All articles tagged with Debian

March 03, 2011 15:44 Debian: Security update for pango

It was discovered that pango did not check for memory allocation failures, causing a NULL pointer dereference with an adjustable offset. This can lead to application crashes and potentially arbitrary code execution. Updated packages are available from security.debian.org.

March 03, 2011 15:41 Debian: Security update for python-webdav

It was discovered that python-webdav, a WebDAV server implementation, contains several SQL injection vulnerabilities in the processing of user credentials. Updated packages are available from security.debian.org.

March 03, 2011 15:09 Debian: Security update for samba

Volker Lendecke discovered that missing range checks in Samba’s file descriptor handling could lead to memory corruption, resulting in denial of service. Updated packages are available from security.debian.org.

March 03, 2011 14:49 Debian: Security update for avahi

It was discovered that avahi, an implementation of the zeroconf protocol, can be crashed remotely by a single UDP packet, which may result in a denial of service. Updated packages are available from security.debian.org.

March 03, 2011 10:32 Debian: Security update for pam-pgsql

It was discovered that pam-pgsql, a PAM module to authenticate using a PostgreSQL database, was vulnerable to a buffer overflow in its handling of supplied IP addresses. Updated packages are available from security.debian.org.

February 23, 2011 08:51 Debian: Security update for phpCAS

Several vulnerabilities have been discovered in phpCAS, a CAS client library for PHP. The Moodle course management system includes a copy of phpCAS. Updated packages are available from security.debian.org.

February 23, 2011 08:47 Debian: Security update for asterisk

Matthew Nicholson discovered a buffer overflow in the SIP channel driver of Asterisk, an open source PBX and telephony toolkit, which could lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

February 23, 2011 08:46 Debian: Security update for mailman

Two cross-site scripting vulnerabilities were discovered in Mailman, a web-based mailing list manager. They allowed an attacker to retrieve session cookies by inserting crafted JavaScript into confirmation messages and into the list admin interface. Updated packages are available from security.debian.org.

February 23, 2011 08:42 Debian: Security update for telepathy-gabble

It was discovered that telepathy-gabble, the Jabber/XMPP connection manager for the Telepathy framework, processes google:jingleinfo updates without validating their origin. This may allow an attacker to trick telepathy-gabble into relaying streamed media data through a server of the attacker's choice and thus intercept audio and video calls. Updated packages are available from security.debian.org.

February 23, 2011 08:40 Debian: Security update for openafs

Two vulnerabilities were discovered in OpenAFS, a distributed filesystem. Andrew Deason discovered that a double free in the Rx server process could lead to denial of service or the execution of arbitrary code. It was also discovered that insufficient error handling in the kernel module could lead to denial of service. Updated packages are available from security.debian.org.

February 23, 2011 08:37 Debian: Security update for phpmyadmin

It was discovered that phpMyAdmin, a tool to administer MySQL over the web, allowed a user to create a bookmarked query that would be executed unintentionally by other users when the bookmarks feature is enabled. Updated packages are available from security.debian.org.

February 16, 2011 08:12 Debian: Security update for OpenSSL

Neel Mehta discovered that an incorrectly formatted ClientHello handshake message could cause OpenSSL to parse past the end of the message. This allows an attacker to crash an application using OpenSSL by triggering an invalid memory access. Additionally, some applications may expose the contents of a parsed OCSP nonce extension. Updated packages are available from security.debian.org.
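The parsing flaw above is the classic case of trusting a length field that the peer controls. The following is an added example, not OpenSSL's code: a Python model of ClientHello extension parsing with and without length checks. The layout follows the TLS wire format (a 2-byte total length, then records of 2-byte type, 2-byte length and data); the sample messages are constructed. In C a trusted length means reading past the end of the buffer; here the same trust shows up either as a silently truncated extension body or as a struct.error when the parser walks off the end.

```python
import struct


def parse_extensions_unchecked(blob):
    """Trusts every length field (the bug)."""
    (total,) = struct.unpack_from("!H", blob, 0)
    pos, end, out = 2, 2 + total, []
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", blob, pos)
        out.append((ext_type, blob[pos + 4:pos + 4 + ext_len]))
        pos += 4 + ext_len
    return out


def parse_extensions_checked(blob):
    """Verifies every length against the bytes actually present."""
    if len(blob) < 2:
        raise ValueError("truncated extensions length")
    (total,) = struct.unpack_from("!H", blob, 0)
    end = 2 + total
    if end > len(blob):
        raise ValueError("extensions length exceeds message")
    pos, out = 2, []
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", blob, pos)
        if pos + 4 + ext_len > end:
            raise ValueError("extension length exceeds extensions block")
        out.append((ext_type, blob[pos + 4:pos + 4 + ext_len]))
        pos += 4 + ext_len
    return out


def is_well_formed(blob):
    try:
        parse_extensions_checked(blob)
        return True
    except ValueError:
        return False


def unchecked_walks_off_end(blob):
    """True when the naive parser tries to read beyond the buffer
    (the Python analogue of the invalid memory access)."""
    try:
        parse_extensions_unchecked(blob)
        return False
    except struct.error:
        return True


# Constructed inputs.
# GOOD: one supported_groups extension (type 10) with a 4-byte body.
GOOD = struct.pack("!H", 8) + struct.pack("!HH", 10, 4) + b"\x00\x02\x00\x17"
# BAD: outer length is honest (6 bytes follow) but the inner extension
# claims 512 bytes of data when only 2 are present.
BAD = struct.pack("!H", 6) + struct.pack("!HH", 16, 512) + b"\x00\x00"
# TRUNC: outer length claims 20 bytes but the message ends after 6.
TRUNC = struct.pack("!H", 20) + struct.pack("!HH", 16, 4) + b"\x00\x00"

if __name__ == "__main__":
    print(parse_extensions_unchecked(BAD))   # accepted, body silently truncated
    print(is_well_formed(BAD), is_well_formed(TRUNC))  # False False
    print(unchecked_walks_off_end(TRUNC))    # True
```

Every length in a TLS record is bounded by the length of the enclosing structure, so the check is always the same: before reading or skipping n bytes at pos, require pos + n to be within the enclosing end, not just within the whole buffer.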

February 16, 2011 08:12 Debian: Security update for Django

Several vulnerabilities were discovered in the Django web development framework. For several reasons the internal CSRF protection was in the past not applied to AJAX requests. It was discovered that this exemption can be exploited with a combination of browser plugins and redirects and is therefore not a sufficient protection. It was also discovered that the file upload form is prone to cross-site scripting attacks via the file name. Updated packages are available from security.debian.org.
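The AJAX exemption rested on the assumption that only same-origin script can set the X-Requested-With header; once a plugin plus a redirect can set it cross-site, the header proves nothing. The following is an added example, not Django's own middleware: a stripped-down model of the check before and after removing the exemption. The cookie, form-field and header names mirror Django's; the Request class, the token and the two requests are constructed for the example.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


class Request:
    def __init__(self, method, headers=None, cookies=None, form=None):
        self.method = method
        self.headers = headers or {}
        self.cookies = cookies or {}
        self.form = form or {}


def _token_matches(request):
    """Double-submit check: the value in the request body (or a custom
    header) must equal the csrftoken cookie. A cross-site page cannot
    read that cookie, so it cannot supply a matching value."""
    expected = request.cookies.get("csrftoken", "")
    supplied = (request.form.get("csrfmiddlewaretoken")
                or request.headers.get("X-CSRFToken", ""))
    return bool(expected) and hmac.compare_digest(expected, supplied)


def csrf_ok_old(request):
    """Pre-fix logic: requests marked as XMLHttpRequest skipped the token
    check, assuming only same-origin script could set that header."""
    if request.method in SAFE_METHODS:
        return True
    if request.headers.get("X-Requested-With") == "XMLHttpRequest":
        return True
    return _token_matches(request)


def csrf_ok_new(request):
    """Fixed logic: every unsafe request needs a valid token, whether or
    not it claims to be AJAX."""
    if request.method in SAFE_METHODS:
        return True
    return _token_matches(request)


# Constructed requests.
TOKEN = secrets.token_hex(16)

# Same-origin script: can read the cookie and echo it in a header.
LEGIT_AJAX = Request("POST",
                     headers={"X-Requested-With": "XMLHttpRequest",
                              "X-CSRFToken": TOKEN},
                     cookies={"csrftoken": TOKEN})

# Cross-site request: the browser attaches the victim's cookie and the
# plugin-plus-redirect trick sets the header, but the attacker cannot
# read the cookie, so no matching token is supplied.
FORGED_AJAX = Request("POST",
                      headers={"X-Requested-With": "XMLHttpRequest"},
                      cookies={"csrftoken": TOKEN})

if __name__ == "__main__":
    print("old:", csrf_ok_old(LEGIT_AJAX), csrf_ok_old(FORGED_AJAX))  # True True
    print("new:", csrf_ok_new(LEGIT_AJAX), csrf_ok_new(FORGED_AJAX))  # True False
```

The fixed version costs legitimate AJAX callers one line: read the cookie and send it back in the X-CSRFToken header. Any exemption based on a request header the server cannot tie to an origin should be treated the same way.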

February 16, 2011 08:09 Debian: Security update for Apache Tomcat

Several vulnerabilities were discovered in the Tomcat Servlet and JSP engine. It was discovered that the SecurityManager insufficiently restricted the working directory. It was discovered that the HTML manager interface is affected by cross-site scripting. It was discovered that the NIO connector performs insufficient validation of HTTP headers, which could lead to denial of service. Updated packages are available from security.debian.org.

February 16, 2011 08:08 Debian: Security update for vlc

Dan Rosenberg discovered that insufficient input validation in VLC’s processing of Matroska/WebM containers could lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

February 09, 2011 09:49 Debian: PostgreSQL security update

It was discovered that PostgreSQL's intarray contrib module does not properly handle integers with a large number of digits, leading to a server crash and potentially arbitrary code execution. Updated packages are available from security.debian.org.

February 03, 2011 13:45 Debian: Subversion vulnerabilities

It was discovered that Subversion incorrectly handled certain ‘partial access’ privileges in rare scenarios. Remote authenticated users could use this flaw to obtain sensitive information (revision properties). It was discovered that the Subversion mod_dav_svn module for Apache did not properly handle a named repository as a rule scope. Remote authenticated users could use this flaw to bypass intended restrictions. It was discovered that the Subversion mod_dav_svn module for Apache incorrectly handled the walk function. Remote authenticated users could use this flaw to cause the service to crash, leading to a denial of service. It was discovered that Subversion incorrectly handled certain memory operations. Remote authenticated users could use this flaw to consume large quantities of memory and cause the service to crash, leading to a denial of service. Updated packages are available from security.debian.org.

February 03, 2011 13:43 Debian: freetype security update

Two buffer overflows were found in the Freetype font library, which could lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

January 28, 2011 13:28 Debian: Security update for OpenOffice.org

Several security related problems have been discovered in the OpenOffice.org package that allow malformed documents to trick the system into crashes or even the execution of arbitrary code. A directory traversal vulnerability has been discovered in the way OpenOffice.org processes XML filter files. If a local user is tricked into opening a specially-crafted OOo XML filters package file, this problem could allow remote attackers to create or overwrite arbitrary files belonging to the local user or, potentially, execute arbitrary code. Dan Rosenberg discovered a vulnerability in OpenOffice.org's RTF parsing functionality. Opening a maliciously crafted RTF document can cause an out-of-bounds memory read into previously allocated heap memory. Dan Rosenberg discovered a vulnerability in the RTF file parser which can be leveraged by attackers to achieve arbitrary code execution by convincing a victim to open a maliciously crafted RTF file.

Dan Rosenberg discovered a vulnerability in the WW8ListManager::WW8ListManager() function of OpenOffice.org that allows a maliciously crafted file to cause the execution of arbitrary code. Dan Rosenberg discovered a vulnerability in the WW8DopTypography::ReadFromMem() function in OpenOffice.org that may be exploited by a maliciously crafted file, allowing an attacker to control program flow and potentially execute arbitrary code. Dmitri Gribenko discovered that the soffice script does not treat an empty LD_LIBRARY_PATH variable like an unset one, which may lead to the execution of arbitrary code. A heap-based buffer overflow has been discovered with unknown impact. A specially crafted TGA file can cause the program to crash due to a heap-based buffer overflow in the way OpenOffice.org handles TGA graphics, with unknown impact. Updated packages are available from security.debian.org.

January 28, 2011 13:25 Debian: Security update for hplip

Sebastian Krahmer discovered a buffer overflow in the SNMP discovery code of the HP Linux Printing and Imaging System, which could result in the execution of arbitrary code. Updated packages are available from security.debian.org.

January 28, 2011 13:20 Debian: Security update for dbus

Rémi Denis-Courmont discovered that dbus, a message bus application, does not properly limit the nesting level when examining messages with deeply nested variants. This allows an attacker to crash the dbus system daemon through a call stack overflow via crafted messages. Updated packages are available from security.debian.org.
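A recursive validator spends one stack frame per nesting level, so the depth of a message is attacker-controlled stack usage unless it is capped before recursing. The following is an added example, not dbus's own code: a Python model of a variant-nesting walk before and after adding such a cap. Nested variants are modelled as ("v", inner) tuples, and the cap of 64 levels is an assumption made for the example, not the value dbus itself uses.

```python
MAX_DEPTH = 64          # assumed cap for this example
DEEP = 50_000           # enough levels to exhaust Python's default stack


def nested_variants(n, leaf=42):
    """Constructed message value: n variants wrapped around one integer."""
    value = leaf
    for _ in range(n):
        value = ("v", value)
    return value


def is_variant(value):
    return isinstance(value, tuple) and len(value) == 2 and value[0] == "v"


def depth_unbounded(value):
    """Pre-fix behaviour: recurse as deep as the message nests. Each level
    costs a stack frame, so a deep enough message raises RecursionError
    here and overflows the C daemon's stack."""
    if is_variant(value):
        return 1 + depth_unbounded(value[1])
    return 0


def depth_bounded(value, max_depth=MAX_DEPTH, _depth=0):
    """Fixed behaviour: refuse the message once nesting exceeds the cap,
    checking before recursing, so stack use is bounded by max_depth."""
    if not is_variant(value):
        return _depth
    if _depth + 1 > max_depth:
        raise ValueError(f"variant nesting exceeds {max_depth}")
    return depth_bounded(value[1], max_depth, _depth + 1)


def exhausts_stack(value):
    """True if the unbounded walk blows the interpreter's stack."""
    try:
        depth_unbounded(value)
        return False
    except RecursionError:
        return True


def rejected(value, max_depth=MAX_DEPTH):
    """True if the bounded walk refuses the message."""
    try:
        depth_bounded(value, max_depth)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(depth_bounded(nested_variants(64)))          # 64
    print(rejected(nested_variants(65)))               # True
    print(exhausts_stack(nested_variants(DEEP)))       # True
```

The important detail is where the check sits: it runs before the recursive call, so a rejected message never costs more than max_depth frames. A check placed after the recursion would still let the deep message blow the stack first.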

January 20, 2011 05:21 Debian: Security update for tor

The developers of Tor, an anonymizing overlay network for TCP, found three security issues during a security audit. A heap overflow allowed the execution of arbitrary code, a denial of service vulnerability was found in the zlib compression handling and some key memory was incorrectly zeroed out before being freed. Updated packages are available from security.debian.org.

January 20, 2011 05:20 Debian: Security update for mydms

D. Fabian and L. Weichselbaum discovered a directory traversal vulnerability in MyDMS, an open-source document management system based on PHP and MySQL. Updated packages are available from security.debian.org.

January 20, 2011 05:19 Debian: Security update for libsmi

Andres Lopez Luksenberg discovered a buffer overflow in the OID parser of libsmi, a library to access SMI MIB data. Updated packages are available from security.debian.org.

January 20, 2011 05:17 Debian: Security update for wireshark

It was discovered that a buffer overflow in the ENTTEC dissector may lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

January 20, 2011 04:48 Debian: New mysql-dfsg-5.0 packages fix several vulnerabi...

Several vulnerabilities have been discovered in the MySQL database server. It was discovered that MySQL allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a join query that uses a table with a unique SET column, by creating temporary tables while using InnoDB, or by using the HANDLER interface and performing “alternate reads from two indexes on a table”. It was discovered that MySQL incorrectly handled use of EXPLAIN with certain queries. It was discovered that MySQL incorrectly handled propagation during evaluation of arguments to extreme-value functions. It was discovered that MySQL incorrectly handled materializing a derived table that required a temporary table for grouping. It was discovered that MySQL incorrectly handled certain user-variable assignment expressions that are evaluated in a logical expression context. It was discovered that MySQL incorrectly handled pre-evaluation of LIKE predicates during view preparation. It was discovered that MySQL incorrectly handled using GROUP_CONCAT() and WITH ROLLUP together. It was discovered that MySQL incorrectly handled certain queries using a mixed list of numeric and LONGBLOB arguments to the GREATEST() or LEAST() functions. It was discovered that MySQL incorrectly handled improper WKB data passed to the PolyFromWKB() function. Updated packages are available from security.debian.org.

January 12, 2011 09:51 Debian: New dpkg packages fix directory traversal

Jakub Wilk discovered that the dpkg-source component of dpkg, the Debian package management system, does not correctly handle paths in the patches of source packages, which could make it traverse directories. Raphaël Hertzog additionally discovered that symbolic links in the .pc directory are followed, which could make it traverse directories too. Updated packages are available from security.debian.org.

January 05, 2011 11:03 Debian: New phpmyadmin packages fix several vulnerabilities

Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. Cross-site scripting was possible in the search page, which allowed a remote attacker to inject arbitrary web script or HTML. Cross-site scripting was possible in error messages, which allowed a remote attacker to inject arbitrary web script or HTML. The output of PHP's phpinfo() function was available to the world, but only if this functionality had been enabled (it defaults to off). This may leak some information about the host system. Updated packages are available from security.debian.org.

January 05, 2011 11:02 Debian: Security update for wordpress

Vladimir Kolesnikov discovered a SQL injection vulnerability in WordPress, a weblog manager. An authenticated user could execute arbitrary SQL commands via the Send Trackbacks field. Updated packages are available from security.debian.org.

December 29, 2010 08:11 Debian: Security update for libxml2

Yang Dingning discovered a double free in libxml2's XPath processing, which might allow the execution of arbitrary code. Updated packages are available from security.debian.org.
