All articles tagged with Debian

April 01, 2009 15:12 Debian: New xulrunner packages fix multiple vulnerabilities

Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. Security researcher Guido Landi discovered that an XSL stylesheet could be used to crash the browser during an XSL transformation. An attacker could potentially use this crash to run arbitrary code on a victim's computer. Security researcher Nils reported that a XUL tree method was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object (a use-after-free), and this crash could be used by an attacker to run arbitrary code on a victim's computer. Updated packages are available from security.debian.org.

April 01, 2009 14:52 Debian: New systemtap packages fix local privilege escala...

Erik Sjoelund discovered that a race condition in the stap tool shipped by Systemtap, an instrumentation system for Linux 2.6, allows local privilege escalation for members of the stapusr group. Updated packages are available from security.debian.org.

April 01, 2009 14:38 Debian: New webcit packages fix potential remote code exe...

Wilfried Goesgens discovered that WebCit, the web-based user interface for the Citadel groupware system, contains a format string vulnerability in the mini_calendar component, possibly allowing arbitrary code execution. Updated packages are available from security.debian.org.

March 23, 2009 15:54 Debian: New xulrunner packages fix several vulnerabilities

Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. Martijn Wargers, Jesse Ruderman and Josh Soref discovered crashes in the layout and JavaScript engines, which might allow the execution of arbitrary code. It was discovered that incorrect memory management in the DOM element handling may lead to the execution of arbitrary code. Georgi Guninski discovered a violation of the same-origin policy through RDFXMLDataSource and cross-domain redirects. Updated packages are available from security.debian.org.

March 23, 2009 15:52 Debian: New libpng packages fix several vulnerabilities

Several vulnerabilities have been discovered in libpng, a library for reading and writing PNG files. The png_handle_tRNS function allows attackers to cause a denial of service (application crash) via a grayscale PNG image. Certain chunk handlers and memory leaks allow attackers to cause a denial of service (crash) via crafted PNG images. libpng allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero-length "unknown" chunks. The png_check_keyword function might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving the creation of crafted PNG files with keywords. Updated packages are available from security.debian.org.
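The libpng entry above describes three shapes of chunk-handling bug: a handler that accepts a tRNS length which does not match the image's colour type, a zero-length chunk whose handler still reaches for a payload it does not have, and a keyword check that can write outside the chunk. The following is an added example written for this page, not libpng's own code, of a chunk walker that makes each of those checks before touching any payload. The sample file it builds is constructed inline, and the `png_demo` variants are hypothetical inputs, not any reported exploit file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static const uint8_t png_sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* CRC-32 as PNG uses it (reflected polynomial 0xEDB88320), bit by bit. */
static uint32_t png_crc32(const uint8_t *p, size_t n)
{
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
    }
    return c ^ 0xffffffffu;
}

/* Walk every chunk of an in-memory PNG: chunk count up to IEND, or -1 if malformed.
 * *unknown_zero_len counts zero-length unknown ancillary chunks, skipped untouched. */
int png_walk_chunks(const uint8_t *buf, size_t len, int *unknown_zero_len)
{
    size_t pos = 8; int nchunks = 0, color_type = -1;
    *unknown_zero_len = 0;
    if (len < 8 || memcmp(buf, png_sig, 8) != 0) return -1;
    for (;;) {
        size_t remain = len - pos;
        if (remain < 12) return -1;                   /* length + type + CRC */
        uint32_t clen = be32(buf + pos);
        const uint8_t *type = buf + pos + 4, *data = type + 4;
        if (clen > 0x7fffffffu || clen > remain - 12) return -1; /* not all in buffer */
        if (png_crc32(type, 4 + clen) != be32(data + clen)) return -1;
        for (int i = 0; i < 4; i++)                   /* type: four ASCII letters */
            if ((type[i] | 0x20) < 'a' || (type[i] | 0x20) > 'z') return -1;
        nchunks++;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (nchunks != 1 || clen != 13) return -1;
            color_type = data[9];
        } else if (nchunks == 1) {
            return -1;                                /* IHDR must come first */
        } else if (memcmp(type, "tRNS", 4) == 0) {
            int ok = (color_type == 0 && clen == 2) || (color_type == 2 && clen == 6) ||
                     (color_type == 3 && clen <= 256); /* none for the alpha colour types */
            if (!ok) return -1;
        } else if (memcmp(type, "tEXt", 4) == 0) {    /* keyword: 1..79 bytes, NUL inside */
            const uint8_t *nul = memchr(data, 0, clen);
            if (nul == NULL || nul == data || (size_t)(nul - data) > 79) return -1;
        } else if (memcmp(type, "IEND", 4) == 0) {
            return (clen == 0 && pos + 12 == len) ? nchunks : -1;
        } else if (memcmp(type, "PLTE", 4) != 0 && memcmp(type, "IDAT", 4) != 0) {
            if (type[0] < 'a') return -1;             /* unknown critical chunk */
            if (clen == 0) (*unknown_zero_len)++;     /* nothing to read, nothing to parse */
        }
        pos += 12 + clen;
    }
}

/* Sample-file builder (constructed data, not a real image): append one chunk
 * with a correct CRC. Returns the new length, or 0 if it does not fit. */
size_t png_put_chunk(uint8_t *out, size_t cap, size_t len, const char *type,
                     const uint8_t *data, uint32_t dlen)
{
    if (len == 0 || len > cap || cap - len < 12 + (size_t)dlen) return 0;
    uint8_t *p = out + len;
    p[0] = (uint8_t)(dlen >> 24); p[1] = (uint8_t)(dlen >> 16);
    p[2] = (uint8_t)(dlen >> 8);  p[3] = (uint8_t)dlen;
    memcpy(p + 4, type, 4);
    if (dlen) memcpy(p + 8, data, dlen);
    uint32_t crc = png_crc32(p + 4, 4 + dlen);
    p[8 + dlen] = (uint8_t)(crc >> 24); p[9 + dlen] = (uint8_t)(crc >> 16);
    p[10 + dlen] = (uint8_t)(crc >> 8); p[11 + dlen] = (uint8_t)crc;
    return len + 12 + dlen;
}

/* Build a 1x1 greyscale sample and walk it. variant 0: well formed (IHDR, tRNS, empty
 * unknown chunk, IDAT, IEND); 1: six-byte tRNS on greyscale; 2: tRNS length field
 * claims more than the file holds; 3: tEXt with an 85-byte keyword. -2: did not fit. */
int png_demo(int variant, int *unknown_zero_len)
{
    static const uint8_t ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0};
    static const uint8_t trns[6] = {0}, idat[1] = {0};
    uint8_t f[256], text[90]; size_t n = 8;
    memset(text, 'k', sizeof text); text[85] = 0;
    memcpy(f, png_sig, 8);
    n = png_put_chunk(f, sizeof f, n, "IHDR", ihdr, 13);
    n = png_put_chunk(f, sizeof f, n, "tRNS", trns, variant == 1 ? 6 : 2);
    n = png_put_chunk(f, sizeof f, n, "zzZz", NULL, 0);
    if (variant == 3) n = png_put_chunk(f, sizeof f, n, "tEXt", text, sizeof text);
    n = png_put_chunk(f, sizeof f, n, "IDAT", idat, 1);
    n = png_put_chunk(f, sizeof f, n, "IEND", NULL, 0);
    if (n == 0) return -2;
    if (variant == 2) f[33] = 0x7f;                   /* tRNS length becomes 0x7f000002 */
    return png_walk_chunks(f, n, unknown_zero_len);
}
```

A real decoder would hand PLTE and IDAT on to the decompressor; what the walker shows is the order of the checks: declared length against the bytes remaining, then the CRC, then the per-chunk semantic check, with zero-length chunks skipped rather than handed to a handler that expects data.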

March 23, 2009 15:51 New Linux 2.6.26 packages fix several vulnerabilities

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. Updated packages are available from security.debian.org.

March 23, 2009 15:50 Debian: New libsoup packages fix arbitrary code execution

It was discovered that libsoup, an HTTP library implementation in C, handles large strings insecurely via its Base64 encoding functions. This could possibly lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

March 23, 2009 15:49 Debian: New glib2.0 packages fix arbitrary code execution

Diego Pettenò discovered that glib2.0, the GLib library of C routines, handles large strings insecurely via its Base64 encoding functions. This could possibly lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

March 23, 2009 15:48 Debian: New ghostscript packages fix arbitrary code execu...

Two security issues have been discovered in ghostscript, the GPL Ghostscript PostScript/PDF interpreter. Jan Lieskovsky discovered multiple integer overflows in the ICC library, which allow the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images. Jan Lieskovsky discovered insufficient upper-bounds checks on certain variable sizes in the ICC library, which allow the execution of arbitrary code via crafted ICC profiles in PostScript files with embedded images. Updated packages are available from security.debian.org.

March 23, 2009 15:47 Debian: New lcms packages fix arbitrary code execution

Several security issues have been discovered in lcms, a color management library. Chris Evans discovered that lcms is affected by a memory leak, which could result in a denial of service via specially crafted image files. Chris Evans discovered that lcms is prone to several integer overflows via specially crafted image files, which could lead to the execution of arbitrary code. Chris Evans discovered the lack of upper-bounds checks on sizes leading to a buffer overflow, which could be used to execute arbitrary code. Updated packages are available from security.debian.org.
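The libsoup and glib2.0 entries above (Base64 output sizes) and the ghostscript and lcms entries (sizes taken from ICC profiles) describe one defect class: a size computed from attacker-controlled lengths wraps, a too-small buffer is allocated, and the copy that follows overruns it. The following is an added example for this page, not the code of any of those libraries, showing the checked arithmetic: a Base64 encoder whose output-size formula refuses inputs it cannot represent, beside a naive formula of the shape the advisories describe (the exact expressions in the affected releases are not reproduced here), and a table-size check for an element count read from a file that applies a format-level upper bound before the overflow check. All inputs in the test are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* The shape of formula the advisories describe: for len close to SIZE_MAX the
 * multiplication wraps, the result is smaller than the input, and whoever
 * allocates that many bytes hands the encoder a buffer it will overrun. */
size_t base64_out_size_naive(size_t len)
{
    return (len / 3 + 1) * 4 + 4;
}

/* Exact size of the encoding plus its NUL; false if it cannot be represented. */
bool base64_out_size(size_t len, size_t *out)
{
    size_t groups = len / 3 + (len % 3 != 0);   /* each 3 input bytes -> 4 chars */
    if (groups > (SIZE_MAX - 1) / 4) return false;
    *out = groups * 4 + 1;
    return true;
}

/* Encode into a freshly allocated NUL-terminated string; NULL on overflow or OOM.
 * The size check runs before any input byte is touched. */
char *base64_encode(const uint8_t *in, size_t len)
{
    size_t need, i, o = 0;
    char *out;
    if (!base64_out_size(len, &need) || (out = malloc(need)) == NULL) return NULL;
    for (i = 0; i + 2 < len; i += 3) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = b64tab[(v >> 18) & 63]; out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = b64tab[(v >> 6) & 63];  out[o++] = b64tab[v & 63];
    }
    if (len - i > 0) {                           /* 1 or 2 trailing bytes, padded */
        uint32_t v = (uint32_t)in[i] << 16;
        if (len - i == 2) v |= (uint32_t)in[i + 1] << 8;
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = (len - i == 2) ? b64tab[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return out;
}

/* An element count read from an untrusted file (an ICC tag table, an lcms LUT)
 * becomes an allocation size only after a format-level upper bound and an
 * overflow check on count * entry_size; either failing rejects the file. */
bool checked_table_size(uint64_t count, size_t entry_size, uint64_t max_count,
                        size_t *bytes)
{
    if (entry_size == 0 || count > max_count) return false;
    if (count > SIZE_MAX / entry_size) return false;
    *bytes = (size_t)count * entry_size;
    return true;
}
```

The upper bound in `checked_table_size` is not redundant with the overflow check: a count that multiplies without wrapping can still be far larger than the format permits, and rejecting it early keeps a crafted file from forcing a multi-gigabyte allocation that the overflow check alone would accept.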

March 23, 2009 15:40 Debian: New weechat packages fix denial of service

Sebastien Helleu discovered that an error in the handling of color codes in the weechat IRC client could cause an out-of-bounds read of an internal color array. This can be used by an attacker to crash user clients via a crafted PRIVMSG command. Updated packages are available from security.debian.org.

March 23, 2009 11:42 Debian: New libtk-img packages fix arbitrary code execution

Two buffer overflows have been found in the GIF image parsing code of Tk, a cross-platform graphical toolkit, which could lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

March 23, 2009 11:31 Debian: New libsndfile packages fix arbitrary code execution

Alin Rad Pop discovered that libsndfile, a library to read and write sampled audio data, is prone to an integer overflow. This causes a heap-based buffer overflow when processing crafted CAF description chunks, possibly leading to arbitrary code execution. Updated packages are available from security.debian.org.

March 16, 2009 00:01 Debian: New psi packages fix denial of service

Jesus Olmos Gonzalez discovered that an integer overflow in the PSI Jabber client may lead to remote denial of service. Updated packages are available from security.debian.org.

March 16, 2009 00:00 Debian: New yaws packages fix denial of service

It was discovered that yaws, a high performance HTTP 1.1 webserver, is prone to a denial of service attack via a request with a large HTTP header. Updated packages are available from security.debian.org.

March 15, 2009 23:58 Debian: New mldonkey packages fix information disclosure

It has been discovered that mldonkey, a client for several P2P networks, allows attackers to download arbitrary files using crafted requests to the HTTP console. Updated packages are available from security.debian.org.

March 15, 2009 23:52 Debian: New curl packages fix arbitrary file access

David Kierznowski discovered that libcurl, a multi-protocol file transfer library, when configured to follow URL redirects automatically, does not check the protocol of the new target location. As libcurl also supports file:// and scp:// URLs, depending on how it was built, an untrusted server could use a malicious redirect to expose local files, overwrite local files or even execute arbitrary code. Updated packages are available from security.debian.org.
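The defect described above is a missing step between receiving a Location header and following it: deciding whether the target's scheme is one the application meant to allow. The following is an added example for this page, not libcurl's code, of that check in C. The scheme is extracted as RFC 3986 defines it, a relative Location inherits the scheme of the request that produced it, and the redirect is permitted only if the resulting scheme is in an allowlist. The URLs in the test are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Copy the URL's scheme, lower-cased, into out. RFC 3986: ALPHA *(ALPHA / DIGIT /
 * "+" / "-" / ".") followed by ":". Returns 1 if a scheme was found, 0 for a
 * relative reference, -1 if the scheme is too long to be a real one. */
int url_scheme(const char *url, char *out, size_t cap)
{
    size_t i = 0;
    if (!isalpha((unsigned char)url[0])) return 0;
    while (isalnum((unsigned char)url[i]) || url[i] == '+' || url[i] == '-' || url[i] == '.')
        i++;
    if (url[i] != ':') return 0;                      /* "/path", "//host/path", "c?x=1" */
    if (i >= cap) return -1;                          /* no room for the NUL: reject */
    for (size_t k = 0; k < i; k++) out[k] = (char)tolower((unsigned char)url[k]);
    out[i] = '\0';
    return 1;
}

/* A redirect may be followed only if the scheme it lands on is allowlisted.
 * A relative Location keeps the scheme of the request that produced it, so
 * that is the scheme which gets checked; anything unparsable is refused. */
bool redirect_allowed(const char *from_url, const char *location,
                      const char *const *allowed, size_t nallowed)
{
    char scheme[32];
    int r = url_scheme(location, scheme, sizeof scheme);
    if (r == 0) r = url_scheme(from_url, scheme, sizeof scheme);
    if (r != 1) return false;
    for (size_t i = 0; i < nallowed; i++)
        if (strcmp(scheme, allowed[i]) == 0) return true;
    return false;
}
```

With libcurl itself the equivalent control is CURLOPT_REDIR_PROTOCOLS, added in 7.19.4 alongside this fix, which limits the protocols a redirect may switch to independently of the protocols allowed for the initial request (CURLOPT_PROTOCOLS); the default for redirects excludes file and scp.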

March 15, 2009 23:51 Debian: New wesnoth packages fix several vulnerabilities

Several security issues have been discovered in wesnoth, a fantasy turn-based strategy game. Daniel Franke discovered that the wesnoth server is prone to a denial of service attack when receiving specially crafted compressed data. Daniel Franke discovered that the sandbox implementation for the Python AIs can be used to execute arbitrary Python code on wesnoth clients. To prevent this issue, Python support has been disabled. A compatibility patch was included, so that the affected campaign still works properly. Updated packages are available from security.debian.org.

March 15, 2009 23:49 Debian: New mahara packages fix cross-site scripting

It was discovered that mahara, an electronic portfolio, weblog, and resume builder, is prone to cross-site scripting attacks, which allow the injection of arbitrary JavaScript or HTML code. Updated packages are available from security.debian.org.

March 15, 2009 23:47 New znc packages fix privilege escalation

It was discovered that znc, an IRC proxy/bouncer, does not properly sanitize input contained in configuration change requests to the webadmin interface. This allows authenticated users to elevate their privileges and indirectly execute arbitrary commands. Updated packages are available from security.debian.org.
