow later.
This bug is probably exploitable remotely by users having remote access
to the CUPS server and allows the execution of arbitrary code with the
privileges of the cupsd process. (CVE-2009-0163)
The second issue affects the JBIG2 decoding of the 'pdftops' filter.
The JBIG2 decoding routines are vulnerable to various software failure
types like integer and buffer overflows and it is believed to be exploit-
able remotely to execute arbitrary code with the privileges of the cupsd
process.
(CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181, CVE-2009-1182,
CVE-2009-1183)
2) Solution or Work-Around
none
3) Special Instructions and Notes
none
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/i586/cups-debuginfo-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/debug/update/11.1/rpm/i586/cups-debugsource-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-client-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-devel-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-libs-1.3.9-7.2.1.i586.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/i586/cups-debuginfo-1.3.7-25.8.i586.rpm
http://download.opensuse.org/debug/update/11.0/rpm/i586/cups-debugsource-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-client-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-devel-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-libs-1.3.7-25.8.i586.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/i586/cups-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-client-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-devel-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-libs-1.2.12-22.21.i586.rpm
Power PC Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/ppc/cups-debuginfo-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/debug/update/11.1/rpm/ppc/cups-debugsource-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-client-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-devel-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-libs-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-libs-64bit-1.3.9-7.2.1.ppc.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/ppc/cups-debuginfo-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/debug/update/11.0/rpm/ppc/cups-debugsource-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-client-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-devel-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-libs-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-libs-64bit-1.3.7-25.8.ppc.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/ppc/cups-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-client-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-devel-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-libs-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-libs-64bit-1.2.12-22.21.ppc.rpm
x86-64 Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/x86_64/cups-debuginfo-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/debug/update/11.1/rpm/x86_64/cups-debugsource-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-client-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-devel-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-libs-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-libs-32bit-1.3.9-7.2.1.x86_64.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/x86_64/cups-debuginfo-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/debug/update/11.0/rpm/x86_64/cups-debugsource-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-client-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-devel-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-libs-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-libs-32bit-1.3.7-25.8.x86_64.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-client-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-devel-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-libs-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-libs-32bit-1.2.12-22.21.x86_64.rpm
Sources:
openSUSE 11.1:
http://download.opensuse.org/update/11.1/rpm/src/cups-1.3.9-7.2.1.src.rpm
openSUSE 11.0:
http://download.opensuse.org/update/11.0/rpm/src/cups-1.3.7-25.8.src.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/src/cups-1.2.12-22.21.src.rpm
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Open Enterprise Server
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
Novell Linux POS 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
Novell Linux Desktop 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
SUSE SLES 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
SUSE Linux Enterprise Server 10 SP2
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=a777264f13a7d9d882a7d024d831be1f
SUSE Linux Enterprise Desktop 10 SP2
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=a777264f13a7d9d882a7d024d831be1f
SLES 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLED 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLE 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLES 11 DEBUGINFO
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
=====================================================================
SUSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSe8qrney5gA9JdPZAQI4aQf/e938Hr+O1QYi9y5cm9ycOcaFHWx0oZED
yyOc4lUYZrb7qjmErPHfpoMR9c2XZlmESwKY0RZjddxe+vINDrOcMuI4nrp12ObP
uYvSAAz3xgpXzVtW5B/90ihHJAqHAnwOsdO8adt6PtKCt7T2gMPuQV0RSz3BRy//
qtBHDNyTBRPK7ex/YKUyQAbNENQUa3r9BaHpTHWjscfCoQch4Wz5hmLKv/n7eYdj
CFetsr6zu3hn3isKD8EPTIMbkpaYBMxp53UnNiRmVRy0Gb7zlBz5ByYQaYY+YKf/
OZ+ZHRTuDsNbAT03QtkvML3yqr3Yobb39DFa+cSsH2c9xTdwWdzSAg==
=ZnS5
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ===========================================================
Ubuntu Security Notice USN-973-1 August 17, 2010
koffice vulnerabilities
CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166,
CVE-2009-0195, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179,
CVE-2009-1180, CVE-2009-1181, CVE-2009-3606, CVE-2009-3608,
CVE-2009-3609
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.04:
kword 1:1.6.3-7ubuntu6.1
In general, a standard system update will make all the necessary changes.
Details follow:
Will Dormann, Alin Rad Pop, Braden Thomas, and Drew Yao discovered that the
Xpdf used in KOffice contained multiple security issues in its JBIG2
decoder. (CVE-2009-3606, CVE-2009-3608, CVE-2009-3609)
KOffice in Ubuntu 9.04 uses a very old version of Xpdf to import PDFs into
KWord. Upstream KDE no longer supports PDF import in KOffice and as a
result it was dropped in Ubuntu 9.10. While an attempt was made to fix the
above issues, the maintenance burden for supporting this very old version
of Xpdf outweighed its utility, and PDF import is now also disabled in
Ubuntu 9.04. Xpdf is an open source viewer for Portable Document Format (PDF) files. A denial of service attack vulnerability exists in the JBIG2 decoder of Xpdf. (CVE-2009-0165).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:055
http://www.mandriva.com/security/
_______________________________________________________________________
Package : poppler
Date : March 4, 2010
Affected: 2008.0
_______________________________________________________________________
Problem Description:
An out-of-bounds reading flaw in the JBIG2 decoder allows remote
attackers to cause a denial of service (crash) via a crafted PDF file
(CVE-2009-0799). NOTE: some of these details are obtained
from third party information. NOTE: this issue reportedly exists
because of an incomplete fix for CVE-2009-1188 (CVE-2009-3603). NOTE: this may overlap CVE-2009-0791
(CVE-2009-3605). NOTE:
some of these details are obtained from third party information
(CVE-2009-3607).
This update provides fixes for that vulnerabilities.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3603
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3604
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3938
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
0b4c544fea742c847cb56b9fbc33f412 2008.0/i586/libpoppler3-0.8.7-2.4mdv2008.0.i586.rpm
b991aecb282a882f6ee5640bcc832e5d 2008.0/i586/libpoppler-devel-0.8.7-2.4mdv2008.0.i586.rpm
afe27149192bdca20b911965febc5ee2 2008.0/i586/libpoppler-glib3-0.8.7-2.4mdv2008.0.i586.rpm
379d7bdd3dde6cbf9bd43c7b9e2723c3 2008.0/i586/libpoppler-glib-devel-0.8.7-2.4mdv2008.0.i586.rpm
d7f58c500ff93f75998e1a0ba8e05c9e 2008.0/i586/libpoppler-qt2-0.8.7-2.4mdv2008.0.i586.rpm
64a5f31e3feb593c1ce0be10a24aec43 2008.0/i586/libpoppler-qt4-3-0.8.7-2.4mdv2008.0.i586.rpm
5e3182c22daabbf93056b8a94545fbd9 2008.0/i586/libpoppler-qt4-devel-0.8.7-2.4mdv2008.0.i586.rpm
9eaa15826e2ab184de24cf0b1aeda2e6 2008.0/i586/libpoppler-qt-devel-0.8.7-2.4mdv2008.0.i586.rpm
53fa179984dc9c0442292a77bab496b0 2008.0/i586/poppler-0.8.7-2.4mdv2008.0.i586.rpm
c8146a94a038650fc5a1704196b1b087 2008.0/SRPMS/poppler-0.8.7-2.4mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
ebde9bf055ba6854f7348da4dd2ba7b4 2008.0/x86_64/lib64poppler3-0.8.7-2.4mdv2008.0.x86_64.rpm
c200ff892641cebd5e49ebc2d05fb1c0 2008.0/x86_64/lib64poppler-devel-0.8.7-2.4mdv2008.0.x86_64.rpm
6ee35af2904995be70a1d83adc2a2d86 2008.0/x86_64/lib64poppler-glib3-0.8.7-2.4mdv2008.0.x86_64.rpm
a4ad93d7caf1bfaa25f1e511da8c9208 2008.0/x86_64/lib64poppler-glib-devel-0.8.7-2.4mdv2008.0.x86_64.rpm
86205b42fd719dd722799de7f215d021 2008.0/x86_64/lib64poppler-qt2-0.8.7-2.4mdv2008.0.x86_64.rpm
523f9debc4c5db056eb5484aa066960e 2008.0/x86_64/lib64poppler-qt4-3-0.8.7-2.4mdv2008.0.x86_64.rpm
79a6a65ada1a4e4573d9ca50ea1995f0 2008.0/x86_64/lib64poppler-qt4-devel-0.8.7-2.4mdv2008.0.x86_64.rpm
ea0e41c890b571f6bbc217983aa2f3ec 2008.0/x86_64/lib64poppler-qt-devel-0.8.7-2.4mdv2008.0.x86_64.rpm
2086f89f02c674a8428f9d88d9e3c8d2 2008.0/x86_64/poppler-0.8.7-2.4mdv2008.0.x86_64.rpm
c8146a94a038650fc5a1704196b1b087 2008.0/SRPMS/poppler-0.8.7-2.4mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security.
For the old stable distribution (etch), these problems have been fixed in version
3.01-9.1+etch6.
For the stable distribution (lenny), these problems have been fixed in version
3.02-1.4+lenny1.
For the unstable distribution (sid), these problems will be fixed in a
forthcoming version.
We recommend that you upgrade your xpdf packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6.dsc
Size/MD5 checksum: 974 9c04059981f8b036d7e6e39c7f0aeb21
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6.diff.gz
Size/MD5 checksum: 46835 c69a67b9ff487403e7c3ff819c6ff734
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01.orig.tar.gz
Size/MD5 checksum: 599778 e004c69c7dddef165d768b1362b44268
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.01-9.1+etch6_all.deb
Size/MD5 checksum: 62834 dd8f37161c3b2430cb1cd65c911e9f86
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6_all.deb
Size/MD5 checksum: 1278 d6da8e00b02ab3f17ec44b90fff6bb30
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_alpha.deb
Size/MD5 checksum: 920352 83b7d74d9ebae9b26da91de7c91d3502
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_alpha.deb
Size/MD5 checksum: 1687294 9862913548fff9bfda37a6fe075df5b0
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_amd64.deb
Size/MD5 checksum: 809202 171520d7642019943bfe7166876f5da5
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_amd64.deb
Size/MD5 checksum: 1493308 9575f135e9ec312f9e6d7d2517dd8f5b
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_arm.deb
Size/MD5 checksum: 803714 6db06ffcba7f6d7576ed356e7989557d
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_arm.deb
Size/MD5 checksum: 1468616 9afde01dda379acd4e7edfbccc7c7b2d
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_hppa.deb
Size/MD5 checksum: 1773794 c9012a9d3919ec40dcea1264ac27a6fe
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_hppa.deb
Size/MD5 checksum: 963060 565daaf6f15ff7593d560ef7a2f94364
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_i386.deb
Size/MD5 checksum: 796992 5270bef04f1c2e924b813dffe6050d89
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_i386.deb
Size/MD5 checksum: 1458826 b2f3cbaac0ffcce0bb8d7e656bf11b02
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_ia64.deb
Size/MD5 checksum: 1217142 afeaf9bfc66ebb69767703bfb30bbd4c
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_ia64.deb
Size/MD5 checksum: 2218472 6545e9b6f58a84c0daa76baa8a0db629
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_mipsel.deb
Size/MD5 checksum: 946638 5323268be89e54c5c8eb7ae13f0eab14
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_mipsel.deb
Size/MD5 checksum: 1721268 0b710c0bcc6ffefe29f683ab09d3cbe8
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_powerpc.deb
Size/MD5 checksum: 1554798 eadd6236b778761086d436dd8db986e4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_powerpc.deb
Size/MD5 checksum: 849204 d22f5d59f03d6484e149d7536a25a517
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_s390.deb
Size/MD5 checksum: 1401814 0e3f588c64e8fa9a102ebcae29c4d807
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_s390.deb
Size/MD5 checksum: 767392 4b7c1a868f2f909c2dce25087da77817
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_sparc.deb
Size/MD5 checksum: 1394680 8b17e2339e2a908a610271eb678495b1
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_sparc.deb
Size/MD5 checksum: 763618 f3897333018702ee926e41ca5f58dc92
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1.dsc
Size/MD5 checksum: 1266 faeebc4dfc74129ca708a6345bb483f7
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02.orig.tar.gz
Size/MD5 checksum: 674912 599dc4cc65a07ee868cf92a667a913d2
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1.diff.gz
Size/MD5 checksum: 42280 362f72e95494f51a19eeb898b9a527ac
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.02-1.4+lenny1_all.deb
Size/MD5 checksum: 67664 b5f063bf32cbeaf1aaeec315dc8aff0a
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1_all.deb
Size/MD5 checksum: 1268 f67780458dac3c38cd59bfde186f9a3b
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_alpha.deb
Size/MD5 checksum: 1896344 f65f591413c25a23ea2aaccba2b5b634
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_alpha.deb
Size/MD5 checksum: 1018434 cb679c93bbc428ea852bd4ef3103e42d
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_amd64.deb
Size/MD5 checksum: 1709514 1e1277251a6dd0bb0a551997efd39175
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_amd64.deb
Size/MD5 checksum: 921892 fb7de1db5e3885365c3ad74c3646ab57
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_arm.deb
Size/MD5 checksum: 1667088 58ddefe40598d6fe4a5016145163ef45
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_arm.deb
Size/MD5 checksum: 907908 881594298fe547cefa3d528c519d369f
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_armel.deb
Size/MD5 checksum: 886242 51d55f7c4de41c5d4051f41fde9b7389
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_armel.deb
Size/MD5 checksum: 1602392 bc996edfad6d1995cb4ef2f4c7760b51
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_hppa.deb
Size/MD5 checksum: 1076286 fa3ac4a1001abf3e892bb1397b06ff17
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_hppa.deb
Size/MD5 checksum: 1985520 e95263d094e2c8d6aa72ee1edb9105f3
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_i386.deb
Size/MD5 checksum: 876656 441042932886fa29adae731338f6b5bd
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_i386.deb
Size/MD5 checksum: 1611730 52516381da25dbb0c1145e2b7cdf692a
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_ia64.deb
Size/MD5 checksum: 1380222 0ffaee560534c9d69df433340679c8fc
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_ia64.deb
Size/MD5 checksum: 2519970 eb4f4e5c173557fa8ae713f123cbb193
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_mips.deb
Size/MD5 checksum: 1894924 58b336b114ef5c8fb9fc6244411b4cf4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_mips.deb
Size/MD5 checksum: 1040834 ae8ed06ea2ed07e3a064c6bd28e80933
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_mipsel.deb
Size/MD5 checksum: 1026954 eac8167230b8fa208cdbc5b196f0c624
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_mipsel.deb
Size/MD5 checksum: 1872050 8f2e99ce5a102d099ba22543f246d5bd
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_powerpc.deb
Size/MD5 checksum: 1788584 7d1466cc8770bd92f299c1cc772f64e7
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_powerpc.deb
Size/MD5 checksum: 968838 7cc8568d6b74348300066e42b27f90c2
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_s390.deb
Size/MD5 checksum: 871666 1dde93a4cc0a28b90f92c05f0d181079
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_s390.deb
Size/MD5 checksum: 1598270 201ad07e4853843dce22f22daa41fd35
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_sparc.deb
Size/MD5 checksum: 863662 446f2d8fe6483d3741648c4db1ff5b82
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_sparc.deb
Size/MD5 checksum: 1586262 52861c00f406c35db8a6e6f3269cc37d
These files will probably be moved into the stable distribution on
its next update.
