The OVAL Repository
5.10
2015-09-03T10:41:04.386-04:00
DSA-2901-3 -- wordpress -- security update
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
wordpress
Several vulnerabilities were discovered in WordPress, a web blogging tool.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2950-2 -- openssl -- security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
openssl
Multiple vulnerabilities have been discovered in OpenSSL.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2896-2 -- openssl -- security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
openssl
A vulnerability has been discovered in OpenSSL's support for the TLS/DTLS Heartbeat extension. Up to 64KB of memory from either client or server can be recovered by an attacker. This vulnerability might allow an attacker to compromise the private key and other sensitive data in memory.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2895-2 -- prosody -- security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
prosody
A denial-of-service vulnerability has been reported in Prosody, an XMPP server. If compression is enabled, an attacker might send highly compressed XML elements (an attack known as a zip bomb) over XMPP streams and consume all the resources of the server.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2873-2 -- file -- several vulnerabilities
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
file
Several vulnerabilities have been found in file, a file type classification tool.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2850-2 -- libyaml -- heap-based buffer overflow
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libyaml
Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2901-2 -- wordpress -- security update
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
wordpress
Several vulnerabilities were discovered in WordPress, a web blogging tool.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2675-2 -- libxvmc -- several vulnerabilities
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libxvmc
Ilja van Sprundel of IOActive discovered several security issues in multiple components of the X.org graphics stack and the related libraries: Various integer overflows, sign handling errors in integer conversions, buffer overflows, memory corruption and missing input sanitising may lead to privilege escalation or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2891-3 -- mediawiki, mediawiki-extensions -- security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mediawiki
mediawiki-extensions
Several vulnerabilities were discovered in MediaWiki, a wiki engine.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2891-2 -- mediawiki, mediawiki-extensions -- security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mediawiki
mediawiki-extensions
Several vulnerabilities were discovered in MediaWiki, a wiki engine.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2808-2 -- openjpeg -- several vulnerabilities
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
openjpeg
Several vulnerabilities have been discovered in OpenJPEG, a JPEG 2000 image library, that may lead to denial of service via application crash or high memory consumption, possible code execution through heap buffer overflows, information disclosure, or yet another heap buffer overflow that only appears to affect OpenJPEG 1.3.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2826-2 -- denyhosts -- remote denial of ssh service
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
denyhosts
Helmut Grohne discovered that denyhosts, a tool preventing SSH brute-force attacks, could be used to perform remote denial of service against the SSH daemon. Incorrectly specified regular expressions used to detect brute force attacks in authentication logs could be exploited by a malicious user to forge crafted login names in order to make denyhosts ban arbitrary IP addresses.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2798-2 -- curl -- unchecked ssl certificate host name
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
curl
Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSL_VERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This also disabled SSL certificate host name checks when it should have only disabled verification of the certificate trust chain.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2765-2 -- davfs2 -- privilege escalation
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
davfs2
Davfs2, a filesystem client for WebDAV, calls the function system() insecurely while it is setuid root. This might allow a privilege escalation.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3115-1 -- pyyaml security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
pyyaml
Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way wrapped strings are parsed in Python-YAML, a YAML parser and emitter for Python. An attacker able to load specially crafted YAML input into an application using python-yaml could cause the application to crash.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3110-1 -- mediawiki security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mediawiki
A flaw was discovered in mediawiki, a wiki engine: thumb.php outputs wikitext messages as raw HTML, potentially leading to cross-site scripting (XSS).
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2831-2 -- puppet -- insecure temporary files
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
puppet
An unsafe use of temporary files was discovered in Puppet, a tool for centralized configuration management. An attacker can exploit this vulnerability and overwrite an arbitrary file in the system.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3102-1 -- libyaml security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libyaml
Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way wrapped strings are parsed in LibYAML, a fast YAML 1.1 parser and emitter library. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3101-1 -- c-icap security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
c-icap
Several vulnerabilities were found in c-icap, an ICAP server implementation, which could allow a remote attacker to cause c-icap to crash, or have other, unspecified impacts.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3107-2 -- subversion regression update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
subversion
Evgeny Kotkov discovered a NULL pointer dereference while processing REPORT requests in mod_dav_svn, the Subversion component which is used to serve repositories with the Apache web server. A remote attacker could abuse this vulnerability for a denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3142-1 -- eglibc -- security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
eglibc
Several vulnerabilities have been fixed in eglibc, Debian's version of the GNU C library.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3095-1 -- xorg-server security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
xorg-server
Ilja van Sprundel of IOActive discovered several security issues in the X.org X server, which may lead to privilege escalation or denial of service.
