Articles / Debian

All articles tagged with Debian

May 04, 2009 08:45 Debian: New wireshark packages fix several vulnerabilities

0

Several remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to denial of service or the execution of arbitrary code. A format string vulnerability was discovered in the PROFINET dissector. The dissector for the Check Point High-Availability Protocol could be forced to crash. Malformed Tektronix files could lead to a crash. Updated packages are available from security.debian.org.

May 04, 2009 08:39 Debian: New freetype packages fix arbitrary code execution

0

Tavis Ormandy discovered several integer overflows in FreeType, a library to process and access font files, resulting in heap- or stack-based buffer overflows leading to application crashes or the execution of arbitrary code via a crafted font file. Updated packages are available from security.debian.org.

May 04, 2009 08:35 Debian: New mysql-dfsg-5.0 packages fix multiple vulnerab...

0

Multiple vulnerabilities have been identified affecting MySQL, a relational database server, and its associated interactive client application. Kay Roepke reported that the MySQL server would not properly handle an empty bit-string literal in an SQL statement, allowing an authenticated remote attacker to cause a denial of service (a crash) in mysqld. Thomas Henlich reported that the MySQL commandline client application did not encode HTML special characters when run in HTML output mode (that is, “mysql –html …”). This could potentially lead to cross-site scripting or unintended script privilege escalation if the resulting output is viewed in a browser or incorporated into a web site. Updated packages are available from security.debian.org.

May 04, 2009 08:33 Debian: New mplayer packages fix arbitrary code execution

0

Several vulnerabilities have been discovered in mplayer, a movie player for Unix-like systems. It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. It was discovered that multiple buffer overflows could lead to the execution of arbitrary code. It was discovered that watching a malformed TwinVQ file could lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

May 04, 2009 08:32 Debian: New ffmpeg-debian packages fix arbitrary code exe...

0

Several vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder. It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. It was discovered that using a crafted STR file can lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

May 04, 2009 08:30 Debian: New libdbd-pg-perl packages fix potential code ex...

0

Two vulnerabilities have been discovered in libdbd-pg-perl, the DBI driver module for PostgreSQL database access (DBD::Pg). A heap-based buffer overflow may allow attackers to execute arbitrary code through applications which read rows from the database using the pg_getline and getline functions. (More common retrieval methods, such as selectall_arrayref and fetchrow_array, are not affected.) A memory leak in the routine which unquotes BYTEA values returned from the database allows attackers to cause a denial of service. Updated packages are available from security.debian.org.

April 28, 2009 14:59 New apt packages fix several vulnerabilities

0

Two vulnerabilities have been discovered in APT, the well-known dpkg frontend. In time zones where daylight savings time occurs at midnight, the apt cron.daily script fails, stopping new security updates from being applied automatically. A repository that has been signed with an expired or revoked OpenPGP key would still be considered valid by APT. Updated packages are available from security.debian.org.

April 28, 2009 14:15 Debian: New mahara packages fix cross-site scripting

0

It was discovered that mahara, an electronic portfolio, weblog, and resume builder, is prone to cross-site scripting (XSS) attacks because of missing input sanitization of the introduction text field in user profiles and any text field in a user view. Updated packages are available from security.debian.org.

April 28, 2009 14:04 Debian: New git-core packages fix privilege escalation

0

Peter Palfrader discovered that in the Git revision control system, on some architectures files under /usr/share/git-core/templates/ were owned by a non-root user. This allows a user with that uid on the local system to write to these files and possibly escalate their privileges. Updated packages are available from security.debian.org.

April 28, 2009 14:03 Debian: New slurm-llnl packages fix privilege escalation

0

It was discovered that the Simple Linux Utility for Resource Management (SLURM), a cluster job management and scheduling system, did not drop the supplemental groups. These groups may be system groups with elevated privileges, which may allow a valid SLURM user to gain elevated privileges. Updated packages are available from security.debian.org.

April 20, 2009 13:04 Debian: New php-json-ext packages fix denial of service

0

It was discovered that php-json-ext, a JSON serialiser for PHP, is prone to a denial of service attack, when receiving a malformed string via the json_decode function. Updated packages are available from security.debian.org.