Additionally the kdegraphics package was rebuild to make
kdegraphics-kpdf link correctly to the new poppler libraries and are
also provided
| VAR-200904-0818 | CVE-2009-0147 | Xpdf and poppler contain multiple vulnerabilities in the processing of JBIG2 data |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. Xpdf and poppler contain multiple vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Xpdf is an open source viewer for Portable Document Format (PDF) files. ===========================================================
Ubuntu Security Notice USN-759-1 April 16, 2009
poppler vulnerabilities
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libpoppler1 0.5.1-0ubuntu7.5
libpoppler1-glib 0.5.1-0ubuntu7.5
Ubuntu 8.04 LTS:
libpoppler-glib2 0.6.4-1ubuntu3.2
libpoppler2 0.6.4-1ubuntu3.2
Ubuntu 8.10:
libpoppler-glib3 0.8.7-1ubuntu0.2
libpoppler3 0.8.7-1ubuntu0.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Will Dormann, Alin Rad Pop, Braden Thomas, and Drew Yao discovered that
poppler contained multiple security issues in its JBIG2 decoder. NOTE: some of these details are obtained
from third party information. NOTE: this issue reportedly exists
because of an incomplete fix for CVE-2009-1188 (CVE-2009-3603).
Additionally the kdegraphics package was rebuild to make
kdegraphics-kpdf link correctly to the new poppler libraries and are
also provided. NOTE:
the JBIG2Stream.cxx vector may overlap CVE-2009-1179. (CVE-2009-1183)
Two integer overflow flaws were found in the CUPS pdftops filter. An
attacker could create a malicious PDF file that would cause pdftops
to crash or, potentially, execute arbitrary code as the lp user if
the file was printed. (CVE-2009-3608, CVE-2009-3609)
This update corrects the problems.
Update:
Packages for 2008.0 are being provided due to extended support for
Corporate products.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
6b17f59f63c062c017c78d459dd2d89a 2008.0/i586/cups-1.3.10-0.1mdv2008.0.i586.rpm
9bc5298d9895c356227fdda3a0ddb2c0 2008.0/i586/cups-common-1.3.10-0.1mdv2008.0.i586.rpm
e3583883df8532fc8c496866dac713f8 2008.0/i586/cups-serial-1.3.10-0.1mdv2008.0.i586.rpm
fac1fcb839ad53322a447d4d39f769e3 2008.0/i586/libcups2-1.3.10-0.1mdv2008.0.i586.rpm
3d65afc590fb8520d68b2a3e8e1da696 2008.0/i586/libcups2-devel-1.3.10-0.1mdv2008.0.i586.rpm
9e09ed22a2522ee45e93e0edc146193f 2008.0/i586/libpoppler2-0.6-3.5mdv2008.0.i586.rpm
7427b1f56387e84db5a15aad85b424d2 2008.0/i586/libpoppler-devel-0.6-3.5mdv2008.0.i586.rpm
67937a584d365d6b00ef688c88e8d7c5 2008.0/i586/libpoppler-glib2-0.6-3.5mdv2008.0.i586.rpm
410dc85c2c7b71ab316be5607c556682 2008.0/i586/libpoppler-glib-devel-0.6-3.5mdv2008.0.i586.rpm
64d6e14be8d93c7651ce5dc3e2ebc5bf 2008.0/i586/libpoppler-qt2-0.6-3.5mdv2008.0.i586.rpm
cc9af7e314b6eaa6a8f946fa2c27f298 2008.0/i586/libpoppler-qt4-2-0.6-3.5mdv2008.0.i586.rpm
0c6d3a6b5211e8506a89144b8c3a3cfb 2008.0/i586/libpoppler-qt4-devel-0.6-3.5mdv2008.0.i586.rpm
c985516638ed4d8f792daa13bd506023 2008.0/i586/libpoppler-qt-devel-0.6-3.5mdv2008.0.i586.rpm
8d05619dcef538092696ce70998abd20 2008.0/i586/php-cups-1.3.10-0.1mdv2008.0.i586.rpm
0bae2a3525b796882d2cc87853945e5a 2008.0/i586/poppler-0.6-3.5mdv2008.0.i586.rpm
f3b53f5fafa8af4d754a5985e5f93830 2008.0/SRPMS/cups-1.3.10-0.1mdv2008.0.src.rpm
11b021f4e5d21d199728b9a0a37a8230 2008.0/SRPMS/poppler-0.6-3.5mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
8249475feb3bdc74ea7060944baed6aa 2008.0/x86_64/cups-1.3.10-0.1mdv2008.0.x86_64.rpm
83951504acb783cfdb8ec4fe48d31e1e 2008.0/x86_64/cups-common-1.3.10-0.1mdv2008.0.x86_64.rpm
fa8a91e8e3bc8f11c19ab460d1f690fe 2008.0/x86_64/cups-serial-1.3.10-0.1mdv2008.0.x86_64.rpm
e061fdbeded2d97bb3ca6b34d33cb384 2008.0/x86_64/lib64cups2-1.3.10-0.1mdv2008.0.x86_64.rpm
893235ea8cf23295ae961ea2de0b9903 2008.0/x86_64/lib64cups2-devel-1.3.10-0.1mdv2008.0.x86_64.rpm
9844640563afdef4a870e2ed12e58136 2008.0/x86_64/lib64poppler2-0.6-3.5mdv2008.0.x86_64.rpm
06ea824a6a2cd9360a9e75a14718192a 2008.0/x86_64/lib64poppler-devel-0.6-3.5mdv2008.0.x86_64.rpm
bb0eb04fa906a352e6738d08f116f89b 2008.0/x86_64/lib64poppler-glib2-0.6-3.5mdv2008.0.x86_64.rpm
43d6a85dfdad7e969655ee4e2a377370 2008.0/x86_64/lib64poppler-glib-devel-0.6-3.5mdv2008.0.x86_64.rpm
eef29dde4b9e80d4c360e953cbe9110b 2008.0/x86_64/lib64poppler-qt2-0.6-3.5mdv2008.0.x86_64.rpm
c74dc9f245091f451441d8b88f0beed3 2008.0/x86_64/lib64poppler-qt4-2-0.6-3.5mdv2008.0.x86_64.rpm
60345458274afc6ff480317fc408ec52 2008.0/x86_64/lib64poppler-qt4-devel-0.6-3.5mdv2008.0.x86_64.rpm
0a880b9c0d655c10f5757882e30911f1 2008.0/x86_64/lib64poppler-qt-devel-0.6-3.5mdv2008.0.x86_64.rpm
eb6fde793ac0d7ea86df42aa22637807 2008.0/x86_64/php-cups-1.3.10-0.1mdv2008.0.x86_64.rpm
7f475f07368ed9158008f2891dce2cd6 2008.0/x86_64/poppler-0.6-3.5mdv2008.0.x86_64.rpm
f3b53f5fafa8af4d754a5985e5f93830 2008.0/SRPMS/cups-1.3.10-0.1mdv2008.0.src.rpm
11b021f4e5d21d199728b9a0a37a8230 2008.0/SRPMS/poppler-0.6-3.5mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLHXsgmqjQ0CJFipgRAu1fAKCINX1H5StX89GjMDWzGrEM1UiHeACeMLSY
a3mQtrfvoibfn29OFAfdSn0=
=lTbL
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Poppler: Multiple vulnerabilities
Date: October 06, 2013
Bugs: #263028, #290430, #290464, #308017, #338878, #352581,
#459866, #480366
ID: 201310-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Poppler, some of which may
allow execution of arbitrary code.
Background
==========
Poppler is a cross-platform PDF rendering library originally based on
Xpdf.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/poppler < 0.22.2-r1 >= 0.22.2-r1
Description
===========
Multiple vulnerabilities have been discovered in Poppler. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Poppler users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.22.2-r1"
References
==========
[ 1 ] CVE-2009-0146
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0146
[ 2 ] CVE-2009-0147
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0147
[ 3 ] CVE-2009-0165
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0165
[ 4 ] CVE-2009-0166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0166
[ 5 ] CVE-2009-0195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0195
[ 6 ] CVE-2009-0799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0799
[ 7 ] CVE-2009-0800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0800
[ 8 ] CVE-2009-1179
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1179
[ 9 ] CVE-2009-1180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1180
[ 10 ] CVE-2009-1181
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1181
[ 11 ] CVE-2009-1182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1182
[ 12 ] CVE-2009-1183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1183
[ 13 ] CVE-2009-1187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1187
[ 14 ] CVE-2009-1188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1188
[ 15 ] CVE-2009-3603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3603
[ 16 ] CVE-2009-3604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3604
[ 17 ] CVE-2009-3605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3605
[ 18 ] CVE-2009-3606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3606
[ 19 ] CVE-2009-3607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3607
[ 20 ] CVE-2009-3608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3608
[ 21 ] CVE-2009-3609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3609
[ 22 ] CVE-2009-3938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3938
[ 23 ] CVE-2010-3702
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3702
[ 24 ] CVE-2010-3703
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3703
[ 25 ] CVE-2010-3704
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3704
[ 26 ] CVE-2010-4653
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4653
[ 27 ] CVE-2010-4654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4654
[ 28 ] CVE-2012-2142
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2142
[ 29 ] CVE-2013-1788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1788
[ 30 ] CVE-2013-1789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1789
[ 31 ] CVE-2013-1790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1790
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
This update upgrades KDE in Mandriva Linux 2008.0 to version 3.5.10,
which brings many bugfixes, overall improvements and many security
fixes.
For the old stable distribution (etch), these problems have been fixed in version
3.01-9.1+etch6.
For the stable distribution (lenny), these problems have been fixed in version
3.02-1.4+lenny1.
For the unstable distribution (sid), these problems will be fixed in a
forthcoming version.