Sergey Artykhov
DRAFT
INTERIM
Maria Mikhno
ACCEPTED
ACCEPTED
DSA-3112-1 -- sox security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
sox
Michele Spagnuolo of the Google Security Team discovered two heap-based buffer overflows in SoX, the Swiss Army knife of sound processing programs. A specially crafted wav file could cause an application using SoX to crash or, possibly, execute arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3104-1 -- bsd-mailx security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
bsd-mailx
It was discovered that bsd-mailx, an implementation of the "mail" command, had an undocumented feature which treats syntactically valid email addresses as shell commands to execute.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3108-1 -- ntp security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
ntp
Several vulnerabilities were discovered in the ntp package, an implementation of the Network Time Protocol.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3098-1 -- graphviz security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
graphviz
Joshua Rogers discovered a format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz, a rich set of graph drawing tools. An attacker could use this flaw to cause graphviz to crash or possibly execute arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3109-1 -- firebird2.5 security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
firebird2.5
Dmitry Kovalenko discovered that the Firebird database server is prone to a denial of service vulnerability. An unauthenticated remote attacker could send a malformed network packet to a Firebird server, which would cause the server to crash.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2795-2 -- lighttpd -- several vulnerabilities
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
lighttpd
Several vulnerabilities have been discovered in the lighttpd web server.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3100-1 -- mediawiki security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mediawiki
A flaw was discovered in mediawiki, a wiki engine: cross-domain-policy mangling allows an article editor to inject code into API consumers that deserialize PHP representations of the page from the API.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3105-1 -- heirloom-mailx security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
heirloom-mailx
Two security vulnerabilities were discovered in Heirloom mailx, an implementation of the "mail" command.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3111-1 -- cpio security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
cpio
Michal Zalewski discovered an out of bounds write issue in cpio, a tool for creating and extracting cpio archive files. In the process of fixing that issue, the cpio developers found and fixed additional range checking and null pointer dereference issues.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3090-1 -- iceweasel security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
iceweasel
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows, use-after-frees and other implementation errors may lead to the execution of arbitrary code, the bypass of security restrictions or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3114-1 -- mime-support security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mime-support
Timothy D. Morgan discovered that run-mailcap, a utility to execute programs via entries in the mailcap file, is prone to shell command injection via shell meta-characters in filenames. In specific scenarios this flaw could allow an attacker to remotely execute arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3081-1 -- libvncserver security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libvncserver
Several vulnerabilities have been discovered in libvncserver, a library to implement VNC server functionality. These vulnerabilities might result in the execution of arbitrary code or denial of service in both the client and the server side.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3086-1 -- tcpdump security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
tcpdump
Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service, leaking sensitive information from memory or, potentially, execution of arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2987-2 -- openjdk-7 regression update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
openjdk-7
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DEPRECATED: DSA-3107-1 -- subversion security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
subversion
Evgeny Kotkov discovered a NULL pointer dereference while processing REPORT requests in mod_dav_svn, the Subversion component which is used to serve repositories with the Apache web server. A remote attacker could abuse this vulnerability for a denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
Maria Mikhno
DEPRECATED
DEPRECATED
DSA-3093-1 -- linux security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
linux
Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3078-1 -- libksba security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libksba
An integer underflow flaw, leading to a heap-based buffer overflow, was found in the ksba_oid_to_str() function of libksba, an X.509 and CMS (PKCS#7) library. By using specially crafted S/MIME messages or ECC-based OpenPGP data, it is possible to trigger a buffer overflow, which could cause an application using libksba to crash (denial of service) or, potentially, execute arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3083-1 -- mutt security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mutt
A flaw was discovered in mutt, a text-based mailreader. A specially crafted mail header could cause mutt to crash, leading to a denial of service condition.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3091-1 -- getmail4 security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
getmail4
Several vulnerabilities have been discovered in getmail4, a mail retriever with support for POP3, IMAP4 and SDPS, that could allow man-in-the-middle attacks.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3080-1 -- openjdk-7 security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
openjdk-7
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, information disclosure or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3075-1 -- drupal7 security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
drupal7
Two vulnerabilities were discovered in Drupal, a fully-featured content management framework.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3097-1 -- unbound security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
unbound
Florian Maury from ANSSI discovered that unbound, a validating, recursive, and caching DNS resolver, was prone to a denial of service vulnerability. An attacker crafting a malicious zone and able to send queries to the server (or cause them to be sent) can trick the resolver into following an endless series of delegations, leading to resource exhaustion and heavy network usage.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3084-1 -- openvpn security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
openvpn
Dragana Damjanovic discovered that an authenticated client could crash an OpenVPN server by sending a control packet containing less than four bytes as payload.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2984-2 -- acpi-support regression update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
acpi-support
CESG discovered a root escalation flaw in the acpi-support package. An unprivileged user can inject the DBUS_SESSION_BUS_ADDRESS environment variable to run arbitrary commands as root user via the policy-funcs script.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3092-1 -- icedove security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
icedove
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: Multiple memory safety errors, buffer overflows, use-after-frees and other implementation errors may lead to the execution of arbitrary code, the bypass of security restrictions or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3076-1 -- wireshark security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
wireshark
Multiple vulnerabilities were discovered in the dissectors/parsers for SigComp UDVM, AMQP, NCP and TN5250, which could result in denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3103-1 -- libyaml-libyaml-perl security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libyaml-libyaml-perl
Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way wrapped strings are parsed in LibYAML, a fast YAML 1.1 parser and emitter library. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DEPRECATED: DSA-3074-1 -- php5 security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
php5
Francisco Alonso of Red Hat Product Security found an issue in the file utility, whose code is embedded in PHP, a general-purpose scripting language. When checking ELF files, note headers are incorrectly checked, thus potentially allowing attackers to cause a denial of service (out-of-bounds read and application crash) by supplying a specially crafted ELF file.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
Maria Mikhno
DEPRECATED
DEPRECATED
DSA-3025-2 -- apt regression update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
apt
CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490).