April 20, 2009 13:02 Debian: New ejabberd packages fix cross-site scripting

0

It was discovered that ejabberd, a distributed, fault-tolerant Jabber/XMPP server, does not sufficiently sanitise MUC logs, allowing remote attackers to perform cross-site scripting (XSS) attacks. Updated packages are available from security.debian.org.

April 20, 2009 13:00 Debian: New cups packages fix arbitrary code execution

0

It was discovered that the imagetops filter in cups, the Common UNIX Printing System, is prone to an integer overflow when reading malicious TIFF images. Updated packages are available from security.debian.org.

April 20, 2009 12:39 Debian: New udev packages fix privilege escalation

0

Sebastian Kramer discovered two vulnerabilities in udev, the /dev and hotplug management daemon. udev does not check the origin of NETLINK messages, allowing local users to gain root privileges. udev suffers from a buffer overflow condition in path encoding, potentially allowing arbitrary code execution. Updated packages are available from security.debian.org.

April 20, 2009 11:01 Debian: New clamav packages fix several vulnerabilities

0

Several vulnerabilities have been discovered in the ClamAV anti-virus toolkit. Attackers can cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error. Attackers can cause a denial of service (infinite loop) via a crafted tar file that causes (1) clamd and (2) clamscan to hang. Attackers can cause a denial of service (crash) via a crafted EXE file that crashes the UPack unpacker. Updated packages are available from security.debian.org.

April 20, 2009 10:57 Debian: New imp4 packages fix cross-site scripting

0

Several vulnerabilities have been found in imp4, a webmail component for the horde framework. It was discovered that imp4 suffers from a cross-site scripting (XSS) attack via the user field in an IMAP session, which allows attackers to inject arbitrary HTML code. It was discovered that imp4 is prone to several cross-site scripting (XSS) attacks via several vectors in the mail code allowing attackers to inject arbitrary HTML code. Updated packages are available from security.debian.org.

April 20, 2009 10:55 Debian: New openjdk-6 packages fix arbitrary code execution

0

Several vulnerabilities have been identified in OpenJDK, an implementation of the Java SE platform. Creation of large, temporary fonts could use up available disk space, leading to a denial of service condition. Several vulnerabilities existed in the embedded LittleCMS library, exploitable through crafted images: a memory leak, resulting in a denial of service condition, heap-based buffer overflows, potentially allowing arbitrary code execution, and a null-pointer dereference, leading to denial of service. The LDAP server implementation did not properly close sockets if an error was encountered, leading to a denial-of-service condition. The LDAP client implementation allowed malicious LDAP servers to execute arbitrary code on the client. The HTTP server implementation contained an unspecified denial of service vulnerability. Updated packages are available from security.debian.org.

April 20, 2009 10:54 Debian: New openafs packages potential code execution

0

Two vulnerabilities were discovered in the client part of OpenAFS, a distributed file system. An attacker with control of a file server or the ability to forge RX packets may be able to execute arbitrary code in kernel mode on an OpenAFS client, due to a vulnerability in XDR array decoding. An attacker with control of a file server or the ability to forge RX packets may crash OpenAFS clients because of wrongly handled error return codes in the kernel module. Updated packages are available from security.debian.org.

April 20, 2009 10:53 Debian: New roundup packages fix privilege escalation

0

It was discovered that roundup, an issue tracker with a command-line, web and email interface, allows users to edit resources in unauthorized ways, including granting themselves admin rights. Updated packages are available from security.debian.org.

April 20, 2009 10:52 Debian: New multipath-tools packages fix denial of service

0

It was discovered that multipathd of multipath-tools, a tool-chain to manage disk multipath device maps, uses insecure permissions on its unix domain control socket which enables local attackers to issue commands to multipathd prevent access to storage devices or corrupt file system data. Updated packages are available from security.debian.org.