We recommend that you upgrade your xpdf packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6.dsc
Size/MD5 checksum: 974 9c04059981f8b036d7e6e39c7f0aeb21
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6.diff.gz
Size/MD5 checksum: 46835 c69a67b9ff487403e7c3ff819c6ff734
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01.orig.tar.gz
Size/MD5 checksum: 599778 e004c69c7dddef165d768b1362b44268
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.01-9.1+etch6_all.deb
Size/MD5 checksum: 62834 dd8f37161c3b2430cb1cd65c911e9f86
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6_all.deb
Size/MD5 checksum: 1278 d6da8e00b02ab3f17ec44b90fff6bb30
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_alpha.deb
Size/MD5 checksum: 920352 83b7d74d9ebae9b26da91de7c91d3502
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_alpha.deb
Size/MD5 checksum: 1687294 9862913548fff9bfda37a6fe075df5b0
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_amd64.deb
Size/MD5 checksum: 809202 171520d7642019943bfe7166876f5da5
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_amd64.deb
Size/MD5 checksum: 1493308 9575f135e9ec312f9e6d7d2517dd8f5b
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_arm.deb
Size/MD5 checksum: 803714 6db06ffcba7f6d7576ed356e7989557d
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_arm.deb
Size/MD5 checksum: 1468616 9afde01dda379acd4e7edfbccc7c7b2d
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_hppa.deb
Size/MD5 checksum: 1773794 c9012a9d3919ec40dcea1264ac27a6fe
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_hppa.deb
Size/MD5 checksum: 963060 565daaf6f15ff7593d560ef7a2f94364
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_i386.deb
Size/MD5 checksum: 796992 5270bef04f1c2e924b813dffe6050d89
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_i386.deb
Size/MD5 checksum: 1458826 b2f3cbaac0ffcce0bb8d7e656bf11b02
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_ia64.deb
Size/MD5 checksum: 1217142 afeaf9bfc66ebb69767703bfb30bbd4c
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_ia64.deb
Size/MD5 checksum: 2218472 6545e9b6f58a84c0daa76baa8a0db629
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_mipsel.deb
Size/MD5 checksum: 946638 5323268be89e54c5c8eb7ae13f0eab14
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_mipsel.deb
Size/MD5 checksum: 1721268 0b710c0bcc6ffefe29f683ab09d3cbe8
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_powerpc.deb
Size/MD5 checksum: 1554798 eadd6236b778761086d436dd8db986e4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_powerpc.deb
Size/MD5 checksum: 849204 d22f5d59f03d6484e149d7536a25a517
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_s390.deb
Size/MD5 checksum: 1401814 0e3f588c64e8fa9a102ebcae29c4d807
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_s390.deb
Size/MD5 checksum: 767392 4b7c1a868f2f909c2dce25087da77817
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_sparc.deb
Size/MD5 checksum: 1394680 8b17e2339e2a908a610271eb678495b1
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_sparc.deb
Size/MD5 checksum: 763618 f3897333018702ee926e41ca5f58dc92
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1.dsc
Size/MD5 checksum: 1266 faeebc4dfc74129ca708a6345bb483f7
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02.orig.tar.gz
Size/MD5 checksum: 674912 599dc4cc65a07ee868cf92a667a913d2
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1.diff.gz
Size/MD5 checksum: 42280 362f72e95494f51a19eeb898b9a527ac
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.02-1.4+lenny1_all.deb
Size/MD5 checksum: 67664 b5f063bf32cbeaf1aaeec315dc8aff0a
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1_all.deb
Size/MD5 checksum: 1268 f67780458dac3c38cd59bfde186f9a3b
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_alpha.deb
Size/MD5 checksum: 1896344 f65f591413c25a23ea2aaccba2b5b634
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_alpha.deb
Size/MD5 checksum: 1018434 cb679c93bbc428ea852bd4ef3103e42d
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_amd64.deb
Size/MD5 checksum: 1709514 1e1277251a6dd0bb0a551997efd39175
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_amd64.deb
Size/MD5 checksum: 921892 fb7de1db5e3885365c3ad74c3646ab57
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_arm.deb
Size/MD5 checksum: 1667088 58ddefe40598d6fe4a5016145163ef45
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_arm.deb
Size/MD5 checksum: 907908 881594298fe547cefa3d528c519d369f
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_armel.deb
Size/MD5 checksum: 886242 51d55f7c4de41c5d4051f41fde9b7389
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_armel.deb
Size/MD5 checksum: 1602392 bc996edfad6d1995cb4ef2f4c7760b51
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_hppa.deb
Size/MD5 checksum: 1076286 fa3ac4a1001abf3e892bb1397b06ff17
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_hppa.deb
Size/MD5 checksum: 1985520 e95263d094e2c8d6aa72ee1edb9105f3
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_i386.deb
Size/MD5 checksum: 876656 441042932886fa29adae731338f6b5bd
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_i386.deb
Size/MD5 checksum: 1611730 52516381da25dbb0c1145e2b7cdf692a
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_ia64.deb
Size/MD5 checksum: 1380222 0ffaee560534c9d69df433340679c8fc
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_ia64.deb
Size/MD5 checksum: 2519970 eb4f4e5c173557fa8ae713f123cbb193
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_mips.deb
Size/MD5 checksum: 1894924 58b336b114ef5c8fb9fc6244411b4cf4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_mips.deb
Size/MD5 checksum: 1040834 ae8ed06ea2ed07e3a064c6bd28e80933
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_mipsel.deb
Size/MD5 checksum: 1026954 eac8167230b8fa208cdbc5b196f0c624
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_mipsel.deb
Size/MD5 checksum: 1872050 8f2e99ce5a102d099ba22543f246d5bd
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_powerpc.deb
Size/MD5 checksum: 1788584 7d1466cc8770bd92f299c1cc772f64e7
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_powerpc.deb
Size/MD5 checksum: 968838 7cc8568d6b74348300066e42b27f90c2
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_s390.deb
Size/MD5 checksum: 871666 1dde93a4cc0a28b90f92c05f0d181079
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_s390.deb
Size/MD5 checksum: 1598270 201ad07e4853843dce22f22daa41fd35
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_sparc.deb
Size/MD5 checksum: 863662 446f2d8fe6483d3741648c4db1ff5b82
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_sparc.deb
Size/MD5 checksum: 1586262 52861c00f406c35db8a6e6f3269cc37d
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKAJvfYrVLjBFATsMRAvL3AJ48hk1Vsp4ZvDGoQfwOunErKHxElQCfepN+
rFYyqIcPRzz8zBGVGObkTr8=
=xhzW
-----END PGP SIGNATURE-----
| VAR-200904-0794 | CVE-2009-0163 | CUPS of TIFF Integer overflow vulnerability in image decoding routine |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and earlier allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a crafted TIFF image, which is not properly handled by the (1) _cupsImageReadTIFF function in the imagetops filter and (2) imagetoraster filter, leading to a heap-based buffer overflow. CUPS is prone to an integer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied TIFF image sizes before using them to allocate memory buffers.
Successful exploits may allow attackers to execute arbitrary code with the privileges of a user running the utilities. Failed exploit attempts likely cause denial-of-service conditions.
Versions prior to CUPS 1.3.10 are vulnerable. It is based on the Internet Printing Protocol and provides most PostScript and raster printer services. The _cupsImageReadTIFF() function of CUPS did not correctly validate the image height parameter read from the file when parsing TIFF files and used the height value to calculate the size of the dynamic heap buffer.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: cups
Announcement ID: SUSE-SA:2009:024
Date: Wed, 22 Apr 2009 13:00:00 +0000
Affected Products: openSUSE 10.3
openSUSE 11.0
openSUSE 11.1
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP2
SUSE Linux Enterprise Server 10 SP2
SLE 11
Vulnerability Type: remote code execution
Severity (1-10): 8 (critical)
SUSE Default Package: yes
Cross-References: CVE-2009-0146, CVE-2009-0147, CVE-2009-0163
CVE-2009-0165, CVE-2009-0166, CVE-2009-0799
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180
CVE-2009-1181, CVE-2009-1182, CVE-2009-1183
Content of This Advisory:
1) Security Vulnerability Resolved:
fixed remotely exploitable overflows
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The Common Unix Printing System, CUPS, is a printing server for unix-like
operating systems. It allows a local user to print documents as well as
remote users via port 631/tcp.
There were two security vulnerabilities fixed in cups.
The first one can be triggered by a specially crafted tiff file. This
file could lead to an integer overflow in the 'imagetops' filter which
caused an heap overflow later.
This bug is probably exploitable remotely by users having remote access
to the CUPS server and allows the execution of arbitrary code with the
privileges of the cupsd process. (CVE-2009-0163)
The second issue affects the JBIG2 decoding of the 'pdftops' filter.
The JBIG2 decoding routines are vulnerable to various software failure
types like integer and buffer overflows and it is believed to be exploit-
able remotely to execute arbitrary code with the privileges of the cupsd
process.
(CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181, CVE-2009-1182,
CVE-2009-1183)
2) Solution or Work-Around
none
3) Special Instructions and Notes
none
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/i586/cups-debuginfo-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/debug/update/11.1/rpm/i586/cups-debugsource-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-client-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-devel-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-libs-1.3.9-7.2.1.i586.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/i586/cups-debuginfo-1.3.7-25.8.i586.rpm
http://download.opensuse.org/debug/update/11.0/rpm/i586/cups-debugsource-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-client-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-devel-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-libs-1.3.7-25.8.i586.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/i586/cups-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-client-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-devel-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-libs-1.2.12-22.21.i586.rpm
Power PC Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/ppc/cups-debuginfo-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/debug/update/11.1/rpm/ppc/cups-debugsource-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-client-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-devel-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-libs-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-libs-64bit-1.3.9-7.2.1.ppc.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/ppc/cups-debuginfo-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/debug/update/11.0/rpm/ppc/cups-debugsource-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-client-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-devel-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-libs-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-libs-64bit-1.3.7-25.8.ppc.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/ppc/cups-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-client-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-devel-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-libs-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-libs-64bit-1.2.12-22.21.ppc.rpm
x86-64 Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/x86_64/cups-debuginfo-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/debug/update/11.1/rpm/x86_64/cups-debugsource-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-client-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-devel-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-libs-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-libs-32bit-1.3.9-7.2.1.x86_64.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/x86_64/cups-debuginfo-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/debug/update/11.0/rpm/x86_64/cups-debugsource-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-client-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-devel-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-libs-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-libs-32bit-1.3.7-25.8.x86_64.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-client-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-devel-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-libs-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-libs-32bit-1.2.12-22.21.x86_64.rpm
Sources:
openSUSE 11.1:
http://download.opensuse.org/update/11.1/rpm/src/cups-1.3.9-7.2.1.src.rpm
openSUSE 11.0:
http://download.opensuse.org/update/11.0/rpm/src/cups-1.3.7-25.8.src.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/src/cups-1.2.12-22.21.src.rpm
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Open Enterprise Server
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
Novell Linux POS 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
Novell Linux Desktop 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
SUSE SLES 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
SUSE Linux Enterprise Server 10 SP2
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=a777264f13a7d9d882a7d024d831be1f
SUSE Linux Enterprise Desktop 10 SP2
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=a777264f13a7d9d882a7d024d831be1f
SLES 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLED 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLE 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLES 11 DEBUGINFO
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
=====================================================================
SUSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSe8qrney5gA9JdPZAQI4aQf/e938Hr+O1QYi9y5cm9ycOcaFHWx0oZED
yyOc4lUYZrb7qjmErPHfpoMR9c2XZlmESwKY0RZjddxe+vINDrOcMuI4nrp12ObP
uYvSAAz3xgpXzVtW5B/90ihHJAqHAnwOsdO8adt6PtKCt7T2gMPuQV0RSz3BRy//
qtBHDNyTBRPK7ex/YKUyQAbNENQUa3r9BaHpTHWjscfCoQch4Wz5hmLKv/n7eYdj
CFetsr6zu3hn3isKD8EPTIMbkpaYBMxp53UnNiRmVRy0Gb7zlBz5ByYQaYY+YKf/
OZ+ZHRTuDsNbAT03QtkvML3yqr3Yobb39DFa+cSsH2c9xTdwWdzSAg==
=ZnS5
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
For the stable distribution (lenny), this problem has been fixed in
version 1.3.8-1lenny5.
For the oldstable distribution (etch), this problem has been fixed in
version 1.2.7-4etch7.
For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.