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3064-1 -- php5 security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
php5
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. It has been decided to follow the stable 5.4.x releases for the Wheezy PHP packages. Consequently the vulnerabilities are addressed by upgrading PHP to a new upstream version 5.4.34, which includes additional bug fixes, new features and possibly incompatible changes. Please refer to the upstream changelog for more information.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3094-1 -- bind9 security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
bind9
It was discovered that BIND, a DNS server, is prone to a denial of service vulnerability.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3050-3 -- iceweasel security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
iceweasel
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows, use-after-frees and other implementation errors may lead to the execution of arbitrary code, denial of service, the bypass of the same-origin policy or a loss of privacy.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3059-1 -- dokuwiki security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
dokuwiki
Two vulnerabilities have been discovered in dokuwiki. Access control in the media manager was insufficiently restricted and authentication could be bypassed when using Active Directory for LDAP authentication.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3106-1 -- jasper security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
jasper
Jose Duart of the Google Security Team discovered a double free flaw (CVE-2014-8137, https://security-tracker.debian.org/tracker/CVE-2014-8137) and a heap-based buffer overflow flaw (CVE-2014-8138, https://security-tracker.debian.org/tracker/CVE-2014-8138) in JasPer, a library for manipulating JPEG-2000 files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3061-1 -- icedove security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
icedove
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: Multiple memory safety errors, buffer overflows, use-after-frees and other implementation errors may lead to the execution of arbitrary code or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3088-1 -- qemu-kvm security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
qemu-kvm
Paolo Bonzini of Red Hat discovered that the blit region checks were insufficient in the Cirrus VGA emulator in qemu-kvm, a full virtualization solution on x86 hardware. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3077-1 -- openjdk-6 security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
openjdk-6
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, information disclosure or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3082-1 -- flac security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
flac
Michele Spagnuolo, of Google Security Team, and Miroslav Lichvar, of Red Hat, discovered two issues in flac, a library handling Free Lossless Audio Codec media: by providing a specially crafted FLAC file, an attacker could execute arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3099-1 -- dbus security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
dbus
Simon McVittie discovered that the fix for CVE-2014-3636 (https://security-tracker.debian.org/tracker/CVE-2014-3636) was incorrect, as it did not fully address the underlying denial-of-service vector. This update starts the D-Bus daemon as root initially, so that it can properly raise its file descriptor count.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3066-1 -- qemu security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
qemu
Several vulnerabilities were discovered in qemu, a fast processor emulator.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DEPRECATED: DSA-3050-2 -- xulrunner update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
iceweasel
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows, use-after-frees and other implementation errors may lead to the execution of arbitrary code, denial of service, the bypass of the same-origin policy or a loss of privacy.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
Maria Mikhno
DEPRECATED
DEPRECATED
DSA-3079-1 -- ppp security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
ppp
A vulnerability was discovered in ppp, an implementation of the Point-to-Point Protocol: an integer overflow in the routine responsible for parsing user-supplied options potentially allows a local attacker to gain root privileges.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3008-2 -- php5 regression update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
php5
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3065-1 -- libxml-security-java security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libxml-security-java
James Forshaw discovered that, in Apache Santuario XML Security for Java, CanonicalizationMethod parameters were incorrectly validated: by specifying an arbitrary weak canonicalization algorithm, an attacker could spoof XML signatures.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3070-1 -- kfreebsd-9 security update
Debian GNU/kFreeBSD 7.0
kfreebsd-9
Several vulnerabilities have been discovered in the FreeBSD kernel that may lead to a denial of service or information disclosure.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3085-1 -- wordpress security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
wordpress
Multiple security issues have been discovered in WordPress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/11/wordpress-4-0-1/
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3063-1 -- quassel security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
quassel
An out-of-bounds read vulnerability was discovered in Quassel-core, one of the components of the distributed IRC client Quassel. An attacker can send a crafted message that crashes the component, causing a denial of service or disclosure of information from process memory.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3096-1 -- pdns-recursor security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
pdns-recursor
Florian Maury from ANSSI discovered a flaw in pdns-recursor, a recursive DNS server: a remote attacker controlling maliciously constructed zones or a rogue server could affect the performance of pdns-recursor, thus leading to resource exhaustion and a potential denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3074-2 -- php5 regression update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
php5
Francisco Alonso of Red Hat Product Security found an issue in the file utility, whose code is embedded in PHP, a general-purpose scripting language. When checking ELF files, note headers are incorrectly checked, thus potentially allowing attackers to cause a denial of service (out-of-bounds read and application crash) by supplying a specially crafted ELF file.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3021-2 -- file regression update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
file
Multiple security issues have been found in file, a tool to determine a file type. These vulnerabilities allow remote attackers to cause a denial of service, via resource consumption or application crash.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3058-1 -- torque security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
torque
Chad Vizino reported a vulnerability in torque, a PBS-derived batch processing queueing system. A non-root user could exploit the flaw in the tm_adopt() library call to kill any process, including root-owned ones on any node in a job.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3073-1 -- libgcrypt11 security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libgcrypt11
Daniel Genkin, Itamar Pipman and Eran Tromer discovered that Elgamal encryption subkeys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side-channel attack.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3087-1 -- qemu security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
qemu
Paolo Bonzini of Red Hat discovered that the blit region checks were insufficient in the Cirrus VGA emulator in qemu, a fast processor emulator. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3072-1 -- file security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
file
Francisco Alonso of Red Hat Product Security found an issue in the file utility: when checking ELF files, note headers are incorrectly checked, thus potentially allowing attackers to cause a denial of service (out-of-bounds read and application crash) by supplying a specially crafted ELF file.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3068-1 -- konversation security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
konversation
It was discovered that Konversation, an IRC client for KDE, could be crashed when receiving malformed messages using FiSH encryption.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3071-1 -- nss security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
