[ddh-sys] apt-listchanges: changelogs for less

root root op ddh.nl
Za Dec 12 19:29:54 CET 2009

apache2 (2.2.9-10+lenny6) stable-security; urgency=high

  * Security:
    - Reject any client-initiated SSL/TLS renegotiations. This is a partial fix
      for the TLS renegotiation prefix injection attack (CVE-2009-3555).
      Any configuration which requires renegotiation for per-directory/location
      access control or uses "SSLVerifyClient optional" is still vulnerable.

 -- Stefan Fritsch <sf op debian.org>  Sat, 14 Nov 2009 21:10:47 +0100

apache2 (2.2.9-10+lenny5) stable; urgency=low

  * Minor security fixes in mod_proxy_ftp (closes: #545951):
    - DoS by malicious ftp server (CVE-2009-3094)
    - missing input sanitization: a user could execute arbitrary ftp commands
      on the backend ftp server (CVE-2009-3095)
  * Fix segfault in legacy ap_r* API which is triggered more often since
    the fix for CVE-2009-1891 was applied (closes: #537665).
  * Take care to not override existing index.shtml files when upgrading from
    before 2.2.8-1 (closes: #517089).
  * mod_deflate: Fix invalid etag to be emitted for on-the-fly gzip
    content-encoding. This prevented apache from sending "304 NOT MODIFIED"
    responses for compressed content.
  * mod_rewrite: Fix "B" flag breakage (closes: #524268)
  * Properly declare that apache2-suexec* replace files in old versions of
    apache2.2-common (closes: #528951).
  * Remove other_vhosts_access.log on package purge.

 -- Stefan Fritsch <sf op debian.org>  Mon, 05 Oct 2009 19:07:08 +0200

cups (1.3.8-1+lenny7) stable-security; urgency=high

  * Non-maintainer upload by the security team
  * Fix several XSS issues in the CUPS admin web interface
    Fixes: CVE-2009-2820
    Thanks to Aaron Sigel and Marc Deslauriers

 -- Steffen Joeris <white op debian.org>  Fri, 06 Nov 2009 12:40:48 +1100

gnutls26 (2.4.2-6+lenny2) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2009-2730: a vulnerability related to NUL bytes in X.509
    certificate name fields. (Closes: #541439) GNUTLS-SA-2009-4

 -- Giuseppe Iuculano <iuculano op debian.org>  Sun, 01 Nov 2009 21:29:06 +0100

libgd2 (2.0.36~rc1~dfsg-3+lenny1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2009-3546: possible buffer overflow or buffer over-read attacks
    via crafted files (Closes: #552534)

 -- Giuseppe Iuculano <iuculano op debian.org>  Mon, 09 Nov 2009 21:46:06 +0100

ntp (1:4.2.4p4+dfsg-8lenny3) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Do not acknowledge incorrect mode 7 requests or mode 7 error responses
    anymore as well as adding a wait timer for logging as this might result
    in severe DoS and request/response ping-pong on spoofed source addresses

 -- Nico Golde <nion op debian.org>  Sun, 22 Nov 2009 16:02:57 +0000

openldap (2.4.11-1+lenny1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2009-3767: libraries/libldap/tls_o.c doesn't properly handle NULL
    character in subject Common Name (Closes: #553432)

 -- Giuseppe Iuculano <iuculano op debian.org>  Mon, 16 Nov 2009 17:37:17 +0100

php5 (5.2.6.dfsg.1-1+lenny4) stable-security; urgency=high

  * CVE-2009-2687: DoS via malformed JPEG images with invalid offset fields
      (Closes: #535888)
  * CVE-2009-2626: remote memory disclosure via ini_* functions
      (Closes: #540605)
  * CVE-2009-3292: multiple missing checks processing exif image data
  * CVE-2009-3291: improper handling of nul character in CommonName fields
      of X509 certificates
  * max_file_uploads: prevent, by limiting, temporary files exhaustion DoS
  * Add an entry to debian/NEWS about the new per-request file uploads limit

 -- Raphael Geissert <geissert op debian.org>  Sat, 21 Nov 2009 18:28:12 -0600

More information about the ddh-sys mailing list