page content
RSS feed Debian security
This is the RSS feed imported from the following address : http://www.debian.org/security/dsa-long.en.rdf
DSA-2473 openoffice.org - buffer overflow
Tielei Wang discovered that OpenOffice.org does not allocate a large enough memory region when processing a specially crafted JPEG object, leading to a heap-based buffer overflow and potentially arbitrary code execution.
16th of May 2012
read more about DSA-2473 openoffice.org - buffer overflowDSA-2472 gridengine - privilege escalation
Dave Love discovered that users who are allowed to submit jobs to a Grid Engine installation can escalate their privileges to root because the environment is not properly sanitized before creating processes.
15th of May 2012
read more about DSA-2472 gridengine - privilege escalationDSA-2471 ffmpeg - several vulnerabilities
Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. Multiple input validations in the decoders/ demuxers for Westwood Studios VQA, Apple MJPEG-B, Theora, Matroska, Vorbis, Sony ATRAC3, DV, NSV, files could lead to the execution of arbitrary code.
13th of May 2012
read more about DSA-2471 ffmpeg - several vulnerabilitiesDSA-2458 iceape - several vulnerabilities
Several vulnerabilities have been found in the Iceape internet suite, an unbranded version of Seamonkey:
13th of May 2012
read more about DSA-2458 iceape - several vulnerabilitiesDSA-2457 iceweasel - several vulnerabilities
Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian.
13th of May 2012
read more about DSA-2457 iceweasel - several vulnerabilitiesDSA-2470 wordpress - several vulnerabilities
Several vulnerabilities were identified in WordPress, a web blogging tool. As the CVEs were allocated from releases announcements and specific fixes are usually not identified, it has been decided to upgrade the wordpress package to the latest upstream version instead of backporting the patches.
11th of May 2012
read more about DSA-2470 wordpress - several vulnerabilitiesDSA-2469 linux-2.6 - privilege escalation/denial of service
Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:
10th of May 2012
read more about DSA-2469 linux-2.6 - privilege escalation/denial of serviceDSA-2468 libjakarta-poi-java - unbounded memory allocation
It was discovered that Apache POI, a Java implementation of the Microsoft Office file formats, would allocate arbitrary amounts of memory when processing crafted documents. This could impact the stability of the Java virtual machine.
9th of May 2012
read more about DSA-2468 libjakarta-poi-java - unbounded memory allocationDSA-2467 mahara - insecure defaults
It was discovered that Mahara, the portfolio, weblog, and resume builder, had an insecure default with regards to SAML-based authentication used with more than one SAML identity provider. Someone with control over one IdP could impersonate users from other IdP's.
9th of May 2012
read more about DSA-2467 mahara - insecure defaultsDSA-2466 rails - cross site scripting
Sergey Nartimov discovered that in Rails, a Ruby based framework for web development, when developers generate html options tags manually, user input concatenated with manually built tags may not be escaped and an attacker can inject arbitrary HTML into the document.
9th of May 2012
read more about DSA-2466 rails - cross site scriptingDSA-2465 php5 - several vulnerabilities
De Eindbazen discovered that PHP, when run with mod_cgi, will interpret a query string as command line parameters, allowing to execute arbitrary code.
9th of May 2012
read more about DSA-2465 php5 - several vulnerabilitiesDSA-2422 file - missing bounds checks
The file type identification tool, file, and its associated library, libmagic, do not properly process malformed files in the Composite Document File (CDF) format, leading to crashes.
9th of May 2012
read more about DSA-2422 file - missing bounds checksDSA-2464 icedove - several vulnerabilities
Several vulnerabilities have been discovered in Icedove, an unbranded version of the Thunderbird mail/news client.
8th of May 2012
read more about DSA-2464 icedove - several vulnerabilitiesDSA-2459 quagga - several vulnerabilities
Several vulnerabilities have been discovered in Quagga, a routing daemon.
4th of May 2012
read more about DSA-2459 quagga - several vulnerabilitiesDSA-2462 imagemagick - several vulnerabilities
Several integer overflows and missing input validations were discovered in the ImageMagick image manipulation suite, resulting in the execution of arbitrary code or denial of service.
3rd of May 2012
read more about DSA-2462 imagemagick - several vulnerabilitiesDSA-2463 samba - missing permission checks
Ivano Cristofolini discovered that insufficient security checks in Samba's handling of LSA RPC calls could lead to privilege escalation by gaining the
take ownership
privilege.2nd of May 2012
read more about DSA-2463 samba - missing permission checksDSA-2461 spip - several vulnerabilities
Several vulnerabilities have been found in SPIP, a website engine for publishing, resulting in cross-site scripting, script code injection and bypass of restrictions.
26th of April 2012
read more about DSA-2461 spip - several vulnerabilitiesDSA-2460 asterisk - several vulnerabilities
Several vulnerabilities were discovered in the Asterisk PBX and telephony toolkit:
25th of April 2012
read more about DSA-2460 asterisk - several vulnerabilitiesDSA-2454 openssl - multiple vulnerabilities
Multiple vulnerabilities have been found in OpenSSL. The Common Vulnerabilities and Exposures project identifies the following issues:
24th of April 2012
read more about DSA-2454 openssl - multiple vulnerabilitiesDSA-2456 dropbear - use after free
Danny Fullerton discovered a use-after-free in the Dropbear SSH daemon, resulting in potential execution of arbitrary code. Exploitation is limited to users, who have been authenticated through public key authentication and for which command restrictions are in place.
23rd of April 2012
read more about DSA-2456 dropbear - use after freeDSA-2455 typo3-src - missing input sanitization
Helmut Hummel of the TYPO3 security team discovered that TYPO3, a web content management system, is not properly sanitizing output of the exception handler. This allows an attacker to conduct cross-site scripting attacks if either third-party extensions are installed that do not sanitize this output on their own or in the presence of extensions using the extbase MVC framework which accept objects to controller actions.
20th of April 2012
read more about DSA-2455 typo3-src - missing input sanitizationDSA-2453 gajim - several vulnerabilities
Several vulnerabilities have been discovered in Gajim, a feature-rich Jabber client. The Common Vulnerabilities and Exposures project identifies the following problems:
16th of April 2012
read more about DSA-2453 gajim - several vulnerabilities