nss
In nss, a set of libraries designed to support cross-platform development of security-enabled client and server applications, Tyson Smith and Jesse Schwartzentruber discovered a use-after-free vulnerability that allows remote attackers to execute arbitrary code by triggering the improper removal of an NSSCertificate structure from a trust domain.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3089-1 -- jasper security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
jasper
Josh Duart of the Google Security Team discovered heap-based buffer overflow flaws in JasPer, a library for manipulating JPEG-2000 files, which could lead to denial of service (application crash) or the execution of arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3060-1 -- linux security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
linux
Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3113-1 -- unzip security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
unzip
CVE-2014-8139), the test_compr_eb() function (CVE-2014-8140) and the getZip64Data() function (CVE-2014-8141), which may lead to the execution of arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3062-1 -- wget security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
wget
HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability allows arbitrary files to be created on the user's system when Wget runs in recursive mode against a malicious FTP server. Arbitrary file creation may overwrite the content of the user's files or permit remote code execution with the user's privileges.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3069-1 -- curl security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
curl
Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL, a URL transfer library, has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending, while performing an HTTP POST operation.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3067-1 -- qemu-kvm security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
qemu-kvm
Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3056-1 -- libtasn1-3 -- security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libtasn1-3
Several vulnerabilities were discovered in libtasn1-3, a library that manages ASN.1 (Abstract Syntax Notation One) structures. An attacker could use those to cause a denial of service via out-of-bounds access or NULL pointer dereference.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3048-1 apt - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
apt
Guillem Jover discovered that the changelog retrieval functionality in apt-get used temporary files in an insecure way, allowing a local user to cause arbitrary files to be overwritten.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3047-1 rsyslog - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
rsyslog
Mancha discovered a vulnerability in rsyslog, a system for log processing. This vulnerability is an integer overflow that can be triggered by malformed messages sent to a server, if it accepts data from untrusted sources, provoking message loss, denial of service and, potentially, remote code execution.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3054-1 mysql-5.5 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mysql-5.5
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.40. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3040-1 rsyslog - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
rsyslog
Rainer Gerhards, the rsyslog project leader, reported a vulnerability in Rsyslog, a system for log processing. As a consequence of this vulnerability an attacker can send malformed messages to a server, if it accepts data from untrusted sources, and trigger a denial of service attack.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3042-1 exuberant-ctags - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
exuberant-ctags
Stefano Zacchiroli discovered a vulnerability in exuberant-ctags, a tool to build tag file indexes of source code definitions: Certain JavaScript files cause ctags to enter an infinite loop until it runs out of disk space, resulting in denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3038-1 libvirt - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libvirt
Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3051-1 drupal7 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
drupal7
Stefan Horst discovered a vulnerability in the Drupal database abstraction API, which may result in SQL injection.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3045-1 qemu - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
qemu
Several vulnerabilities were discovered in qemu, a fast processor emulator.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3057-1 libxml2 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libxml2
Sogeti found a denial of service flaw in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. (<a href="https://security-tracker.debian.org/tracker/CVE-2014-3660">CVE-2014-3660</a>)
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3043-1 tryton-server - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
tryton-server
tryton-server - security update
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3052-1 wpa - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
wpa
Jouni Malinen discovered an input sanitization issue in the wpa_cli and hostapd_cli tools included in the wpa package. A remote wifi system within range could provide a crafted string triggering arbitrary code execution running with privileges of the affected wpa_cli or hostapd_cli process.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3039-1 chromium-browser - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
chromium-browser
Several vulnerabilities were discovered in the chromium web browser.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3036-1 mediawiki - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mediawiki
It was discovered that MediaWiki, a wiki engine, did not sufficiently filter CSS in uploaded SVG files, allowing for cross site scripting.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3049-1 wireshark - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
wireshark
Multiple vulnerabilities were discovered in the dissectors/parsers for RTP, MEGACO, Netflow, RTSP, SES and Sniffer, which could result in denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3044-1 qemu-kvm - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
qemu-kvm
Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3055-1 pidgin - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
pidgin
Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3037-1 icedove - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
icedove
Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library, embedded in Wheezy's Icedove) was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3022-1 curl - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
curl
Two vulnerabilities have been discovered in cURL, a URL transfer library. They can be used to leak cookie information.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3034-1 iceweasel - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
iceweasel
Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library, embedded in Wheezy's Iceweasel package) was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3041-1 xen - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
xen
Multiple security issues have been discovered in the Xen virtualisation solution which may result in denial of service, information disclosure or privilege escalation.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3026-1 dbus - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
dbus
Alban Crequy and Simon McVittie discovered several vulnerabilities in the D-Bus message daemon.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3030-1 mantis - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mantis
Multiple SQL injection vulnerabilities have been discovered in the Mantis bug tracking system.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3050-1 iceweasel - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
iceweasel
iceweasel security update
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3046-1 mediawiki - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mediawiki
It was reported that MediaWiki, a website engine for collaborative work, allowed user-created CSS to be loaded on pages where user-created JavaScript is not allowed. A wiki user could be tricked into performing actions by manipulating the interface from CSS, or by JavaScript code being executed from CSS, on security-sensitive pages like Special:Preferences and Special:UserLogin. This update removes the separation of CSS and JavaScript module allowance.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3024-1 gnupg - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
gnupg
Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal encryption subkeys (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5270">CVE-2014-5270</a>).