April 20, 2009 10:51 Debian: New krb5 packages fix several vulnerabilities

0

Several vulnerabilities have been found in the MIT reference implementation of Kerberos V5, a system for authenticating users and services on a network. The Apple Product Security team discovered that the SPNEGO GSS-API mechanism suffers of a missing bounds check when reading a network input buffer which results in an invalid read crashing the application or possibly leaking information. Under certain conditions the SPNEGO GSS-API mechanism references a null pointer which crashes the application using the library. An incorrect length check inside the ASN.1 decoder of the MIT krb5 implementation allows an unauthenticated remote attacker to crash of the kinit or KDC program. Under certain conditions the the ASN.1 decoder of the MIT krb5 implementation frees an uninitialized pointer which could lead to denial of service and possibly arbitrary code execution. Updated packages are available from security.debian.org.

April 20, 2009 10:48 Debian: New horde3 packages fix several vulnerabilities

0

Several vulnerabilities have been found in horde3, the horde web application framework. Gunnar Wrobel discovered a directory traversal vulnerability, which allows attackers to include and execute arbitrary local files via the driver parameter in Horde_Image. It was discovered that an attacker could perform a cross-site scripting attack via the contact name, which allows attackers to inject arbitrary html code. This requires that the attacker has access to create contacts. It was discovered that the horde XSS filter is prone to a cross-site scripting attack, which allows attackers to inject arbitrary html code. This is only exploitable when Internet Explorer is used. Updated packages are available from security.debian.org.

April 20, 2009 10:47 Debian: New tunapie packages fix several vulnerabilities

0

Several vulnerabilities have been discovered in Tunapie, a GUI frontend to video and radio streams. Kees Cook discovered that insecure handling of temporary files may lead to local denial of service through symlink attacks. Mike Coleman discovered that insufficient escaping of stream URLs may lead to the execution of arbitrary commands if a user is tricked into opening a malformed stream URL. Updated packages are available from security.debian.org.

April 20, 2009 10:21 Debian: New openssl packages fix denial of service

0

It was discovered that insufficient length validations in the ASN.1 handling of the OpenSSL crypto library may lead to denial of service when processing a manipulated certificate. Updated packages are available from security.debian.org.

April 20, 2009 10:20 Debian: New moodle packages fix file disclosure

0

Christian J. Eibl discovered that the TeX filter of Moodle, a web-based course management system, doesn’t check user input for certain TeX commands which allows an attacker to include and display the content of arbitrary system files. Updated packages are available from security.debian.org.

April 20, 2009 09:48 Debian: New icu packages fix cross site scripting

0

It was discovered that icu, the internal components for Unicode, did not properly sanitise invalid encoded data, which could lead to cross- site scripting attacks. Updated packages are available from security.debian.org.

April 01, 2009 15:20 Debian: New openswan packages fix denial of service

0

Two vulnerabilities have been discovered in openswan, an IPSec implementation for linux. Dmitry E. Oboukhov discovered that the livetest tool is using temporary files insecurely, which could lead to a denial of service attack. Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone to a denial of service attack via a malicious packet. Updated packages are available from security.debian.org.

April 01, 2009 15:19 Debian: New strongswan packages fix denial of service

0

Gerd v. Egidy discovered that the Pluto IKE daemon in strongswan, an IPSec implementation for linux, is prone to a denial of service attack via a malicious packet. Updated packages are available from security.debian.org.

April 01, 2009 15:17 Debian: New nss-ldapd packages fix information disclosure

0

Leigh James that discovered that nss-ldapd, an NSS module for using LDAP as a naming service, by default creates the configuration file /etc/nss-ldapd.conf world-readable which could leak the configured LDAP password if one is used for connecting to the LDAP server. Updated packages are available from security.debian.org.

April 01, 2009 15:14 Debian: New auth2db packages fix SQL injection

0

It was discovered that auth2db, an IDS logger, log viewer and alert generator, is prone to an SQL injection vulnerability, when used with multibyte character encodings. Updated packages are available from security.debian.org.

Screenshot

Project Spotlight

JFreeSVG

A fast, lightweight SVG generator for Java.

Screenshot

Project Spotlight

PHP MIME Mail decoder class

A PHP class to decode email messages.