Recent Changes - Search:
NTLUG

Linux is free.
Life is good.

Linux Training
10am on Meeting Days!

1825 Monetary Lane Suite #104 Carrollton, TX

Do a presentation at NTLUG.

What is the Linux Installation Project?

Real companies using Linux!

Not just for business anymore.

Providing ready to run platforms on Linux

<< Mandriva | Distributions | Gentoo >>


Community

Support

Debian Planet

Debian Security Notices

  • DSA-3626 openssh - security update
    Eddie Harari reported that the OpenSSH SSH daemon allows userenumeration through timing differences when trying to authenticateusers. When sshd tries to authenticate a non-existing user, it will pickup a fixed fake password structure with a hash based on the Blowfishalgorithm. If real users passwords are hashed using SHA256/SHA512, thena remote attacker can take advantage of this flaw by sending largepasswords, receiving shorter response times from the server fornon-existing users.



  • DSA-3624 mysql-5.5 - security update
    Several issues have been discovered in the MySQL database server. Thevulnerabilities are addressed by upgrading MySQL to the new upstreamversion 5.5.50. Please see the MySQL 5.5 Release Notes and Oracle'sCritical Patch Update advisory for further details:


  • DSA-3623 apache2 - security update
    Scott Geary of VendHQ discovered that the Apache HTTPD server used thevalue of the Proxy header from HTTP requests to initialize theHTTP_PROXY environment variable for CGI scripts, which in turn wasincorrectly used by certain HTTP client implementations to configure theproxy for outgoing HTTP requests. A remote attacker could possibly usethis flaw to redirect HTTP requests performed by a CGI script to anattacker-controlled proxy via a malicious HTTP request.


  • DSA-3622 python-django - security update
    It was discovered that Django, a high-level Python web developmentframework, is prone to a cross-site scripting vulnerability in theadmin's add/change related popup.


  • DSA-3621 mysql-connector-java - security update
    A vulnerability was discovered in mysql-connector-java, a Java database(JDBC) driver for MySQL, which may result in unauthorized update, insertor delete access to some MySQL Connectors accessible data as well asread access to a subset of MySQL Connectors accessible data. Thevulnerability was addressed by upgrading mysql-connector-java to the newupstream version 5.1.39, which includes additional changes, such as bugfixes, new features, and possibly incompatible changes. Please see theMySQL Connector/J Release Notes and Oracle's Critical Patch Updateadvisory for further details:


  • DSA-3620 pidgin - security update
    Yves Younan of Cisco Talos discovered several vulnerabilities in theMXit protocol support in pidgin, a multi-protocol instant messagingclient. A remote attacker can take advantage of these flaws to cause adenial of service (application crash), overwrite files, informationdisclosure, or potentially to execute arbitrary code.


  • DSA-3619 libgd2 - security update
    Several vulnerabilities were discovered in libgd2, a library forprogrammatic graphics creation and manipulation. A remote attacker cantake advantage of these flaws to cause a denial-of-service against anapplication using the libgd2 library (application crash), or potentiallyto execute arbitrary code with the privileges of the user running theapplication.


  • DSA-3618 php5 - security update
    Several vulnerabilities were found in PHP, a general-purpose scriptinglanguage commonly used for web application development.



  • DSA-3616 linux - security update
    Several vulnerabilities have been discovered in the Linux kernel thatmay lead to a privilege escalation, denial of service or informationleaks.


  • DSA-3615 wireshark - security update
    Multiple vulnerabilities were discovered in the dissectors/parsers forPKTC, IAX2, GSM CBCH and NCP, SPOOLS, IEEE 802.11, UMTS FP, USB,Toshiba, CoSine, NetScreen, WBXML which could result in denial of serviceor potentially the execution of arbitrary code.


  • DSA-3614 tomcat7 - security update
    The TERASOLUNA Framework Development Team discovered a denial of servicevulnerability in Apache Commons FileUpload, a package to make iteasy to add robust, high-performance, file upload capability to servletsand web applications. A remote attacker can take advantage of this flawby sending file upload requests that cause the HTTP server using theApache Commons Fileupload library to become unresponsive, preventing theserver from servicing other requests.


  • DSA-3613 libvirt - security update
    Vivian Zhang and Christoph Anton Mitterer discovered that setting anempty VNC password does not work as documented in Libvirt, avirtualisation abstraction library. When the password on a VNC server isset to the empty string, authentication on the VNC server will bedisabled, allowing any user to connect, despite the documentationdeclaring that setting an empty password for the VNC server prevents allclient connections. With this update the behaviour is enforced bysetting the password expiration to now.


  • DSA-3612 gimp - security update
    Shmuel H discovered that GIMP, the GNU Image Manipulation Program, isprone to a use-after-free vulnerability in the channel and layerproperties parsing process when loading a XCF file. An attacker can takeadvantage of this flaw to potentially execute arbitrary code with theprivileges of the user running GIMP if a specially crafted XCF file isprocessed.


  • DSA-3611 libcommons-fileupload-java - security update
    The TERASOLUNA Framework Development Team discovered a denial of servicevulnerability in Apache Commons FileUpload, a package to make iteasy to add robust, high-performance, file upload capability to servletsand web applications. A remote attacker can take advantage of this flawby sending file upload requests that cause the HTTP server using theApache Commons Fileupload library to become unresponsive, preventing theserver from servicing other requests.


  • DSA-3610 xerces-c - security update
    Brandon Perry discovered that xerces-c, a validating XML parser libraryfor C++, fails to successfully parse a DTD that is deeply nested,causing a stack overflow. A remote unauthenticated attacker can takeadvantage of this flaw to cause a denial of service against applicationsusing the xerces-c library.


  • DSA-3609 tomcat8 - security update
    Multiple security vulnerabilities have been discovered in the Tomcatservlet and JSP engine, which may result in information disclosure, thebypass of CSRF protections, bypass of the SecurityManager or denial ofservice.


  • DSA-3608 libreoffice - security update
    Aleksandar Nikolic discovered that missing input sanitising in the RTFparser in Libreoffice may result in the execution of arbitrary code ifa malformed documented is opened.


  • DSA-3607 linux - security update
    Several vulnerabilities have been discovered in the Linux kernel thatmay lead to a privilege escalation, denial of service or informationleaks.



Debian Forum at linuxquestions.org

Page last modified on September 14, 2006, at 12:07 AM