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3007-1 cacti - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
cacti
Multiple security issues (cross-site scripting, missing input sanitising and SQL injection) have been discovered in Cacti, a web interface for graphing of monitoring systems.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3019-1 procmail - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
procmail
A heap overflow vulnerability was reported in procmail's formail utility when processing specially-crafted email headers. A remote attacker could use this flaw to cause formail to crash, resulting in a denial of service or data loss, or possibly execute arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3008-1 php5 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
php5
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3012-1 eglibc - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
eglibc
Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code in eglibc, Debian's version of the GNU C Library. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversion functions could achieve arbitrary code execution.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3035-1 bash - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
bash
Tavis Ormandy discovered that the patch applied to fix <a href="https://security-tracker.debian.org/tracker/CVE-2014-6271">CVE-2014-6271</a> released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (<a href="https://security-tracker.debian.org/tracker/CVE-2014-7169">CVE-2014-7169</a>). With this update, a prefix and suffix are added to environment variable names which contain shell functions as a hardening measure.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3025-1 apt - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
apt
CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490).
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3023-1 bind9 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
bind9
Jared Mauch reported a denial of service flaw in the way BIND, a DNS server, handled queries for NSEC3-signed zones. A remote attacker could use this flaw against an authoritative name server that served NSEC3-signed zones by sending a specially crafted query, which, when processed, would cause named to crash.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3009-1 python-imaging - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
python-imaging
Andrew Drake discovered that missing input sanitising in the icns decoder of the Python Imaging Library could result in denial of service if a malformed image is processed.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3018-1 iceweasel - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
iceweasel
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3032-1 bash - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
bash
Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3028-1 icedove - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
icedove
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3015-1 lua5.1 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
lua5.1
A heap-based overflow vulnerability was found in the way Lua, a simple, extensible, embeddable programming language, handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3033-1 nss - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
nss
Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library) was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3053-1 openssl - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
openssl
Several vulnerabilities have been found in OpenSSL, the Secure Sockets Layer library and toolkit.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3017-1 php-cas - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
php-cas
Marvin S. Addison discovered that Jasig phpCAS, a PHP library for the CAS authentication protocol, did not encode tickets before adding them to a URL, creating a possibility for cross site scripting.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3016-1 lua5.2 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
lua5.2
A heap-based overflow vulnerability was found in the way Lua, a simple, extensible, embeddable programming language, handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3003-1 libav - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libav
Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full list of the changes is available at <a href="http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.15">http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.15</a>
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3021-1 file - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
file
Multiple security issues have been found in file, a tool to determine a file type. These vulnerabilities allow remote attackers to cause a denial of service, via resource consumption or application crash.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3005-1 gpgme1.0 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
gpgme1.0
Tomáš Trnka discovered a heap-based buffer overflow within the gpgsm status handler of GPGME, a library designed to make access to GnuPG easier for applications. An attacker could use this issue to cause an application using GPGME to crash (denial of service) or possibly to execute arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2997-1 reportbug - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
reportbug
Jakub Wilk discovered a remote command execution flaw in reportbug, a tool to report bugs in the Debian distribution. A man-in-the-middle attacker could put shell metacharacters in the version number allowing arbitrary code execution with the privileges of the user running reportbug.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3006-1 xen - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
xen
Multiple security issues have been discovered in the Xen virtualisation solution which may result in information leaks or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2999-1 drupal7 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
drupal7
A denial of service vulnerability was discovered in Drupal, a fully-featured content management framework. A remote attacker could exploit this flaw to cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections, leading to the site becoming unavailable or unresponsive. More information can be found at <a href="https://www.drupal.org/SA-CORE-2014-004">https://www.drupal.org/SA-CORE-2014-004</a>.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2998-1 openssl - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
openssl
Multiple vulnerabilities have been identified in OpenSSL, a Secure Sockets Layer toolkit, that may result in denial of service (application crash, large memory consumption), information leak or protocol downgrade. Additionally, a buffer overrun affecting only applications explicitly set up for SRP has been fixed (<a href="https://security-tracker.debian.org/tracker/CVE-2014-3512">CVE-2014-3512</a>).
