Debian Security RSS feed
This RSS feed was imported from the following page: http://www.debian.org/security/dsa-long.en.rdf
Matthew Daley discovered that squid, a web proxy cache, does not properly perform input validation when parsing requests. A remote attacker could use this flaw to mount a denial of service attack, by sending specially crafted Range requests.
25 January 2015. Read more about DSA-3139 squid - security update
An off-by-one flaw, leading to a heap-based buffer overflow (CVE-2014-8157), and an unrestricted stack memory use flaw (CVE-2014-8158) were found in JasPer, a library for manipulating JPEG-2000 files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
25 January 2015. Read more about DSA-3138 jasper - security update
James Clawson discovered that websvn, a web viewer for Subversion repositories, would follow symlinks in a repository when presenting a file for download. An attacker with repository write access could thereby access any file on disk readable by the user the webserver runs as.
24 January 2015. Read more about DSA-3137 websvn - security update
A vulnerability was discovered in PolarSSL, a lightweight crypto and SSL/TLS library. A remote attacker could exploit this flaw using specially crafted certificates to mount a denial of service against an application linked against the library (application crash), or potentially, to execute arbitrary code.
24 January 2015. Read more about DSA-3136 polarssl - security update
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.41. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:
23 January 2015. Read more about DSA-3135 mysql-5.5 - security update
A vulnerability has been discovered in the web interface of sympa, a mailing list manager. An attacker could take advantage of this flaw in the newsletter posting area, which allows sending to a list, or to oneself, any file located on the server filesystem and readable by the sympa user.
20 January 2015. Read more about DSA-3134 sympa - security update
Multiple use-after-frees were discovered in Privoxy, a privacy-enhancing HTTP proxy.
20 January 2015. Read more about DSA-3133 privoxy - security update
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: Multiple memory safety errors and implementation errors may lead to the execution of arbitrary code, information leaks or denial of service.
19 January 2015. Read more about DSA-3132 icedove - security update
John Houwer discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely.
18 January 2015. Read more about DSA-3131 xdg-utils - security update
It was discovered that lsyncd, a daemon to synchronize local directories using rsync, performed insufficient sanitising of filenames which might result in the execution of arbitrary commands.
16 January 2015. Read more about DSA-3130 lsyncd - security update
Two vulnerabilities have been discovered in the RPM package manager.
15 January 2015. Read more about DSA-3129 rpm - security update
Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or information leaks.
15 January 2015. Read more about DSA-3128 linux - security update
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors and implementation errors may lead to the execution of arbitrary code, information leaks or denial of service.
14 January 2015. Read more about DSA-3127 iceweasel - security update
It was discovered that libmagic, as used by PHP, would trigger an out-of-bounds memory access when trying to identify a crafted file.
12 January 2015. Read more about DSA-3126 php5 - security update
Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:
11 January 2015. Read more about DSA-3125 openssl - security update
Thorsten Eckel of Znuny GMBH and Remo Staeuble of InfoGuard discovered a privilege escalation vulnerability in otrs2, the Open Ticket Request System. An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is configured and not additionally secured.
10 January 2015. Read more about DSA-3124 otrs2 - security update
Multiple security issues have been found in binutils, a toolbox for binary file manipulation. These vulnerabilities include multiple memory safety errors, buffer overflows, use-after-frees and other implementation errors, which may lead to the execution of arbitrary code, the bypass of security restrictions, path traversal attacks or denial of service.
9 January 2015. Read more about DSA-3123 binutils - security update
Andrey Labunets of Facebook discovered that cURL, a URL transfer library, fails to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl access a specially crafted URL via an HTTP proxy could use this flaw to make additional requests in a way that was not intended, or to insert additional request headers into the request.
8 January 2015. Read more about DSA-3122 curl - security update
Multiple security issues have been found in file, a tool/library to determine a file type. Processing a malformed file could result in denial of service. Most of the changes are related to parsing ELF files.
8 January 2015. Read more about DSA-3121 file - security update
Multiple security issues have been found in the Mantis bug tracking system, which may result in phishing, information disclosure, CAPTCHA bypass, SQL injection, cross-site scripting or the execution of arbitrary PHP code.
6 January 2015. Read more about DSA-3120 mantis - security update
Andrew Bartlett of Catalyst reported a defect affecting certain applications using the Libevent evbuffer API. This defect leaves applications which pass insanely large inputs to evbuffers open to a possible heap overflow or infinite loop. In order to exploit this flaw, an attacker needs to be able to find a way to provoke the program into trying to make a buffer chunk larger than what will fit into a single size_t or off_t.
6 January 2015. Read more about DSA-3119 libevent - security update
Mike Daskalakis reported a denial of service vulnerability in charon, the IKEv2 daemon for strongSwan, an IKE/IPsec suite used to establish IPsec protected links.
5 January 2015. Read more about DSA-3118 strongswan - security update
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
31 December 2014. Read more about DSA-3117 php5 - security update
It was discovered that a memory leak in parsing X.509 certificates may result in denial of service.
30 December 2014. Read more about DSA-3116 polarssl - security update
Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way wrapped strings are parsed in Python-YAML, a YAML parser and emitter for Python. An attacker able to load specially crafted YAML input into an application using python-yaml could cause the application to crash.
29 December 2014. Read more about DSA-3115 pyyaml - security update
Timothy D. Morgan discovered that run-mailcap, a utility to execute programs via entries in the mailcap file, is prone to shell command injection via shell meta-characters in filenames. In specific scenarios this flaw could allow an attacker to remotely execute arbitrary code.
29 December 2014. Read more about DSA-3114 mime-support - security update
Michele Spagnuolo of the Google Security Team discovered that unzip, an extraction utility for archives compressed in .zip format, is affected by heap-based buffer overflows within the CRC32 verification function (CVE-2014-8139), the test_compr_eb() function (CVE-2014-8140) and the getZip64Data() function (CVE-2014-8141), which may lead to the execution of arbitrary code.
28 December 2014. Read more about DSA-3113 unzip - security update