Andreas Barth | 12 Feb 23:19

debian-volatile: end of support for Sarge

Hi,

we have decided to end-of-life support for Sarge in volatile. The key
for the archive signature has already expired some time ago, and as we
didn't hear massive complaints, we assume that people running volatile
applications already upgraded to Etch some time ago. Packages etc will
still be around for some time, but will be removed without further
announcement from the database, dist-files and pool whenever we have
time for that.

Cheers,
Andi

Andreas Barth | 12 Feb 23:14

[VUA 42-1] Updated clamav package fixes security flaw

----------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 42-1     http://volatile.debian.org
debian-volatile <at> lists.debian.org                 Stephen Gran, Andi Barth
February 12th, 2008                              
----------------------------------------------------------------------------

Package              : clamav
Version              : etch: 0.92.1~dfsg-1volatile1
Importance           : high
CVE IDs              : CVE-2007-6595, CVE-2008-0318

The following security flaws were found and fixed in clamav:

CVE-2007-6595: symlink attack allows local users to overwrite arbitrary
  files via cli_gentempfd in libclamav/others.c or in sigtool
  with utf16-decode enabled.
CVE-2008-0318: integer overflow in libclamav/pe.c

For etch, an updated ClamAV package is available in etch/volatile as
version 0.92.1~dfsg-1volatile1.

For sarge, we decided to end-of-life support in volatile, and recommend
that you upgrade your system to etch as soon as possible (we already have
the key for the packages-files expired since some time and didn't receive
complaints, so we don't expect that it is still much in use).

Upgrade Instructions
---------------------
You can get the updated packages at

Andreas Barth | 13 Feb 20:55

Service update: Lenny, Sarge

Hi,

we just added a Lenny suite. That doesn't mean that we will publish
programs for Lenny soon (we consider only packages that cannot go to
Lenny due to the freeze as possible candidates, and as Lenny isn't
frozen at all yet, we have an empty candidate list by definition). This
will however allow adding volatile to installers, etc. and testing it.
Please also note that we still need to create a suite key for Lenny, for
the moment we just use the etch key. We will create the suite key when
most parts of Lenny are frozen.

As to Sarge, we got a few requests to still publish clamav for Sarge -
and as we value our users, we decided to do so.

We however want to still encourage people to upgrade to Etch, also
security support is going to end soonish, and we don't promise to update
clamav another time - we will decide this when it is necessary to
decide, and we know how much effort it will be. As the sarge volatile
key expired quite some time ago, we decided to use the etch key for now.

Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/

Andreas Barth | 13 Feb 21:34

[VUA 42-2] Updated clamav package fixes security flaw

----------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 42-2     http://volatile.debian.org
debian-volatile <at> lists.debian.org                 Stephen Gran, Andi Barth
February 13th, 2008                              
----------------------------------------------------------------------------

Package              : clamav
Version              : etch: 0.92.1~dfsg-1volatile1, sarge: 0.92.1dfsg-0volatile1
Importance           : high
CVE IDs              : CVE-2007-6595, CVE-2008-0318

The following security flaws were found and fixed in clamav:

CVE-2007-6595: symlink attack allows local users to overwrite arbitrary
  files via cli_gentempfd in libclamav/others.c or in sigtool
  with utf16-decode enabled.
CVE-2008-0318: integer overflow in libclamav/pe.c

By popular request, we add an update for sarge for clamav as well.
The etch version has already been published with VUA42-1.

However, we still want to encourage you to upgrade your systems to Etch - we
don't promise whether any next version of clamav will have a sarge release as
well.  Additionally, our sarge apt key has expired, so we used the etch apt key
to sign the release file.

Upgrade Instructions
---------------------
You can get the updated packages at

Andreas Barth | 17 Feb 00:24

[VUA 43-1] Updated bcm43xx-fwcutter package

---------------------------------------------------------------------------
Debian Volatile Update Announcement VUA 43-1     http://volatile.debian.org
debian-volatile <at> lists.debian.org                                 Andi Barth
February 16, 2008
---------------------------------------------------------------------------

Package              : bcm43xx-fwcutter
Version              : 1:006-3~volatile1
Importance           : low
CVE IDs              : -

bcm43xx-fwcutter is a utility for extracting Broadcom 43xx firmware. It needs
to download a file from the internet to do so. Since the release of etch, the
URL has changed. This update adjusts the URL to the current location.

Upgrade Instructions
--------------------

You can get the updated packages at

http://volatile.debian.org/debian-volatile/pool/volatile/contrib/b/bcm43xx-fwcutter

and install them with dpkg, or add 

 deb http://volatile.debian.org/debian-volatile etch/volatile main
 deb-src http://volatile.debian.org/debian-volatile etch/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.  See
http://www.debian.org/volatile/volatile-mirrors for the full list of
mirrors.  The archive signing keys can be downloaded from