aelius Posted April 3, 2014 Report Posted April 3, 2014 Daca doriti sa fiti notificati atunci cand sunt disponibile update-uri la pachetele de pe Debian, puteti utiliza apticron. Apticron este un script bash ce este rulat din crontab si verifica daca exista upgrade-uri la pachetele instalate. In cazul in care exista, va trimite o notificare detaliata prin email. Este foarte customizabil si util.Instalarea acestuia se face foarte simplu:root@pluto:~# apt-get install apticronReading package lists... DoneBuilding dependency tree Reading state information... DoneThe following NEW packages will be installed: apticron0 upgraded, 1 newly installed, 0 to remove and 70 not upgraded.Need to get 20.1 kB of archives.After this operation, 88.1 kB of additional disk space will be used.Get:1 http://ftp.de.debian.org/debian/ wheezy/main apticron all 1.1.55 [20.1 kB]Fetched 20.1 kB in 0s (120 kB/s) Preconfiguring packages ...Selecting previously unselected package apticron.(Reading database ... 53927 files and directories currently installed.)Unpacking apticron (from .../apticron_1.1.55_all.deb) ...Processing triggers for man-db ...Setting up apticron (1.1.55) ...Creating config file /etc/apticron/apticron.conf with new versionCreating config file /etc/cron.d/apticron with new versionroot@pluto:~#Am editat fisierul '/etc/apticron/apticron.conf' si l-am configurat dupa cum urmeaza:EMAIL="tex@myfuckingdomain.org"SYSTEM="pluto.myfuckingdomain.org"IPADDRESSNUM="1"CUSTOM_SUBJECT="Pluto Server - available update packages"CUSTOM_FROM="system@myfuckingdomain.org"Am sters fisierul '/etc/cron.d/apticron' si am adaugat in loc de el un crontab in '/etc/crontab' care sa ruleze la ora 10.30:root@pluto:~# rm -f /etc/cron.d/apticronroot@pluto:~# echo "30 10 * * * root if test -x /usr/sbin/apticron; then /usr/sbin/apticron --cron; else true; fi" >> /etc/crontabCam asa arata reportul trimis pe email:apticron report [Thu, 03 Apr 2014 23:24:38 +0100]========================================================================apticron has detected that some packages need upgrading on: pluto.myfuckingdomain.org [ 188.240.xx 94.177.xx 94.177.xx 188.240.xx ]The following packages are currently pending an upgrade: apache2.2-bin 2.2.22-13+deb7u1 apache2.2-common 2.2.22-13+deb7u1 apache2-mpm-prefork 2.2.22-13+deb7u1 apache2-prefork-dev 2.2.22-13+deb7u1 apache2-utils 2.2.22-13+deb7u1 apt 0.9.7.9+deb7u1 apt-utils 0.9.7.9+deb7u1 base-files 7.1wheezy4 curl 7.26.0-1+wheezy8 dropbox 1.6.1 gnupg 1.4.12-7+deb7u3 gpgv 1.4.12-7+deb7u3 libapache2-mod-php5 5.4.4-14+deb7u8 libapache2-mod-rpaf 0.6-7+wheezy1 libapt-inst1.5 0.9.7.9+deb7u1 libapt-pkg4.12 0.9.7.9+deb7u1 libavcodec53 6:0.8.10-1 libavformat53 6:0.8.10-1 libavutil51 6:0.8.10-1 libc6 2.13-38+deb7u1 libc6-dev 2.13-38+deb7u1 libc-bin 2.13-38+deb7u1 libc-dev-bin 2.13-38+deb7u1 libcurl3 7.26.0-1+wheezy8 libcurl3-gnutls 7.26.0-1+wheezy8 libexpat1 2.1.0-1+deb7u1 libexpat1-dev 2.1.0-1+deb7u1 libgnutls26 2.12.20-8+deb7u1 libmysqlclient18 5.5.35-rel33.0-611.wheezy libmysqlclient18.1 5.6.15-25.5-759.wheezy libmysqlclient-dev 5.6.15-25.5-759.wheezy libnet-server-perl 2.006-1+deb7u1 libperconaserverclient18 5.5.36-rel34.2-648.wheezy libpq5 9.1.12-0wheezy1 libpq-dev 9.1.12-0wheezy1 libpython2.7 2.7.3-6+deb7u2 librsvg2-2 2.36.1-2 librsvg2-common 2.36.1-2 libssl-doc 1.0.1e-2+deb7u4 libswscale2 6:0.8.10-1 linux-image-3.2.0-4-amd64 3.2.54-2 linux-libc-dev 3.2.54-2 locales 2.13-38+deb7u1 memcached 1.4.13-0.2+deb7u1 multiarch-support 2.13-38+deb7u1 mutt 1.5.21-6.2+deb7u2 openssl 1.0.1e-2+deb7u4 percona-server-client-5.5 5.5.36-rel34.2-648.wheezy percona-server-common-5.5 5.5.36-rel34.2-648.wheezy percona-server-server-5.5 5.5.36-rel34.2-648.wheezy php5 5.4.4-14+deb7u8 php5-cli 5.4.4-14+deb7u8 php5-common 5.4.4-14+deb7u8 php5-curl 5.4.4-14+deb7u8 php5-dev 5.4.4-14+deb7u8 php5-fpm 5.4.4-14+deb7u8 php5-gd 5.4.4-14+deb7u8 php5-intl 5.4.4-14+deb7u8 php5-mcrypt 5.4.4-14+deb7u8 php5-mysql 5.4.4-14+deb7u8 php5-sqlite 5.4.4-14+deb7u8 php5-sybase 5.4.4-14+deb7u8 php5-tidy 5.4.4-14+deb7u8 php5-xmlrpc 5.4.4-14+deb7u8 php5-xsl 5.4.4-14+deb7u8 php-pear 5.4.4-14+deb7u8 python2.7 2.7.3-6+deb7u2 python2.7-minimal 2.7.3-6+deb7u2 tzdata 2013i-0wheezy1 wget 1.13.4-3+deb7u1 whois 5.1.1~deb7u1========================================================================Package Details:Reading changelogs...