RSS feed: Debian security
This is the RSS feed imported from the following address: http://www.debian.org/security/dsa-long.nl.rdf
Johan Olofsson discovered an authentication bypass vulnerability in Stunnel, a program designed to work as a universal SSL tunnel for network daemons. When Stunnel in server mode is used with the redirect option and certificate-based authentication is enabled with `verify = 2` or higher, then only the initial connection is redirected to the hosts specified with `redirect`. This allows a remote attacker to bypass authentication.
2 July 2015. Read more about DSA-3299 stunnel4 - security update
It was discovered that the Jackrabbit WebDAV bundle was susceptible to an XXE/XEE attack. When processing a WebDAV request body containing XML, the XML parser could be instructed to read content from network resources accessible to the host, identified by URI schemes such as `file`. Depending on the WebDAV request, this could not only be used to trigger internal network requests, but might also be used to insert said content into the request, potentially exposing it to the attacker and others.
1 July 2015. Read more about DSA-3298 jackrabbit - security update
It was discovered that unattended-upgrades, a script for automatic installation of security upgrades, did not properly authenticate downloaded packages when the force-confold or force-confnew dpkg options were enabled via the DPkg::Options::* apt configuration.
29 June 2015. Read more about DSA-3297 unattended-upgrades - security update
Evgeny Sidorov discovered that libcrypto++, a general purpose C++ cryptographic library, did not properly implement blinding to mask private key operations for the Rabin-Williams digital signature algorithm. This could allow remote attackers to mount a timing attack and retrieve the user's private key.
29 June 2015. Read more about DSA-3296 libcrypto++ - security update
Several vulnerabilities (cross-site scripting and SQL injection) have been discovered in Cacti, a web interface for graphing data from monitoring systems.
24 June 2015. Read more about DSA-3295 cacti - security update
Multiple vulnerabilities were discovered in the dissectors for WCCP and GSM DTAP, which could result in denial of service.
23 June 2015. Read more about DSA-3294 wireshark - security update
Tim McLean discovered that pyjwt, a Python implementation of JSON Web Token, would try to verify an HMAC signature using an RSA or ECDSA public key as the secret. This could allow remote attackers to trick applications expecting tokens signed with asymmetric keys into accepting arbitrary tokens. For more information see: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/.
20 June 2015. Read more about DSA-3293 pyjwt - security update
Bastian Blank from credativ discovered that cinder, a storage-as-a-service system for the OpenStack cloud computing suite, contained a bug that would allow an authenticated user to read any file from the cinder server.
19 June 2015. Read more about DSA-3292 cinder - security update
Several vulnerabilities were found in drupal7, a content management platform used to power websites.
18 June 2015. Read more about DSA-3291 drupal7 - security update
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, information leaks or data corruption.
18 June 2015. Read more about DSA-3290 linux - security update
Alexander Cherepanov discovered that p7zip is susceptible to a directory traversal vulnerability. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory.
15 June 2015. Read more about DSA-3289 p7zip - security update
Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full list of the changes is available at https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.4
13 June 2015. Read more about DSA-3288 libav - security update
Multiple vulnerabilities were discovered in OpenSSL, a Secure Sockets Layer toolkit.
13 June 2015. Read more about DSA-3287 openssl - security update
Multiple security issues have been found in the Xen virtualisation solution:
13 June 2015. Read more about DSA-3286 xen - security update
Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware.
13 June 2015. Read more about DSA-3285 qemu-kvm - security update
Several vulnerabilities were discovered in qemu, a fast processor emulator.
13 June 2015. Read more about DSA-3284 qemu - security update
It was discovered that CUPS, the Common UNIX Printing System, is vulnerable to a remotely triggerable privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on the CUPS server.
9 June 2015. Read more about DSA-3283 cups - security update
Alexander E. Patrakov discovered an issue in strongSwan, an IKE/IPsec suite used to establish IPsec protected links.
8 June 2015. Read more about DSA-3282 strongswan - security update
This is a notice that the Debian Security Team has changed its PGP/GPG contact key as part of its periodic key rollover.
7 June 2015. Read more about DSA-3281 - Debian Security Team PGP/GPG key change notice
Multiple vulnerabilities have been discovered in PHP:
7 June 2015. Read more about DSA-3280 php5 - security update
It was discovered that redis, a persistent key-value database, could execute insecure Lua bytecode by way of the EVAL command. This could allow remote attackers to break out of the Lua sandbox and execute arbitrary code.
6 June 2015. Read more about DSA-3279 redis - security update
An information disclosure flaw due to incorrect JkMount/JkUnmount directive processing was found in mod_jk, the Apache 2 module that forwards requests from the Apache web server to Tomcat. A JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to access a private artifact in a tree that would otherwise not be accessible to them.
3 June 2015. Read more about DSA-3278 libapache-mod-jk - security update
Multiple vulnerabilities were discovered in the dissectors/parsers for LBMR, web sockets, WCP, X11, IEEE 802.11 and Android Logcat, which could result in denial of service.
2 June 2015. Read more about DSA-3277 wireshark - security update