We recommend that you upgrade your cups packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7.dsc
Size/MD5 checksum: 1092 4203af9c21af4d6918245cd45acb06bb
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7.diff.gz
Size/MD5 checksum: 109374 af603a7173c6df4f33b048ffc7115bd8
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7.orig.tar.gz
Size/MD5 checksum: 4214272 c9ba33356e5bb93efbcf77b6e142e498
Architecture independent packages:
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4etch7_all.deb
Size/MD5 checksum: 46244 44171d0a66210c387b6af8448f6d521d
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-common_1.2.7-4etch7_all.deb
Size/MD5 checksum: 893990 3f5525cb2fc50e8a06352e587737e2dc
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_alpha.deb
Size/MD5 checksum: 39294 ced5ae3328348f9d3ae2676353e726bb
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_alpha.deb
Size/MD5 checksum: 184844 ecdf10a00e54d73bc9bba1044f42fc22
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_alpha.deb
Size/MD5 checksum: 1093362 f5be00bdf1562065aae9ea9fdb6663dc
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_alpha.deb
Size/MD5 checksum: 175490 5b2ece54509d960d8a1a3641412937f8
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_alpha.deb
Size/MD5 checksum: 86398 7f312dfb4ff21681dff286d99d3896d8
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_alpha.deb
Size/MD5 checksum: 1604044 5656d9acd49fba643a50934599675ebc
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_alpha.deb
Size/MD5 checksum: 95756 127511aa7fc682dab5e853b608ccba11
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch7_alpha.deb
Size/MD5 checksum: 72988 5da04efb7c621d273910e5f5fe9ec9c1
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_amd64.deb
Size/MD5 checksum: 36358 81cea5176eb873a11c89fccd558da98f
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_amd64.deb
Size/MD5 checksum: 86462 6c33916f4c531bba16f777f71f772293
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_amd64.deb
Size/MD5 checksum: 1576296 724f40dec3726a6d099c97fc3cafb484
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_amd64.deb
Size/MD5 checksum: 142530 0e9faa06043e872626093a03fa17292c
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_amd64.deb
Size/MD5 checksum: 162692 bd08c8846a95488ec98fea36e105638b
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_amd64.deb
Size/MD5 checksum: 1088628 03b7431460c4d52d15f8525c0b01eddf
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_amd64.deb
Size/MD5 checksum: 80736 06d9dd7cd306e846e36047a0eb6f0699
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch7_amd64.deb
Size/MD5 checksum: 53046 873a9f887cada29675d76f5c652af7a6
arm architecture (ARM)
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_arm.deb
Size/MD5 checksum: 155368 736f7fc1a145dfac7b96ab591b6b9a27
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_arm.deb
Size/MD5 checksum: 1026102 492569202623c8e389586e0a651c9b3f
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_arm.deb
Size/MD5 checksum: 1569744 19ce598de83cfa70b6a296f38c020478
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_arm.deb
Size/MD5 checksum: 78908 a0f4d02f5b163fe6c6e77df98c63e300
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_arm.deb
Size/MD5 checksum: 85818 603f3fd2de4599fc6d3e593ba6a44dfb
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_arm.deb
Size/MD5 checksum: 35934 d04cdfc9eab65c862c8bd6510c0b22aa
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_arm.deb
Size/MD5 checksum: 132042 aafde83137fe0cb0b63cdce0d2bc62cc
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch7_arm.deb
Size/MD5 checksum: 48894 9bc3b3af517020ab3e241dc44af05326
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_i386.deb
Size/MD5 checksum: 86874 f26336d906cea5719ec15ba55623eddf
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_i386.deb
Size/MD5 checksum: 1547404 0578f2f01cf6619f255b06dcc37d879b
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch7_i386.deb
Size/MD5 checksum: 53198 6370e8f2d3a88f69cae3b4d217405bd7
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_i386.deb
Size/MD5 checksum: 79872 966d88b2c851f1a7d67c297313b235b0
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_i386.deb
Size/MD5 checksum: 36468 fda5fad3a8104b0c0ca6ab5d18c03bb5
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_i386.deb
Size/MD5 checksum: 138274 15b7dd0ac05da741dab120e76cba0e4c
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_i386.deb
Size/MD5 checksum: 998516 93de926d94dd735c64a2c803e6720872
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_i386.deb
Size/MD5 checksum: 159824 8b8c0a595a4ba37d4794a0d377247fb9
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_mips.deb
Size/MD5 checksum: 150778 d710b63290ea704ebd42090eba65c107
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_mips.deb
Size/MD5 checksum: 35964 0b95eb26db8e5aef307af45d0508e2c7
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_mips.deb
Size/MD5 checksum: 77146 852fb9411f3a9c75c570b5255b239ca7
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_mips.deb
Size/MD5 checksum: 1551962 a7d22ac657ee679cb1898c0dbb3ed7c1
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_mips.deb
Size/MD5 checksum: 1098270 d0ed45a370230ea5a772df21bd718973
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch7_mips.deb
Size/MD5 checksum: 57530 668fa4b84cf505ffc086c46c8238fc95
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_mips.deb
Size/MD5 checksum: 86970 5a6f44aaebdb33145898d336f9390885
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_mips.deb
Size/MD5 checksum: 158896 7b13f748738a1ce0f50cd27c9b052431
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_mipsel.deb
Size/MD5 checksum: 87148 4374d53e7d72231b7d95869e9a646d7d
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_mipsel.deb
Size/MD5 checksum: 1553638 df97fb63a53afbb5b5cb3db635d2c001
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_mipsel.deb
Size/MD5 checksum: 36062 547f0d21badd989fc99ed4a79730a4da
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_mipsel.deb
Size/MD5 checksum: 158722 bda554b8ac90a4c5fbea5afd21d9fe16
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_mipsel.deb
Size/MD5 checksum: 1086238 be75438a8b89e78918011864aeb1ccd2
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_mipsel.deb
Size/MD5 checksum: 150884 ad6a839515c45736ea3cb7e9251fd427
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch7_mipsel.deb
Size/MD5 checksum: 57798 02acf357e72112087b351f205d7e7945
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_mipsel.deb
Size/MD5 checksum: 77458 08e101fe325b65121c170a9e3b58a2b7
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_powerpc.deb
Size/MD5 checksum: 136872 5d41c0227da9a81a1119fb6e92e65278
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_powerpc.deb
Size/MD5 checksum: 41324 4966469b5a194add297465f232fd9ff0
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_powerpc.deb
Size/MD5 checksum: 88666 e395634fa76ee6b77f0b28d00688de14
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_powerpc.deb
Size/MD5 checksum: 90008 561afd5de88b97d4536b92663a1753b2
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch7_powerpc.deb
Size/MD5 checksum: 51900 6af8ba016b886472b40152d75a05103b
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_powerpc.deb
Size/MD5 checksum: 1576806 ea603f4937cb570ac91805aed0da9aca
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_powerpc.deb
Size/MD5 checksum: 1144662 5699e8b512dbe453b899dce1b6851138
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_powerpc.deb
Size/MD5 checksum: 163390 1e624e1331ca971921573d289636359c
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_s390.deb
Size/MD5 checksum: 144936 b113d53d52373b603fbd13e6d71e3f35
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_s390.deb
Size/MD5 checksum: 37424 50ffaac85c766351ffd600153c815a74
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_s390.deb
Size/MD5 checksum: 82344 cafef495eebde8fda2463ceaf0f1fae2
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_s390.deb
Size/MD5 checksum: 166894 5a787ff93c3d0f4b9f2fe8fce76c079b
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_s390.deb
Size/MD5 checksum: 1587606 22d74c8ad10a70d7e228ecb7ec79b9c8
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch7_s390.deb
Size/MD5 checksum: 52516 7f9260ea6a1098d646f73578fc25908b
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_s390.deb
Size/MD5 checksum: 88078 682a40d1a28a38d80a03a0c23f0c788d
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_s390.deb
Size/MD5 checksum: 1037346 775f564213a827da9a988d16364eaf39
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch7_sparc.deb
Size/MD5 checksum: 1577988 26d3916b7836cf31435862c1293999e5
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch7_sparc.deb
Size/MD5 checksum: 51838 d70cb8e4492a4c2f35dbe594d7d6ab98
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch7_sparc.deb
Size/MD5 checksum: 996734 bee6e79ee624e7ef4cee635b03bcaa31
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch7_sparc.deb
Size/MD5 checksum: 159594 86f645f83507d10b1d0496724bceb5b0
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch7_sparc.deb
Size/MD5 checksum: 78594 dac07ba42566d31bdb9e71e15e37f248
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch7_sparc.deb
Size/MD5 checksum: 138738 d502a45d67b3398aaac1e3d3ef47134d
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch7_sparc.deb
Size/MD5 checksum: 85948 9a7450a17da56ed2ae6dd39762fb19c9
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch7_sparc.deb
Size/MD5 checksum: 36060 dfcde37f21036a597065ff4b56dd306d
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5.dsc
Size/MD5 checksum: 1833 4c8778e239a30fb22d2f183c32c698f9
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8.orig.tar.gz
Size/MD5 checksum: 4796827 10efe9825c1a1dcd325be47a6cc21faf
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5.diff.gz
Size/MD5 checksum: 184239 dd404146b1e9f016cc820f7892ed17c7
Architecture independent packages:
http://security.debian.org/pool/updates/main/c/cups/cupsys-dbg_1.3.8-1lenny5_all.deb
Size/MD5 checksum: 52046 19e750bfebc597b8936ae1d23a38b2ee
http://security.debian.org/pool/updates/main/c/cups/libcupsys2-dev_1.3.8-1lenny5_all.deb
Size/MD5 checksum: 52060 baf9cc46db611665cb4a36c043a809e4
http://security.debian.org/pool/updates/main/c/cups/cupsys-bsd_1.3.8-1lenny5_all.deb
Size/MD5 checksum: 52054 7b1cbcef31f0acef816e190274d4cd73
http://security.debian.org/pool/updates/main/c/cups/cupsys-common_1.3.8-1lenny5_all.deb
Size/MD5 checksum: 52058 2b8c19ea46398861298325493814b2bc
http://security.debian.org/pool/updates/main/c/cups/cups-common_1.3.8-1lenny5_all.deb
Size/MD5 checksum: 1175160 462411771388eea81dcd9fe87fcadb76
http://security.debian.org/pool/updates/main/c/cups/libcupsys2_1.3.8-1lenny5_all.deb
Size/MD5 checksum: 52048 da9cfa78d4fccba4d4587186e4e91583
http://security.debian.org/pool/updates/main/c/cups/cupsys_1.3.8-1lenny5_all.deb
Size/MD5 checksum: 52032 57858f41f804dcef4a205c71c8fafeb9
http://security.debian.org/pool/updates/main/c/cups/cupsys-client_1.3.8-1lenny5_all.deb
Size/MD5 checksum: 52056 fad269c06612a3e92372fb572997a75a
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_alpha.deb
Size/MD5 checksum: 107812 9827d33dd669899c6cf507790d8f6bb3
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_alpha.deb
Size/MD5 checksum: 1139012 500dac788469d8a0daf3c01183298fa0
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_alpha.deb
Size/MD5 checksum: 37814 07beee6caf1c88be556347fb50886d69
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_alpha.deb
Size/MD5 checksum: 2089068 ecee5dbe0e6c581e846a0a56429eb931
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_alpha.deb
Size/MD5 checksum: 441552 22608af1ebd84479c28a8945d8705c74
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_alpha.deb
Size/MD5 checksum: 119304 efd9ca03e7811c3f1691ed2686aab395
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_alpha.deb
Size/MD5 checksum: 179132 9d6e0cc2c524fdab73327f039ba11dcd
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_alpha.deb
Size/MD5 checksum: 81544 527042207cf23298fe2a728dcfd0b8bd
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_amd64.deb
Size/MD5 checksum: 99738 5900c1a673a43f0f062d017a06a2d207
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_amd64.deb
Size/MD5 checksum: 116248 14d66add2b6643e6877f5d4081349bbb
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_amd64.deb
Size/MD5 checksum: 167696 fcace181c86f8e192975e0d14405c18c
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_amd64.deb
Size/MD5 checksum: 61028 fae73a402bdfb574cd9dbdca629af8a3
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_amd64.deb
Size/MD5 checksum: 2067958 5ca93103c3991220029c271281c6cc53
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_amd64.deb
Size/MD5 checksum: 400648 aa4ee61e764ca9788998b83bf9c8450f
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_amd64.deb
Size/MD5 checksum: 1202144 68786a74a8313af5e2f2cc8c0b09cd59
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_amd64.deb
Size/MD5 checksum: 37344 c73825d780ef41df8dd523e49dc54610
arm architecture (ARM)
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_arm.deb
