Debian Security Notices
- DSA-3208 freexl - security update
Jodie Cunningham discovered multiple vulnerabilities in freexl, a library to read Microsoft Excel spreadsheets, which might result in denial of service or the execution of arbitrary code if a malformed Excel file is opened.
- DSA-3207 shibboleth-sp2 - security update
A denial of service vulnerability was found in the Shibboleth (a federated identity framework) Service Provider. When processing certain malformed SAML messages generated by an authenticated attacker, the daemon could crash.
- DSA-3206 dulwich - security update
Multiple vulnerabilities have been discovered in Dulwich, a Python implementation of the file formats and protocols used by the Git version control system. The Common Vulnerabilities and Exposures project identifies the following problems:
- DSA-3205 batik - security update
Nicolas Gregoire and Kevin Schaller discovered that Batik, a toolkit for processing SVG images, would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption.
- DSA-3204 python-django - security update
Daniel Chatfield discovered that python-django, a high-level Python web development framework, incorrectly handled user-supplied redirect URLs. A remote attacker could use this flaw to perform a cross-site scripting attack.
- DSA-3203 tor - security update
Several denial-of-service issues have been discovered in Tor, a connection-based low-latency anonymous communication system.
- DSA-3202 mono - security update
Researchers at INRIA and Xamarin discovered several vulnerabilities in mono, a platform for running and developing applications based on the ECMA/ISO Standards. Mono's TLS stack contained several problems that hampered its capabilities: those issues could lead to client impersonation (via SKIP-TLS), SSLv2 fallback, and encryption weakening (via FREAK).
- DSA-3201 iceweasel - security update
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser. The Common Vulnerabilities and Exposures project identifies the following problems:
- DSA-3199 xerces-c - security update
Anton Rager and Jonathan Brossard from the Salesforce.com Product Security Team and Ben Laurie of Google discovered a denial of service vulnerability in xerces-c, a validating XML parser library for C++. The parser mishandles certain kinds of malformed input documents, resulting in a segmentation fault during a parse operation. An unauthenticated attacker could use this flaw to cause an application using the xerces-c library to crash.
- DSA-3197 openssl - security update
Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:
- DSA-3194 libxfont - security update
Ilja van Sprundel, Alan Coopersmith and William Robinet discovered multiple issues in libxfont's code to process BDF fonts, which might result in privilege escalation.
- DSA-3193 tcpdump - security update
Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service (application crash) or, potentially, execution of arbitrary code.
- DSA-3192 checkpw - security update
Hiroya Ito of GMO Pepabo, Inc. reported that checkpw, a password authentication program, has a flaw in processing account names which contain double dashes. A remote attacker can use this flaw to cause a denial of service (infinite loop).
- DSA-3191 gnutls26 - security update
Multiple vulnerabilities have been discovered in GnuTLS, a library implementing the TLS and SSL protocols. The Common Vulnerabilities and Exposures project identifies the following problems:
- DSA-3189 libav - security update
Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full list of the changes is available at
- DSA-3188 freetype - security update
Mateusz Jurczyk discovered multiple vulnerabilities in Freetype. Opening malformed fonts may result in denial of service or the execution of arbitrary code.
- DSA-3186 nss - security update
It was discovered that the Mozilla Network Security Service library (nss) incorrectly handled certain ASN.1 lengths. A remote attacker could possibly use this issue to perform a data-smuggling attack.
- DSA-3182 libssh2 - security update
Mariusz Ziulek reported that libssh2, an SSH2 client-side library, was reading and using the SSH_MSG_KEXINIT packet without doing sufficient range checks when negotiating a new SSH session with a remote server. A malicious attacker could man in the middle a real server and cause a client using the libssh2 library to crash (denial of service) or otherwise read and use unintended memory areas in this process.
- DSA-3177 mod-gnutls - security update
Thomas Klute discovered that in mod-gnutls, an Apache module providing SSL and TLS encryption with GnuTLS, a bug caused the server's client verify mode not to be considered at all, in case the directory's configuration was unset. Clients with invalid certificates were then able to leverage this flaw in order to get access to that directory.
- DSA-3180 libarchive - security update
Alexander Cherepanov discovered that bsdcpio, an implementation of the cpio program part of the libarchive project, is susceptible to a directory traversal vulnerability via absolute paths.
- DSA-3179 icedove - security update
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: multiple memory safety errors and implementation errors may lead to the execution of arbitrary code or information disclosure.
- DSA-3178 unace - security update
Jakub Wilk discovered that unace, a utility to extract, test and view .ace archives, contained an integer overflow leading to a buffer overflow. If a user or automated system were tricked into processing a specially crafted ace archive, an attacker could cause a denial of service (application crash) or, possibly, execute arbitrary code.