--- Changes for curl (curl libcurl3 libcurl3-gnutls) ---curl (7.26.0-1+wheezy8) wheezy-security; urgency=high * Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015 http://curl.haxx.se/docs/adv_20140129.html * Set urgency=high accordingly -- Alessandro Ghedini <ghedo@debian.org> Wed, 29 Jan 2014 19:01:03 +0100curl (7.26.0-1+wheezy7) stable-security; urgency=high * Fix GnuTLS checking of a certificate CN or SAN name field when the digital signature verification is turned off as per CVE-2013-6422 http://curl.haxx.se/docs/adv_20131217.html * Set urgency=high accordingly -- Alessandro Ghedini <ghedo@debian.org> Wed, 11 Dec 2013 18:00:59 +0100--- Changes for gnupg (gnupg gpgv) ---gnupg (1.4.12-7+deb7u3) wheezy-security; urgency=high * Fixed the RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack as described by Genkin, Shamir, and Tromer. See <http://www.cs.tau.ac.il/~tromer/acoustic/>. [CVE-2013-4576] -- Thijs Kinkhorst <thijs@debian.org> Sat, 14 Dec 2013 09:18:28 +0100--- Changes for gnutls26 (libgnutls26) ---gnutls26 (2.12.20-8+deb7u1) wheezy-security; urgency=high * 38_CVE-2014-0092.diff by Nikos Mavrogiannopoulos: Fix certificate validation issue. CVE-2014-0092 -- Andreas Metzler <ametzler@debian.org> Sat, 01 Mar 2014 07:44:51 +0100gnutls26 (2.12.20-8) wheezy-security; urgency=high * 26_fix_rejection-of-v1-intermedi.diff pulled and unfuzzed from GIT 3.x: A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior). CVE-2014-1959 / GNUTLS-SA-2014-1 -- Andreas Metzler <ametzler@debian.org> Sat, 15 Feb 2014 18:27:37 +0100--- Changes for linux (linux-image-3.2.0-4-amd64 linux-libc-dev) ---linux (3.2.54-2) wheezy; urgency=high * [arm] Ignore ABI change in omap_dsp_get_mempool_base (fixes FTBFS) -- dann frazier <dannf@debian.org> Sat, 01 Feb 2014 13:08:46 +0000linux (3.2.54-1) wheezy; urgency=high * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.54 - NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk() - USB: mos7840: fix tiocmget error handling - ALSA: 6fire: Fix probe of multiple cards - can: c_can: Fix RX message handling, handle lost message before EOB - dm mpath: fix race condition between multipath_dtr and pg_init_done - ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea() - KVM: IOMMU: hva align mapping page size - crypto: s390 - Fix aes-cbc IV corruption - audit: printk USER_AVC messages when audit isn't enabled - audit: fix info leak in AUDIT_GET requests - audit: use nlmsg_len() to get message payload length - PM / hibernate: Avoid overflow in hibernate_preallocate_memory() - blk-core: Fix memory corruption if blkcg_init_queue fails - block: fix a probe argument to blk_register_region - SUNRPC: Fix a data corruption issue when retransmitting RPC calls - mwifiex: correct packet length for packets from SDIO interface - vsprintf: check real user/group id for %pK - ipc, msg: fix message length check for negative values - hwmon: (lm90) Fix max6696 alarm handling - rtlwifi: rtl8192cu: Fix more pointer arithmetic errors - setfacl removes part of ACL when setting POSIX ACLs to Samba - nfsd: make sure to balance get/put_write_access - nfsd4: fix xdr decoding of large non-write compounds (regression in 3.2.49) - NFSv4 wait on recovery for async session errors - powerpc/signals: Mark VSX not saved with small contexts - iscsi-target: fix extract_param to handle buffer length corner case - iscsi-target: chap auth shouldn't match username with trailing garbage - configfs: fix race between dentry put and lookup - [powerpc] signals: Improved mark VSX not saved with small contexts fix - mac80211: don't attempt to reorder multicast frames - Staging: zram: Fix access of NULL pointer - Staging: zram: Fix memory leak by refcount mismatch - irq: Enable all irqs unconditionally in irq_resume - tracing: Allow events to have NULL strings - [armhf/omap] Staging: tidspbridge: disable driver - cpuset: Fix memory allocator deadlock - crypto: authenc - Find proper IV address in ablkcipher callback - crypto: scatterwalk - Set the chain pointer indication bit - [s390] crypto: s390 - Fix aes-xts parameter corruption - crypto: ccm - Fix handling of zero plaintext when computing mac - net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST (fixes regression in 3.2.17) - hpsa: do not discard scsi status on aborted commands - hpsa: return 0 from driver probe function on