Size/MD5 checksum: 1123300 557de9bd954039759021cdd653a885b0
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_arm.deb
Size/MD5 checksum: 55346 89e8b82c7500198e118a52d7be63e520
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_arm.deb
Size/MD5 checksum: 113174 9678ff00559e3421d326772bd24e47ab
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_arm.deb
Size/MD5 checksum: 36472 e334b43b50170f78ddd2196bae49cfde
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_arm.deb
Size/MD5 checksum: 97092 39bfb5fb8b244033b8b1ab9b4c461a9e
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_arm.deb
Size/MD5 checksum: 387380 1521df5af20b47a06dfe901081e496e4
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_arm.deb
Size/MD5 checksum: 2058812 703c4d4d555001f4b9378ff42d286ad8
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_arm.deb
Size/MD5 checksum: 155172 2da281a3625527e9a1f64ea13440d6e1
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_armel.deb
Size/MD5 checksum: 157462 251d9966100467253068527bf3dd4884
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_armel.deb
Size/MD5 checksum: 2082936 095917cf06f73de1700c923859bc6186
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_armel.deb
Size/MD5 checksum: 117950 9acc5533034d20e8e5eb34759abeff8f
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_armel.deb
Size/MD5 checksum: 1131278 96e266e10e8062cf607a85d9bfb755b9
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_armel.deb
Size/MD5 checksum: 98158 148e0a5d454735f799d8aa0033f19b0c
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_armel.deb
Size/MD5 checksum: 386342 2b6c689f6cc9fa89cece3a0c82b5b734
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_armel.deb
Size/MD5 checksum: 37658 85d79d5a990b1cac0c272e1604edbae6
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_armel.deb
Size/MD5 checksum: 55026 61cb844134cad2fc5e65719ab835d5a3
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_hppa.deb
Size/MD5 checksum: 102902 806736c35feec38da0bfdfc0c23844cc
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_hppa.deb
Size/MD5 checksum: 38148 c7c3d1c5ae4ad0358b17327f6ef4bbd4
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_hppa.deb
Size/MD5 checksum: 63122 3d44247130b5797f289b88a5afbc88b1
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_hppa.deb
Size/MD5 checksum: 172484 80fe8fef733bca1192084e96e4342d2e
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_hppa.deb
Size/MD5 checksum: 2116308 8f1f71be20fe6167f4f3884841f902d6
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_hppa.deb
Size/MD5 checksum: 119834 b4f92925d2fd5562844999f57a9e85d4
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_hppa.deb
Size/MD5 checksum: 408888 e23953c8c1ecfeca8933cd89ab39fb63
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_hppa.deb
Size/MD5 checksum: 1137570 f98e5e9764760fcd3d03a117a82d5114
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_i386.deb
Size/MD5 checksum: 394064 07dcad9401a227e62ac1d4e2d15bba4e
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_i386.deb
Size/MD5 checksum: 36484 9dbfecd141e6674f8c4c12a7cc472e6e
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_i386.deb
Size/MD5 checksum: 60434 8c4f67ff8e3163e1aa24053c4f746a37
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_i386.deb
Size/MD5 checksum: 164434 8a9cc5328a01e96fb99a5c8dd7790626
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_i386.deb
Size/MD5 checksum: 114848 a4aed79f9fd271ca06be97fdd0c9097b
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_i386.deb
Size/MD5 checksum: 2047160 55f3b312558a1687931b74f55ef81dee
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_i386.deb
Size/MD5 checksum: 99120 5ea77d549d9e0d8ca64a6bdce863b262
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_i386.deb
Size/MD5 checksum: 1085470 6b05ce29e166358a0e33c440baf8a0eb
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_ia64.deb
Size/MD5 checksum: 139094 d83b44753709a37f7369d30f7c4e3dd6
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_ia64.deb
Size/MD5 checksum: 41278 0764cbd059c3b5788d0d4b15e951d37a
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_ia64.deb
Size/MD5 checksum: 123298 582063fb030b59c10fc63697565fd5f4
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_ia64.deb
Size/MD5 checksum: 208944 2f54be25c1a99e574c6b34bcb8168139
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_ia64.deb
Size/MD5 checksum: 447250 c0962041ae7bc9c479e4d7918f83a4b3
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_ia64.deb
Size/MD5 checksum: 1149208 2f3dc846e508a9b73324a992990b8211
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_ia64.deb
Size/MD5 checksum: 86012 18608e0c06348e42c6ec026c8ae7df1b
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_ia64.deb
Size/MD5 checksum: 2281350 b6f604d2d4c5fca17487d00deb686a47
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_mips.deb
Size/MD5 checksum: 98564 aadb6e93579960e565df5a18a1aceabc
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_mips.deb
Size/MD5 checksum: 108490 4fd40245789c857a1bd1bcde1786a852
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_mips.deb
Size/MD5 checksum: 2047262 2fe9d6fc13eac81bdc6cf2407e8e4ceb
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_mips.deb
Size/MD5 checksum: 65288 d321bcf5493754afa601cbc344880a91
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_mips.deb
Size/MD5 checksum: 36022 fea292710b43c8258f9b6a3819ed6ca2
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_mips.deb
Size/MD5 checksum: 405434 489e35881d4f007854d9610f075ade1c
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_mips.deb
Size/MD5 checksum: 157718 a3a3e679a6a937417894d9b3c297ece7
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_mips.deb
Size/MD5 checksum: 1170706 9f9c04f5a6aa2b12e333070c2ccd17c9
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_mipsel.deb
Size/MD5 checksum: 403046 77bae5abe1193c751c95addcaed813f6
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_mipsel.deb
Size/MD5 checksum: 1155908 a15bc32ece30cf1a7aa83e9ee79feb14
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_mipsel.deb
Size/MD5 checksum: 2028048 3a651bbf76860fff0ec9effca3670e6a
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_mipsel.deb
Size/MD5 checksum: 158180 2360289a2cef190bee1e4d1d87ade60d
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_mipsel.deb
Size/MD5 checksum: 36144 e3d852f522af032d23f30cc966afbb49
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_mipsel.deb
Size/MD5 checksum: 65220 dc0dae4e3a62acf8ee01e78b57260df3
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_mipsel.deb
Size/MD5 checksum: 98658 3ddad5f6aada2583031306456693f238
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_mipsel.deb
Size/MD5 checksum: 109970 51e58d9d80b625c46dd174e973a68ed1
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_powerpc.deb
Size/MD5 checksum: 2121876 5d1efb03d5bc0ad0f4696ddac30ae146
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_powerpc.deb
Size/MD5 checksum: 1189254 dc75c16994fbd0b77bdec45b3e7dd0bb
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_powerpc.deb
Size/MD5 checksum: 136088 b755acec71976f62df99ba5d371801fc
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_powerpc.deb
Size/MD5 checksum: 61144 891c52ce51da7a4fba78da2c93a18686
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_powerpc.deb
Size/MD5 checksum: 394002 7cc208d17bf4cc4f0f241873a8cf7da1
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_powerpc.deb
Size/MD5 checksum: 44222 4463b36153fbef74ac4076c57c38840b
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_powerpc.deb
Size/MD5 checksum: 174122 e5efc8b9432416897aca0204c7f01676
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_powerpc.deb
Size/MD5 checksum: 104598 9c5d0eb2e656980656973276dc3affc0
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_s390.deb
Size/MD5 checksum: 171442 8e5a52ad2952931a74fa270b6934638c
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_s390.deb
Size/MD5 checksum: 101384 e8b6b9b4bb117bcf856f61e41166d5e4
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_s390.deb
Size/MD5 checksum: 2090430 141fd5fbb9eece6a3b312d21871b22db
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_s390.deb
Size/MD5 checksum: 37812 dfaf79a24a794c91aabcaeb2921d11da
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_s390.deb
Size/MD5 checksum: 399542 f9e634c34bcf7203fd17e811e96c9441
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_s390.deb
Size/MD5 checksum: 1188034 d74e382cd278d744ef69fcabdc5aa938
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_s390.deb
Size/MD5 checksum: 60712 0df38401da1b0dc6277144f9b8965354
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_s390.deb
Size/MD5 checksum: 118608 fb635dd413f8756c91e22745b7d3af22
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/c/cups/cups-client_1.3.8-1lenny5_sparc.deb
Size/MD5 checksum: 115134 519fc7e05ce934ff21d0bfec0ae98bd0
http://security.debian.org/pool/updates/main/c/cups/cups_1.3.8-1lenny5_sparc.deb
Size/MD5 checksum: 2062158 3fab14e9340801ccbd8cba85b023f5fe
http://security.debian.org/pool/updates/main/c/cups/cups-bsd_1.3.8-1lenny5_sparc.deb
Size/MD5 checksum: 37020 34e6d2056a8b1ef3a060849eba2412b7
http://security.debian.org/pool/updates/main/c/cups/libcups2-dev_1.3.8-1lenny5_sparc.deb
Size/MD5 checksum: 390700 e50f922e87278223fc66c9ff189efe02
http://security.debian.org/pool/updates/main/c/cups/libcups2_1.3.8-1lenny5_sparc.deb
Size/MD5 checksum: 160894 2493bfe07de7cbe5206abe824dc8fb37
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2-dev_1.3.8-1lenny5_sparc.deb
Size/MD5 checksum: 57660 2e3c5ad6cb52420d20f0a42a0c4085b7
http://security.debian.org/pool/updates/main/c/cups/cups-dbg_1.3.8-1lenny5_sparc.deb
Size/MD5 checksum: 1052778 bb27f2fb553e314d5e23abe09d8e479c
http://security.debian.org/pool/updates/main/c/cups/libcupsimage2_1.3.8-1lenny5_sparc.deb
Size/MD5 checksum: 96968 e5f8123f31b9c9fe63417a12fa1d79b4
These files will probably be moved into the stable distribution on
its next update. (CVE-2009-0163)
Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
as used in Poppler and other products, when running on Mac OS X,
has unspecified impact, related to g*allocn. NOTE:
the JBIG2Stream.cxx vector may overlap CVE-2009-1179. (CVE-2009-0799)
Multiple input validation flaws in the JBIG2 decoder in Xpdf 3.02pl2
and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and
other products allow remote attackers to execute arbitrary code via
a crafted PDF file. (CVE-2009-1182)
The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
earlier, Poppler before 0.10.6, and other products allows remote
attackers to cause a denial of service (infinite loop and hang)
via a crafted PDF file. An
attacker could create a malicious PDF file that would cause pdftops
to crash or, potentially, execute arbitrary code as the lp user if
the file was printed. (CVE-2009-3608, CVE-2009-3609)
This update corrects the problems.
Update:
Packages for 2008.0 are being provided due to extended support for
Corporate products.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
6b17f59f63c062c017c78d459dd2d89a 2008.0/i586/cups-1.3.10-0.1mdv2008.0.i586.rpm
9bc5298d9895c356227fdda3a0ddb2c0 2008.0/i586/cups-common-1.3.10-0.1mdv2008.0.i586.rpm
e3583883df8532fc8c496866dac713f8 2008.0/i586/cups-serial-1.3.10-0.1mdv2008.0.i586.rpm
fac1fcb839ad53322a447d4d39f769e3 2008.0/i586/libcups2-1.3.10-0.1mdv2008.0.i586.rpm
3d65afc590fb8520d68b2a3e8e1da696 2008.0/i586/libcups2-devel-1.3.10-0.1mdv2008.0.i586.rpm
9e09ed22a2522ee45e93e0edc146193f 2008.0/i586/libpoppler2-0.6-3.5mdv2008.0.i586.rpm
7427b1f56387e84db5a15aad85b424d2 2008.0/i586/libpoppler-devel-0.6-3.5mdv2008.0.i586.rpm
67937a584d365d6b00ef688c88e8d7c5 2008.0/i586/libpoppler-glib2-0.6-3.5mdv2008.0.i586.rpm
410dc85c2c7b71ab316be5607c556682 2008.0/i586/libpoppler-glib-devel-0.6-3.5mdv2008.0.i586.rpm
64d6e14be8d93c7651ce5dc3e2ebc5bf 2008.0/i586/libpoppler-qt2-0.6-3.5mdv2008.0.i586.rpm
cc9af7e314b6eaa6a8f946fa2c27f298 2008.0/i586/libpoppler-qt4-2-0.6-3.5mdv2008.0.i586.rpm
0c6d3a6b5211e8506a89144b8c3a3cfb 2008.0/i586/libpoppler-qt4-devel-0.6-3.5mdv2008.0.i586.rpm
c985516638ed4d8f792daa13bd506023 2008.0/i586/libpoppler-qt-devel-0.6-3.5mdv2008.0.i586.rpm
8d05619dcef538092696ce70998abd20 2008.0/i586/php-cups-1.3.10-0.1mdv2008.0.i586.rpm
0bae2a3525b796882d2cc87853945e5a 2008.0/i586/poppler-0.6-3.5mdv2008.0.i586.rpm
f3b53f5fafa8af4d754a5985e5f93830 2008.0/SRPMS/cups-1.3.10-0.1mdv2008.0.src.rpm
11b021f4e5d21d199728b9a0a37a8230 2008.0/SRPMS/poppler-0.6-3.5mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
8249475feb3bdc74ea7060944baed6aa 2008.0/x86_64/cups-1.3.10-0.1mdv2008.0.x86_64.rpm
83951504acb783cfdb8ec4fe48d31e1e 2008.0/x86_64/cups-common-1.3.10-0.1mdv2008.0.x86_64.rpm
fa8a91e8e3bc8f11c19ab460d1f690fe 2008.0/x86_64/cups-serial-1.3.10-0.1mdv2008.0.x86_64.rpm
e061fdbeded2d97bb3ca6b34d33cb384 2008.0/x86_64/lib64cups2-1.3.10-0.1mdv2008.0.x86_64.rpm
893235ea8cf23295ae961ea2de0b9903 2008.0/x86_64/lib64cups2-devel-1.3.10-0.1mdv2008.0.x86_64.rpm
9844640563afdef4a870e2ed12e58136 2008.0/x86_64/lib64poppler2-0.6-3.5mdv2008.0.x86_64.rpm
06ea824a6a2cd9360a9e75a14718192a 2008.0/x86_64/lib64poppler-devel-0.6-3.5mdv2008.0.x86_64.rpm