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3020-1 acpi-support - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
acpi-support
During a review for EDF, Raphael Geissert discovered that the acpi-support package did not properly handle data obtained from a user's environment. This could lead to program malfunction or allow a local user to escalate privileges to the root user due to a programming error.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3029-1 nginx - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
nginx
Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was possible to reuse cached SSL sessions in unrelated contexts, allowing virtual host confusion attacks in some configurations by an attacker in a privileged network position.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3027-1 libav - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libav
Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full list of the changes is available at <a href="http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.15">http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.15</a>
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3001-1 wordpress - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
wordpress
Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at <a href="https://wordpress.org/news/2014/08/wordpress-3-9-2/">https://wordpress.org/news/2014/08/wordpress-3-9-2/</a>.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3013-1 s3ql - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
s3ql
Nikolaus Rath discovered that s3ql, a file system for online data storage, used the pickle functionality of the Python programming language in an unsafe way. As a result, a malicious storage backend or man-in-the-middle attacker was able to execute arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3014-1 squid3 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
squid3
Matthew Daley discovered that Squid3, a fully featured web proxy cache, did not properly perform input validation in request parsing. A remote attacker could use this flaw to mount a denial of service by sending crafted Range requests.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3011-1 mediawiki - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mediawiki
It was discovered that MediaWiki, a website engine for collaborative work, is vulnerable to JSONP injection in Flash (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5241">CVE-2014-5241</a>) and clickjacking between OutputPage and ParserOutput (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5243">CVE-2014-5243</a>). The vulnerabilities are addressed by upgrading MediaWiki to the new upstream version 1.19.18, which includes additional changes.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3031-1 apt - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
apt
The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle an HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the "http" apt method binary, or potentially to arbitrary code execution.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3002-1 wireshark - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
wireshark
Multiple vulnerabilities were discovered in the dissectors for Catapult DCT2000, IrDA, GSM Management, RLC ASN.1 BER, which could result in denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3004-1 kde4libs - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
kde4libs
Sebastian Krahmer discovered that Kauth used Policykit insecurely by relying on the process ID. This could result in privilege escalation.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3010-1 python-django - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
python-django
Several vulnerabilities were discovered in Django, a high-level Python web development framework.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-3000-1 krb5 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
krb5
Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2967-1 gnupg - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
gnupg
Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets. A remote attacker could use this flaw to mount a denial of service against GnuPG by triggering an infinite loop.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2968-1 gnupg2 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
gnupg2
Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets. A remote attacker could use this flaw to mount a denial of service against GnuPG by triggering an infinite loop.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2959-1 chromium-browser - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
chromium-browser
Several vulnerabilities have been discovered in the chromium web browser.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2957-1 mediawiki - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mediawiki
Omer Iqbal discovered that Mediawiki, a wiki engine, parses invalid usernames on Special:PasswordReset as wikitext when $wgRawHtml is enabled. On such wikis this allows an unauthenticated attacker to insert malicious JavaScript, a cross site scripting attack.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2970-1 cacti - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
cacti
Multiple security issues (cross-site scripting, cross-site request forgery, SQL injections, missing input sanitising) have been found in Cacti, a web frontend for RRDTool.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2963-1 lucene-solr - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
lucene-solr
Multiple vulnerabilities were found in Solr, an open source enterprise search server based on Lucene, resulting in information disclosure or code execution.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2955-1 iceweasel - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
iceweasel
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors and buffer overflows may lead to the execution of arbitrary code or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2958-1 apt - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
apt