success, not 1 - [arm] 7912/1: check stack pointer in get_wchan - [arm] 7913/1: fix framepointer check in unwind_frame - ALSA: memalloc.h - fix wrong truncation of dma_addr_t - dm snapshot: avoid snapshot space leak on crash - dm table: fail dm_table_create on dm_round_up overflow - hwmon: (w83l786ng) Fix fan speed control mode setting and reporting - hwmon: (w83l768ng) Fix fan speed control range - futex: fix handling of read-only-mapped hugepages - KVM: Improve create VCPU parameter (CVE-2013-4587) - [x86] KVM: Fix potential divide by 0 in lapic (CVE-2013-6367) - net: Fix "ip rule delete table 256" (Closes: #724783) - 6lowpan: Uncompression of traffic class field was incorrect - ipv4: fix possible seqlock deadlock - inet: prevent leakage of uninitialized memory to user in recv syscalls - net: rework recvmsg handler msg_name and msg_namelen logic - net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct sockaddr_storage) - inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu functions - ipv6: fix leaking uninitialized port number of offender sockaddr - net: core: Always propagate flag changes to interfaces - packet: fix use after free race in send path when dev is released - inet: fix possible seqlock deadlocks - ipv6: fix possible seqlock deadlock in ip6_finish_output2 - ftrace: Check module functions being traced on reload - ftrace: Fix function graph with loading of modules - mmc: block: fix a bug of error handling in MMC driver [ Ben Hutchings ] * SCSI: virtio_scsi: fix memory leak on full queue condition (Closes: #730138) * drm, agp: Update to 3.4.76: - drm/radeon: fix asic gfx values for scrapper asics - drm/edid: add quirk for BPC in Samsung NP700G7A-S01PL notebook - drm/radeon: fixup bad vram size on SI [ dann frazier ] * ath9k_htc: properly set MAC address and BSSID mask (CVE-2013-4579) * KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) * x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround (CVE-2014-1438) * hamradio/yam: fix info leak in ioctl (CVE-2014-1446) -- dann frazier <dannf@debian.org> Wed, 29 Jan 2014 13:42:01 -0700linux (3.2.53-2) wheezy; urgency=high * [sparc] Ignore insignificant ABI changes (fixes FTBFS) * [powerpc] Update CPU device backport to work after 'powerpc/sysfs: Disable writing to PURR in guest mode' in 3.2.52 (fixes FTBFS) * exec/ptrace: Fix typo in backport of 'fix get_dumpable() incorrect tests' (CVE-2013-2929) (Closes: #732208) * net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348) -- Ben Hutchings <ben@decadent.org.uk> Tue, 17 Dec 2013 03:24:07 +0000linux (3.2.53-1) wheezy; urgency=medium * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.52 - 8139cp: Add dma_mapping_error checking - ipv6: drop packets with multiple fragmentation headers - ipv6: Don't depend on per socket memory for neighbour discovery messages - HID: hidraw: correctly deallocate memory on device disconnect - xen-gnt: prevent adding duplicate gnt callbacks - usb: config->desc.bLength may not exceed amount of data returned by the device - USB: cdc-wdm: fix race between interrupt handler and tasklet - [powerpc] Handle unaligned ldbrx/stdbrx - intel-iommu: Fix leaks in pagetable freeing - ath9k: fix rx descriptor related race condition - ath9k: avoid accessing MRC registers on single-chain devices - rculist: list_first_or_null_rcu() should use list_entry_rcu() - USB: mos7720: fix big-endian control requests - of: Fix missing memory initialization on FDT unflattening - fuse: postpone end_page_writeback() in fuse_writepage_locked() - fuse: invalidate inode attributes on xattr modification - fuse: hotfix truncate_pagecache() issue - hdpvr: register the video node at the end of probe - hdpvr: fix iteration over uninitialized lists in hdpvr_probe() - fuse: readdir: check for slash in names - crypto: api - Fix race condition in larval lookup - sd: Fix potential out-of-bounds access - ocfs2: fix the end cluster offset of FIEMAP - mm/huge_memory.c: fix potential NULL pointer dereference - sched/fair: Fix small race where child->se.parent,cfs_rq might point to invalid ones - HID: zeroplus: validate output report details (CVE-2013-2889) - HID: LG: validate HID output report details (CVE-2013-2893) - HID: validate feature and input report details (CVE-2013-2897) - HID: logitech-dj: validate output report details (CVE-2013-2895) - nilfs2: fix issue with race condition of competition between segments for dirty blocks - powerpc: Fix parameter clobber in csum_partial_copy_generic() - powerpc: Restore registers on error exit from csum_partial_copy_generic() - net: sctp: fix smatch warning in sctp_send_asconf_del_ip - net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit (CVE-2013-4350) - ip: generate unique IP identificator if local fragmentation is allowed - ipv6: udp packets following an UFO enqueued packet need also be handled by UFO (CVE-2013-4387) - esp_scsi: Fix tag state corruption when autosensing. - [sparc] Fix not SRA'ed %o5 in 32-bit traced syscall - perf: Use css_tryget() to avoid propping up css refcount - Revert "zram: use zram->lock to protect zram_free_page() in swap free notify path" (regression in 3.2.49) - macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS - sfc: Fix efx_rx_buf_offset() for recycled pages - cgroup: fail if monitored file and event_control are in different cgroup - perf: Fix perf_cgroup_switch for sw-events - Revert "sctp: fix call to SCTP_CMD_PROCESS_SACK in sctp_cmd_interpreter()" (regression in 3.2.34) - iscsi: don't hang in endless loop if no targets present - cpqarray: fix info leak in ida_locked_ioctl() (CVE-2013-2147) - cciss: fix info leak in cciss_ioctl32_passthru() (CVE-2013-2147) - staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.53 - tcp: must unclone packets before mangling them - tcp: do not forget FIN in tcp_shifted_skb() (fixes regression in 2.6.39) - net: do not call sock_put() on TIMEWAIT sockets - net: heap overflow in __audit_sockaddr() - proc connector: fix info leaks - ipv6: restrict neighbor entry creation to output flow (fixes regression in 3.2.39) - farsync: fix info leak in ioctl - connector: use nlmsg_len() to check message length - wanxl: fix info leak in ioctl - net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race (fixes regression in 3.2) - net: fix cipso packet validation when !NETLABEL - zram: allow request end to coincide with disksize - perf: Fix perf ring buffer memory ordering - inet: fix possible memory corruption with UDP_CORK and UFO (CVE-2013-4470) - tracing: Fix potential out-of-bounds in trace_get_user() - include/linux/fs.h: disable preempt when acquire i_size_seqcount write lock - jfs: fix error path in ialloc - random: run random_int_secret_init() run after all late_initcalls - mac80211: drop spoofed packets in ad-hoc mode - libata: make ata_eh_qc_retry() bump scmd->allowed on bogus failures - [powerpc] KVM: PPC: Book3S HV: Fix typo in saving DSCR - compiler/gcc4: Add quirk for 'asm goto' miscompilation bug - ext4: fix memory leak in xattr - [hppa] fix interruption handler to respect pagefault_disable() - dm snapshot: fix data corruption (CVE-2013-4299) - ecryptfs: Fix memory leakage in keystore.c - target/pscsi: fix return value check - Fix a few incorrectly checked [io_]remap_pfn_range() calls (CVE-2013-4511) - uml: check length in exitcode_proc_write() (CVE-2013-4512) - aacraid: missing capable() check in compat ioctl - staging: wlags49_h2: buffer overflow setting station name - Staging: bcm: info leak in ioctl - lib/scatterlist.c: don't flush_kernel_dcache_page on slab page * [armel/orion5x] i2c: mv64xxx: work around signals causing I2C transactions to be aborted * [armel/orion5x] I2C: mv64xxx: fix race between FSM/interrupt and process context (Closes: #622325) * aufs: Set version to 3.2.x-debian * drm: fix DRM_IOCTL_MODE_GETFB handle-leak * drm, agp: Update to 3.4.72: - drm/edid: add quirk for Medion MD30217PG - drm/ttm: fix the tt_populated check in ttm_tt_destroy() - drm/radeon: fix LCD record parsing - drm/radeon: fix endian bugs in hw i2c atom routines - drm/radeon: update line buffer allocation for dce4.1/5 - drm/radeon: update line buffer allocation for dce6 - drm/radeon: fix resume on some rs4xx boards (v2) - drm/radeon: fix handling of variable sized arrays for router objects - drm/radeon/atom: workaround vbios bug in transmitter table on rs880 (v2) - drm/i915/dp: increase i2c-over-aux retry interval on AUX DEFER - drm/radeon: disable tests/benchmarks if accel is disabled - drm/radeon: fix hw contexts for SUMO2 asics - drm: Prevent overwriting from userspace underallocating core ioctl structs - drm/radeon/atom: workaround vbios bug in transmitter table on rs780 - drm/ttm: