1825 Monetary Lane Suite #104 Carrollton, TX
Do a presentation at NTLUG.
What is the Linux Installation Project?
Real companies using Linux!
Not just for business anymore.
Providing ready to run platforms on Linux
<< Mandriva | Distributions | Gentoo >>
Debian Security Notices
- DSA-3409 putty - security update
A memory-corrupting integer overflow in the handling of the ECH (erasecharacters) control sequence was discovered in PuTTY's terminalemulator. A remote attacker can take advantage of this flaw to mount adenial of service or potentially to execute arbitrary code.
- DSA-3408 gnutls26 - security update
It was discovered that GnuTLS, a library implementing the TLS and SSLprotocols, incorrectly validates the first byte of padding in CBC modes.A remote attacker can possibly take advantage of this flaw to perform apadding oracle attack.
- DSA-3407 dpkg - security update
Hanno Boeck discovered a stack-based buffer overflow in the dpkg-debcomponent of dpkg, the Debian package management system. This flaw couldpotentially lead to arbitrary code execution if a user or an automatedsystem were tricked into processing a specially crafted Debian binarypackage (.deb) in the old style Debian binary package format.
- DSA-3406 nspr - security update
It was discovered that incorrect memory allocation in the NetScapePortable Runtime library might result in denial of service or theexecution of arbitrary code.
- DSA-3405 smokeping - security update
Tero Marttila discovered that the Debian packaging for smokepinginstalled it in such a way that the CGI implementation of Apache httpd(mod_cgi) passed additional arguments to the smokeping_cgi program,potentially leading to arbitrary code execution in response to craftedHTTP requests.
- DSA-3404 python-django - security update
Ryan Butterfield discovered a vulnerability in the date template filterin python-django, a high-level Python web development framework. Aremote attacker can take advantage of this flaw to obtain any secret inthe application's settings.
- DSA-3403 libcommons-collections3-java - security update
This update backports changes from the commons-collections 3.2.2 releasewhich disable the deserialisation of the functors classes unless thesystem property org.apache.commons.collections.enableUnsafeSerializationis set to true. This fixes a vulnerability in unsafe applicationsdeserialising objects from untrusted sources without sanitising theinput data. Classes considered unsafe are: CloneTransformer, ForClosure,InstantiateFactory, InstantiateTransformer, InvokerTransformer,PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.
- DSA-3402 symfony - security update
Several vulnerabilities have been discovered in symfony, a framework tocreate websites and web applications. The Common Vulnerabilities andExposures project identifies the following problems:
- DSA-3400 lxc - security update
Roman Fiedler discovered a directory traversal flaw in LXC, the LinuxContainers userspace tools. A local attacker with access to a LXCcontainer could exploit this flaw to run programs inside the containerthat are not confined by AppArmor or expose unintended files in the hostto the container.
- DSA-3399 libpng - security update
Several vulnerabilities have been discovered in the libpng PNG library.The Common Vulnerabilities and Exposures project identifies thefollowing problems:
- DSA-3397 wpa - security update
Several vulnerabilities have been discovered in wpa_supplicant andhostapd. The Common Vulnerabilities and Exposures project identifies thefollowing problems:
- DSA-3395 krb5 - security update
Several vulnerabilities were discovered in krb5, the MIT implementationof Kerberos. The Common Vulnerabilities and Exposures project identifiesthe following problems:
- DSA-3393 iceweasel - security update
Multiple security issues have been found in Iceweasel, Debian's versionof the Mozilla Firefox web browser: Multiple memory safety errors,integer overflows, buffer overflows and other implementation errors maylead to the execution of arbitrary code, information disclosure ordenial of service.
- DSA-3392 freeimage - security update
Pengsu Cheng discovered that FreeImage, a library for graphic imageformats, contained multiple integer underflows that could lead to adenial of service: remote attackers were able to trigger a crash bysupplying a specially crafted image.
- DSA-3391 php-horde - security update
It was discovered that the web-based administration interface in theHorde Application Framework did not guard against Cross-Site RequestForgery (CSRF) attacks. As a result, other, malicious web pages couldcause Horde applications to perform actions as the Horde user.
- DSA-3390 xen - security update
It was discovered that the code to validate level 2 page table entriesis bypassed when certain conditions are satisfied. A malicious PV guestadministrator can take advantage of this flaw to gain privileges via acrafted superpage mapping.
- DSA-3389 elasticsearch - end-of-life
Security support for elasticsearch in jessie is hereby discontinued. Theproject no longer releases information on fixed security issues whichallow backporting them to released versions of Debian and activelydiscourages from doing so.
- DSA-3387 openafs - security update
John Stumpo discovered that OpenAFS, a distributed file system, doesnot fully initialize certain network packets before transmitting them.This can lead to a disclosure of the plaintext of previously processedpackets.