Debian Security RSS feed
This RSS feed was imported from the following page: http://www.debian.org/security/dsa-long.en.rdf
Multiple security issues have been discovered in the Xen virtualisation solution which may result in denial of service, information disclosure or privilege escalation.
1 October 2014: read more about DSA-3041 xen - security update
Rainer Gerhards, the rsyslog project leader, reported a vulnerability in Rsyslog, a system for log processing. As a consequence of this vulnerability an attacker can send malformed messages to a server, if that server accepts data from untrusted sources, and trigger a denial of service attack.
30 September 2014: read more about DSA-3040 rsyslog - security update
Several vulnerabilities were discovered in the chromium web browser.
28 September 2014: read more about DSA-3039 chromium-browser - security update
Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library. The Common Vulnerabilities and Exposures project identifies the following problems:
27 September 2014: read more about DSA-3038 libvirt - security update
Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library, embedded in Wheezy's Icedove) was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
26 September 2014: read more about DSA-3037 icedove - security update
It was discovered that MediaWiki, a wiki engine, did not sufficiently filter CSS in uploaded SVG files, allowing for cross site scripting.
26 September 2014: read more about DSA-3036 mediawiki - security update
Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this update, a prefix and suffix for environment variable names which contain shell functions are added as a hardening measure.
25 September 2014: read more about DSA-3035 bash - security update
Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library, embedded in Wheezy's Iceweasel package) was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
25 September 2014: read more about DSA-3034 iceweasel - security update
Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library) was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
25 September 2014: read more about DSA-3033 nss - security update
Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.
24 September 2014: read more about DSA-3032 bash - security update
The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle an HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the http apt method binary, or potentially to arbitrary code execution.
23 September 2014: read more about DSA-3031 apt - security update
Multiple SQL injection vulnerabilities have been discovered in the Mantis bug tracking system.
20 September 2014: read more about DSA-3030 mantis - security update
Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was possible to reuse cached SSL sessions in unrelated contexts, allowing virtual host confusion attacks in some configurations by an attacker in a privileged network position.
20 September 2014: read more about DSA-3029 nginx - security update
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service.
17 September 2014: read more about DSA-3028 icedove - security update
Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full list of the changes is available at http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.15
17 September 2014: read more about DSA-3027 libav - security update
Alban Crequy and Simon McVittie discovered several vulnerabilities in the D-Bus message daemon.
16 September 2014: read more about DSA-3026 dbus - security update
It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490).
16 September 2014: read more about DSA-3025 apt - security update
Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal encryption subkeys (CVE-2014-5270).
11 September 2014: read more about DSA-3024 gnupg - security update
Jared Mauch reported a denial of service flaw in the way BIND, a DNS server, handled queries for NSEC3-signed zones. A remote attacker could use this flaw against an authoritative name server that served NSEC3-signed zones by sending a specially crafted query, which, when processed, would cause named to crash.
11 September 2014: read more about DSA-3023 bind9 - security update
Two vulnerabilities have been discovered in cURL, a URL transfer library. They can be used to leak cookie information:
10 September 2014: read more about DSA-3022 curl - security update
During a review for EDF, Raphael Geissert discovered that the acpi-support package did not properly handle data obtained from a user's environment. This could lead to program malfunction or allow a local user to escalate privileges to the root user due to a programming error.
10 September 2014: read more about DSA-3020 acpi-support - security update
Multiple security issues have been found in file, a tool to determine a file type. These vulnerabilities allow remote attackers to cause a denial of service, via resource consumption or application crash.
9 September 2014: read more about DSA-3021 file - security update
Pi Piwinger and Tavis Ormandy reported a heap overflow vulnerability in procmail's formail utility when processing specially-crafted email headers. A remote attacker could use this flaw to cause formail to crash, resulting in a denial of service or data loss, or possibly execute arbitrary code.
4 September 2014: read more about DSA-3019 procmail - security update
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service.
3 September 2014: read more about DSA-3018 iceweasel - security update
Marvin S. Addison discovered that Jasig phpCAS, a PHP library for the CAS authentication protocol, did not encode tickets before adding them to a URL, creating a possibility for cross site scripting.
2 September 2014: read more about DSA-3017 php-cas - security update