Recent Changes - Search:
NTLUG

Linux is free.
Life is good.

Linux Training
10am on Meeting Days!

1825 Monetary Lane Suite #104 Carrollton, TX

Do a presentation at NTLUG.

What is the Linux Installation Project?

Real companies using Linux!

Not just for business anymore.

Providing ready to run platforms on Linux

<< Mandriva | Distributions | Gentoo >>


Community

Support

Debian Planet

Debian Security Notices


  • DSA-3273 tiff - security update
    William Robinet and Michal Zalewski discovered multiple vulnerabilitiesin the TIFF library and its tools, which may result in denial ofservice or the execution of arbitrary code if a malformed TIFF fileis processed.


  • DSA-3272 ipsec-tools - security update
    Javantea discovered a NULL pointer dereference flaw in racoon, theInternet Key Exchange daemon of ipsec-tools. A remote attacker can usethis flaw to cause the IKE daemon to crash via specially crafted UDPpackets, resulting in a denial of service.


  • DSA-3271 nbd - security update
    Tuomas Räsänen discovered that unsafe signal handling in nbd-server, theserver for the Network Block Device protocol, could allow remoteattackers to cause a deadlock in the server process and thus a denial ofservice.




  • DSA-3268 ntfs-3g - security update
    Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver forFUSE, does not scrub the environment before executing mount or umountwith elevated privileges. A local user can take advantage of this flawto overwrite arbitrary files and gain elevated privileges by accessingdebugging features via the environment that would not normally be safefor unprivileged users.



  • DSA-3266 fuse - security update
    Tavis Ormandy discovered that FUSE, a Filesystem in USErspace, does notscrub the environment before executing mount or umount with elevatedprivileges. A local user can take advantage of this flaw to overwritearbitrary files and gain elevated privileges by accessing debuggingfeatures via the environment that would not normally be safe forunprivileged users.



  • DSA-3264 icedove - security update
    Multiple security issues have been found in Icedove, Debian's version ofthe Mozilla Thunderbird mail client: Multiple memory safety errors,buffer overflows and use-after-frees may lead to the execution ofarbitrary code, privilege escalation or denial of service.


  • DSA-3263 proftpd-dfsg - security update
    Vadim Melihow discovered that in proftpd-dfsg, an FTP server, themod_copy module allowed unauthenticated users to copy files around onthe server, and possibly to execute arbitrary code.


  • DSA-3262 xen - security update
    Jason Geffner discovered a buffer overflow in the emulated floppydisk drive, resulting in the potential execution of arbitrary code.This only affects HVM guests.



  • DSA-3260 iceweasel - security update
    Multiple security issues have been found in Iceweasel, Debian's versionof the Mozilla Firefox web browser: Multiple memory safety errors,buffer overflows and use-after-frees may lead to the execution ofarbitrary code, privilege escalation or denial of service.



  • DSA-3258 quassel - security update
    It was discovered that the fix forCVE-2013-4422 in quassel, adistributed IRC client, was incomplete. This could allow remoteattackers to inject SQL queries after a database reconnection (e.g.when the backend PostgreSQL server is restarted).


  • DSA-3257 mercurial - security update
    Jesse Hertz of Matasano Security discovered that Mercurial, adistributed version control system, is prone to a command injectionvulnerability via a crafted repository name in a clone command.


  • DSA-3256 libtasn1-6 - security update
    Hanno Boeck discovered a heap-based buffer overflow flaw in the wayLibtasn1, a library to manage ASN.1 structures, decoded certainDER-encoded input. A specially crafted DER-encoded input could cause anapplication using the Libtasn1 library to crash, or potentially toexecute arbitrary code.


  • DSA-3255 zeromq3 - security update
    It was discovered that libzmq, a lightweight messaging kernel, issusceptible to a protocol downgrade attack on sockets using the ZMTP v3protocol. This could allow remote attackers to bypass ZMTP v3 securitymechanisms by sending ZMTP v2 or earlier headers.


  • DSA-3254 suricata - security update
    Kostya Kortchinsky of the Google Security Team discovered a flaw in theDER parser used to decode SSL/TLS certificates in suricata. A remoteattacker can take advantage of this flaw to cause suricata to crash.


  • DSA-3253 pound - security update
    Pound, a HTTP reverse proxy and load balancer, had several issuesrelated to vulnerabilities in the Secure Sockets Layer (SSL) protocol.


  • DSA-3252 sqlite3 - security update
    Michal Zalewski discovered multiple vulnerabilities in SQLite, whichmay result in denial of service or the execution of arbitrary code.


  • DSA-3251 dnsmasq - security update
    Nick Sampanis discovered that dnsmasq, a small caching DNS proxy andDHCP/TFTP server, did not properly check the return value of thesetup_reply() function called during a TCP connection, which is usedthen as a size argument in a function which writes data on the client'sconnection. A remote attacker could exploit this issue via a speciallycrafted DNS request to cause dnsmasq to crash, or potentially to obtainsensitive information from process memory.


  • DSA-3250 wordpress - security update
    Multiple security issues have been discovered in Wordpress, a weblogmanager, that could allow remote attackers to upload files with invalidor unsafe names, mount social engineering attacks or compromise a sitevia cross-site scripting, and inject SQL commands.


  • DSA-3249 jqueryui - security update
    Shadowman131 discovered that jqueryui, a JavaScript UI library fordynamic web applications, failed to properly sanitize its titleoption. This would allow a remote attacker to inject arbitrary codethrough cross-site scripting.



  • DSA-3247 ruby2.1 - security update
    It was discovered that the Ruby OpenSSL extension, part of the interpreterfor the Ruby language, did not properly implement hostname matching, inviolation of RFC 6125. This could allow remote attackers to perform aman-in-the-middle attack via crafted SSL certificates.


  • DSA-3246 ruby1.9.1 - security update
    It was discovered that the Ruby OpenSSL extension, part of the interpreterfor the Ruby language, did not properly implement hostname matching, inviolation of RFC 6125. This could allow remote attackers to perform aman-in-the-middle attack via crafted SSL certificates.


  • DSA-3245 ruby1.8 - security update
    It was discovered that the Ruby OpenSSL extension, part of the interpreterfor the Ruby language, did not properly implement hostname matching, inviolation of RFC 6125. This could allow remote attackers to perform aman-in-the-middle attack via crafted SSL certificates.



  • DSA-3243 libxml-libxml-perl - security update
    Tilmann Haak from xing.com discovered that XML::LibXML, a Perl interfaceto the libxml2 library, did not respect the expand_entities parameter todisable processing of external entities in some circumstances. This mayallow attackers to gain read access to otherwise protected resources,depending on how the library is used.




  • DSA-3240 curl - security update
    It was discovered that cURL, an URL transfer library, if configured touse a proxy server with the HTTPS protocol, by default could send to theproxy the same HTTP headers it sends to the destination server, possiblyleaking sensitive information.


  • DSA-3239 icecast2 - security update
    Juliane Holzt discovered that Icecast2, a streaming media server, coulddereference a NULL pointer when URL authentication is configured and thestream_auth URL is trigged by a client without setting any credentials.This could allow remote attackers to cause a denial of service (crash).


Debian Forum at linuxquestions.org

Page last modified on September 14, 2006, at 12:07 AM