linux.debian.announce.security
  [SECURITY] [DSA 1566-1] New cpio packages fix denial of service         


Author: Steve Kemp
Date: May 2, 2008 08:10

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1566-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
May 02, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : cpio
Vulnerability : programming error
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2007-4476

Dmitry Levin discovered a vulnerability in path handling code used by
the cpio archive utility. The weakness could enable a denial of
service (crash) or potentially the execution of arbitrary code if a
vulnerable version of cpio is used to extract or to list the contents
of a maliciously crafted archive.

For the stable distribution (etch), these problems have been fixed in
version 2.6-18.1+etch1.
  [SECURITY] [DSA 1564-1] New wordpress packages fix several vulnerabilities         


Author: Thijs Kinkhorst
Date: May 1, 2008 10:10

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1564-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
May 01, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : wordpress
Vulnerability : multiple
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-3639 CVE-2007-4153 CVE-2007-4154 CVE-2007-0540

Several remote vulnerabilities have been discovered in wordpress,
a weblog manager. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2007-3639

Insufficient input sanitising allowed for remote attackers to
redirect visitors to external websites.

CVE-2007-4153
  [SECURITY] [DSA 1563-1] New asterisk packages fix denial of service         


Author: Moritz Muehlenhoff
Date: Apr 30, 2008 10:50

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1563-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 30, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : asterisk
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1897

Joel R. Voss discovered that the IAX2 module of Asterisk, a free
software PBX and telephony toolkit, performs insufficient validation of
IAX2 protocol messages, which may lead to denial of service.

For the stable distribution (etch), this problem has been fixed in
version 1.2.13~dfsg-2etch4.

For the unstable distribution (sid), this problem has been fixed
in version 1.4.19.1~dfsg-1.
  [SECURITY] [DSA 1562-1] New iceape packages fix arbitrary code execution         


Author: Moritz Muehlenhoff
Date: Apr 28, 2008 13:00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1562-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 28, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : iceape
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1380

It was discovered that crashes in the Javascript engine of Iceape,
an unbranded version of the Seamonkey internet suite, could
potentially lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 1.0.13~pre080323b-0etch3.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.9-2.
  [SECURITY] [DSA 1561-1] New ldm packages fix information disclosure         


Author: Thijs Kinkhorst
Date: Apr 28, 2008 06:30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1561-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
April 28, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : ldm
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1293
Debian Bug : 469462

Christian Herzog discovered that within the Linux Terminal Server Project,
it was possible to connect to X on any LTSP client from any host on the
network, making client windows and keystrokes visible to that host.

NOTE: most ldm installs are likely to be in a chroot environment exported
over NFS, and will not be upgraded merely by upgrading the server itself.
For example, on the i386 architecture, to upgrade ldm will likely require:
  [SECURITY] [DSA 1560-1] New kronolith2 packages fix cross site scripting         


Author: Thijs Kinkhorst
Date: Apr 28, 2008 03:20

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1560-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
April 28, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : kronolith2
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
Debian Bug : 478121

"The-0utl4w" discovered that Kronolith, the calendar component for
the Horde Framework, didn't properly sanitise URL input, leading to
a cross-site scripting vulnerability in the add event screen.

For the stable distribution (etch), this problem has been fixed in
version 2.1.4-1etch1.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your kronolith2 package.