All articles tagged with Debian

August 22, 2012 09:25 Debian: Security update for Puppet

Several security vulnerabilities have been found in Puppet, a centralized configuration management system. Authenticated clients could read arbitrary files on the puppet master. Authenticated clients could delete arbitrary files on the puppet master. The report of the most recent Puppet run was stored with world-readable permissions, resulting in information disclosure. Agent hostnames were insufficiently validated.

Updated packages are available from security.debian.org.
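The world-readable report is the kind of defect an administrator can check for directly after patching. The following is an added example, not Puppet's own code: it walks a directory tree, lists regular files whose mode grants read access to "other", and tightens them. The reports directory layout and file names used in the demo are constructed inside a temporary directory, so it runs anywhere; on a real master you would point world_readable_files at the reports directory instead.

```python
# Added example (not Puppet code): audit a directory tree for regular files
# that are readable by "other" and tighten them. Paths in demo() are
# constructed inside a temporary directory so the demo runs anywhere.
from __future__ import annotations

import os
import stat
import tempfile


def world_readable_files(root: str) -> list[str]:
    """Return sorted paths of regular files under root with the o+r bit set.

    Symlinks are not followed (lstat), so the check is about the report
    files themselves rather than whatever a link might point at.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # raced with a cleanup; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                found.append(path)
    return sorted(found)


def restrict_to_owner(paths: list[str], mode: int = 0o640) -> None:
    """chmod each path to owner read/write, group read, nothing for other."""
    for path in paths:
        os.chmod(path, mode)


def demo() -> tuple[list[str], list[str]]:
    """Build a scratch reports tree with constructed files, audit, fix, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        node_dir = os.path.join(tmp, "reports", "node1.example")
        os.makedirs(node_dir)
        # Hypothetical report files: one left world-readable, one already tight.
        for name, mode in (("last_run.yaml", 0o644), ("older_run.yaml", 0o600)):
            path = os.path.join(node_dir, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample report\n")
            os.chmod(path, mode)
        before = [os.path.relpath(p, tmp) for p in world_readable_files(tmp)]
        restrict_to_owner(world_readable_files(tmp))
        after = [os.path.relpath(p, tmp) for p in world_readable_files(tmp)]
        return before, after


if __name__ == "__main__":
    leaked, remaining = demo()
    print("world-readable before:", leaked)
    print("world-readable after: ", remaining)
```

The audit only looks at mode bits; a report directory that is itself world-searchable but whose files are 0640 is fine, while a 0644 file under a 0700 directory is still worth fixing, since directory permissions change more often than people expect.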

August 22, 2012 09:24 Debian: Security update for OpenJDK

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform. Multiple errors in the CORBA implementation could lead to breakouts of the Java sandbox. Missing input sanitising in the font manager could lead to the execution of arbitrary code. The SynthLookAndFeel Swing class could be abused to break out of the Java sandbox.

Several temporary files were created insecurely, resulting in local information disclosure. Certificate revocation lists were incorrectly implemented. Validation errors in the bytecode verifier of the Hotspot VM could lead to breakouts of the Java sandbox.

Missing input sanitising in the XML parser could lead to denial of service through an infinite loop.

Updated packages are available from security.debian.org.

August 13, 2012 10:55 Debian: Security update for Zend Framework

An XML External Entities inclusion vulnerability was discovered in Zend Framework, a PHP library. This vulnerability may allow attackers to access local files, depending on how the framework is used. Updated packages are available from security.debian.org.

August 13, 2012 10:55 Debian: Security update for mod_security

Qualys Vulnerability & Malware Research Labs discovered a vulnerability in ModSecurity, a security module for the Apache webserver. In situations where both ‘Content-Disposition: attachment’ and ‘Content-Type: multipart’ were present in HTTP headers, the vulnerability could allow an attacker to bypass policy and execute cross-site scripting (XSS) attacks through properly crafted HTML documents. Updated packages are available from security.debian.org.

August 03, 2012 16:50 Debian: Security update for libspring-2.5-java

It was discovered that the Spring Framework contains an information disclosure vulnerability in the processing of certain Expression Language (EL) patterns, allowing attackers to access sensitive information using HTTP requests. Updated packages are available from security.debian.org.

August 03, 2012 16:49 Debian: Security update for bcfg2

It was discovered that malicious clients can trick the server component of the Bcfg2 configuration management system into executing commands with root privileges. Updated packages are available from security.debian.org.

August 01, 2012 05:59 Debian: Security update for python-crypto

It was discovered that the ElGamal code in PyCrypto (the python-crypto package), a collection of cryptographic algorithms and protocols for Python, used insecure, insufficient prime numbers in key generation, which led to a weakened signature or public-key space and made brute-force attacks on such keys easier. Updated packages are available from security.debian.org.
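Whatever the key generator does, the parameters it produces can be checked independently. The following is an added example, not PyCrypto's code: it validates an ElGamal prime p and generator g, requiring p to be a safe prime (so p-1 has no small factors beyond 2, which is what keeps Pohlig-Hellman from reducing the discrete logarithm to small subproblems) and rejecting a g of order 2, whose public keys collapse onto two values. The bit-length threshold, message texts and function names are this example's own choices; the small primes in the demo are deliberately tiny so the brute-force order computation can show the structure.

```python
# Added example (not PyCrypto's code): sanity checks for ElGamal domain
# parameters (p, g), using only the standard library. The thresholds and
# function names are this example's own choices.
from __future__ import annotations

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: deterministic for n < 3.3e24,
    a strong probable-prime test above that."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def element_order(g: int, p: int) -> int:
    """Multiplicative order of g mod p by brute force (small p only)."""
    if p > 1 << 20:
        raise ValueError("brute-force order is only meant for small p")
    if g % p == 0:
        raise ValueError("g must be nonzero mod p")
    x, k = g % p, 1
    while x != 1:
        x = x * g % p
        k += 1
    return k


def validate_elgamal_params(p: int, g: int, min_bits: int = 2048) -> list[str]:
    """Return the list of problems found; an empty list means (p, g) pass."""
    issues: list[str] = []
    if p.bit_length() < min_bits:
        issues.append(f"p has {p.bit_length()} bits, fewer than {min_bits}")
    if not is_probable_prime(p):
        issues.append("p is not prime")
        return issues
    q = (p - 1) // 2
    safe = is_probable_prime(q)
    if not safe:
        issues.append("p is not a safe prime: (p-1)/2 is composite, so p-1 may be "
                      "smooth and Pohlig-Hellman makes discrete logs easy")
    if not 1 < g < p:
        issues.append("g must satisfy 1 < g < p")
        return issues
    # For a safe prime the only possible orders of g are 1, 2, q and 2q;
    # the range check above rules out 1, so only order 2 remains to catch.
    if pow(g, 2, p) == 1:
        issues.append("g has order 2 (g == p-1): every public key is +/-1")
    return issues


if __name__ == "__main__":
    for p, g in ((23, 5), (23, 22), (31, 3)):
        print(p, g, "order", element_order(g, p), validate_elgamal_params(p, g, min_bits=5))
```

With p = 23 (a safe prime, q = 11), g = 5 has order 22 and g = 2 has order 11; both are acceptable, while g = 22 has order 2 and is rejected. With p = 31, p-1 = 30 = 2*3*5, so the check flags the missing safe-prime property even though 31 is prime.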

August 01, 2012 05:58 Debian: Security update for dhcpcd

It was discovered that dhcpcd, a DHCP client, was vulnerable to a stack overflow. A malformed DHCP message could crash the client, causing a denial of service, and potentially allow remote code execution through specially crafted malicious DHCP packets. Updated packages are available from security.debian.org.
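DHCP options are a type-length-value list, and the length byte is attacker-controlled: a client that copies an option into a fixed-size buffer using the declared length, without first checking it against the bytes actually received, is exactly what a malformed message can overflow. The following is an added example, not dhcpcd's code: a bounds-checked options parser in Python with two constructed packets, a valid OFFER and one whose hostname option declares 200 bytes but sends two. The layout follows RFC 2131/2132 (236-byte fixed header, magic cookie, then code/length/value triples with 0 as pad and 255 as end).

```python
# Added example (not dhcpcd's code): a bounds-checked parser for the DHCP
# options field. The packets are constructed here; the option layout
# follows RFC 2131/2132 (code, length, value; 0 = pad, 255 = end).
from __future__ import annotations

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236
OPT_PAD, OPT_END = 0, 255


class MalformedDHCP(ValueError):
    """Raised for any option that would read past the received bytes."""


def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Return {option_code: value}; repeated codes are concatenated (RFC 3396)."""
    n = len(packet)
    start = FIXED_HEADER_LEN + len(MAGIC_COOKIE)
    if n < start:
        raise MalformedDHCP(f"packet is {n} bytes, shorter than header+cookie ({start})")
    if packet[FIXED_HEADER_LEN:start] != MAGIC_COOKIE:
        raise MalformedDHCP("magic cookie missing, not a DHCP options field")
    options: dict[int, bytes] = {}
    i = start
    while i < n:
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return options
        if i + 1 >= n:
            raise MalformedDHCP(f"option {code} has no length byte")
        length = packet[i + 1]
        value_start, value_end = i + 2, i + 2 + length
        # The check a client must make before copying the value anywhere:
        # the declared length may not exceed what was actually received.
        if value_end > n:
            raise MalformedDHCP(
                f"option {code} declares {length} bytes but only {n - value_start} remain")
        options[code] = options.get(code, b"") + packet[value_start:value_end]
        i = value_end
    raise MalformedDHCP("options field not terminated with END (255)")


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_dhcp_options(packet)
    except MalformedDHCP:
        return False
    return True


def build_packet(options: bytes) -> bytes:
    """Constructed BOOTREPLY header (mostly zero) + cookie + the given options."""
    header = bytearray(FIXED_HEADER_LEN)
    header[0], header[1], header[2] = 2, 1, 6  # op=BOOTREPLY, htype=Ethernet, hlen=6
    return bytes(header) + MAGIC_COOKIE + options


# Constructed samples: a valid OFFER and one whose hostname option lies about its length.
GOOD_OFFER = build_packet(bytes([53, 1, 2,                # message type = DHCPOFFER
                                 1, 4, 255, 255, 255, 0,  # subnet mask 255.255.255.0
                                 OPT_END]))
OVERLONG_HOSTNAME = build_packet(bytes([53, 1, 2,
                                        12, 200, 0x61, 0x62]))  # claims 200 bytes, sends 2

if __name__ == "__main__":
    print(parse_dhcp_options(GOOD_OFFER))
    print("overlong option accepted:", is_well_formed(OVERLONG_HOSTNAME))
```

In a C client the same `value_end > n` comparison has to happen before the memcpy into the stack buffer, and the destination buffer's own size is a second, independent bound: a length that fits the packet can still exceed a 64-byte hostname array.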

August 01, 2012 05:50 Debian: Security update for Xen

Several vulnerabilities were discovered in Xen, a hypervisor. Xen does not properly handle non-canonical return addresses on Intel amd64 CPUs, allowing amd64 PV guests to escalate to hypervisor privileges. Xen does not properly handle SYSCALL and SYSENTER instructions in PV guests, allowing unprivileged users inside a guest system to crash the guest system.

Updated packages are available from security.debian.org.

July 27, 2012 05:01 Debian: Security update for Mantis

Several vulnerabilities were discovered in Mantis, an issue tracking system. Mantis installations in which the private_bug_view_threshold configuration option has been set to an array value do not properly enforce bug viewing restrictions. Copy/clone bug report actions fail to leave an audit trail. The delete_bug_threshold/bugnote_allow_user_edit_delete access check can be bypassed by users who have write access to the SOAP API.

Mantis performed access checks incorrectly when moving bugs between projects. A SOAP client sending a null password field can authenticate as the Mantis administrator. Mantis does not check the delete_attachments_threshold permission when a user attempts to delete an attachment from an issue.

Updated packages are available from security.debian.org.

July 27, 2012 04:59 Debian: Security update for Icedove

Several vulnerabilities have been discovered in Icedove, the Debian version of the Mozilla Thunderbird mail/news client. There were miscellaneous memory safety hazards and use-after-free issues. Updated packages are available from security.debian.org.

July 27, 2012 04:57 Debian: Security update for Quagga

It was discovered that Quagga, a routing daemon, contains a vulnerability in processing the ORF capability in BGP OPEN messages. A malformed OPEN message from a previously configured BGP peer could cause bgpd to crash, causing a denial of service. Updated packages are available from security.debian.org.

July 16, 2012 05:21 Debian: Security update for MySQL

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to a new upstream version, 5.1.63, which includes additional changes, such as performance improvements and corrections for data loss defects. Updated packages are available from security.debian.org.

July 13, 2012 08:08 Debian: Security update for openconnect

A buffer overflow was discovered in OpenConnect, a client for the Cisco AnyConnect VPN, which could result in denial of service. Updated packages are available from security.debian.org.

July 09, 2012 10:01 Debian: Security update for asterisk

Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit. The IAX2 channel driver allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold (when a certain mohinterpret setting is enabled). The Skinny channel driver allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode.

Updated packages are available from security.debian.org.

July 06, 2012 10:54 Debian: Security update for PostgreSQL

Two vulnerabilities were discovered in PostgreSQL, an SQL database server. The crypt(text, text) function in the pgcrypto contrib module did not handle certain passwords correctly, ignoring characters after the first character which does not fall into the ASCII range. SECURITY DEFINER and SET attributes for a call handler of a procedural language could crash the database server.

Updated packages are available from security.debian.org.

July 06, 2012 10:54 Debian: Security update for php5

The Phar extension for PHP does not properly handle crafted tar files, leading to a heap-based buffer overflow. PHP applications processing tar files could crash or, potentially, execute arbitrary code. In addition, this update addresses a regression which caused a crash when accessing a global object that is returned as $this from __get. Updated packages are available from security.debian.org.

July 04, 2012 13:19 Debian: Security update for Iceweasel

Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian. Mozilla developers discovered several memory corruption bugs, which may lead to the execution of arbitrary code. Abhishek Arya discovered a use-after-free problem when working with column layout with absolute positioning in a container that changes size, which may lead to the execution of arbitrary code. Abhishek Arya discovered a heap buffer overflow in UTF-16 to Latin-1 character set conversion, which may lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

July 04, 2012 13:18 Debian: Security update for nss

Kaspar Brand discovered that Mozilla’s Network Security Services (NSS) library did insufficient length checking in the QuickDER decoder, allowing to crash a program using the library. Updated packages are available from security.debian.org.

July 04, 2012 13:17 Debian: Security update for Iceape

Several vulnerabilities have been found in the Iceape internet suite, an unbranded version of SeaMonkey. Mozilla developers discovered several memory corruption bugs, which may lead to the execution of arbitrary code. Abhishek Arya discovered a use-after-free problem when working with column layout with absolute positioning in a container that changes size, which may lead to the execution of arbitrary code. Abhishek Arya discovered a heap buffer overflow in UTF-16 to Latin-1 character set conversion, which may lead to the execution of arbitrary code. Updated packages are available from security.debian.org.

July 04, 2012 13:15 Debian: Security update for OpenOffice.org

It was discovered that OpenOffice.org did not properly process crafted document files, possibly leading to arbitrary code execution. The vulnerabilities include integer overflows in PNG image handling, an integer overflow in an operator new invocation, and a heap-based buffer overflow in the MS-ODRAW parser. Updated packages are available from security.debian.org.

June 28, 2012 21:06 Debian: Security update for bind9

It was discovered that BIND, a DNS server, can crash while processing resource records containing no data bytes. Both authoritative servers and resolvers are affected. Updated packages are available from security.debian.org.

June 27, 2012 06:16 Debian: Security update for IMP

Multiple cross-site scripting (XSS) vulnerabilities were discovered in IMP, the webmail component in the Horde framework. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various crafted parameters. Updated packages are available from security.debian.org.

June 27, 2012 06:15 Debian: Security update for libgdata

Vreixo Formoso discovered that libgdata, a library used to access various Google services, wasn’t validating certificates against trusted system root CAs when using an https connection. Updated packages are available from security.debian.org.

June 27, 2012 06:14 Debian: Security update for arpwatch

Steve Grubb from Red Hat discovered that a patch for arpwatch (as shipped at least in the Red Hat and Debian distributions), intended to make it drop root privileges, would fail to do so and instead add the root group to the list of groups the daemon uses. Updated packages are available from security.debian.org.

June 25, 2012 07:32 Debian: Security update for Nut

Sebastian Pohle discovered that upsd, the server of Network UPS Tools (NUT), is vulnerable to a remote denial of service attack. Updated packages are available from security.debian.org.

June 25, 2012 07:22 Debian: Security update for strongSwan

An authentication bypass issue was discovered by the Codenomicon CROSS project in strongSwan, an IPsec-based VPN solution. When using RSA-based setups, a missing check in the gmp plugin could allow an attacker presenting a forged signature to successfully authenticate against a strongSwan responder. Updated packages are available from security.debian.org.

June 21, 2012 12:46 Debian: Security update for Request Tracker

Several vulnerabilities were discovered in Request Tracker, an issue tracking system. Several cross-site scripting issues have been discovered. Password hashes could be disclosed by privileged users. Several cross-site request forgery vulnerabilities have been found.

The code to support variable envelope return paths allowed the execution of arbitrary code. Disabled groups were not fully accounted as disabled. An SQL injection vulnerability was found, which is only exploitable by privileged users.

Updated packages are available from security.debian.org.

June 21, 2012 12:45 Debian: Security update for libxml2

Jueri Aedla discovered an off-by-one in libxml2, which could result in the execution of arbitrary code. Updated packages are available from security.debian.org.

June 19, 2012 10:49 Debian: Security update for sudo

It was discovered that sudo misparsed network masks used in Host and Host_List stanzas. This allowed the execution of commands on hosts where the user would not be allowed to run the specified command. Updated packages are available from security.debian.org.
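After an update like this, the useful check is to take the Host_List entries from sudoers and confirm, for each host's real address, which entries actually cover it. The following is an added example, not sudo's own matching code: it parses entries written as a bare address, address/prefix-length or address/dotted-netmask and tests a host address against them, masking both sides with the same mask before comparing. Hostnames, aliases and negated (!) entries are assumed out of scope and are simply not matched here; ipaddress rejects non-contiguous masks with a ValueError.

```python
# Added example (not sudo's matching code): decide which entries of a
# sudoers Host_List cover a given host address. Entry syntax assumed:
# IP, IP/prefixlen, IP/dotted-netmask, or a hostname (not resolved here).
from __future__ import annotations

import ipaddress


def parse_host_entry(entry: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network | None:
    """Return an ip_network for an address/network entry, or None for a hostname."""
    entry = entry.strip()
    if "/" in entry:
        # strict=False accepts host bits set in the network part, which is
        # common in sudoers files (a host address written in front of the mask).
        return ipaddress.ip_network(entry, strict=False)
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return None  # hostname or alias; not handled in this example
    return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")


def host_matches(entry: str, host_ip: str) -> bool:
    """True if host_ip falls inside the network described by entry."""
    net = parse_host_entry(entry)
    if net is None:
        return False
    addr = ipaddress.ip_address(host_ip)
    # `addr in net` masks the candidate with the network's mask and compares
    # network parts; both sides are masked with the same mask, never only one.
    return addr.version == net.version and addr in net


def matching_entries(host_list: str, host_ip: str) -> list[str]:
    """Entries of a comma-separated Host_List that cover host_ip."""
    return [e.strip() for e in host_list.split(",") if host_matches(e, host_ip)]


if __name__ == "__main__":
    # Constructed Host_List with a mask that does not fall on an octet boundary.
    hosts = "10.0.0.0/8, 192.168.0.0/255.255.240.0, 172.16.0.1, 2001:db8::/32"
    for ip in ("192.168.15.7", "192.168.16.1", "172.16.0.1", "2001:db8:1::5"):
        print(ip, "->", matching_entries(hosts, ip))
```

The /20 mask in the sample (255.255.240.0) is the interesting case: 192.168.15.7 and 192.168.16.1 share their first two octets, and only masking the third octet correctly separates them.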