Handle in-memory region copies - drm/i915: flush cursors harder - drm/nouveau: when bailing out of a pushbuf ioctl, do not remove previous fence - drm/radeon/si: fix define for MC_SEQ_TRAIN_WAKEUP_CNTL - radeon: workaround pinning failure on low ram gpu * [rt] Update to 3.2.53-rt75: - genirq: Set the irq thread policy without checking CAP_SYS_NICE - hwlat-detector: Don't ignore threshold module - mm/memcontrol: Don't call schedule_work_on in preemption disabled context - drm: remove preempt_disable() from drm_calc_vbltimestamp_from_scanoutpos() * net: clamp ->msg_namelen instead of returning an error (fixes regression in 3.2.53) * rds: prevent BUG_ON triggered on congestion update to loopback (CVE-2012-2372) * HID: multitouch: validate indexes details (CVE-2013-2897) * exec/ptrace: fix get_dumpable() incorrect tests (CVE-2013-2929) * crypto: ansi_cprng - Fix off by one error in non-block size request (CVE-2013-4345) * KVM: perform an invalid memslot step for gpa base change * KVM: Fix iommu map/unmap to handle memory slot moves (CVE-2013-4592) * [armhf] 7527/1: uaccess: explicitly check __user pointer when !CPU_USE_DOMAINS (CVE-2013-6282) * libertas: potential oops in debugfs (CVE-2013-6378) * aacraid: prevent invalid pointer dereference (CVE-2013-6380) * [s390,s390x] qeth: avoid buffer overflow in snmp ioctl (CVE-2013-6381) * xfs: underflow bug in xfs_attrlist_by_handle() (CVE-2013-6382) -- Ben Hutchings <ben@decadent.org.uk> Fri, 06 Dec 2013 07:23:56 +0000--- Changes for memcached ---memcached (1.4.13-0.2+deb7u1) wheezy-security; urgency=high * Non-maintainer upload by the Security Team. * Add 06_CVE-2011-4971.patch patch. CVE-2011-4971: Fix remote denial of service. Sending a specially crafted packet cause memcached to segfault. (Closes: #706426) * Add 07_CVE-2013-7239.patch patch. CVE-2013-7239: SASL authentication allows wrong credentials to access memcache. (Closes: #733643) -- Salvatore Bonaccorso <carnil@debian.org> Mon, 30 Dec 2013 17:47:44 +0100--- Changes for mutt ---mutt (1.5.21-6.2+deb7u2) wheezy-security; urgency=high * Non-maintainer upload. * Fix buffer overrun caused by not updating a string length after address expansion. Fixes: CVE-2014-0467 Closes: #708731 -- Evgeni Golov <evgeni@debian.org> Tue, 11 Mar 2014 18:31:30 +0100--- Changes for postgresql-9.1 (libpq5 libpq-dev) ---postgresql-9.1 (9.1.12-0wheezy1) wheezy-security; urgency=high * New upstream security/bugfix release. + Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch) Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060) + Prevent privilege escalation via manual calls to PL validator functions (Andres Freund) The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061) + Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund) If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062) + Prevent buffer overrun with long datetime strings (Noah Misch) The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063) + Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas) Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064) + Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich) Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065) + Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian) There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066) + Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane) Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067) * The upstream tarballs no longer contain a plain HISTORY file, but point to the html documentation. Note the location of these files in our changelog.gz file. -- Christoph Berg <christoph.berg@credativ.de> Thu, 20 Feb 2014 13:34:54 +0100postgresql-9.1 (9.1.11-0wheezy1) stable; urgency=low * New upstream bug fix release: - Fix "VACUUM"'s tests to see whether it can update relfrozenxid In some cases "VACUUM" (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug. The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31). - Fix initialization of "pg_clog" and "pg_subtrans" during hot standby startup This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions. This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading. - See HISTORY/changelog.gz for details about other bug fixes. -- Martin Pitt <mpitt@debian.org> Thu, 05 Dec 2013 06:28:57 +0100postgresql-9.1 (9.1.10-0wheezy1) stable; urgency=low * New