NTLUG

Linux is free.
Life is good.

Linux Training
10am on Meeting Days!

1825 Monetary Lane Suite #104 Carrollton, TX



Debian Security Notices

  • DSA-5865-1 webkit2gtk - security update
    The following vulnerabilities have been discovered in the WebKitGTK web engine:
    CVE-2025-24143
    An anonymous researcher discovered that a maliciously crafted webpage may be able to fingerprint the user.
    CVE-2025-24150
    Johan Carlsson discovered that copying a URL from Web Inspector may lead to command injection.
    CVE-2025-24158
    Q1IQ and P1umer discovered that processing web content may lead to a denial-of-service.
    CVE-2025-24162
    linjy and chluo discovered that processing maliciously crafted web content may lead to an unexpected process crash.
    https://security-tracker.debian.org/tracker/DSA-5865-1

  • DSA-5845-1 tomcat10 - security update
    Several problems have been addressed in Tomcat 10, a Java based web server, servlet and JSP engine, which may lead to a denial-of-service.
    CVE-2024-38286
    Apache Tomcat, under certain configurations, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
    CVE-2024-52316
    Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
    CVE-2024-50379 / CVE-2024-56337
    Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). Some users may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat.
    https://security-tracker.debian.org/tracker/DSA-5845-1

  • DSA-5843-1 rsync - security update
    Several vulnerabilities were discovered in rsync, a fast, versatile, remote (and local) file-copying tool.
    CVE-2024-12084
    Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a heap-based buffer overflow vulnerability due to improper handling of attacker-controlled checksum lengths. A remote attacker can take advantage of this flaw for code execution.
    CVE-2024-12085
    Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a flaw in the way rsync compares file checksums, allowing a remote attacker to trigger an information leak.
    CVE-2024-12086
    Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a flaw which would result in a server leaking contents of an arbitrary file from the client's machine.
    CVE-2024-12087
    Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a path traversal vulnerability in the rsync daemon affecting the --inc-recursive option, which could allow a server to write files outside of the client's intended destination directory.
    CVE-2024-12088
    Simon Scannell, Pedro Gallegos and Jasiel Spelman reported that when using the --safe-links option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it, resulting in path traversal and arbitrary file write outside of the desired directory.
    CVE-2024-12747
    Aleksei Gorban "loqpa" discovered a race condition when handling symbolic links resulting in an information leak which may enable escalation of privileges.
    https://security-tracker.debian.org/tracker/DSA-5843-1


  • DSA-5842-1 openafs - security update
    Several vulnerabilities were discovered in OpenAFS, an implementation of the AFS distributed filesystem, which may result in theft of credentials in Unix client PAGs (CVE-2024-10394), fileserver crashes and information leak on StoreACL/FetchACL (CVE-2024-10396) or buffer overflows in XDR responses resulting in denial of service and potentially code execution (CVE-2024-10397).
    https://security-tracker.debian.org/tracker/DSA-5842-1

Debian Forum at linuxquestions.org

Page last modified on September 14, 2006, at 05:07 AM