bb0eb04fa906a352e6738d08f116f89b 2008.0/x86_64/lib64poppler-glib2-0.6-3.5mdv2008.0.x86_64.rpm
43d6a85dfdad7e969655ee4e2a377370 2008.0/x86_64/lib64poppler-glib-devel-0.6-3.5mdv2008.0.x86_64.rpm
eef29dde4b9e80d4c360e953cbe9110b 2008.0/x86_64/lib64poppler-qt2-0.6-3.5mdv2008.0.x86_64.rpm
c74dc9f245091f451441d8b88f0beed3 2008.0/x86_64/lib64poppler-qt4-2-0.6-3.5mdv2008.0.x86_64.rpm
60345458274afc6ff480317fc408ec52 2008.0/x86_64/lib64poppler-qt4-devel-0.6-3.5mdv2008.0.x86_64.rpm
0a880b9c0d655c10f5757882e30911f1 2008.0/x86_64/lib64poppler-qt-devel-0.6-3.5mdv2008.0.x86_64.rpm
eb6fde793ac0d7ea86df42aa22637807 2008.0/x86_64/php-cups-1.3.10-0.1mdv2008.0.x86_64.rpm
7f475f07368ed9158008f2891dce2cd6 2008.0/x86_64/poppler-0.6-3.5mdv2008.0.x86_64.rpm
f3b53f5fafa8af4d754a5985e5f93830 2008.0/SRPMS/cups-1.3.10-0.1mdv2008.0.src.rpm
11b021f4e5d21d199728b9a0a37a8230 2008.0/SRPMS/poppler-0.6-3.5mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. ===========================================================
Ubuntu Security Notice USN-760-1 April 16, 2009
cups, cupsys vulnerability
CVE-2009-0163
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libcupsimage2 1.2.2-0ubuntu0.6.06.13
Ubuntu 7.10:
libcupsimage2 1.3.2-1ubuntu7.10
Ubuntu 8.04 LTS:
libcupsimage2 1.3.7-1ubuntu3.4
Ubuntu 8.10:
libcupsimage2 1.3.9-2ubuntu9.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that CUPS did not properly check the height of TIFF images. In Ubuntu 7.10, 8.04 LTS, and 8.10,
attackers would be isolated by the AppArmor CUPS profile.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.13.diff.gz
Size/MD5: 102178 863f0abea416857983fcbc36bbc8fee0
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.13.dsc
Size/MD5: 1060 8b93d82fe6a744f9b6b972e430854e61
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2.orig.tar.gz
Size/MD5: 4070384 2c99b8aa4c8dc25c8a84f9c06aa52e3e
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-gnutls10_1.2.2-0ubuntu0.6.06.13_all.deb
Size/MD5: 996 fc3d13dd1774da8483ef9fd49d00f9a6
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.13_amd64.deb
Size/MD5: 36234 077b33449948a0745fb62ec47a152e0c
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.13_amd64.deb
Size/MD5: 81898 792f80793ff57dec7fd4fbf3924c9727
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.13_amd64.deb
Size/MD5: 2286906 7ea898e74d915f8e0075937e65c0319e
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.13_amd64.deb
Size/MD5: 6092 eaf3a9fc9e865121118e76d50b6e9a34
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.13_amd64.deb
Size/MD5: 77558 e5fbc40b4db7bb3d32ee25ff39695c15
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.13_amd64.deb
Size/MD5: 25744 9a465e48530aaedc5a214950a11a775b
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.13_amd64.deb
Size/MD5: 130254 1caa4bb6e80bc39fb5b542896025dd77
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.13_i386.deb
Size/MD5: 34768 79497d55cd423ca78c0e726165519fa8
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.13_i386.deb
Size/MD5: 77992 4294c7111e56c04ed50593bec7eb0542
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.13_i386.deb
Size/MD5: 2254210 703ebb85b86728df092483387bda4534
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.13_i386.deb
Size/MD5: 6092 793818da9ca70fd541c52cd8177f3fcd
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.13_i386.deb
Size/MD5: 76674 f432e40a80246a572b37a3e6d4d4a73c
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.13_i386.deb
Size/MD5: 25750 ee2707b99b13e573d0820f9aa5972ba6
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.13_i386.deb
Size/MD5: 122458 6da0de3ab25d10882d12c758b80d5ff3
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.13_powerpc.deb
Size/MD5: 40470 11fb5f90c1e4fbc654c92e3bc5430b56
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.13_powerpc.deb
Size/MD5: 89526 c448a86356ebbf358f39d7145a7c2dab
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.13_powerpc.deb
Size/MD5: 2301522 787625ce48c7c48ccd151639088576c5
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.13_powerpc.deb
Size/MD5: 6098 cc1c61b074d317283149df6f88b16f89
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.13_powerpc.deb
Size/MD5: 79204 6de2beef0271c7f194f2595f42fa1d03
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.13_powerpc.deb
Size/MD5: 25750 3b3cfb5258aa90376f0c403b5ce4f313
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.13_powerpc.deb
Size/MD5: 128220 1889e3958ddd3b4167f814be5e0c5669
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.13_sparc.deb
Size/MD5: 35398 f6754708625e1aeca20be2caac6805e8
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.13_sparc.deb
Size/MD5: 78730 359a8aa851331cd328bede00fb583eb4
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.13_sparc.deb
Size/MD5: 2287820 818ba75da33d934da415eb807ffe7ed5
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.13_sparc.deb
Size/MD5: 6094 e8ce8e1e2fc8435ad4fe840f21f0a28e
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.13_sparc.deb
Size/MD5: 76460 4366457c2c3354c3ed39b796aee8fedf
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.13_sparc.deb
Size/MD5: 25746 135ca59c238b25146cc5045c887625c5
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.13_sparc.deb
Size/MD5: 123946 7520a311cdcb245d7935f93b58d4dbec
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.10.diff.gz
Size/MD5: 131553 bd757fd2c0d9ca026aea8060565d80e2
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.10.dsc
Size/MD5: 1228 a6021e0ba41e2572bcb732065e804eeb
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2.orig.tar.gz
Size/MD5: 4848424 9e3e1dee4d872fdff0682041198d3d73
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-common_1.3.2-1ubuntu7.10_all.deb
Size/MD5: 1080406 28199baa2db7d4f7770dd33e70a509ad
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.10_amd64.deb
Size/MD5: 37208 e0ae7c648e1925b2af7591e5984cb337
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.10_amd64.deb
Size/MD5: 89518 4a40eea92e1e8f6ac48e894379199b2b
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.10_amd64.deb
Size/MD5: 2034852 0db1c3d8632f7fbd01f6aac0c7f45da9
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.10_amd64.deb
Size/MD5: 59970 c3b6f5602bfd4d7d5ddf02548fd26ca8
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.10_amd64.deb
Size/MD5: 46762 94af06d4c34b5192fb1b1a5c920f5252
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.10_amd64.deb
Size/MD5: 152020 52ada0c420bdb32ed2755ad90d5011a3
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.10_amd64.deb
Size/MD5: 186838 f01269d277410f7017769d68d3459c71
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.10_i386.deb
Size/MD5: 36472 d5affc2f40d7c2e9e49bdc782dfcf293
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.10_i386.deb
Size/MD5: 86480 80eb13c0582bf503b9bf971f534dd8ed
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.10_i386.deb
Size/MD5: 2018496 3d6947a3bcea2baa614c3788965237ee
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.10_i386.deb
Size/MD5: 58842 4ef22d7e7df7b849b8208bc21748ec26
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.10_i386.deb
Size/MD5: 46236 c32911b38e74b203f4de31c01897d52b
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.10_i386.deb
Size/MD5: 145696 fb5ae372221228f37aff28c847a47ff0
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.10_i386.deb
Size/MD5: 183628 36f43b9146a8621757931944c59456a2
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.10_lpia.deb
Size/MD5: 36674 2a1da18420c0d2c02e4f0b818642c9cc
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.10_lpia.deb
Size/MD5: 88306 6e4e4edcdfa385fb04d6933b79c49053
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.10_lpia.deb
Size/MD5: 2021548 e36baf8b1a559266afb503c1008b5663
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.10_lpia.deb
Size/MD5: 59608 329ddf9d992ecaf21eb18e57dccf4e62
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.10_lpia.deb
Size/MD5: 47680 89a1ed1d3cb67a07e4d4319dfb71895a
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.10_lpia.deb
Size/MD5: 142424 5ecc4470690aedfab8556725bf85cfff
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.10_lpia.deb
Size/MD5: 181846 43b58a4c526583c74c89cd4e7922ec79
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.10_powerpc.deb
Size/MD5: 46494 0ca3f3fdde42664d486abc95068f69d5
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.10_powerpc.deb
Size/MD5: 107740 0e3d348f47a0c48894b34a6dcf650e87
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.10_powerpc.deb
Size/MD5: 2099816 114adfec30bc20c02131152ae2653ab3
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.10_powerpc.deb
Size/MD5: 59526 56cf77e54d71cae67dbbad07c160be31
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.10_powerpc.deb
Size/MD5: 51858 eaf13d94845d822200136d4688660269
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.10_powerpc.deb
Size/MD5: 146962 a0ff3d61f23e682f8fc82fbfe29eedb8
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.10_powerpc.deb
Size/MD5: 192602 ddde17c0ec31f8d4d8b05612998cdaab
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.10_sparc.deb
Size/MD5: 37562 d98f8a2da544ed059f2218c0dfb954fa
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.10_sparc.deb
Size/MD5: 89616 1698ff4ba7cfe1e4934c118c2c7c2caa
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.10_sparc.deb
Size/MD5: 2061104 e0eea27213a8408271b51ba9c45125cb
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.10_sparc.deb
Size/MD5: 58096 33a7b735a3e51428f730a4bf2c1ee09e
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.10_sparc.deb
Size/MD5: 45558 4aa6f440619a2de5c18873ff9627b432
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.10_sparc.deb
Size/MD5: 148474 77e142bca5bff88c9ce1c73698622c89
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.10_sparc.deb
Size/MD5: 182656 6b393aae8cd4cefdf02136153359b6c0
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.4.diff.gz
Size/MD5: 135945 d143c1a3b17173c2803504ad7b3df4ae
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.4.dsc
Size/MD5: 1441 d9658e80896dd1798f22ec35c08f767c
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7.orig.tar.gz
Size/MD5: 4700333 383e556d9841475847da6076c88da467
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-common_1.3.7-1ubuntu3.4_all.deb
Size/MD5: 1144156 67f4f393da17c41d1a61fb78ba94fbe9
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.4_amd64.deb
Size/MD5: 37526 ee157cf2304860889fc039b4259264e4
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.4_amd64.deb
Size/MD5: 89976 307967ab122f76fbe9b5175f916789b3
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.4_amd64.deb
Size/MD5: 1880582 7768e9c295de2d02c278759477278a63
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.4_amd64.deb
Size/MD5: 60804 f9fb944aa37602a48f65201959c5529e
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.4_amd64.deb
Size/MD5: 50214 0f9c82dd716941e504477b61cd477d08
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.4_amd64.deb
Size/MD5: 344932 a2a18fd5df284949c4fb8f0b3b38bea7
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.4_amd64.deb
Size/MD5: 178022 ae2cb50d333a0be48644dce3cf321378
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.4_i386.deb
Size/MD5: 36944 72386915883428b08d0dc1208cd680c3
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.4_i386.deb
Size/MD5: 88404 5b6566bfcbbd0ee855092683916076c7
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.4_i386.deb
Size/MD5: 1863010 ceb126a3d52dce78c5b97301131fdd5d
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.4_i386.deb
Size/MD5: 60088 d8747e59074b5267a9bdfacf7bdebafa
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.4_i386.deb
Size/MD5: 49868 9e9657da87eb95d41e2aad34239cdf59
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.4_i386.deb
Size/MD5: 339346 25f8b9b769c36948c7a4ec4f96e9d3dc
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.4_i386.deb
Size/MD5: 174876 e23f2b31e3588d7af93d1414eb955cbe
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.4_lpia.deb
Size/MD5: 36662 200d134f978f9359ecd7f5c1ff623738
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.4_lpia.deb
Size/MD5: 88744 488c36dd36446835be013f69f8db40a5
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.4_lpia.deb
Size/MD5: 1865232 35485b90317586990a302a8ba5206c22
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.4_lpia.deb
Size/MD5: 60492 065a9c7b1ec07828808cfed0560b9e22
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.4_lpia.deb
Size/MD5: 50804 331fd9a149c9ab045d4de7ab8fd17a55
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.4_lpia.deb
Size/MD5: 337010 720b686c27d1f131e06d667abea73602
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.4_lpia.deb
Size/MD5: 173786 788b5e42061459ff4d0df691c8293ed0
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.4_powerpc.deb
Size/MD5: 46924 0c3497bb8000506a197c41cdbf304c2c
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.4_powerpc.deb
Size/MD5: 110822 51331a4f6bfb47a6fffa7f1fb9b890af
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.4_powerpc.deb
Size/MD5: 1949088 25f2d721528a2cca1ca1def205a3624a
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.4_powerpc.deb
Size/MD5: 59930 160fa81dd9360a020cfa367611bd1aca
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.4_powerpc.deb
