Debian 10225 Published by

The following two security updates are available for Debian GNU/Linux:

- [DSA-2103-1] New smbind packages fix sql injection
- [DSA-2104-1] New quagga packages fix denial of service



[SECURITY] [DSA-2103-1] New smbind packages fix sql injection
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2103-1 security@debian.org
Debian -- Security Information Giuseppe Iuculano
September 05, 2010 Debian -- Debian security FAQ
- ------------------------------------------------------------------------

Package : smbind
Vulnerability : sql injection
Problem type : remote
Debian-specific: no
CVE ID : none assigned yet

It was discovered that smbind, a PHP-based tool for managing DNS zones
for BIND, does not properly validating input.
An unauthenticated remote attacker could execute arbitrary SQL commands
or gain access to the admin account.

For the stable distribution (lenny), this problem has been fixed in
version 0.4.7-3+lenny1.

For the unstable distribution (sid), this problem has been fixed in
version 0.4.7-5, and will migrate to the testing distribution (squeeze)
shortly.

We recommend that you upgrade your smbind (0.4.7-3+lenny1) package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:


Size/MD5 checksum: 90623 8474d376798773e3fac85564cf6b57cb

Size/MD5 checksum: 12752 d19eaec93f7aec12b7a776d5056ad650

Size/MD5 checksum: 1038 49648258f7ca6f057e8f4ae156f250fb

Architecture independent packages:


Size/MD5 checksum: 94656 25b628ff527d505824d139d5e8d10259


These files will probably be moved into the stable distribution on
its next update.
[SECURITY] [DSA-2104-1] New quagga packages fix denial of service
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2104-1 security@debian.org
Debian -- Security Information Florian Weimer
September 06, 2010 Debian -- Debian security FAQ
- ------------------------------------------------------------------------

Package : quagga
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2010-2948 CVE-2010-2949
Debian Bug : 594262

Several remote vulnerabilities have been discovered in the BGP
implementation of Quagga, a routing daemon.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2010-2948
When processing a crafted Route Refresh message received
from a configured, authenticated BGP neighbor, Quagga
may crash, leading to a denial of service.

CVE-2010-2949
When processing certain crafted AS paths, Quagga would crash
with a NULL pointer dereference, leading to a denial of
service. In some configurations, such crafted AS paths could
be relayed by intermediate BGP routers.

In addition, this update contains a reliability fix: Quagga will no
longer advertise confederation-related AS paths to non-confederation
peers, and reject unexpected confederation-related AS paths by
resetting the session with the BGP peer which is advertising them.
(Previously, such AS paths would trigger resets of unrelated BGP
sessions.)

For the stable distribution (lenny), these problems have been fixed in
version 0.99.10-1lenny3.

For the unstable distribution (sid) and the testing distribution
(squeeze), these problems have been fixed in version 0.99.17-1.

We recommend that you upgrade your quagga package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:


Size/MD5 checksum: 2424191 c7a2d92e1c42214afef9b2e1cd4b5d06

Size/MD5 checksum: 42826 100dbb936b3b0f0d4fb4947bf384d369

Size/MD5 checksum: 1651 f5b9c26538e9d32008ad0256fe4ad0ed

Architecture independent packages:


Size/MD5 checksum: 661354 f843c6f765a48f7e071a52d3c7834d2f

alpha architecture (DEC Alpha)


Size/MD5 checksum: 1902990 0f85c30d5f719f9c104f5a8977a5d1a0

amd64 architecture (AMD x86_64 (AMD64))


Size/MD5 checksum: 1749952 89a53689c4daf3f0695ea2c21aa93254

arm architecture (ARM)


Size/MD5 checksum: 1449792 3c53e06e4d27ef8cf391533824668b19

armel architecture (ARM EABI)


Size/MD5 checksum: 1457202 e52ae364e20ff137c5e0e5f75bfc1ec1

hppa architecture (HP PA RISC)


Size/MD5 checksum: 1683924 c8172ed22b010569949977f407c282b6

i386 architecture (Intel ia32)


Size/MD5 checksum: 1608678 e7b5fbd36e4466cdecaca46f1f96642b

ia64 architecture (Intel ia64)


Size/MD5 checksum: 2256144 75ebe4e12a3e22ef79e5e3dab2d457bf

mips architecture (MIPS (Big Endian))


Size/MD5 checksum: 1605990 f33ef3d9b31f0da900aba6a20bdd188d

mipsel architecture (MIPS (Little Endian))


Size/MD5 checksum: 1601240 68ff751ff9c022cc06db8d0d66895a6e

powerpc architecture (PowerPC)


Size/MD5 checksum: 1717802 931505a31bdcc1a7732a9a2e9f295a01

s390 architecture (IBM S/390)


Size/MD5 checksum: 1794990 7d52667f3f37553256e87b77450dc309

sparc architecture (Sun SPARC/UltraSPARC)


Size/MD5 checksum: 1671232 3706818c39b51bb45c58a0cf8fdba202


These files will probably be moved into the stable distribution on
its next update.