Articles in the debian Category

debian, PHP »

[31 Jan 2012 | No Comment | 29 views]

There is an important Debian update for PHP today that fixes a number of issues, including a regression and buffer overflows. The crypt_blowfish function also had a bug: it did not properly handle 8-bit characters, which could make passwords easier to crack. This is one of the larger security fixes for PHP in the past year, so you should update your PHP package immediately.

Package        : php5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1938 CVE-2011-2483 CVE-2011-4566 CVE-2011-4885
                 CVE-2012-0057

A regression was found in the fix for PHP’s XSLT transformations (CVE-2012-0057). Updated packages are now available to address this regression. …

debian »

[22 Jan 2012 | No Comment | 163 views]

There is a phpMyAdmin update today for Debian. It fixes an XSS bug in the table tracking feature and a vulnerability in the XML import plugin. The stable version of Debian (squeeze) and testing (wheezy) are affected.

Package        : phpmyadmin
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1940 CVE-2011-3181 CVE-2011-4107
Debian Bug     : 656247

Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2011-4107

The XML import plugin allowed a remote attacker to read arbitrary files via XML data containing external entity references.

CVE-2011-1940, CVE-2011-3181

Cross site scripting was possible in the table tracking …

debian »

[7 Dec 2011 | No Comment | 194 views]

If you are running on a server with limited space (e.g. VPS), you might need to manually clear out the Debian apt cache via this command:
apt-get clean

Or, to remove only package files that can no longer be downloaded and keep the cached files for the current versions of your software:
apt-get autoclean

This will clean the files stored in:
/var/cache/apt/archives/

debian »

[6 Dec 2011 | No Comment | 300 views]

Debian Lenny reaches EOL in two months. Security support for Debian GNU/Linux 5.0 (code name “lenny”) will end 2/6/2012. If you are still using Lenny, you should run a distribution update to Squeeze in the next 60 days.

The Debian project released Debian GNU/Linux 6.0 alias “squeeze” on the 6th of February 2011. Users and distributors have been given a one-year timeframe to upgrade their old installations to the current stable release. Hence, the security support for the old release of 5.0 is going to end on the 6th of February 2012 as …

debian, MySQL »

[28 Oct 2011 | One Comment | 704 views]

I completed an upgrade of Debian Lenny to Squeeze on a production database server over the weekend. It went quite well and I had zero downtime thanks to my secondary database servers running in-place. One of the biggest benefits to running Squeeze is that MySQL runs at version 5.1.49. Lenny only supports up to MySQL 5.0.

Row-based replication is a safer way to replicate data to other servers, since all changes are replicated. Prior to MySQL 5.1.14, updates to the MySQL database were not replicated. They were updated via statements (e.g. GRANT, REVOKE). This can potentially cause data-consistency between the master and …

debian »

[21 Sep 2011 | No Comment | 1,021 views]

With kernel.org being down for the past few weeks, there isn’t a clear indication of when they’ll be back up. In the meantime, it’s a good time to check whether you are using mirrors.kernel.org in your Linux apt sources so you can continue to get the latest updates. As for developers, many are using GitHub or other repositories to host their code. For instance, Linus Torvalds has released the latest build of Linux 3.1 via GitHub.

debian, Tomcat »

[24 Jan 2011 | No Comment | 1,221 views]

If you encounter the following error in Debian Lenny while installing Sun-Java-6:

This package is an installer package, it does not actually contain the
JDK documentation. You will need to go download one of the
archives:

jdk-6u12-docs.zip jdk-6u12-docs-ja.zip

The quickest way to fix this is to go to the Sun/Oracle website and download the latest version of the JDK documentation. Place the file in the /tmp folder.
http://java.sun.com/javase/downloads/

debian, Linux, Tomcat »

[15 Nov 2010 | One Comment | 1,418 views]

Is your Debian install of Tomcat 5.5 not working with your Webapp?

Just a heads up for anyone with problems trying to get webapps working with Debian. I highly recommend installing Tomcat 6.0 from source. It helped clear a number of issues for me. Debian only supports Tomcat 5.5 in their package management system. I could have gone with unstable to get Tomcat 6.0, but I prefer not to deal with their folder organization layout (see below)

Here are a few resources I’ve used to install Tomcat 6.0 in Debian Lenny.

  1. How to Install Tomcat 6 in Debian Lenny. This is an excellent step-by-step tutorial. A+ in my book.

  2. http://www.mysql.com/downloads/connector/j/ Connector/J, MySQL JDBC Connector download.

  3. http://tomcat.apache.org/tomcat-6.0-doc/jndi-datasource-examples-howto.html. Tomcat 6.0 configuration with MySQL Connector/J JDBC.

debian, Linux »

[9 Nov 2010 | No Comment | 1,148 views]

Upon updating Webmin, I noticed that there is a new package dependency that breaks the updates.

To fix, you will need to get the phpini package from Webmin http://www.webmin.com/standard.html and extract the folder to your Webmin system folder. In Debian, it’s located in /usr/share/webmin/. This should also apply to any other Webmin packages that are missing from your system.

debian, Linux »

[5 Oct 2010 | No Comment | 1,057 views]

Scponly is used for chroot to limit server access for SSH and SFTP users. Unfortunately, the Debian package for scponly does not work with Debian 5.0.

If you upgraded from Debian 4 to Debian 5 and are using scponly, you may notice that the clients are unable to connect. Possible error messages include:

  • “failed WinSCP compatibility mode” error message
  • WinSCP closes unexpectedly after authenticating
  • Connection failure after successful authentication
  • Client logs two attempts to connect to the /home/username home directory before failing