RSS feed: Debian Security
This RSS feed was imported from the following page: http://www.debian.org/security/dsa-long.en.rdf
A memory-corrupting integer overflow in the handling of the ECH (erase characters) control sequence was discovered in PuTTY's terminal emulator. A remote attacker can take advantage of this flaw to mount a denial of service or potentially to execute arbitrary code.
1 December 2015. Read more about DSA-3409 putty - security update
It was discovered that GnuTLS, a library implementing the TLS and SSL protocols, incorrectly validates the first byte of padding in CBC modes. A remote attacker can possibly take advantage of this flaw to perform a padding oracle attack.
1 December 2015. Read more about DSA-3408 gnutls26 - security update
Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb component of dpkg, the Debian package management system. This flaw could potentially lead to arbitrary code execution if a user or an automated system were tricked into processing a specially crafted Debian binary package (.deb) in the old style Debian binary package format.
26 November 2015. Read more about DSA-3407 dpkg - security update
It was discovered that incorrect memory allocation in the NetScape Portable Runtime library might result in denial of service or the execution of arbitrary code.
25 November 2015. Read more about DSA-3406 nspr - security update
Tero Marttila discovered that the Debian packaging for smokeping installed it in such a way that the CGI implementation of Apache httpd (mod_cgi) passed additional arguments to the smokeping_cgi program, potentially leading to arbitrary code execution in response to crafted HTTP requests.
25 November 2015. Read more about DSA-3405 smokeping - security update
Ryan Butterfield discovered a vulnerability in the date template filter in python-django, a high-level Python web development framework. A remote attacker can take advantage of this flaw to obtain any secret in the application's settings.
25 November 2015. Read more about DSA-3404 python-django - security update
This update backports changes from the commons-collections 3.2.2 release which disable the deserialisation of the functors classes unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true. This fixes a vulnerability in unsafe applications deserialising objects from untrusted sources without sanitising the input data. Classes considered unsafe are: CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.
24 November 2015. Read more about DSA-3403 libcommons-collections3-java - security update
Several vulnerabilities have been discovered in symfony, a framework to create websites and web applications. The Common Vulnerabilities and Exposures project identifies the following problems:
24 November 2015. Read more about DSA-3402 symfony - security update
It was discovered that rebinding a receiver of a direct method handle may allow a protected method to be accessed.
22 November 2015. Read more about DSA-3401 openjdk-7 - security update
Roman Fiedler discovered a directory traversal flaw in LXC, the Linux Containers userspace tools. A local attacker with access to a LXC container could exploit this flaw to run programs inside the container that are not confined by AppArmor or expose unintended files in the host to the container.
19 November 2015. Read more about DSA-3400 lxc - security update
Several vulnerabilities have been discovered in the libpng PNG library. The Common Vulnerabilities and Exposures project identifies the following problems:
18 November 2015. Read more about DSA-3399 libpng - security update
Tobias Brunner found an authentication bypass vulnerability in strongSwan, an IKE/IPsec suite.
16 November 2015. Read more about DSA-3398 strongswan - security update
Several vulnerabilities have been discovered in wpa_supplicant and hostapd. The Common Vulnerabilities and Exposures project identifies the following problems:
10 November 2015. Read more about DSA-3397 wpa - security update
Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service.
10 November 2015. Read more about DSA-3396 linux - security update
Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems:
6 November 2015. Read more about DSA-3395 krb5 - security update
Multiple vulnerabilities have been discovered in LibreOffice, a full-featured office productivity suite:
5 November 2015. Read more about DSA-3394 libreoffice - security update
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, integer overflows, buffer overflows and other implementation errors may lead to the execution of arbitrary code, information disclosure or denial of service.
4 November 2015. Read more about DSA-3393 iceweasel - security update
Pengsu Cheng discovered that FreeImage, a library for graphic image formats, contained multiple integer underflows that could lead to a denial of service: remote attackers were able to trigger a crash by supplying a specially crafted image.
4 November 2015. Read more about DSA-3392 freeimage - security update
It was discovered that the web-based administration interface in the Horde Application Framework did not guard against Cross-Site Request Forgery (CSRF) attacks. As a result, other, malicious web pages could cause Horde applications to perform actions as the Horde user.
3 November 2015. Read more about DSA-3391 php-horde - security update
It was discovered that the code to validate level 2 page table entries is bypassed when certain conditions are satisfied. A malicious PV guest administrator can take advantage of this flaw to gain privileges via a crafted superpage mapping.
2 November 2015. Read more about DSA-3390 xen - security update
Security support for elasticsearch in jessie is hereby discontinued. The project no longer releases information on fixed security issues that would allow backporting them to released versions of Debian, and actively discourages doing so.
1 November 2015. Read more about DSA-3389 elasticsearch - end-of-life
Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs:
1 November 2015. Read more about DSA-3388 ntp - security update
John Stumpo discovered that OpenAFS, a distributed file system, does not fully initialize certain network packets before transmitting them. This can lead to a disclosure of the plaintext of previously processed packets.
1 November 2015. Read more about DSA-3387 openafs - security update