RSS-Flux Debian Security
Dieser RSS-Flux wurde von folgender Seite importiert: http://www.debian.org/security/dsa-long.en.rdf
Matthew Daley discovered that Squid3, a fully featured web proxy cache, did not properly perform input validation in request parsing. A remote attacker could use this flaw to mount a denial of service by sending crafted Range requests.
28 August 2014lese mehr über DSA-3014 squid3 - security update
Nikolaus Rath discovered that s3ql, a file system for online data storage, used the pickle functionality of the Python programming language in an unsafe way. As a result, a malicious storage backend or man-in-the-middle attacker was able execute arbitrary code.
27 August 2014lese mehr über DSA-3013 s3ql - security update
Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code in eglibc, Debian's version of the GNU C Library. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversation functions could achieve arbitrary code execution.
27 August 2014lese mehr über DSA-3012 eglibc - security update
It was discovered that MediaWiki, a website engine for collaborative work, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and clickjacking between OutputPage and ParserOutput (CVE-2014-5243). The vulnerabilities are addressed by upgrading MediaWiki to the new upstream version 1.19.18, which includes additional changes.
23 August 2014lese mehr über DSA-3011 mediawiki - security update
Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems:
22 August 2014lese mehr über DSA-3010 python-django - security update
Andrew Drake discovered that missing input sanitising in the icns decoder of the Python Imaging Library could result in denial of service if a malformed image is processed.
21 August 2014lese mehr über DSA-3009 python-imaging - security update
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The Common Vulnerabilities and Exposures project identifies the following problems:
21 August 2014lese mehr über DSA-3008 php5 - security update
It was discovered that missing access checks in the Struts ActionForm object could result in the execution of arbitrary code.
21 August 2014lese mehr über DSA-2940 libstruts1.2-java - security update
Multiple security issues (cross-site scripting, missing input sanitising and SQL injection) have been discovered in Cacti, a web interface for graphing of monitoring systems.
20 August 2014lese mehr über DSA-3007 cacti - security update
Multiple security issues have been discovered in the Xen virtualisation solution which may result in information leaks or denial of service.
18 August 2014lese mehr über DSA-3006 xen - security update
Tomáš Trnka discovered a heap-based buffer overflow within the gpgsm status handler of GPGME, a library designed to make access to GnuPG easier for applications. An attacker could use this issue to cause an application using GPGME to crash (denial of service) or possibly to execute arbitrary code.
14 August 2014lese mehr über DSA-3005 gpgme1.0 - security update
Sebastian Krahmer discovered that Kauth used Policykit insecurely by relying on the process ID. This could result in privilege escalation.
11 August 2014lese mehr über DSA-3004 kde4libs - security update
Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full list of the changes is available at http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.15
10 August 2014lese mehr über DSA-3003 libav - security update
Multiple vulnerabilities were discovered in the dissectors for Catapult DCT2000, IrDA, GSM Management, RLC ASN.1 BER, which could result in denial of service.
10 August 2014lese mehr über DSA-3002 wireshark - security update
Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/.
9 August 2014lese mehr über DSA-3001 wordpress - security update
Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems:
9 August 2014lese mehr über DSA-3000 krb5 - security update
A denial of service vulnerability was discovered in Drupal, a fully-featured content management framework. A remote attacker could exploit this flaw to cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections, leading to the site becoming unavailable or unresponsive. More information can be found at https://www.drupal.org/SA-CORE-2014-004.
9 August 2014lese mehr über DSA-2999 drupal7 - security update
Multiple vulnerabilities have been identified in OpenSSL, a Secure Sockets Layer toolkit, that may result in denial of service (application crash, large memory consumption), information leak, protocol downgrade. Additionally, a buffer overrun affecting only applications explicitly set up for SRP has been fixed (CVE-2014-3512).
7 August 2014lese mehr über DSA-2998 openssl - security update
Jakub Wilk discovered a remote command execution flaw in reportbug, a tool to report bugs in the Debian distribution. A man-in-the-middle attacker could put shell metacharacters in the version number allowing arbitrary code execution with the privileges of the user running reportbug.
5 August 2014lese mehr über DSA-2997 reportbug - security update
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service.
3 August 2014lese mehr über DSA-2996 icedove - security update
Don A. Bailey from Lab Mouse Security discovered an integer overflow flaw in the way the lzo library decompressed certain archives compressed with the LZO algorithm. An attacker could create a specially crafted LZO-compressed input that, when decompressed by an application using the lzo library, would cause that application to crash or, potentially, execute arbitrary code.
3 August 2014lese mehr über DSA-2995 lzo2 - security update