Jakub Wilk discovered that APT, the high level package manager, did not properly perform authentication checks for source packages downloaded via "apt-get source". This only affects use cases where source packages are downloaded via this command; it does not affect regular Debian package installation and upgrading.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2965-1 tiff - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
tiff
Murray McAllister discovered a heap-based buffer overflow in the gif2tiff command line tool. Executing gif2tiff on a malicious tiff image could result in arbitrary code execution.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2966-1 samba - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
samba
Multiple vulnerabilities were discovered and fixed in Samba, a SMB/CIFS file, print, and login server.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2962-1 nspr - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
nspr
Abhishek Arya discovered an out of bounds write in the cvt_t() function of the NetScape Portable Runtime Library which could result in the execution of arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2961-1 php5 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
php5
It was discovered that PHP, a general-purpose scripting language commonly used for web application development, is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2964-1 iodine - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
iodine
Oscar Reparaz discovered an authentication bypass vulnerability in iodine, a tool for tunneling IPv4 data through a DNS server. A remote attacker could exploit this flaw to make a server accept the rest of the setup, and subsequently network traffic.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2960-1 icedove - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
icedove
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: multiple memory safety errors and buffer overflows may lead to the execution of arbitrary code or denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2954-1 dovecot - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
dovecot
It was discovered that the Dovecot email server is vulnerable to a denial of service attack against imap/pop3-login processes due to incorrect handling of the closure of inactive SSL/TLS connections.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2942-1 typo3-src - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
typo3-src
Multiple security issues have been discovered in the Typo3 CMS.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2940-1 libstruts1.2-java - security update
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libstruts1.2-java
The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2946-1 python-gnupg - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
python-gnupg
Multiple vulnerabilities were discovered in the Python wrapper for the Gnu Privacy Guard (GPG). Insufficient sanitising could lead to the execution of arbitrary shell commands.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2935-1 libgadu - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libgadu
It was discovered that malformed responses from a Gadu-Gadu file relay server could lead to denial of service or the execution of arbitrary code in applications linked to the libgadu library.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2943-1 php5 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
php5
Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2945-1 chkrootkit - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
chkrootkit
Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit detector, which may allow local attackers to gain root access when /tmp is mounted without the noexec option.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2949-1 linux - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
linux
Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2948-1 python-bottle - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
python-bottle
It was discovered that Bottle, a WSGI framework for Python, performed an overly permissive detection of JSON content, resulting in a potential bypass of security mechanisms.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2947-1 libav - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libav
Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2936-1 torque - security update
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
torque
John Fitzpatrick from MWR Labs reported a stack-based buffer overflow vulnerability in torque, a PBS-derived batch processing queueing system. An unauthenticated remote attacker could exploit this flaw to execute arbitrary code with root privileges.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2956-1 icinga - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
icinga
Multiple security issues have been found in the Icinga host and network monitoring system (buffer overflows, cross-site request forgery, off-by-ones) which could result in the execution of arbitrary code, denial of service or session hijacking.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2950-1 openssl - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
openssl
Multiple vulnerabilities have been discovered in OpenSSL.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2937-1 mod-wsgi - security update
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mod-wsgi
Two security issues have been found in the Python WSGI adapter module for Apache.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2952-1 kfreebsd-9 - security update
Debian GNU/kFreeBSD 7.0
kfreebsd-9
Several vulnerabilities have been discovered in the FreeBSD kernel that may lead to a denial of service or possibly disclosure of kernel memory.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2941-1 lxml - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
lxml
It was discovered that the clean_html() function of lxml (pythonic bindings for the libxml2 and libxslt libraries) performed insufficient sanitisation for some non-printable characters. This could lead to cross-site scripting.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2951-1 mupdf - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
