Date: Mon, 29 May 2000 20:33:23 -0700
From: Joey Hess <joey@kitenet.net>
To: lwn@lwn.net
Subject: FWD: security fixes in debian

Most of the items listed on last week's LWN security page are actually
already fixed in Debian, but not announced, because the packages were only
present in our frozen and unstable distributions. (And for other reasons,
about which I will have more to say in this week's Debian Weekly News.)
Here's a summary of what's fixed.

qpopper:
  - Remote shell account hole fixed on the 25th in version 2.53-5.
    http://bugs.debian.org/64649
  - "From " spoofing bug fixed around the 19th in version 2.53-4.
    http://bugs.debian.org/63730

mailman:
  - Vulnerability in the archiver fixed on the 29th in version 1.1-6
    (the fix was backported from 2.0 beta).
    http://bugs.debian.org/64841

dump:
  - Not suid in Debian, so not vulnerable.
    http://www.debian.org/security/2000/20000328

lynx:
  - Version 2.8.3 has been part of Debian since May 1st.
    http://bugs.debian.org/59191

gnapster:
  - Remote users could download arbitrary files. Fixed in version 1.3.3-1
    on April 30th.
    http://bugs.debian.org/63303

openldap:
  - Temporary file races were fixed in version 1.2.10-3 on April 21st.
    http://kitenet.net/doc/libopenldap1/changelog.Debian.gz

gdm:
  - Remote buffer overflow with XDMCP listening enabled. Like everyone
    else, Debian's gdm is not vulnerable by default, and the hole was
    patched in version 2.0-0.beta4.9 on May 10th.
    http://bugs.debian.org/63876

xemacs21:
  - Keystroke sniffing problems were fixed in unstable on April 19th, in
    version 21.1.9-2, and in frozen in version 21.1.10-1 on May 27th.
    http://kitenet.net/doc/xemacs21/changelog.Debian.gz

Thanks,

-- 
see shy jo