-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.0706 -- [Debian]
             New gaim packages fix execution of arbitrary code
                               16 July 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              gaim
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-2927

Ref:                  ESB-2008.0682

Original Bulletin:    http://www.debian.org/security/2008/dsa-1610

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1610-1                  security@debian.org
http://www.debian.org/security/                               Steve Kemp
July 15, 2008                         http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : gaim
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-2927

It was discovered that gaim, an multi-protocol instant messaging client,
was vulnerable to several integer overflows in its MSN protocol handlers.
These could allow a remote attacker to execute arbitrary code.

For the stable distribution (etch), this problem has been fixed in version
1:2.0.0+beta5-10etch1.

For the unstable distribution (sid), this package is not present.

We recommend that you upgrade your gaim package.


Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1.dsc
    Size/MD5 checksum:     1143 7c07047f910aa37b5d3237d2b9c2f746
  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5.orig.tar.gz
    Size/MD5 checksum:  9031658 b95158280b54f7c6e61c975ac6a1b2c5
  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1.diff.gz
    Size/MD5 checksum:    40297 4481186566917128436fec7894a0849e

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/gaim/gaim-data_2.0.0+beta5-10etch1_all.deb
    Size/MD5 checksum:  5155634 a771c9d07df618edbea2009b81a780eb

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/g/gaim/gaim-dbg_2.0.0+beta5-10etch1_alpha.deb
    Size/MD5 checksum:  3941786 5ae6eb63afa93956d351b436c4dedce1
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_2.0.0+beta5-10etch1_alpha.deb
    Size/MD5 checksum:   151048 d2963922763948e431374e6035fce786
  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1_alpha.deb
    Size/MD5 checksum:  1946668 a581acaee78397951203bb9ba75b92a5

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_2.0.0+beta5-10etch1_amd64.deb
    Size/MD5 checksum:   151308 e02d048bb0b276819259b9eafb2da5c1
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dbg_2.0.0+beta5-10etch1_amd64.deb
    Size/MD5 checksum:  3981722 f8dea9c85a995285842b9658b7f22e40
  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1_amd64.deb
    Size/MD5 checksum:  1783578 68aa76888cdef8f740f45f50661234b1

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/g/gaim/gaim-dbg_2.0.0+beta5-10etch1_arm.deb
    Size/MD5 checksum:  3755878 f5fab49dc1d45ea2a6b5c57a52402cf9
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_2.0.0+beta5-10etch1_arm.deb
    Size/MD5 checksum:   151974 65cb42b3add06b9e623d14199c4f1955
  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1_arm.deb
    Size/MD5 checksum:  1562534 cbde10538a351b4f7730a76c3d0d24d7

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/g/gaim/gaim-dbg_2.0.0+beta5-10etch1_hppa.deb
    Size/MD5 checksum:  3885888 c6ecba97d3da131f507be4bb829f30d0
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_2.0.0+beta5-10etch1_hppa.deb
    Size/MD5 checksum:   151626 bd76b163486f8a778bea8a3cae124d66
  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1_hppa.deb
    Size/MD5 checksum:  1982362 4c523a86d49a58204ef226d8b003adea

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1_i386.deb
    Size/MD5 checksum:  1680010 33ada7f2c9454fe220feac62252ddb6f
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dbg_2.0.0+beta5-10etch1_i386.deb
    Size/MD5 checksum:  3753710 6a1c030a5bd9ed092d108d54b99e64ca
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_2.0.0+beta5-10etch1_i386.deb
    Size/MD5 checksum:   151968 4132986afae49a8640f5e4a2c793da30

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1_ia64.deb
    Size/MD5 checksum:  2446022 006e57d747b574fe007531dea875b1e7
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_2.0.0+beta5-10etch1_ia64.deb
    Size/MD5 checksum:   149394 3374fa4ef91014f880840b35d38d31c5
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dbg_2.0.0+beta5-10etch1_ia64.deb
    Size/MD5 checksum:  3734170 690c1bb55de9f185016eff981c4808b9

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_2.0.0+beta5-10etch1_mips.deb
    Size/MD5 checksum:   150720 311032a9ac626069ccc86f84f57e2590
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dbg_2.0.0+beta5-10etch1_mips.deb
    Size/MD5 checksum:  4038460 e64238f554102f276d1318ec1306a576
  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1_mips.deb
    Size/MD5 checksum:  1477582 b8161f8051c1ef3bfcabae5fda5a8e86

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1_powerpc.deb
    Size/MD5 checksum:  1736680 1fd924e136faa010fc72bdd5380bae7b
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_2.0.0+beta5-10etch1_powerpc.deb
    Size/MD5 checksum:   149416 c39f12e2db475a607635cadef7cf2d0d
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dbg_2.0.0+beta5-10etch1_powerpc.deb
    Size/MD5 checksum:  3962580 5f96851de05f64a1004f259163c78a62

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/g/gaim/gaim-dbg_2.0.0+beta5-10etch1_s390.deb
    Size/MD5 checksum:  3887734 8a70aab0641f3133d09e92236209d599
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_2.0.0+beta5-10etch1_s390.deb
    Size/MD5 checksum:   149390 02297def8b72438af93b378283b3f804
  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1_s390.deb
    Size/MD5 checksum:  1724846 b2be967dbcbb3fb08d094facfc72feb4

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/g/gaim/gaim-dbg_2.0.0+beta5-10etch1_sparc.deb
    Size/MD5 checksum:  3619054 e7496134eb752f245b5d7cb0be0cf104
  http://security.debian.org/pool/updates/main/g/gaim/gaim_2.0.0+beta5-10etch1_sparc.deb
    Size/MD5 checksum:  1660690 0ef1fe66d2513f3521f76295a4d4fa6b
  http://security.debian.org/pool/updates/main/g/gaim/gaim-dev_2.0.0+beta5-10etch1_sparc.deb
    Size/MD5 checksum:   149410 810e9119e56cc591275761110cfef793


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIfOJZwM/Gs81MDZ0RAp4zAKCRhvwDdZ8CF1klsEWLfTCgRjvIAQCglMGn
W9rLkqrE4rf6YSbRh4jECLk=
=k1RT
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSH0+8Ch9+71yA2DNAQITngP/QF0Z+mTWYGczl2rBMlmvXcb5/qQUjX6p
zok9eadXnLvK8IsXySa5jouOL+v6Ml+cF5BxH9zlTQNEx6+K202RpHcJbhkFrys/
PYaGSnQdf8eNsDpxDkApU6RV/ZpyZWNLTIkJeEKbY+zsOSYeiDOAq996utsfH8ab
7Wos0PtUAng=
=L3mM
-----END PGP SIGNATURE-----