NTLUG



Community

Support

Debian Planet

Debian Security Notices

  • DSA-3251 dnsmasq - security update
    Nick Sampanis discovered that dnsmasq, a small caching DNS proxy and DHCP/TFTP server, did not properly check the return value of the setup_reply() function called during a TCP connection, which is used then as a size argument in a function which writes data on the client's connection. A remote attacker could exploit this issue via a specially crafted DNS request to cause dnsmasq to crash, or potentially to obtain sensitive information from process memory.


  • DSA-3250 wordpress - security update
    Multiple security issues have been discovered in Wordpress, a weblog manager, that could allow remote attackers to upload files with invalid or unsafe names, mount social engineering attacks or compromise a site via cross-site scripting, and inject SQL commands.


  • DSA-3249 jqueryui - security update
    Shadowman131 discovered that jqueryui, a JavaScript UI library for dynamic web applications, failed to properly sanitize its title option. This would allow a remote attacker to inject arbitrary code through cross-site scripting.



  • DSA-3247 ruby2.1 - security update
    It was discovered that the Ruby OpenSSL extension, part of the interpreter for the Ruby language, did not properly implement hostname matching, in violation of RFC 6125. This could allow remote attackers to perform a man-in-the-middle attack via crafted SSL certificates.


  • DSA-3246 ruby1.9.1 - security update
    It was discovered that the Ruby OpenSSL extension, part of the interpreter for the Ruby language, did not properly implement hostname matching, in violation of RFC 6125. This could allow remote attackers to perform a man-in-the-middle attack via crafted SSL certificates.


  • DSA-3245 ruby1.8 - security update
    It was discovered that the Ruby OpenSSL extension, part of the interpreter for the Ruby language, did not properly implement hostname matching, in violation of RFC 6125. This could allow remote attackers to perform a man-in-the-middle attack via crafted SSL certificates.



  • DSA-3243 libxml-libxml-perl - security update
    Tilmann Haak from xing.com discovered that XML::LibXML, a Perl interface to the libxml2 library, did not respect the expand_entities parameter to disable processing of external entities in some circumstances. This may allow attackers to gain read access to otherwise protected resources, depending on how the library is used.




  • DSA-3240 curl - security update
    It was discovered that cURL, an URL transfer library, if configured to use a proxy server with the HTTPS protocol, by default could send to the proxy the same HTTP headers it sends to the destination server, possibly leaking sensitive information.


  • DSA-3239 icecast2 - security update
    Juliane Holzt discovered that Icecast2, a streaming media server, could dereference a NULL pointer when URL authentication is configured and the stream_auth URL is triggered by a client without setting any credentials. This could allow remote attackers to cause a denial of service (crash).



  • DSA-3237 linux - security update
    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.


  • DSA-3236 libreoffice - security update
    It was discovered that missing input sanitising in Libreoffice's filter for HWP documents may result in the execution of arbitrary code if a malformed document is opened.


  • DSA-3235 openjdk-7 - security update
    Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.


  • DSA-3234 openjdk-6 - security update
    Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.


  • DSA-3233 wpa - security update
    The Google security team and the smart hardware research group of Alibaba security team discovered a flaw in how wpa_supplicant used SSID information when creating or updating P2P peer entries. A remote attacker can use this flaw to cause wpa_supplicant to crash, expose memory contents, and potentially execute arbitrary code.



  • DSA-3231 subversion - security update
    Several vulnerabilities were discovered in Subversion, a version control system. The Common Vulnerabilities and Exposures project identifies the following problems:


  • DSA-3230 django-markupfield - security update
    James P. Turk discovered that the ReST renderer in django-markupfield, a custom Django field for easy use of markup in text fields, didn't disable the ..raw directive, allowing remote attackers to include arbitrary files.


  • DSA-3229 mysql-5.5 - security update
    Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.43. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:


  • DSA-3228 ppp - security update
    Emanuele Rocca discovered that ppp, a daemon implementing the Point-to-Point Protocol, was subject to a buffer overflow when communicating with a RADIUS server. This would allow unauthenticated users to cause a denial-of-service by crashing the daemon.


  • DSA-3227 movabletype-opensource - security update
    John Lightsey discovered a format string injection vulnerability in the localisation of templates in Movable Type, a blogging system. An unauthenticated remote attacker could take advantage of this flaw to execute arbitrary code as the web server user.




  • DSA-3224 libx11 - security update
    Abhishek Arya discovered a buffer overflow in the MakeBigReq macro provided by libx11, which could result in denial of service or the execution of arbitrary code.




  • DSA-3221 das-watchdog - security update
    Adam Sampson discovered a buffer overflow in the handling of the XAUTHORITY environment variable in das-watchdog, a watchdog daemon to ensure a realtime process won't hang the machine. A local user can exploit this flaw to escalate his privileges and execute arbitrary code as root.


  • DSA-3220 libtasn1-3 - security update
    Hanno Boeck discovered a stack-based buffer overflow in the asn1_der_decoding function in Libtasn1, a library to manage ASN.1 structures. A remote attacker could take advantage of this flaw to cause an application using the Libtasn1 library to crash, or potentially to execute arbitrary code.


  • DSA-3219 libdbd-firebird-perl - security update
    Stefan Roas discovered a way to cause a buffer overflow in DBD-FireBird, a Perl DBI driver for the Firebird RDBMS, in certain error conditions, due to the use of the sprintf() function to write to a fixed-size memory buffer.


  • DSA-3218 wesnoth-1.10 - security update
    Ignacio R. Morelle discovered that missing path restrictions in the Battle of Wesnoth game could result in the disclosure of arbitrary files in the user's home directory if malicious campaigns/maps are loaded.


  • DSA-3217 dpkg - security update
    Jann Horn discovered that the source package integrity verification in dpkg-source can be bypassed via a specially crafted Debian source control file (.dsc). Note that this flaw only affects extraction of local Debian source packages via dpkg-source but not the installation of packages from the Debian archive.




  • DSA-3214 mailman - security update
    A path traversal vulnerability was discovered in Mailman, the mailing list manager. Installations using a transport script (such as postfix-to-mailman.py) to interface with their MTA instead of static aliases were vulnerable to a path traversal attack. To successfully exploit this, an attacker needs write access on the local file system.


  • DSA-3213 arj - security update
    Multiple vulnerabilities have been discovered in arj, an open source version of the arj archiver. The Common Vulnerabilities and Exposures project identifies the following problems:


Debian Forum at linuxquestions.org

Page last modified on September 14, 2006, at 12:07 AM