1825 Monetary Lane Suite #104 Carrollton, TX
Do a presentation at NTLUG.
What is the Linux Installation Project?
Real companies using Linux!
Not just for business anymore.
Providing ready to run platforms on Linux
|
<< Mandriva | Distributions | Gentoo >>
Community
Support
|
Debian Planet
|
Debian Security Notices
- DSA-5865-1 webkit2gtk - security update
The following vulnerabilities have been discovered in the WebKitGTKweb engine: CVE-2025-24143 An anonymous researcher discovered that a maliciously crafted webpage may be able to fingerprint the user. CVE-2025-24150 Johan Carlsson discovered that copying a URL from Web Inspector may lead to command injection. CVE-2025-24158 Q1IQ and P1umer discovered that processing web content may lead to a denial-of-service. CVE-2025-24162 linjy and chluo discovered that processing maliciously crafted web content may lead to an unexpected process crash. https://security-tracker.debian.org/tracker/DSA-5865-1
- DSA-5845-1 tomcat10 - security update
Several problems have been addressed in Tomcat 10, a Java based web server,servlet and JSP engine which may lead to a denial-of-service.
CVE-2024-38286 Apache Tomcat, under certain configurations, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process. CVE-2024-52316 Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. CVE-2024-50379 / CVE-2024-56337 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). Some users may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat. https://security-tracker.debian.org/tracker/DSA-5845-1
- DSA-5843-1 rsync - security update
Several vulnerabilities were discovered in rsync, a fast, versatile,remote (and local) file-copying tool. CVE-2024-12084 Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a heap-based buffer overflow vulnerability due to improper handling of attacker-controlled checksum lengths. A remote attacker can take advantage of this flaw for code execution. CVE-2024-12085 Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a flaw in the way rsync compares file checksums, allowing a remote attacker to trigger an information leak. CVE-2024-12086 Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a flaw which would result in a server leaking contents of an arbitrary file from the client's machine. CVE-2024-12087 Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a path traversal vulnerability in the rsync daemon affecting the --inc-recursive option, which could allow a server to write files outside of the client's intended destination directory. CVE-2024-12088 Simon Scannell, Pedro Gallegos and Jasiel Spelman reported that when using the --safe-links option, rsync fails to properly verify if a symbolic link destination contains another symbolic link with it, resulting in path traversal and arbitrary file write outside of the desired directory. CVE-2024-12747 Aleksei Gorban "loqpa" discovered a race condition when handling symbolic links resulting in an information leak which may enable escalation of privileges. https://security-tracker.debian.org/tracker/DSA-5843-1
- DSA-5842-1 openafs - security update
Several vulnerabilities were discovered in OpenAFS, an implementation ofthe AFS distributed filesystem, which may result in theft of credentialsin Unix client PAGs (CVE-2024-10394), fileserver crashes and informationleak on StoreACL/FetchACL (CVE-2024-10396) or buffer overflows in XDRresponses resulting in denial of service and potentially code execution(CVE-2024-10397). https://security-tracker.debian.org/tracker/DSA-5842-1
|