

Community

Support

Debian Planet

Debian Security Notices

  • DSA-3467 tiff - security update
    Several vulnerabilities have been found in tiff, a Tag Image File Format library. Multiple out-of-bounds read and write flaws could cause an application using the tiff library to crash.

  • DSA-3466 krb5 - security update
    Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems:

  • DSA-3465 openjdk-6 - security update
    Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, information disclosure, denial of service and insecure cryptography.

  • DSA-3464 rails - security update
    Multiple security issues have been discovered in the Ruby on Rails web application development framework, which may result in denial of service, cross-site scripting, information disclosure or bypass of input validation.

  • DSA-3461 freetype - security update
    Mateusz Jurczyk discovered multiple vulnerabilities in FreeType. Opening malformed fonts may result in denial of service or the execution of arbitrary code.

  • DSA-3460 privoxy - security update
    It was discovered that privoxy, a web proxy with advanced filtering capabilities, contained invalid reads that could enable a remote attacker to crash the application, thus causing a Denial of Service.

  • DSA-3459 mysql-5.5 - security update
    Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.47. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

  • DSA-3458 openjdk-7 - security update
    Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, information disclosure, denial of service and insecure cryptography.

  • DSA-3457 iceweasel - security update
    Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors and a buffer overflow may lead to the execution of arbitrary code. In addition the bundled NSS crypto library addresses the SLOTH attack on TLS 1.2.

  • DSA-3455 curl - security update
    Isaac Boukris discovered that cURL, a URL transfer library, reused NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for the new transfer. This could lead to HTTP requests being sent over the connection authenticated as a different user.

  • DSA-3453 mariadb-10.0 - security update
    Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.23. Please see the MariaDB 10.0 Release Notes for further details:

  • DSA-3452 claws-mail - security update
    DrWhax of the Tails project reported that Claws Mail is missing range checks in some text conversion functions. A remote attacker could exploit this to run arbitrary code under the account of a user that receives a message from them using Claws Mail.

  • DSA-3451 fuse - security update
    Jann Horn discovered a vulnerability in the fuse (Filesystem in Userspace) package in Debian. The fuse package ships a udev rule adjusting permissions on the related /dev/cuse character device, making it world writable.

  • DSA-3450 ecryptfs-utils - security update
    Jann Horn discovered that the setuid-root mount.ecryptfs_private helper in the ecryptfs-utils would mount over any target directory that the user owns, including a directory in procfs. A local attacker could use this flaw to escalate his privileges.

  • DSA-3449 bind9 - security update
    It was discovered that specific APL RR data could trigger an INSIST failure in apl_42.c and cause the BIND DNS server to exit, leading to a denial-of-service.

  • DSA-3447 tomcat7 - security update
    It was discovered that malicious web applications could use the Expression Language to bypass protections of a Security Manager as expressions were evaluated within a privileged code section.

  • DSA-3446 openssh - security update
    The Qualys Security team discovered two vulnerabilities in the roaming code of the OpenSSH client (an implementation of the SSH protocol suite).

  • DSA-3445 pygments - security update
    Javantea discovered that pygments, a generic syntax highlighter, is prone to a shell injection vulnerability allowing a remote attacker to execute arbitrary code via shell metacharacters in a font name.

  • DSA-3444 wordpress - security update
    Crtc4L discovered a cross-site scripting vulnerability in wordpress, a web blogging tool, allowing a remote authenticated administrator to compromise the site.

  • DSA-3443 libpng - security update
    Several vulnerabilities have been discovered in the libpng PNG library. The Common Vulnerabilities and Exposures project identifies the following problems:

  • DSA-3442 isc-dhcp - security update
    It was discovered that a maliciously crafted packet can crash any of the isc-dhcp applications. This includes the DHCP client, relay, and server application. Only IPv4 setups are affected.

  • DSA-3441 perl - security update
    David Golden of MongoDB discovered that File::Spec::canonpath() in Perl returned untainted strings even if passed tainted input. This defect undermines taint propagation, which is sometimes used to ensure that unvalidated user input does not reach sensitive code.

  • DSA-3440 sudo - security update
    When sudo is configured to allow a user to edit files under a directory that they can already write to without using sudo, they can actually edit (read and write) arbitrary files. Daniel Svartman reported that a configuration like this might be introduced unintentionally if the editable files are specified using wildcards, for example:

  • DSA-3439 prosody - security update
    Two vulnerabilities were discovered in Prosody, a lightweight Jabber/XMPP server. The Common Vulnerabilities and Exposures project identifies the following issues:

  • DSA-3438 xscreensaver - security update
    It was discovered that unplugging one of the monitors in a multi-monitor setup can cause xscreensaver to crash. Someone with physical access to a machine could use this problem to bypass a locked session.

  • DSA-3437 gnutls26 - security update
    Karthikeyan Bhargavan and Gaetan Leurent at INRIA discovered a flaw in the TLS 1.2 protocol which could allow the MD5 hash function to be used for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker could exploit this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.

  • DSA-3436 openssl - security update
    Karthikeyan Bhargavan and Gaetan Leurent at INRIA discovered a flaw in the TLS 1.2 protocol which could allow the MD5 hash function to be used for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker could exploit this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.


Debian Forum at linuxquestions.org

Page last modified on September 13, 2006, at 11:07 PM