RSS feed: Debian Security
This RSS feed was imported from the following page: http://www.debian.org/security/dsa-long.en.rdf
Charlie Somerville discovered that Ruby incorrectly handled floating point number conversion. If an application using Ruby accepted untrusted input strings and converted them to floating point numbers, an attacker able to provide such input could cause the application to crash or, possibly, execute arbitrary code with the privileges of the application.
4 December 2013: read more about DSA-2810 ruby1.9.1 - heap overflow
Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems:
4 December 2013: read more about DSA-2809 ruby1.8 - several vulnerabilities
Several vulnerabilities have been discovered in OpenJPEG, a JPEG 2000 image library, that may lead to denial of service (CVE-2013-1447) via application crash or high memory consumption, possible code execution through heap buffer overflows (CVE-2013-6045), information disclosure (CVE-2013-6052), or yet another heap buffer overflow that only appears to affect OpenJPEG 1.3 (CVE-2013-6054).
3 December 2013: read more about DSA-2808 openjpeg - several vulnerabilities
Mikulas Patocka discovered an integer overflow in the parsing of HTML tables in the Links web browser. This can only be exploited when running Links in graphical mode.
30 November 2013: read more about DSA-2807 links2 - integer overflow
It was discovered that nbd-server, the server for the Network Block Device protocol, parsed its access control lists incorrectly, allowing access from any host whose IP address shares a prefix with an allowed address.
29 November 2013: read more about DSA-2806 nbd - privilege escalation
joernchen of Phenoelit discovered two command injection flaws in Sup, a console-based email client. An attacker might execute arbitrary commands if the user opens a maliciously crafted email.
27 November 2013: read more about DSA-2805 sup-mail - command injection
Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework: Cross-site request forgery, insecure pseudo random number generation, code execution, incorrect security token validation and cross-site scripting.
26 November 2013: read more about DSA-2804 drupal7 - several vulnerabilities
Multiple vulnerabilities were discovered in Quagga, a BGP/OSPF/RIP routing daemon:
26 November 2013: read more about DSA-2803 quagga - several vulnerabilities
Andrew Tinits reported a potentially exploitable buffer overflow in the Mozilla Network Security Service library (nss). With a specially crafted request a remote attacker could cause a denial of service or possibly execute arbitrary code.
25 November 2013: read more about DSA-2800 nss - buffer overflow
Ivan Fratric of the Google Security Team discovered a bug in nginx, a web server, which might allow an attacker to bypass security restrictions by using a specially crafted request.
21 November 2013: read more about DSA-2802 nginx - restriction bypass
Jonathan Dolle reported a design error in HTTP::Body, a Perl module for processing data from HTTP POST requests. The HTTP body multipart parser creates temporary files which preserve the suffix of the uploaded file. An attacker able to upload files to a service that uses HTTP::Body::Multipart could potentially execute commands on the server if these temporary filenames are used in subsequent commands without further checks.
21 November 2013: read more about DSA-2801 libhttp-body-perl - design error
Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSL_VERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This also disabled SSL certificate host name checks, when it should have disabled only verification of the certificate trust chain.
17 November 2013: read more about DSA-2798 curl - unchecked ssl certificate host name
Several vulnerabilities have been discovered in the lighttpd web server.
17 November 2013: read more about DSA-2795 lighttpd - several vulnerabilities
Several vulnerabilities have been discovered in the chromium web browser.
16 November 2013: read more about DSA-2799 chromium-browser - several vulnerabilities
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. Multiple memory safety errors, and other implementation errors may lead to the execution of arbitrary code.
13 November 2013: read more about DSA-2797 icedove - several vulnerabilities
Matt Ezell from Oak Ridge National Labs reported a vulnerability in torque, a PBS-derived batch processing queueing system.
13 November 2013: read more about DSA-2796 torque - arbitrary code execution
Several vulnerabilities have been found in SPIP, a website engine for publishing, resulting in cross-site request forgery on logout, cross-site scripting on author page, and PHP injection.
10 November 2013: read more about DSA-2794 spip - several vulnerabilities
Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. The CVE IDs mentioned above are just a small portion of the security issues fixed in this update. A full list of the changes is available at http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.9
9 November 2013: read more about DSA-2793 libav - several vulnerabilities