
Linux Training
10am on Meeting Days!

1825 Monetary Lane Suite #104 Carrollton, TX

Do a presentation at NTLUG.

What is the Linux Installation Project?

Real companies using Linux!

Not just for business anymore.

Providing ready to run platforms on Linux

<< Mandriva | Distributions | Gentoo >>



Debian Planet

Debian Security Notices

  • DSA-3343 twig - security update
    James Kettle, Alain Tiemblo, Christophe Coevoet and Fabien Potencier discovered that twig, a templating engine for PHP, did not correctly process its input. End users allowed to submit twig templates could use specially crafted code to trigger remote code execution, even in sandboxed templates.

  • DSA-3342 vlc - security update
    Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a multimedia player and streamer, could dereference an arbitrary pointer due to insufficient restrictions on a writable buffer. This could allow remote attackers to execute arbitrary code via crafted 3GP files.

  • DSA-3341 conntrack - security update
    It was discovered that in certain configurations, if the relevant conntrack kernel module is not loaded, conntrackd will crash when handling DCCP, SCTP or ICMPv6 packets.

  • DSA-3340 zendframework - security update
    Dawid Golunski discovered that when running under PHP-FPM in a threaded environment, Zend Framework, a PHP framework, did not properly handle XML data in multibyte encoding. This could be used by remote attackers to perform an XML External Entity attack via crafted XML data.

  • DSA-3339 openjdk-6 - security update
    Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure, denial of service or insecure cryptography.

  • DSA-3338 python-django - security update
    Lin Hua Cheng discovered that a session could be created when anonymously accessing the django.contrib.auth.views.logout view. This could allow remote attackers to saturate the session store or cause other users' session records to be evicted.

  • DSA-3337 gdk-pixbuf - security update
    Gustavo Grieco discovered a heap overflow in the processing of BMP images which may result in the execution of arbitrary code if a malformed image is opened.

  • DSA-3336 nss - security update
    Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library. The Common Vulnerabilities and Exposures project identifies the following problems:

  • DSA-3335 request-tracker4 - security update
    It was discovered that Request Tracker, an extensible trouble-ticket tracking system, is susceptible to a cross-site scripting attack via the user and group rights management pages (CVE-2015-5475) and via the cryptography interface, allowing an attacker with a carefully-crafted key to inject JavaScript into RT's user interface. Installations which use neither GnuPG nor S/MIME are unaffected by the second cross-site scripting vulnerability.

  • DSA-3334 gnutls28 - security update
    Kurt Roeckx discovered that decoding a specific certificate with very long DistinguishedName (DN) entries leads to a double free. A remote attacker can take advantage of this flaw by creating a specially crafted certificate that, when processed by an application compiled against GnuTLS, could cause the application to crash, resulting in a denial of service.

  • DSA-3333 iceweasel - security update
    Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: multiple memory safety errors, integer overflows, buffer overflows, use-after-frees and other implementation errors may lead to the execution of arbitrary code, bypass of the same-origin policy or denial of service.

  • DSA-3330 activemq - security update
    It was discovered that the Apache ActiveMQ message broker is susceptible to denial of service through an undocumented, remote shutdown command.

  • DSA-3329 linux - security update
    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak.

  • DSA-3327 squid3 - security update
    Alex Rousskov of The Measurement Factory discovered that Squid3, a fully featured web proxy cache, does not correctly handle CONNECT method peer responses when configured with cache_peer and operating on explicit proxy traffic. This could allow remote clients to gain unrestricted access through a gateway proxy to its backend proxy.

  • DSA-3326 ghostscript - security update
    William Robinet and Stefan Cornelius discovered an integer overflow in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or potentially execution of arbitrary code if a specially crafted file is opened.

  • DSA-3324 icedove - security update
    Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: multiple memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code or denial of service. This update also addresses a vulnerability in DHE key processing commonly known as the LogJam vulnerability.

  • DSA-3322 ruby-rack - security update
    Tomek Rabczak from the NCC Group discovered a flaw in the normalize_params() method in Rack, a modular Ruby webserver interface. A remote attacker can use this flaw via specially crafted requests to cause a SystemStackError and potentially cause a denial of service condition for the service.

  • DSA-3321 xmltooling - security update
    The InCommon Shibboleth Training team discovered that XMLTooling, a C++ XML parsing library, did not properly handle an exception when parsing well-formed but schema-invalid XML. This could allow remote attackers to cause a denial of service (crash) via crafted XML data.

  • DSA-3320 openafs - security update
    It was discovered that OpenAFS, the implementation of the distributed filesystem AFS, contained several flaws that could result in information leak, denial-of-service or kernel panic.

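The DSA-3322 entry above is the one advisory in this list whose root cause is simple enough to show in a few lines: a query-string normalizer that recurses once per bracket level in a parameter name lets the client choose the recursion depth, and a long enough key exhausts the interpreter stack. The following Ruby is an added example written for this page; it is not Rack's code and not the Debian patch. It is a miniature normalizer in the spirit of normalize_params() alongside a version that refuses over-deep keys before recursing. Every name in it (split_key, naive_normalize, safe_normalize, PARAM_DEPTH_LIMIT, ParamDepthError, hostile_query, outcome) and the hostile query string are assumptions constructed for the example.

```ruby
require 'uri'

# Added example for DSA-3322 (ruby-rack). NOT Rack's code: a miniature
# nested-parameter normalizer in the spirit of normalize_params(),
# written to show why unbounded recursion over bracketed keys is a
# denial-of-service vector and how a depth cap closes it. All names
# below are assumptions made for this example.

# Assumed cap on nesting; any small fixed bound serves the purpose.
PARAM_DEPTH_LIMIT = 100

# Assumed error type for a refused request (maps to a 4xx, not a crash).
class ParamDepthError < RangeError; end

# "user[address][city]" -> ["user", "address", "city"]
def split_key(key)
  head, rest = key.match(/\A([^\[\]]*)(.*)\z/m).captures
  [head] + rest.scan(/\[([^\[\]]*)\]/).flatten
end

# Vulnerable pattern: one recursive call per bracket level with no
# bound, so the attacker controls the recursion depth (and therefore
# the VM stack) through the length of a single query-string key.
def naive_normalize(params, names, value, i = 0)
  name = names[i]
  if i == names.length - 1
    params[name] = value
  else
    params[name] = {} unless params[name].is_a?(Hash)
    naive_normalize(params[name], names, value, i + 1)
  end
  params
end

# Hardened pattern: bound the depth before recursing. The request is
# refused with an ordinary exception instead of exhausting the stack.
def safe_normalize(params, names, value)
  if names.length > PARAM_DEPTH_LIMIT
    raise ParamDepthError,
          "parameter nested #{names.length} levels deep (limit #{PARAM_DEPTH_LIMIT})"
  end
  naive_normalize(params, names, value)
end

# Parse "a=1&b[c]=2" into nested hashes with either normalizer.
def parse_query(query, strict: true)
  query.split('&').each_with_object({}) do |pair, params|
    k, v = pair.split('=', 2)
    names = split_key(URI.decode_www_form_component(k))
    value = v && URI.decode_www_form_component(v)
    if strict
      safe_normalize(params, names, value)
    else
      naive_normalize(params, names, value)
    end
  end
end

# Constructed hostile input: one name followed by `depth` bracket levels.
def hostile_query(depth)
  "a#{'[b]' * depth}=1"
end

# How a normalizer fares on a query: :parsed, :rejected (clean refusal)
# or :stack_exhausted (the SystemStackError the advisory describes).
def outcome(query, strict:)
  parse_query(query, strict: strict)
  :parsed
rescue ParamDepthError
  :rejected
rescue SystemStackError
  :stack_exhausted
end

if __FILE__ == $PROGRAM_NAME
  p parse_query("user[name]=Ann&user[address][city]=Dallas&q=rack")
  deep = hostile_query(200_000)
  puts "naive:  #{outcome(deep, strict: false)}"
  puts "strict: #{outcome(deep, strict: true)}"
end
```

The check is deliberately placed before the first recursive call rather than inside it: the cost of the attack is paid on the way down, so the bound has to be enforced from the size of the attacker-controlled input, not discovered after the fact. The same reasoning applies to any recursive-descent handling of client data (JSON, XML, nested form parameters): cap the depth up front and fail the request, rather than letting the interpreter fail for you.
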
Page last modified on September 14, 2006, at 12:07 AM