[ddh-sys] apt-listchanges: changelogs for less
root
root op ddh.nl
Sat Dec 12 19:29:54 CET 2009
apache2 (2.2.9-10+lenny6) stable-security; urgency=high

  * Security:
    - Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
      for the TLS renegotiation prefix injection attack (CVE-2009-3555).
      Any configuration which requires renegotiation for per-directory/location
      access control or uses "SSLVerifyClient optional" is still vulnerable.

 -- Stefan Fritsch <sf op debian.org>  Sat, 14 Nov 2009 21:10:47 +0100
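
The lenny6 entry above notes that the renegotiation fix is only partial. The following audit script is an added example, not part of the changelog or of the Debian package; it walks an Apache 2.2 configuration and flags the settings the entry calls out as still vulnerable. It assumes (from the mod_ssl documentation, not from this page) that SSLVerifyClient, SSLVerifyDepth and SSLCipherSuite inside a per-directory container are what forces renegotiation, and the sample vhost it scans is constructed.

```python
"""Flag Apache 2.2 mod_ssl settings that still need TLS renegotiation."""
import re

# Directives that force a renegotiation when set inside a per-directory
# container (assumption drawn from the mod_ssl documentation).
RENEG_IN_DIR = {"sslverifyclient", "sslverifydepth", "sslciphersuite"}
CONTAINERS = {"directory", "directorymatch", "location", "locationmatch",
              "files", "filesmatch"}

def find_renegotiation_risks(config_text):
    """Return (line_no, reason) for every directive the lenny6 fix does not cover."""
    findings = []
    depth = 0  # how many per-directory containers enclose the current line
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:
            if tag.group(2).lower() in CONTAINERS:
                depth += -1 if tag.group(1) else 1
            continue
        parts = line.split()
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name == "sslverifyclient" and "optional" in args:
            findings.append((no, "SSLVerifyClient optional"))
        elif depth > 0 and name in RENEG_IN_DIR:
            findings.append((no, f"{parts[0]} in per-directory context"))
    return findings

# Constructed sample vhost; not a real deployment.
SAMPLE_CONFIG = """\
# constructed sample vhost, not a real deployment
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient none
    SSLCipherSuite HIGH:!aNULL
    <Location /secure>
        # client certificate demanded for one path only: renegotiation
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    <Directory /var/www/optional>
        SSLVerifyClient optional
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, reason in find_renegotiation_risks(SAMPLE_CONFIG):
        print(f"line {no}: {reason}")
```

Vhost-level SSLVerifyClient require and SSLCipherSuite are not reported, since they are settled in the initial handshake rather than by a later renegotiation.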

apache2 (2.2.9-10+lenny5) stable; urgency=low

  * Minor security fixes in mod_proxy_ftp (closes: #545951):
    - DoS by malicious ftp server (CVE-2009-3094)
    - missing input sanitization: a user could execute arbitrary ftp commands
      on the backend ftp server (CVE-2009-3095)
  * Fix segfault in legacy ap_r* API which is triggered more often since
    the fix for CVE-2009-1891 was applied (closes: #537665).
  * Take care to not override existing index.shtml files when upgrading from
    before 2.2.8-1 (closes: #517089).
  * mod_deflate: Fix invalid etag to be emitted for on-the-fly gzip
    content-encoding. This prevented apache from sending "304 NOT MODIFIED"
    responses for compressed content.
  * mod_rewrite: Fix "B" flag breakage (closes: #524268)
  * Properly declare that apache2-suexec* replace files in old versions of
    apache2.2-common (closes: #528951).
  * Remove other_vhosts_access.log on package purge.

 -- Stefan Fritsch <sf op debian.org>  Mon, 05 Oct 2009 19:07:08 +0200

cups (1.3.8-1+lenny7) stable-security; urgency=high

  * Non-maintainer upload by the security team
  * Fix several XSS issues in the CUPS admin web interface
    Fixes: CVE-2009-2820
    Thanks to Aaron Sigel and Marc Deslauriers

 -- Steffen Joeris <white op debian.org>  Fri, 06 Nov 2009 12:40:48 +1100

gnutls26 (2.4.2-6+lenny2) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2009-2730: a vulnerability related to NUL bytes in X.509
    certificate name fields. (Closes: #541439) GNUTLS-SA-2009-4

 -- Giuseppe Iuculano <iuculano op debian.org>  Sun, 01 Nov 2009 21:29:06 +0100

libgd2 (2.0.36~rc1~dfsg-3+lenny1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2009-3546: possible buffer overflow or buffer over-read attacks
    via crafted files (Closes: #552534)

 -- Giuseppe Iuculano <iuculano op debian.org>  Mon, 09 Nov 2009 21:46:06 +0100

ntp (1:4.2.4p4+dfsg-8lenny3) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Do not acknowledge incorrect mode 7 requests or mode 7 error responses
    anymore as well as adding a wait timer for logging as this might result
    in severe DoS and request/response ping-pong on spoofed source addresses
    (CVE-2009-3563).

 -- Nico Golde <nion op debian.org>  Sun, 22 Nov 2009 16:02:57 +0000

openldap (2.4.11-1+lenny1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2009-3767: libraries/libldap/tls_o.c doesn't properly handle NULL
    character in subject Common Name (Closes: #553432)

 -- Giuseppe Iuculano <iuculano op debian.org>  Mon, 16 Nov 2009 17:37:17 +0100

php5 (5.2.6.dfsg.1-1+lenny4) stable-security; urgency=high

  * CVE-2009-2687: DoS via malformed JPEG images with invalid offset fields
    (Closes: #535888)
  * CVE-2009-2626: remote memory disclosure via ini_* functions
    (Closes: #540605)
  * CVE-2009-3292: multiple missing checks processing exif image data
  * CVE-2009-3291: improper handling of nul character in CommonName fields
    of X509 certificates
  * max_file_uploads: prevent, by limiting, temporary files exhaustion DoS
  * Add an entry to debian/NEWS about the new per-request file uploads limit

 -- Raphael Geissert <geissert op debian.org>  Sat, 21 Nov 2009 18:28:12 -0600