Debian Security Notices
- DSA-4695 firefox-esr - security update
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or a timing attack on cryptographic keys.
- DSA-4694 unbound - security update
Two vulnerabilities have been discovered in Unbound, a recursive-only caching DNS server; a traffic amplification attack against third party authoritative name servers (NXNSAttack) and insufficient sanitisation of replies from upstream servers could result in denial of service via an infinite loop.
- DSA-4693 drupal7 - security update
Several vulnerabilities were discovered in Drupal, a fully-featured content management framework, which could result in an open redirect or cross-site scripting.
- DSA-4692 netqmail - security update
Georgi Guninski and the Qualys Research Labs discovered multiple vulnerabilities in qmail (shipped in Debian as netqmail with additional patches) which could result in the execution of arbitrary code, bypass of mail address verification and a local information leak revealing whether a file exists or not.
- DSA-4691 pdns-recursor - security update
Two vulnerabilities have been discovered in PDNS Recursor, a resolving name server; a traffic amplification attack against third party authoritative name servers (NXNSAttack) and insufficient validation of NXDOMAIN responses lacking an SOA.
- DSA-4690 dovecot - security update
Several vulnerabilities were discovered in the Dovecot email server, which could cause crashes in the submission, submission-login or lmtp services, resulting in denial of service.
- DSA-4688 dpdk - security update
Multiple vulnerabilities were discovered in the vhost code of DPDK, a set of libraries for fast packet processing, which could result in denial of service or the execution of arbitrary code by malicious guests/containers.
- DSA-4687 exim4 - security update
It was discovered that exim4, a mail transport agent, suffers from an authentication bypass vulnerability in the spa authentication driver. The spa authentication driver is not enabled by default.
- DSA-4686 apache-log4j1.2 - security update
It was discovered that the SocketServer class included in apache-log4j1.2, a logging library for Java, is vulnerable to deserialization of untrusted data. An attacker can take advantage of this flaw to execute arbitrary code in the context of the logger application by sending a specially crafted log event.
- DSA-4685 apt - security update
Shuaibing Lu discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could result in denial of service when processing specially crafted deb files.
- DSA-4684 libreswan - security update
Stephan Zeisberg discovered that the libreswan IPsec implementation could be forced into a crash/restart via a malformed IKEv1 Informational Exchange packet, resulting in denial of service.
- DSA-4683 thunderbird - security update
Multiple security issues have been found in Thunderbird which could result in spoofing the displayed sender email address, denial of service or potentially the execution of arbitrary code.
- DSA-4682 squid - security update
Multiple security issues were discovered in the Squid proxy caching server, which could result in the bypass of security filters, information disclosure, the execution of arbitrary code or denial of service.
- DSA-4680 tomcat9 - security update
Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface.
- DSA-4679 keystone - security update
A vulnerability was found in the EC2 credentials API of Keystone, the OpenStack identity service: any user authenticated within a limited scope (trust/oauth/application credential) could create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role.
- DSA-4678 firefox-esr - security update
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure.
- DSA-4677 wordpress - security update
Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform various Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirects, poison cache, and bypass authorization access and input sanitization.
- DSA-4676 salt - security update
Several vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieval of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts.
- DSA-4675 graphicsmagick - security update
Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in information disclosure, denial of service or the execution of arbitrary code if malformed image files are processed.
- DSA-4674 roundcube - security update
It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow a remote attacker to perform either a Cross-Site Request Forgery (CSRF) forcing an authenticated user to be logged out, or a Cross-Site Scripting (XSS) leading to execution of arbitrary code.