upstream bug fix release. See HISTORY/changelog.gz for details. (No security or critical issues this time.) -- Martin Pitt <mpitt@debian.org> Tue, 15 Oct 2013 11:49:53 +0200--- Changes for apache2 (apache2.2-bin apache2.2-common apache2-mpm-prefork apache2-prefork-dev apache2-utils) ---apache2 (2.2.22-13+deb7u1) wheezy; urgency=medium Low impact security fixes: * CVE-2013-1862: mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file. Closes: #722333 * CVE-2013-1896: mod_dav: denial of service via MERGE request. Closes: #717272 * mod_dav: Fix segfaults in certain error conditions. https://issues.apache.org/bugzilla/show_bug.cgi?id=52559 * Make apache2ctl create the necessary directories even if started with special options for apache2. Closes: #731531 * Adjust paragraph in README.Debian about MaxMemFree not working properly. The issue has been fixed with apr 1.4.5-1. -- Stefan Fritsch <sf@debian.org> Fri, 31 Jan 2014 19:43:07 +0100--- Changes for openssl (libssl-doc openssl) ---openssl (1.0.1e-2+deb7u4) stable; urgency=medium * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447) * Enable assembler for the arm targets, and remove armeb. Patch by Riku Voipio <riku.voipio@iki.fi> (Closes: #676533) -- Kurt Roeckx <kurt@roeckx.be> Sat, 01 Feb 2014 21:25:20 +0100openssl (1.0.1e-2+deb7u3) stable-security; urgency=medium * Don't change version number if session established -- Kurt Roeckx <kurt@roeckx.be> Mon, 06 Jan 2014 20:28:20 +0100openssl (1.0.1e-2+deb7u2) stable-security; urgency=medium * The patch we applied for CVE-2013-6450 was causing segfaults, also apply the previous commit checking for NULL in EVP_MD_CTX_destroy() * Fix for TLS record tampering bug CVE-2013-4353 -- Kurt Roeckx <kurt@roeckx.be> Mon, 06 Jan 2014 18:17:13 +0100openssl (1.0.1e-2+deb7u1) stable-security; urgency=medium * Fix CVE-2013-6449 (Closes: #732754) * Fix CVE-2013-6450 * disable rdrand by default. It was used as only source of entropy when available. (Closes: #732710) * Disable Dual EC DRBG. -- Kurt Roeckx <kurt@roeckx.be> Mon, 23 Dec 2013 17:47:19 +0100--- Changes for whois ---whois (5.1.1~deb7u1) proposed-updates; urgency=low * Rebuilt for wheezy. -- Marco d'Itri <md@linux.it> Sat, 11 Jan 2014 03:16:43 +0100whois (5.1.1) unstable; urgency=medium * Added the servers for 29 "new" gTLDs. -- Marco d'Itri <md@linux.it> Sat, 11 Jan 2014 00:51:05 +0100whois (5.1.0) unstable; urgency=low * Added the .ga, .ml, .pf, .xn--l1acc (.???, Mongolia) and .xn--mgba3a4f16a (.?????, Iran) TLD servers. * Added the servers for 54 "new" gTLDs. * Updated the .bw, .gd, .hn, .sb, .xn--j1amh and .xn--mgberp4a5d4ar TLD servers. * Added new RIPE and APNIC ASN allocations. * Removed the .ck TLD server. * Updated one or more translations. * Applied multiple small fixes contributed by Petr Písa? of Red Hat. * Correctly hide the disclaimers for .be and .sx. (Closes: #729366) * Direct queries for private ASN blocks to RIPE. (Closes: #724661) -- Marco d'Itri <md@linux.it> Thu, 26 Dec 2013 10:05:43 +0100whois (5.0.26) unstable; urgency=low * Added the .cf TLD server. * Updated the .bi TLD server. * Added a new ASN allocation. -- Marco d'Itri <md@linux.it> Wed, 17 Jul 2013 00:48:12 +0200whois (5.0.25) unstable; urgency=low * Added the .ax, .bn, .iq, .pw and .rw TLD servers. * Updated one or more translations. -- Marco d'Itri <md@linux.it> Fri, 10 May 2013 05:13:47 +0200whois (5.0.24) unstable; urgency=low * Merged documentation fixes and the whois.conf(5) man page, courtesy of Petr Písa? of Red Hat. * Added a new ASN allocation. * Updated one or more translations. (Closes: #705163) -- Marco d'Itri <md@linux.it> Thu, 18 Apr 2013 03:36:17 +0200--- Changes for apt (apt apt-utils libapt-inst1.5 libapt-pkg4.12) ---apt (0.9.7.9+deb7u1) wheezy; urgency=low * Non-maintainer upload. * Apply patch for large .debs (Closes: #725483) Thanks Mark Hymers for the patch, Vincent Sanders for the review * Apply patch for strict multi-arch checking in single-architecture environments (Closes: #723586) -- Jonathan Wiltshire <jmw@debian.org> Sat, 16 Nov 2013 11:14:39 +0000--- Changes for base-files ---base-files (7.1wheezy4) stable; urgency=low * Changed /etc/debian_version to 7.4, for Debian 7.4 point release. -- Santiago Vila <sanvila@debian.org> Tue, 28 Jan 2014 11:49:40 +0100base-files (7.1wheezy3) stable; urgency=low * Changed /etc/debian_version to 7.3, for Debian 7.3 point release. -- Santiago Vila <sanvila@debian.org> Wed, 04 Dec 2013 12:30:04 +0100--- Changes for dropbox ---dropbox (1.6.1) stable; urgency=low * Initial Release, This package doesn't use a changelog -- Rian Hunter <rian@dropbox.com> Wed, 18 Dec 2013 09:08:46 -0800--- Changes for eglibc (libc6 libc6-dev libc-bin libc-dev-bin locales multiarch-support) ---eglibc (2.13-38+deb7u1) wheezy; urgency=low [ Aurelien Jarno ] * debian/testsuite-checking/compare.sh: disable failing the build on test regressions to ease the pain of ongoing stable/security maintenance. * patches/any/cvs-CVE-2012-44xx.diff: backport overflow fixes in strcoll, addressing CVE-2012-4412 and CVE-2012-4424 (Closes: #687530, #689423). * patches/any/CVE-2013-0242.diff: backport buffer overrun fix in regexp matcher, addressing CVE-2013-0242 (Closes: #699399). * patches/cvs-CVE-2013-1914.diff: backport stack overflow fixes in getaddrinfo(), addressing CVE-2013-1914 (Closes: #704623). * patches/any/cvs-CVE-2013-4237.diff: backport buffer overwrite fix in readdir_r for file systems returning file names longer than NAME_MAX characters, addressing CVE-2013-4237 (Closes: #719558). patches/kfreebsd/local-readdir_r.diff: remove superseded by the CVE patch. * patches/any/cvs-CVE-2013-4332.diff: backport integer overflow fixes in pvalloc, valloc, posix_memalign, memalign and aligned_alloc functions, addressing CVE-2013-4332 (Closes: #722536). * patches/any/cvs-CVE-2013-4458.diff: backport stack (frame) overflow fixes in getaddrinfo() when called with AF_INET6, addressing CVE-2013-4458 (Closes: #727181). * patches/any/cvs-CVE-2013-4788.diff: backport patch to fix PTR_MANGLE ineffectivity for statically linked binaries, addressing CVE-2013-4788 (Closes: #717178). *** Note that static binaries need to be recompiled to take advantage of the fix ***. * patches/any/cvs-findlocale-div-by-zero.diff: patch from upstream to fix a SIGFPE when locale-archive has been corrupted to all zeros (Closes: #718890, #730336). * patches/mips/cvs-prlimit64.diff: patch from upstream to fix getrlimit64 and setrlimit64 with recent 64-bit kernels (Closes: #665897). [ Petr Salinger ] * patches/kfreebsd/local-initgroups-order.diff: always put supplied extra gid as the first entry of group list in setgroups(). Closes: #699593. * inline is not keyword in c89 mode, use __inline. Closes: #704598. * sys_ktimer_settime have 4 parameters. Closes: #712196. -- Aurelien Jarno <aurel32@debian.org> Thu, 05 Dec 2013 23:19:48 +0100--- Changes for expat (libexpat1 libexpat1-dev) ---expat (2.1.0-1+deb7u1) wheezy; urgency=low [ Matthias Klose ] * Don't ship the pkgconfig file in lib64expat1-dev. Closes: #706932. [ Laszlo Boszormenyi (GCS) ] * New maintainer (closes: #660681). -- Andreas Beckmann <anbe@debian.org> Thu, 05 Dec 2013 12:39:53 +0100--- Changes for libapache2-mod-rpaf ---libapache2-mod-rpaf (0.6-7+wheezy1) stable; urgency=low * Restore 030_ipv6.patch, removed by QA upload in 0.6-1 (Closes: #726529) -- Sergey B Kirpichev <skirpichev@gmail.com> Mon, 20 Jan 2014 17:56:07 +0400--- Changes for libav (libavcodec53 libavformat53 libavutil51 libswscale2) ---libav (6:0.8.10-1) stable-security; urgency=low * Imported Upstream version 0.8.9, new releases fixes: - CVE-2013-0855, CVE-2013-0856, CVE-2013-0865, CVE-2013-4358, CVE-2013-7010, CVE-2013-7014 * Too many security related upstream changes to list here, please cf. to upstream changelog: http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.9 -- Reinhard Tartler <siretart@tauware.de> Tue, 04 Feb 2014 20:09:57 -0500--- Changes for libnet-server-perl ---libnet-server-perl (2.006-1+deb7u1) wheezy; urgency=low * Team upload. * Add fix-use-of-uninitialized-value-in-pattern-match.patch. Fixes use of uninitialized value in pattern match. This in particular affects munin-nodes under wheezy. Logs are spammed with entries: "Use of uninitialized value in pattern match (m//) at /usr/share/perl5/Net/Server.pm line 600.". (Closes: #693320) -- Salvatore Bonaccorso <carnil@debian.org> Thu, 28 Nov 2013 12:31:37 +0100--- Changes for librsvg (librsvg2-2 librsvg2-common) ---librsvg (2.36.1-2) stable; urgency=low [ Raphaël Geissert ] * Fix CVE-2013-1881: disable loading of external entities. Closes: #724741. [ Josselin Mouette ] * Break libgtk-3-0 (<< 3.4.2-7) which uses the