Size/MD5: 54924 72540e9a996198e47e8af99f34ec2a71
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.4_powerpc.deb
Size/MD5: 341668 606092528cdb687e3078469892e5afe7
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.4_powerpc.deb
Size/MD5: 183760 b4e8c6f93f1abd7cd73c02cba6e54d55
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.4_sparc.deb
Size/MD5: 38038 a9e53793bb13c13b440772aad110751f
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.4_sparc.deb
Size/MD5: 91038 2e9d0d7aca0af65bcc2408bbea5b75f3
http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.4_sparc.deb
Size/MD5: 1897862 cfb3e5e4b34128d0f8183b858616d523
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.4_sparc.deb
Size/MD5: 57832 7122c3bdc29a3ff7ed0d602e6d93152c
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.4_sparc.deb
Size/MD5: 48216 03ca0630f77162bac3bcf6a09f95f867
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.4_sparc.deb
Size/MD5: 341372 97be9c9a5cb106642989cfe7cd39ce3e
http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.4_sparc.deb
Size/MD5: 173700 2937c5f089a4010f2702866b5ad6e9b4
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu9.1.diff.gz
Size/MD5: 326772 22e42d26d94eae277a0220b206b36267
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu9.1.dsc
Size/MD5: 2043 140705e4f8af42d5b4ff697d86ff3c20
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9.orig.tar.gz
Size/MD5: 4809771 e6f2d90491ed050e5ff2104b617b88ea
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-common_1.3.9-2ubuntu9.1_all.deb
Size/MD5: 1162718 c4a529b76cb13d183742cfe97b55c752
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys-bsd_1.3.9-2ubuntu9.1_all.deb
Size/MD5: 58152 81fa7be3a2a76147f7a67ce4a121ff60
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys-client_1.3.9-2ubuntu9.1_all.deb
Size/MD5: 58156 c9c848aebf1ade63952d8389abc5f3bf
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys-dbg_1.3.9-2ubuntu9.1_all.deb
Size/MD5: 58152 afd18dbc80d5dd23829a4a1a01e460b7
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys_1.3.9-2ubuntu9.1_all.deb
Size/MD5: 58144 f9bc2310454e4da75f864f2045862658
http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsys2-dev_1.3.9-2ubuntu9.1_all.deb
Size/MD5: 58160 b6769b906799fc4ea2c656d80da1d06e
http://security.ubuntu.com/ubuntu/pool/universe/c/cups/cupsys-common_1.3.9-2ubuntu9.1_all.deb
Size/MD5: 4520 003e453bfe030642881f1e1da8e8584f
http://security.ubuntu.com/ubuntu/pool/universe/c/cups/libcupsys2_1.3.9-2ubuntu9.1_all.deb
Size/MD5: 58152 0b2a967c1c2d5df741dbc2cb52859d30
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu9.1_amd64.deb
Size/MD5: 37292 4f375bc9f49b9da0f73c275457f55d12
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-client_1.3.9-2ubuntu9.1_amd64.deb
Size/MD5: 119760 dd3a1aecde95717fa7e851109a354bee
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu9.1_amd64.deb
Size/MD5: 1682898 c26be549839e7a4d248d9522c054bc6b
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu9.1_amd64.deb
Size/MD5: 2172590 1d404942c1d17c04bf41d35eff3d8659
http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu9.1_amd64.deb
Size/MD5: 352194 b9e04638f374857a50fd77b7a2520959
http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2_1.3.9-2ubuntu9.1_amd64.deb
Size/MD5: 173228 28eaba2dd6122d89950208f2116b7c70
http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu9.1_amd64.deb
Size/MD5: 61314 d13070d0b0f8b825b1b609edee2db1ad
http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu9.1_amd64.deb
Size/MD5: 52320 4e1d19899e19d6a758650e0c10f11ef6
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu9.1_i386.deb
Size/MD5: 36218 187077786460ee74332852f687994c6c
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-client_1.3.9-2ubuntu9.1_i386.deb
Size/MD5: 115352 7b495d086a4c343de6c82a5698a2a4c5
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu9.1_i386.deb
Size/MD5: 1542692 01760cc4d1982888060b395cc7be029a
http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu9.1_i386.deb
Size/MD5: 2139192 8afc727936869202f341828303335278
http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu9.1_i386.deb
Size/MD5: 346006 dbde71f046951a7659f74f525cbffcc9
http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2_1.3.9-2ubuntu9.1_i386.deb
Size/MD5: 170132 ef65c06e253fff0abcfd65d2f5a31fcd
http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu9.1_i386.deb
Size/MD5: 60544 25f1d4abca846b06e069454f6f3a8466
http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu9.1_i386.deb
Size/MD5: 51722 4ef5ec5cbadf9e1cc79382ffa26c810b
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu9.1_lpia.deb
Size/MD5: 36018 cbc15f20819738099ed26fe7997bcf8d
http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-2ubuntu9.1_lpia.deb
Size/MD5: 114518 394dd8bd72ac9c8a3c9ce4e5c6cedeaf
http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu9.1_lpia.deb
Size/MD5: 1571906 54f0843c55f62fb00ad3e710fe3d6ff1
http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-2ubuntu9.1_lpia.deb
Size/MD5: 2135902 703e6bcb8a0735a384f9aa181ddddec4
http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu9.1_lpia.deb
Size/MD5: 342974 e2f3b8d7bf11cc54b2436f7e842ca7b3
http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-2ubuntu9.1_lpia.deb
Size/MD5: 168386 adf813126a00c802b60370eddb88de38
http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu9.1_lpia.deb
Size/MD5: 60628 20d3b236b59bef41128e3fb5d1c27287
http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu9.1_lpia.deb
Size/MD5: 52386 3f15a37be429e4d207a4c162c84dcb00
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu9.1_powerpc.deb
Size/MD5: 43568 9447909b62f47aacdd592ac8996dfea3
http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-2ubuntu9.1_powerpc.deb
Size/MD5: 138180 6c28c85aa26294fedcc004029523fcae
http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu9.1_powerpc.deb
Size/MD5: 1663524 93c53f6575c0ca8dcc0afa4d095692f4
http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-2ubuntu9.1_powerpc.deb
Size/MD5: 2264202 1fed9199064dc8410f81cc8907b704ef
http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu9.1_powerpc.deb
Size/MD5: 347976 96fd20205d93eea2548bca83b908d113
http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-2ubuntu9.1_powerpc.deb
Size/MD5: 177408 4261b533aea5c6182ea7691213679598
http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu9.1_powerpc.deb
Size/MD5: 61260 2d4d1ba36a6de1902218026e64318d6b
http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu9.1_powerpc.deb
Size/MD5: 57450 2a2998fa82b1fe1ee96e611c4c77206b
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu9.1_sparc.deb
Size/MD5: 37224 cdbc38869242424d8124616e056dfa66
http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-2ubuntu9.1_sparc.deb
Size/MD5: 117622 7bc46aecb0b89365862dc7258d930581
http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu9.1_sparc.deb
Size/MD5: 1490668 5381f6465bd5613250cb5c23bb05859d
http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-2ubuntu9.1_sparc.deb
Size/MD5: 2200926 ec86a228dd8ae2bcdc90ce2ad895bf0c
http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu9.1_sparc.deb
Size/MD5: 344786 b43662d38ca8476b6144b234a963da8a
http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-2ubuntu9.1_sparc.deb
Size/MD5: 166278 eb5036c2b7a964e51a33bdb8277792dc
http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu9.1_sparc.deb
Size/MD5: 57862 40e5cd934bdba9782656bfcf4e1b7fa9
http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu9.1_sparc.deb
Size/MD5: 49794 ea8318bcbe30647f312d2d997a847936
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200904-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: CUPS: Multiple vulnerabilities
Date: April 23, 2009
Bugs: #263070
ID: 200904-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple errors in CUPS might allow for the remote execution of
arbitrary code or DNS rebinding attacks.
Background
==========
CUPS, the Common Unix Printing System, is a full-featured print server.
* Aaron Siegel of Apple Product Security reported that the CUPS web
interface does not verify the content of the "Host" HTTP header
properly (CVE-2009-0164).
* Braden Thomas and Drew Yao of Apple Product Security reported that
CUPS is vulnerable to CVE-2009-0146, CVE-2009-0147 and CVE-2009-0166,
found earlier in xpdf and poppler. Furthermore, the web
interface could be used to conduct DNS rebinding attacks.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All CUPS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-1.3.10"
References
==========
[ 1 ] CVE-2009-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
[ 2 ] CVE-2009-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
[ 3 ] CVE-2009-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163
[ 4 ] CVE-2009-0164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0164
[ 5 ] CVE-2009-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200904-20.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-200904-0798 | CVE-2009-1181 | Xpdf and poppler contain multiple vulnerabilities in the processing of JBIG2 data |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference. Xpdf and poppler contain multiple vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. NOTE: some of these details are obtained
from third party information. NOTE: this issue reportedly exists
because of an incomplete fix for CVE-2009-1188 (CVE-2009-3603). NOTE: this may overlap CVE-2009-0791
(CVE-2009-3605). NOTE:
some of these details are obtained from third party information
(CVE-2009-3607).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3603
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3604
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3938
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
783eaf3485f688288f070f1a9f911c4d mes5/i586/libpoppler3-0.8.7-2.5mdvmes5.2.i586.rpm
bd06380ed4b45d450389d1770276dccc mes5/i586/libpoppler-devel-0.8.7-2.5mdvmes5.2.i586.rpm
e1945537640307b76bcad253ebb73854 mes5/i586/libpoppler-glib3-0.8.7-2.5mdvmes5.2.i586.rpm
ff93afd4e687dfb8062360f7f7bfd347 mes5/i586/libpoppler-glib-devel-0.8.7-2.5mdvmes5.2.i586.rpm
7f7c3ea25304806c37306ed4f27335e8 mes5/i586/libpoppler-qt2-0.8.7-2.5mdvmes5.2.i586.rpm
ef9780095457b8efb52e961720c58052 mes5/i586/libpoppler-qt4-3-0.8.7-2.5mdvmes5.2.i586.rpm
d9080de0f92bb36a34ad010fe2ad2a4c mes5/i586/libpoppler-qt4-devel-0.8.7-2.5mdvmes5.2.i586.rpm
3d9d5d68cfdb63ff2668040fb0fd0e93 mes5/i586/libpoppler-qt-devel-0.8.7-2.5mdvmes5.2.i586.rpm
ff2f445d1e3942039c5f9b326c64b5e3 mes5/i586/poppler-0.8.7-2.5mdvmes5.2.i586.rpm
29cce020068d6ca7a651a273f9cf8595 mes5/SRPMS/poppler-0.8.7-2.5mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
e534d6c09ebffd8e9a4f85cb35e15947 mes5/x86_64/lib64poppler3-0.8.7-2.5mdvmes5.2.x86_64.rpm
d71984d177742a10af4168adae141357 mes5/x86_64/lib64poppler-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
709c2fb028305c6038da922d4385a44b mes5/x86_64/lib64poppler-glib3-0.8.7-2.5mdvmes5.2.x86_64.rpm
46bf6bf33ab672b333d52078b37e3bf0 mes5/x86_64/lib64poppler-glib-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
bed66c55ec459b0a845ea4f0adf69c6f mes5/x86_64/lib64poppler-qt2-0.8.7-2.5mdvmes5.2.x86_64.rpm
bfdb0391cff52b910302f6c272223393 mes5/x86_64/lib64poppler-qt4-3-0.8.7-2.5mdvmes5.2.x86_64.rpm
6b0ec4b64459cdf517499703ebd21532 mes5/x86_64/lib64poppler-qt4-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
3f7f2f03348fa025df99564e5cf15665 mes5/x86_64/lib64poppler-qt-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
01bf66ad02b533cf4b6141058df40b62 mes5/x86_64/poppler-0.8.7-2.5mdvmes5.2.x86_64.rpm
29cce020068d6ca7a651a273f9cf8595 mes5/SRPMS/poppler-0.8.7-2.5mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: cups
Announcement ID: SUSE-SA:2009:024
Date: Wed, 22 Apr 2009 13:00:00 +0000
Affected Products: openSUSE 10.3
openSUSE 11.0
openSUSE 11.1
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP2
SUSE Linux Enterprise Server 10 SP2
SLE 11
Vulnerability Type: remote code execution
Severity (1-10): 8 (critical)
SUSE Default Package: yes
Cross-References: CVE-2009-0146, CVE-2009-0147, CVE-2009-0163
CVE-2009-0165, CVE-2009-0166, CVE-2009-0799
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180
CVE-2009-1181, CVE-2009-1182, CVE-2009-1183
Content of This Advisory:
1) Security Vulnerability Resolved:
fixed remotely exploitable overflows
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The Common Unix Printing System, CUPS, is a printing server for unix-like
operating systems. It allows a local user to print documents as well as
remote users via port 631/tcp.
There were two security vulnerabilities fixed in cups.
The first one can be triggered by a specially crafted tiff file. This
file could lead to an integer overflow in the 'imagetops' filter which
caused an heap overflow later.
This bug is probably exploitable remotely by users having remote access
to the CUPS server and allows the execution of arbitrary code with the
privileges of the cupsd process. (CVE-2009-0163)
The second issue affects the JBIG2 decoding of the 'pdftops' filter.
The JBIG2 decoding routines are vulnerable to various software failure
types like integer and buffer overflows and it is believed to be exploit-
able remotely to execute arbitrary code with the privileges of the cupsd
process.
(CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181, CVE-2009-1182,
CVE-2009-1183)
2) Solution or Work-Around
none
3) Special Instructions and Notes
none
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/i586/cups-debuginfo-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/debug/update/11.1/rpm/i586/cups-debugsource-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-client-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-devel-1.3.9-7.2.1.i586.rpm
http://download.opensuse.org/update/11.1/rpm/i586/cups-libs-1.3.9-7.2.1.i586.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/i586/cups-debuginfo-1.3.7-25.8.i586.rpm
http://download.opensuse.org/debug/update/11.0/rpm/i586/cups-debugsource-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-client-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-devel-1.3.7-25.8.i586.rpm
http://download.opensuse.org/update/11.0/rpm/i586/cups-libs-1.3.7-25.8.i586.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/i586/cups-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-client-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-devel-1.2.12-22.21.i586.rpm
http://download.opensuse.org/update/10.3/rpm/i586/cups-libs-1.2.12-22.21.i586.rpm
Power PC Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/ppc/cups-debuginfo-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/debug/update/11.1/rpm/ppc/cups-debugsource-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-client-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-devel-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-libs-1.3.9-7.2.1.ppc.rpm
http://download.opensuse.org/update/11.1/rpm/ppc/cups-libs-64bit-1.3.9-7.2.1.ppc.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/ppc/cups-debuginfo-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/debug/update/11.0/rpm/ppc/cups-debugsource-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-client-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-devel-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-libs-1.3.7-25.8.ppc.rpm
http://download.opensuse.org/update/11.0/rpm/ppc/cups-libs-64bit-1.3.7-25.8.ppc.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/ppc/cups-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-client-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-devel-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-libs-1.2.12-22.21.ppc.rpm
http://download.opensuse.org/update/10.3/rpm/ppc/cups-libs-64bit-1.2.12-22.21.ppc.rpm
x86-64 Platform:
openSUSE 11.1:
http://download.opensuse.org/debug/update/11.1/rpm/x86_64/cups-debuginfo-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/debug/update/11.1/rpm/x86_64/cups-debugsource-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-client-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-devel-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-libs-1.3.9-7.2.1.x86_64.rpm
http://download.opensuse.org/update/11.1/rpm/x86_64/cups-libs-32bit-1.3.9-7.2.1.x86_64.rpm
openSUSE 11.0:
http://download.opensuse.org/debug/update/11.0/rpm/x86_64/cups-debuginfo-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/debug/update/11.0/rpm/x86_64/cups-debugsource-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-client-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-devel-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-libs-1.3.7-25.8.x86_64.rpm
http://download.opensuse.org/update/11.0/rpm/x86_64/cups-libs-32bit-1.3.7-25.8.x86_64.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-client-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-devel-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-libs-1.2.12-22.21.x86_64.rpm
http://download.opensuse.org/update/10.3/rpm/x86_64/cups-libs-32bit-1.2.12-22.21.x86_64.rpm
Sources:
openSUSE 11.1:
http://download.opensuse.org/update/11.1/rpm/src/cups-1.3.9-7.2.1.src.rpm
openSUSE 11.0:
http://download.opensuse.org/update/11.0/rpm/src/cups-1.3.7-25.8.src.rpm
openSUSE 10.3:
http://download.opensuse.org/update/10.3/rpm/src/cups-1.2.12-22.21.src.rpm
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
Open Enterprise Server
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
Novell Linux POS 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
Novell Linux Desktop 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
SUSE SLES 9
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=403675f837530f047eb825dcb7428cf3
SUSE Linux Enterprise Server 10 SP2
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=a777264f13a7d9d882a7d024d831be1f
SUSE Linux Enterprise Desktop 10 SP2
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=a777264f13a7d9d882a7d024d831be1f
SLES 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLED 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLE 11
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
SLES 11 DEBUGINFO
http://download.novell.com/index.jsp?search=Search&set_restricted=true&keywords=22d7a0746f9c204f5ecc1395385739f7
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
=====================================================================
SUSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSe8qrney5gA9JdPZAQI4aQf/e938Hr+O1QYi9y5cm9ycOcaFHWx0oZED
yyOc4lUYZrb7qjmErPHfpoMR9c2XZlmESwKY0RZjddxe+vINDrOcMuI4nrp12ObP
uYvSAAz3xgpXzVtW5B/90ihHJAqHAnwOsdO8adt6PtKCt7T2gMPuQV0RSz3BRy//
qtBHDNyTBRPK7ex/YKUyQAbNENQUa3r9BaHpTHWjscfCoQch4Wz5hmLKv/n7eYdj
CFetsr6zu3hn3isKD8EPTIMbkpaYBMxp53UnNiRmVRy0Gb7zlBz5ByYQaYY+YKf/
OZ+ZHRTuDsNbAT03QtkvML3yqr3Yobb39DFa+cSsH2c9xTdwWdzSAg==
=ZnS5
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ===========================================================
Ubuntu Security Notice USN-973-1 August 17, 2010
koffice vulnerabilities
CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166,
CVE-2009-0195, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179,
CVE-2009-1180, CVE-2009-1181, CVE-2009-3606, CVE-2009-3608,
CVE-2009-3609
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.04:
kword 1:1.6.3-7ubuntu6.1
In general, a standard system update will make all the necessary changes.
Details follow:
Will Dormann, Alin Rad Pop, Braden Thomas, and Drew Yao discovered that the
Xpdf used in KOffice contained multiple security issues in its JBIG2
decoder. (CVE-2009-0146,
CVE-2009-0147, CVE-2009-0166, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179,
CVE-2009-1180, CVE-2009-1181)
It was discovered that the Xpdf used in KOffice contained multiple security
issues when parsing malformed PDF documents. (CVE-2009-3606, CVE-2009-3608, CVE-2009-3609)
KOffice in Ubuntu 9.04 uses a very old version of Xpdf to import PDFs into
KWord. Upstream KDE no longer supports PDF import in KOffice and as a
result it was dropped in Ubuntu 9.10. While an attempt was made to fix the
above issues, the maintenance burden for supporting this very old version
of Xpdf outweighed its utility, and PDF import is now also disabled in
Ubuntu 9.04.
Additionally the kdegraphics package was rebuild to make
kdegraphics-kpdf link correctly to the new poppler libraries and are
also provided. Xpdf is an open source viewer for Portable Document Format (PDF) files. A null pointer dereference vulnerability exists in Xpdf's JBIG2 decoder.
This update provides fixes for that vulnerabilities. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Poppler: Multiple vulnerabilities
Date: October 06, 2013
Bugs: #263028, #290430, #290464, #308017, #338878, #352581,
#459866, #480366
ID: 201310-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Poppler, some of which may
allow execution of arbitrary code.
Background
==========
Poppler is a cross-platform PDF rendering library originally based on
Xpdf.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/poppler < 0.22.2-r1 >= 0.22.2-r1
Description
===========
Multiple vulnerabilities have been discovered in Poppler. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Poppler users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.22.2-r1"
References
==========
[ 1 ] CVE-2009-0146
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0146
[ 2 ] CVE-2009-0147
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0147
[ 3 ] CVE-2009-0165
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0165
[ 4 ] CVE-2009-0166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0166
[ 5 ] CVE-2009-0195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0195
[ 6 ] CVE-2009-0799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0799
[ 7 ] CVE-2009-0800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0800
[ 8 ] CVE-2009-1179
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1179
[ 9 ] CVE-2009-1180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1180
[ 10 ] CVE-2009-1181
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1181
[ 11 ] CVE-2009-1182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1182
[ 12 ] CVE-2009-1183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1183
[ 13 ] CVE-2009-1187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1187
[ 14 ] CVE-2009-1188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1188
[ 15 ] CVE-2009-3603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3603
[ 16 ] CVE-2009-3604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3604
[ 17 ] CVE-2009-3605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3605
[ 18 ] CVE-2009-3606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3606
[ 19 ] CVE-2009-3607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3607
[ 20 ] CVE-2009-3608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3608
[ 21 ] CVE-2009-3609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3609
[ 22 ] CVE-2009-3938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3938
[ 23 ] CVE-2010-3702
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3702
[ 24 ] CVE-2010-3703
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3703
[ 25 ] CVE-2010-3704
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3704
[ 26 ] CVE-2010-4653
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4653
[ 27 ] CVE-2010-4654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4654
[ 28 ] CVE-2012-2142
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2142
[ 29 ] CVE-2013-1788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1788
[ 30 ] CVE-2013-1789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1789
[ 31 ] CVE-2013-1790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1790
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
For the old stable distribution (etch), these problems have been fixed in version
3.01-9.1+etch6.
For the stable distribution (lenny), these problems have been fixed in version
3.02-1.4+lenny1.
For the unstable distribution (sid), these problems will be fixed in a
forthcoming version.
We recommend that you upgrade your xpdf packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6.dsc
Size/MD5 checksum: 974 9c04059981f8b036d7e6e39c7f0aeb21
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6.diff.gz
Size/MD5 checksum: 46835 c69a67b9ff487403e7c3ff819c6ff734
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01.orig.tar.gz
Size/MD5 checksum: 599778 e004c69c7dddef165d768b1362b44268
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.01-9.1+etch6_all.deb
Size/MD5 checksum: 62834 dd8f37161c3b2430cb1cd65c911e9f86
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9.1+etch6_all.deb
Size/MD5 checksum: 1278 d6da8e00b02ab3f17ec44b90fff6bb30
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_alpha.deb
Size/MD5 checksum: 920352 83b7d74d9ebae9b26da91de7c91d3502
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_alpha.deb
Size/MD5 checksum: 1687294 9862913548fff9bfda37a6fe075df5b0
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_amd64.deb
Size/MD5 checksum: 809202 171520d7642019943bfe7166876f5da5
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_amd64.deb
Size/MD5 checksum: 1493308 9575f135e9ec312f9e6d7d2517dd8f5b
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_arm.deb
Size/MD5 checksum: 803714 6db06ffcba7f6d7576ed356e7989557d
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_arm.deb
Size/MD5 checksum: 1468616 9afde01dda379acd4e7edfbccc7c7b2d
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_hppa.deb
Size/MD5 checksum: 1773794 c9012a9d3919ec40dcea1264ac27a6fe
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_hppa.deb
Size/MD5 checksum: 963060 565daaf6f15ff7593d560ef7a2f94364
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_i386.deb
Size/MD5 checksum: 796992 5270bef04f1c2e924b813dffe6050d89
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_i386.deb
Size/MD5 checksum: 1458826 b2f3cbaac0ffcce0bb8d7e656bf11b02
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_ia64.deb
Size/MD5 checksum: 1217142 afeaf9bfc66ebb69767703bfb30bbd4c
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_ia64.deb
Size/MD5 checksum: 2218472 6545e9b6f58a84c0daa76baa8a0db629
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_mipsel.deb
Size/MD5 checksum: 946638 5323268be89e54c5c8eb7ae13f0eab14
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_mipsel.deb
Size/MD5 checksum: 1721268 0b710c0bcc6ffefe29f683ab09d3cbe8
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_powerpc.deb
Size/MD5 checksum: 1554798 eadd6236b778761086d436dd8db986e4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_powerpc.deb
Size/MD5 checksum: 849204 d22f5d59f03d6484e149d7536a25a517
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_s390.deb
Size/MD5 checksum: 1401814 0e3f588c64e8fa9a102ebcae29c4d807
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_s390.deb
Size/MD5 checksum: 767392 4b7c1a868f2f909c2dce25087da77817
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_sparc.deb
Size/MD5 checksum: 1394680 8b17e2339e2a908a610271eb678495b1
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_sparc.deb
Size/MD5 checksum: 763618 f3897333018702ee926e41ca5f58dc92
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1.dsc
Size/MD5 checksum: 1266 faeebc4dfc74129ca708a6345bb483f7
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02.orig.tar.gz
Size/MD5 checksum: 674912 599dc4cc65a07ee868cf92a667a913d2
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1.diff.gz
Size/MD5 checksum: 42280 362f72e95494f51a19eeb898b9a527ac
Architecture independent packages:
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.02-1.4+lenny1_all.deb
Size/MD5 checksum: 67664 b5f063bf32cbeaf1aaeec315dc8aff0a
http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny1_all.deb
Size/MD5 checksum: 1268 f67780458dac3c38cd59bfde186f9a3b
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_alpha.deb
Size/MD5 checksum: 1896344 f65f591413c25a23ea2aaccba2b5b634
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_alpha.deb
Size/MD5 checksum: 1018434 cb679c93bbc428ea852bd4ef3103e42d
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_amd64.deb
Size/MD5 checksum: 1709514 1e1277251a6dd0bb0a551997efd39175
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_amd64.deb
Size/MD5 checksum: 921892 fb7de1db5e3885365c3ad74c3646ab57
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_arm.deb
Size/MD5 checksum: 1667088 58ddefe40598d6fe4a5016145163ef45
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_arm.deb
Size/MD5 checksum: 907908 881594298fe547cefa3d528c519d369f
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_armel.deb
Size/MD5 checksum: 886242 51d55f7c4de41c5d4051f41fde9b7389
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_armel.deb
Size/MD5 checksum: 1602392 bc996edfad6d1995cb4ef2f4c7760b51
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_hppa.deb
Size/MD5 checksum: 1076286 fa3ac4a1001abf3e892bb1397b06ff17
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_hppa.deb
Size/MD5 checksum: 1985520 e95263d094e2c8d6aa72ee1edb9105f3
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_i386.deb
Size/MD5 checksum: 876656 441042932886fa29adae731338f6b5bd
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_i386.deb
Size/MD5 checksum: 1611730 52516381da25dbb0c1145e2b7cdf692a
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_ia64.deb
Size/MD5 checksum: 1380222 0ffaee560534c9d69df433340679c8fc
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_ia64.deb
Size/MD5 checksum: 2519970 eb4f4e5c173557fa8ae713f123cbb193
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_mips.deb
Size/MD5 checksum: 1894924 58b336b114ef5c8fb9fc6244411b4cf4
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_mips.deb
Size/MD5 checksum: 1040834 ae8ed06ea2ed07e3a064c6bd28e80933
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_mipsel.deb
Size/MD5 checksum: 1026954 eac8167230b8fa208cdbc5b196f0c624
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_mipsel.deb
Size/MD5 checksum: 1872050 8f2e99ce5a102d099ba22543f246d5bd
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_powerpc.deb
Size/MD5 checksum: 1788584 7d1466cc8770bd92f299c1cc772f64e7
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_powerpc.deb
Size/MD5 checksum: 968838 7cc8568d6b74348300066e42b27f90c2
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_s390.deb
Size/MD5 checksum: 871666 1dde93a4cc0a28b90f92c05f0d181079
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_s390.deb
Size/MD5 checksum: 1598270 201ad07e4853843dce22f22daa41fd35
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_sparc.deb
Size/MD5 checksum: 863662 446f2d8fe6483d3741648c4db1ff5b82
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_sparc.deb
Size/MD5 checksum: 1586262 52861c00f406c35db8a6e6f3269cc37d
These files will probably be moved into the stable distribution on
its next update. (CVE-2009-0165)