The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.


Lynx 2.7.1 CERT alert



>
>                    Debian GNU/Linux - Security Information
>     _________________________________________________________________
>   
>   Debian takes security very seriously. Most security problems brought
>   to our attention are corrected within 48 hours.
>   
>   Experience has shown that "security through obscurity" does not work.
>   Public disclosure allows for more rapid and better solutions to
>   security problems. In that vein, this page addresses Debian's status
>   with respect to various known security holes, which could potentially
>   affect Debian. They are shown roughly in reverse chronological order.
>   The ChangeLog for Debian 1.3 has more information on fixes to the
>   stable distribution.
>   
>   Please send security-related bug reports to security@debian.org
>     _________________________________________________________________
>   
>   Brief description:
>          libdb includes version of snprintf function with bound checking
>          disabled.
>          
>   Vulnerable:
>          Yes
>          
>   Fixed in:
>          libdb 1.85.4-4, available in Incoming.
>     _________________________________________________________________
>   
>   Brief description:
>          Vulnerability in XFree86
>          
>   Vulnerable:
>          Yes
>          
>   Fixed in:
>          xfree86 3.3. Debian 1.3.1, released July 2, has this package.
>     _________________________________________________________________
>   
>   Brief description:
>          Vulnerability in elm
>          
>   Vulnerable:
>          Yes
>          
>   Fixed in:
>          elm-me+ 2.4pl25ME+31-5. Debian 1.3, released June 2, has this
>          package.
>          
>   For more information:
>          Notice
>     _________________________________________________________________
>   
>   Brief description:
>          Buffer overflow in sperl 5.003
>          
>   Vulnerable:
>          Yes
>          
>   Fixed in:
>          perl 5.003.07-10. Debian 1.2.11, released Apr 22, has this
>          package.
>          
>   For more information:
>          BugTraq
>     _________________________________________________________________
>   
>   Brief description:
>          There is a vulnerability in PHP/FI, a NCSA httpd cgi enhancement
>          
>   Vulnerable:
>          Yes
>          
>   Fixed in:
>          php 2.0b10-4. Debian 1.2 does not have php, so this package is
>          only in the unstable distribution.
>          
>   For more information:
>          BugTraq
>     _________________________________________________________________
>   
>   Brief description:
>          It may be possible to make metamail execute arbitrary commands
>          
>   Vulnerable:
>          No, Debian's metamail uses a safe bourne shell script
>          
>   For more information:
>          Alan Cox
>     _________________________________________________________________
>   
>   Brief description:
>          amd ignores nodev option
>          
>   Vulnerable:
>          Yes
>          
>   Fixed in:
>          upl 102-11. Debian 1.2.10, released Apr 16, has this package.
>          
>   For more information:
>          Linux-security
>     _________________________________________________________________
>   
>   Brief description:
>          inetd passes privileged groups on to subprocesses
>          
>   Vulnerable:
>          Yes
>          
>   Fixed in:
>          netbase 2.11-1
>          
>   For more information:
>          BugTraq
>     _________________________________________________________________
>   
>   Brief description:
>          tftpd allows retrieval of files with ".." in their path
>          
>   Vulnerable:
>          No
>          
>   For more information:
>          linux-security
>     _________________________________________________________________
>   
>   Brief description:
>          sendmail 8.8.5 follows hardlinks when writing
>          /var/tmp/dead.letter
>          
>   Vulnerable:
>          Yes, but sendmail is not installed by default
>          
>   For more information:
>          BugTraq
>     _________________________________________________________________
>   
>   Brief description:
>          SuperProbe (of XFree86) contains a number of buffer overflows
>          
>   Vulnerable:
>          No. SuperProbe is not setuid in Debian.
>          
>   For more information:
>          BugTraq
>     _________________________________________________________________
>   
>   Brief description:
>          The imapd, pop2d and pop3d servers allow remote,
>          unauthenticated root access.
>          
>   Vulnerable:
>          No.
>          
>   For more information:
>          BugTraq
>     _________________________________________________________________
>   
>   Brief description:
>          The "screen" program overflows when copying the gcos field.
>          
>   Vulnerable:
>          The overflow exists, but screen surrenders its root privileges
>          before the faulty code is executed.
>          
>   For more information:
>          BugTraq
>     _________________________________________________________________
>   
>   Brief description:
>          INN 1.5 parsecontrol
>          
>   Vulnerable:
>          
>        x86:
>                No.
>                
>        m68k:
>                No.
>                
>        Others:
>                Package not provided.
>                
>   For more information:
>          Nothing yet.
>     _________________________________________________________________
>   
>   Brief description:
>          NLSPATH buffer overflow
>          
>   Vulnerable:
>          Release 1.2 and up are not vulnerable.
>          
>   For more information:
>          BugTraq
>     _________________________________________________________________
>   
>   Brief description:
>          standard buffer overrun(s) in minicom
>          
>   Vulnerable:
>          No, minicom is not setuid or setgid.
>          
>   For more information:
>          BugTraq
>     _________________________________________________________________
>   
>   Brief description:
>          doom startmouse creates replaceable /tmp/gpmscript
>          
>   Vulnerable:
>          No, Debian has no doom package.
>          
>   For more information:
>          Alan Cox
>     _________________________________________________________________
>   
>   Brief description:
>          user X startup scripts sometimes create exploitable file in
>          /tmp
>          
>   Vulnerable:
>          No
>          
>   For more information:
>          Alan Cox
>     _________________________________________________________________
>   
>   Brief description:
>          rlogin doesn't check $TERM's length.
>          
>   Vulnerable:
>          Fixed in 1.2.7.
>          
>   For more information:
>          CERT
>     _________________________________________________________________
>   
>   Brief description:
>          bliss virus
>          
>   Vulnerable:
>          Yes, but easy to disinfect with the
>          --bliss-uninfect-files-please argument to an infected program.
>          
>   For more information:
>          Try the BugTraq archives.
>     _________________________________________________________________
>   
>   Brief description:
>          GNU tar sometimes unintentionally creates setuid-root
>          executables.
>          
>   Vulnerable:
>          Not by default - but if the "nobody" user has uid 65535, yes.
>          
>   For more information:
>          Try the BugTraq archives.
>     _________________________________________________________________
>   
>   Brief description:
>          talkd does not check hostname length
>          
>   Vulnerable:
>          Fixed in 1.2.7.
>          
>   For more information:
>          CERT
>          
>   Back to the Debian GNU/Linux homepage.
>     _________________________________________________________________
>   
>   Please send questions and inquiries to debian@debian.org.
>   Please send comments on these webpages to webmaster@debian.org.
>   
>   Last Modified: 2 Jun 1997. Copyright ©1997 SPI; See license terms.
>     _________________________________________________________________


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .
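The tftpd entry in the quoted page ("allows retrieval of files with ".." in their path") is the classic path-traversal check. The following is an added example, not Debian's or any tftpd's own code, of how a server should validate a client-supplied filename before opening it: refuse absolute names and any ".." path component, then build the path under a fixed root. The root directory name and the function name are assumptions made for the example. The check is done per component rather than with strstr(req, ".."), so a file whose name merely contains two dots ("..config") is still served. Component filtering alone does not stop a symlink inside the served tree from pointing outside it; running the daemon chrooted into the served directory (as BSD tftpd's secure mode does) is the belt-and-braces measure that this check complements.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Directory the server is allowed to hand out files from (assumed name). */
#define TFTP_ROOT "/tftpboot"

/* Validate a client-supplied TFTP filename and build the full path.
 * Returns 1 and fills `out` when `req` is a relative name with no ".."
 * component; returns 0 otherwise, in which case `out` must not be used.
 * The test is per path component, so a file literally called "..config"
 * is still served, unlike a naive strstr(req, "..") check. */
int tftp_path_ok(const char *req, char *out, size_t outsz)
{
    const char *p;
    int n;

    if (req == NULL || *req == '\0' || *req == '/')
        return 0;                        /* empty or absolute: refuse */

    for (p = req; ; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                    /* ".." component: refuse */
        if (slash == NULL)
            break;
        p = slash + 1;
    }

    n = snprintf(out, outsz, "%s/%s", TFTP_ROOT, req);
    if (n < 0 || (size_t)n >= outsz)
        return 0;                        /* would be truncated: refuse, do not guess */
    return 1;
}

int main(void)
{
    /* Constructed sample requests of the kind a client could send. */
    const char *reqs[] = { "boot/kernel", "../etc/passwd", "/etc/passwd",
                           "boot/../../etc/passwd", "..config" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        if (tftp_path_ok(reqs[i], path, sizeof path))
            printf("%-24s -> %s\n", reqs[i], path);
        else
            printf("%-24s -> REFUSED\n", reqs[i]);
    }
    return 0;
}
```

A request that would not fit in the output buffer is refused outright rather than truncated, since a truncated path would silently name a different file.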
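Several entries in the quoted page are the same defect: a fixed-size buffer filled by an unbounded copy from a string the attacker controls (the screen gcos overflow, rlogin not checking the length of $TERM, talkd not checking the hostname length, and libdb shipping an snprintf with the bound ignored). The block below is an added example, not code from screen or from Debian, using the gcos case because it has the edge that makes a one-off strlen() check insufficient: under the BSD passwd(5) convention a '&' in the gcos field expands to the capitalised login name, so the output can be longer than the input. The vulnerable shape is shown for contrast and is only ever called with a short string; the hardened form checks the bound on every byte written. The function and buffer names are assumptions for the example, and it does not claim that '&' expansion was the exact fault in screen.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (for contrast; main() only feeds it a short string):
 * a fixed buffer and an unbounded strcpy from a field the user sets
 * with chfn(1). A gecos field of 32 bytes or more runs off the end. */
static char name_vuln[32];
static void fullname_unbounded(const char *gecos)
{
    char *c;
    strcpy(name_vuln, gecos);
    if ((c = strchr(name_vuln, ',')) != NULL)
        *c = '\0';
}

/* Hardened form: copy the full-name part of a gecos field (text before the
 * first comma) into `out`, expanding the BSD '&' convention (the login
 * name with its first letter capitalised). Because the expansion can make
 * the result longer than the input, the bound is checked per byte written,
 * not once against strlen(gecos). Returns the length written (without the
 * NUL) or -1 if the result would not fit; `out` is always NUL-terminated
 * and out[outsz-1] is never passed. */
long gecos_fullname(const char *gecos, const char *login,
                    char *out, size_t outsz)
{
    size_t n = 0;
    const char *p;

    if (outsz == 0)
        return -1;
    for (p = gecos; *p != '\0' && *p != ','; p++) {
        if (*p == '&') {
            const char *l;
            for (l = login; *l != '\0'; l++) {
                if (n + 1 >= outsz)
                    goto toolong;
                out[n++] = (l == login) ? (char)toupper((unsigned char)*l) : *l;
            }
        } else {
            if (n + 1 >= outsz)
                goto toolong;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return (long)n;

toolong:
    out[n] = '\0';       /* n < outsz here, so this write is in bounds */
    return -1;
}

int main(void)
{
    /* Constructed gecos values of the kind chfn(1) lets a user store. */
    const char *samples[] = { "Jane Doe,Room 1,555-1212", "& Smith", "&&&&" };
    char buf[16];
    size_t i;

    fullname_unbounded("Short Name,x");
    printf("unbounded copy (short input only): %s\n", name_vuln);

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long len = gecos_fullname(samples[i], "alice", buf, sizeof buf);
        if (len < 0)
            printf("%-26s -> REFUSED (exceeds %zu bytes)\n", samples[i], sizeof buf);
        else
            printf("%-26s -> \"%s\" (%ld bytes)\n", samples[i], buf, len);
    }
    return 0;
}
```

The same shape applies to the $TERM and hostname cases: take the destination size as a parameter, check before each write, and make the caller decide what to do when the input does not fit, rather than truncating silently or trusting the source's length.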