Author: Thijs Kinkhorst
Date: Feb 27, 2008 04:30
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1510-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
February 27, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : gs-esp / gs-gpl
Vulnerability : buffer overflow
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-0411

Chris Evans discovered a buffer overflow in the color space handling
code of the Ghostscript PostScript/PDF interpreter, which might result
in the execution of arbitrary code if a user is tricked into processing
a malformed file.

For the stable distribution (etch), this problem has been fixed in version
8.54.dfsg.1-5etch1 of gs-gpl and 8.15.3.dfsg.1-1etch1 of gs-esp.

Author: Noah Meyerhans
Date: Feb 25, 2008 15:20
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1509-1 security@debian.org
http://www.debian.org/security/ Noah Meyerhans
February 25, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : koffice
Vulnerability : several
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2007-4352 CVE-2007-5392 CVE-2007-5393
Debian Bug : 450631

Several vulnerabilities have been discovered in xpdf code that is
embedded in koffice, an integrated office suite for KDE. These flaws
could allow an attacker to execute arbitrary code by inducing the user
to import a specially crafted PDF document.

The Common Vulnerabilities and Exposures project identifies the
following problems:

Author: Thijs Kinkhorst
Date: Feb 25, 2008 11:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1508-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
February 25, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : diatheke
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id : CVE-2008-0932
Debian Bug : 466449

Dan Dennison discovered that Diatheke, a CGI program to make a bible
website, performs insufficient sanitising of a parameter, allowing a
remote attacker to execute arbitrary shell commands as the web server
user.

For the stable distribution (etch), this problem has been fixed in version
1.5.9-2etch1.

Author: Steve Kemp
Date: Feb 24, 2008 05:10
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1507-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
February 24, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : turba2
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0807
Debian Bug : 464058

Peter Paul Elfferich discovered that turba2, a contact management component
for the horde framework, did not correctly check access rights before allowing
users to edit addresses. This could result in valid users being able to
alter private address records.

For the stable distribution (etch), this problem has been fixed in version
2.1.3-1etch1.

Author: Moritz Muehlenhoff
Date: Feb 24, 2008 04:40
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1506-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
February 24, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : iceape
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2008-0412 CVE-2008-0413 CVE-2008-0414 CVE-2008-0415
CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591
CVE-2008-0592 CVE-2008-0593 CVE-2008-0594

Several remote vulnerabilities have been discovered in the Iceape internet
suite, an unbranded version of the Seamonkey Internet Suite. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-0412

Author: dann frazier
Date: Feb 22, 2008 14:20
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1505 security@debian.org
http://www.debian.org/security/ dann frazier
February 22, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : alsa-driver
Vulnerability : kernel memory leak
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2007-4571

Takashi Iwai supplied a fix for a memory leak in the snd_page_alloc module.
Local users could exploit this issue to obtain sensitive information from
the kernel (CVE-2007-4571).

For the stable distribution (etch), this problem has been fixed in
version 1.0.13-5etch1. This issue was already fixed for the version
of ALSA provided by linux-2.6 in DSA 1479.

Author: Noah Meyerhans
Date: Feb 21, 2008 16:50
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1502-1 security@debian.org
http://www.debian.org/security/ Noah Meyerhans
February 22, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : wordpress
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-3238 CVE-2007-2821 CVE-2008-0193 CVE-2008-0194

Several remote vulnerabilities have been discovered in wordpress, a weblog
manager.

The Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2007-3238

Author: Thijs Kinkhorst
Date: Feb 21, 2008 13:30
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1501-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
February 21, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : dspam
Vulnerability : programming error
Problem type : local
Debian-specific: yes
CVE Id(s) : CVE-2007-6418
Debian Bug : 448519

Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam,
a statistical spam filter, included a database password on the command line
when using the MySQL backend. This allowed a local attacker to read the
contents of the dspam database, such as emails.

Author: Steve Kemp
Date: Feb 21, 2008 12:30
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1500-1 security@debian.org
http://www.debian.org/security/ Steve Kemp
February 21, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : splitvt
Vulnerability : privilege escalation
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-0162

Mike Ashton discovered that splitvt, a utility to run two programs in a
split screen, did not drop group privileges prior to executing 'xprop'.
This could allow any local user to gain the privileges of group utmp.

For the stable distribution (etch), this problem has been fixed in version
1.6.5-9etch1.

For the unstable distribution (sid), this problem has been fixed in
version 1.6.6-4.

Author: Florian Weimer
Date: Feb 19, 2008 14:20
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1499-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
February 19, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : pcre3
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-0674

It was discovered that specially crafted regular expressions involving
codepoints greater than 255 could cause a buffer overflow in the PCRE
library (CVE-2008-0674).

For the stable distribution (etch), this problem has been fixed in
version 6.7+7.4-3.

For the old stable distribution (sarge), this problem has been fixed in
version 4.5+7.4-2.