anti-feature that is disabled by the security fix. -- Josselin Mouette <joss@debian.org> Wed, 04 Dec 2013 21:08:25 +0100--- Changes for percona-server-5.5 (libmysqlclient18 percona-server-client-5.5 percona-server-common-5.5 percona-server-server-5.5) ---percona-server-5.5 (5.5.36-rel34.2-648.wheezy) wheezy; urgency=low * Update distribution -- Jenkins User <jenkins@debian> Mon, 24 Mar 2014 12:09:43 -0400percona-server-5.5 (5.5.36-34.2-1) unstable; urgency=low * Update to new upstream release Percona Server 5.5.36-34.2 -- Jenkins User <jenkins@debian> Mon, 24 Mar 2014 12:03:33 -0400--- Changes for percona-xtradb-cluster-5.6 (libmysqlclient18.1 libmysqlclient-dev) ---percona-xtradb-cluster-5.6 (5.6.15-25.5-759.wheezy) wheezy; urgency=low * Update distribution -- Raghavendra Prabhu <raghavendra.prabhu@percona.com> Thu, 20 Mar 2014 06:39:36 -0400percona-xtradb-cluster-5.6 (5.6.15-rel62.0) unstable; urgency=low * Release bump. -- Raghavendra Prabhu <raghavendra.prabhu@percona.com> Thu, 30 Jan 2014 17:00:00 -0300percona-xtradb-cluster-5.6 (5.6.15-rel62.0) unstable; urgency=low * Updated to 5.6.15. -- Raghavendra Prabhu <raghavendra.prabhu@percona.com> Wed, 14 Dec 2013 17:00:00 -0300--- Changes for php5 (libapache2-mod-php5 php5 php5-cli php5-common php5-curl php5-dev php5-fpm php5-gd php5-intl php5-mcrypt php5-mysql php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl php-pear) ---php5 (5.4.4-14+deb7u8) wheezy-security; urgency=low * [CVE-2014-1943]: Fix segmentation fault in libmagic (Closes: #739012) -- Ond?ej Surý <ondrej@debian.org> Mon, 17 Feb 2014 10:07:18 +0100php5 (5.4.4-14+deb7u7) wheezy-security; urgency=low * [CVE-2013-6420]: Fix memory corruption in openssl_x509_parse (Closes: #731895) * [CVE-2013-6712]: Fix heap buffer over-read in DateInterval (Closes: #731112) -- Ond?ej Surý <ondrej@debian.org> Thu, 12 Dec 2013 09:28:14 +0100php5 (5.4.4-14+deb7u6) stable; urgency=low [ William Dauchy ] * upstream fix: curl memory leak (Closes: #725868) * upstream fix: allow root to run php-fpm (Closes: #725890) * upstream fix: remove annoying warnings with php-fpm and user usage (Closes: #725972) * upstream fix: memoryleak in function declaration (Closes: #726033) * upstream fix: munmap() is called with the incorrect length (Closes: #726037) * upstream fix: segfault on zend_deactivate (Closes: #726295) * upstream fix: Possible null dereference (Closes: #726320) * upstream fix: Phar::buildFromDirectory creates corrupt archives (Closes: #726379) * upstream fix: segfault while loading extensions (Closes: #726627) * upstream fix: (un)serialize() leaves dangling pointers, causes crashes (Closes: #726633) -- Ond?ej Surý <ondrej@debian.org> Tue, 22 Oct 2013 08:33:07 +0200--- Changes for python2.7 (libpython2.7 python2.7 python2.7-minimal) ---python2.7 (2.7.3-6+deb7u2) stable-security; urgency=low * Fix installation of modules in python2.7-minimal, thanks to Jakub Wilk for the analysis -- Moritz Mühlenhoff <jmm@debian.org> Wed, 12 Mar 2014 23:45:44 +0100python2.7 (2.7.3-6+deb7u1) stable-security; urgency=low * CVE-2014-1912, CVE-2013-4238 -- Moritz Mühlenhoff <jmm@debian.org> Wed, 05 Mar 2014 00:18:28 +0100--- Changes for tzdata ---tzdata (2013i-0wheezy1) stable; urgency=low * New upstream version. * Remove solar87, solar88 and solar89 from the list of timezones, as they have been removed upstream. -- Aurelien Jarno <aurel32@debian.org> Sun, 26 Jan 2014 19:33:55 +0000tzdata (2013h-0wheezy1) stable; urgency=low * New upstream version. -- Aurelien Jarno <aurel32@debian.org> Sat, 07 Dec 2013 15:06:58 +0100--- Changes for wget ---wget (1.13.4-3+deb7u1) stable-proposed-updates; urgency=low * backported TLS Server Name Indication (SNI) to stable (patches/wget-tls-sni) from wget 1.14 http://git.savannah.gnu.org/cgit/wget.git/commit/?id=fd582e454378db9a1e218acf79f24fbe042bed98 closes: #653267 -- Noël Köthe <noel@debian.org> Sat, 1 Feb 2014 20:29:14 +0100========================================================================You can perform the upgrade by issuing the command: apt-get dist-upgradeas root on pluto.myfuckingdomain.org--apticron Quote
aelius Posted April 3, 2014 Author Report Posted April 3, 2014 Pentru a vedea la ce pachete este disponibil un update (fara apticon), puteti utiliza urmatoarele comenzi:Cu aptitude:aptitude search '~U'Cu apt-get:apt-get -s upgrade Quote