mupdf
It was discovered that a buffer overflow in the MuPDF viewer might lead to the execution of arbitrary code.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2944-1 gnutls26 - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
gnutls26
Joonas Kuorilehto discovered that GNU TLS performed insufficient validation of session IDs during TLS/SSL handshakes. A malicious server could use this to execute arbitrary code or perform denial of service.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2939-1 chromium-browser - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
chromium-browser
Several vulnerabilities were discovered in the chromium web browser.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2969-1 libemail-address-perl - security update
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
libemail-address-perl
Bastian Blank reported a denial of service vulnerability in Email::Address, a Perl module for RFC 2822 address parsing and creation. Email::Address::parse used significant time on parsing empty quoted strings. A remote attacker able to supply specifically crafted input to an application using Email::Address for parsing could use this flaw to mount a denial of service attack against the application.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
DSA-2953-1 dpkg - security update
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
dpkg
Multiple vulnerabilities were discovered in dpkg that allow file modification through path traversal when unpacking source packages with specially crafted patch files.
Sergey Artykhov
DRAFT
INTERIM
ACCEPTED
ACCEPTED
Debian GNU/Linux is installed
Debian GNU/Linux
Debian GNU/Linux is installed
Maria Mikhno
DRAFT
INTERIM
ACCEPTED
ACCEPTED
Debian GNU/kFreeBSD is installed
Debian GNU/kFreeBSD
Debian GNU/kFreeBSD is installed
Maria Mikhno
DRAFT
INTERIM
ACCEPTED
ACCEPTED
Debian 7 is installed
Debian 7
Debian 7 (wheezy) is installed
Maria Kedovskaya
DRAFT
INTERIM
ACCEPTED
Sergey Artykhov
INTERIM
ACCEPTED
Sergey Artykhov
INTERIM
ACCEPTED
ACCEPTED
Debian 6.0 is installed
Debian 6.0
Debian 6.0 (squeeze) is installed
SecPod Team
DRAFT
INTERIM
Chandan S
ACCEPTED
Sergey Artykhov
INTERIM
ACCEPTED
ACCEPTED
prosody
libxvmc
mediawiki-extensions
openjpeg
denyhosts
davfs2
pyyaml
puppet
libyaml
c-icap
xorg-server
sox
bsd-mailx
ntp
graphviz
firebird2.5
lighttpd
heirloom-mailx
cpio
mime-support
libvncserver
tcpdump
subversion
libksba
mutt
getmail4
openjdk-7
unbound
openvpn
libyaml-libyaml-perl
dokuwiki
openjdk-6
flac
ppp
libxml-security-java
quassel
pdns-recursor
libgcrypt11
konversation
jasper
unzip
wget
libtasn1-3
mysql-5.5
rsyslog
exuberant-ctags
libvirt
qemu
libxml2
tryton-server
wpa
qemu-kvm
pidgin
curl
dbus
mantis
procmail
eglibc
bind9
python-imaging
bash
lua5.1
nss
php-cas
lua5.2
file
gpgme1.0
reportbug
xen
drupal7
acpi-support
nginx
wordpress
s3ql
squid3
wireshark
kde4libs
python-django
krb5
gnupg
gnupg2
mediawiki
cacti
lucene-solr
iceweasel
apt
tiff
samba
nspr
iodine
icedove
dovecot
typo3-src
libstruts1.2-java
python-gnupg
libgadu
php5
chkrootkit
linux
python-bottle
libav
torque
icinga
openssl
mod-wsgi
kfreebsd-9
lxml
mupdf
gnutls26
chromium-browser
libemail-address-perl
/etc
os-release
^NAME="(.*)"$
1
/etc
debian_version
^(\d).*$
1
/etc
debian_version
^(\d\.\d).*$
1
dpkg
0:1.0.1e-2+deb7u10
0:1.0.1e-2+deb7u5
0:1.2.0-5+deb7u1
0:0.8.2-4+deb7u1
0:5.11-2+deb7u2
0:5.04-5+squeeze4
0:0.1.3-1+deb6u2
0:0.1.4-2+deb7u2
0:3.6.1+dfsg-1~deb7u2
0:3.6.1+dfsg-1~deb6u2
2:1.0.7-1+deb7u2
2:1.0.5-1+squeeze2
1:1.19.14+dfsg-0+deb7u1
0:3.5~deb7u1-0
0:1.3+dfsg-4+squeeze2
0:1.3+dfsg-4.7
0:2.6-10+deb7u2
0:2.6-7+deb6u2
0:7.21.0-2.1+squeeze5
0:7.26.0-1+wheezy5
0:1.4.6-1.1+squeeze1
0:1.4.6-1.1+deb7u1
0:3.10-4+deb7u1
0:1.19-0
0:2.7.23-1~deb7u2
0:2.6.2-5+squeeze9
0:0.1.4-2+deb7u5
1:0.1.6-1.1+deb7u1
0:2.13-38+deb7u7
2:1.12.4-6+deb7u5
0:14.4.0-3+deb7u1
0:8.1.2-0.20111106cvs-1+deb7u1
1:4.2.6.p5+dfsg-2+deb7u1
0:2.26.3-14+deb7u2
0:2.5.2.26540.ds4-1~deb7u2
0:1.4.28-2+squeeze1.5
0:1.4.31-4+deb7u2
1:1.19.20+dfsg-0+deb7u2
0:12.5-2+deb7u1
0:2.11+dfsg-0.1+deb7u1
0:31.3.0esr-1~deb7u1
0:3.52-1+deb7u1
0:0.9.9+dfsg-1+deb7u1
0:4.3.0-1+deb7u1
0:7u65-2.5.1-2~deb7u1
0:1.6.17dfsg-4+deb7u7
0:3.2.63-2+deb7u2
0:1.2.0-2+deb7u1
0:1.5.21-6.2+deb7u3
0:4.46.0-1~deb7u1
0:7u71-2.5.3-2~deb7u1
0:7.14-2+deb7u8
0:1.4.17-3+deb7u2
0:2.2.1-8+deb7u3
0:0.140-5+deb7u1
0:31.3.0-1~deb7u1
0:1.8.2-5wheezy13
0:0.38-3+deb7u3
0:0.9.7.9+deb7u3-0
0:5.4.34-0+deb7u1
1:9.8.4.dfsg.P1-6+nmu2+deb7u3
0:0.0.20120125b-2+deb7u1
0:1.900.1-13+deb7u2
0:31.2.0-1~deb7u1
0:1.1.2+dfsg-6+deb7u6
0:6b33-1.13.5-2~deb7u1
0:1.2.1-6+deb7u1
0:1.6.8-1+deb7u5
0:1.1.2+dfsg-6a+deb7u5
0:31.2.0esr-2~deb7u1
0:2.4.5-5.1+deb7u1
0:5.4.4-14+deb7u13
0:1.4.5-1+deb7u1
0:9.0-10+deb70.8
0:3.6.1+dfsg-1~deb7u5
0:0.8.0-1+deb7u3
0:3.3-3+deb7u1
0:5.4.35-0+deb7u1
0:5.11-2+deb7u4
0:2.4.16+dfsg-1+deb7u4
0:1.5.0-5+deb7u2
0:1.1.2+dfsg-6a+deb7u6
0:5.11-2+deb7u6
0:1.4-1+deb7u1
2:3.14.5-1+deb7u3
0:1.900.1-13+deb7u1
0:3.2.63-2+deb7u1
0:6.0-8+deb7u1
0:1.13.4-3+deb7u2
0:7.26.0-1+wheezy11
0:1.1.2+dfsg-6+deb7u5
0:2.13-2+deb7u1
0:0.9.7.9+deb7u6-0
0:5.8.11-3+deb7u2
0:5.5.40-0+wheezy1
0:5.8.11-3+deb7u1
1:5.9~svn20110310-4+deb7u1
0:0.9.12.3-1+deb7u1
0:7.14-2+deb7u7
0:1.1.2+dfsg-6a+deb7u4
0:2.8.0+dfsg1-7+wheezy2
0:2.2.4-1+deb7u2
0:1.0-3+deb7u1
0:37.0.2062.120-1~deb7u1
1:1.19.19+dfsg-0+deb7u1
0:1.8.2-5wheezy12
0:1.1.2+dfsg-6+deb7u4
0:2.10.10-1~deb7u1
0:24.8.1-1~deb7u1
0:7.26.0-1+wheezy10
0:24.8.1esr-1~deb7u1
0:4.1.4-3+deb7u3
0:1.6.8-1+deb7u4
0:1.2.11-1.2+deb7u1
0:31.2.0esr-1~deb7u1
1:1.19.20+dfsg-0+deb7u1
0:1.4.12-7+deb7u6
0:0.8.8a+dfsg-5+deb7u4
0:3.22-20+deb7u1
0:5.4.4-14+deb7u13
0:2.13-38+deb7u4
0:4.2+dfsg-0.1+deb7u3
0:0.9.7.9+deb7u3-0
1:9.8.4.dfsg.P1-6+nmu2+deb7u2
0:1.1.7-4+deb7u1
0:24.8.0esr-1~deb7u1
0:4.2+dfsg-0.1+deb7u1
0:24.8.0-1~deb7u1
0:5.1.5-4+deb7u1
2:3.14.5-1+deb7u2
0:1.0.1e-2+deb7u13
0:1.3.1-4+deb7u1
0:5.2.1-3+deb7u1
6:0.8.15-1
0:5.11-2+deb7u4
0:1.2.0-1.4+deb7u1
0:6.4.4+deb7u1-0
0:4.1.4-3+deb7u2
0:7.14-2+deb7u6
0:1.0.1e-2+deb7u12
0:0.140-5+deb7u3
0:1.2.1-2.2+wheezy3
6:0.8.16-1
0:3.6.1+dfsg-1~deb7u4
0:1.11.1-3+deb7u1
0:3.1.20-2.2+deb7u2
1:1.19.18+dfsg-0+deb7u1
0:0.9.7.9+deb7u5-0
0:1.8.2-5wheezy11
4:4.8.4-4+deb7u1
0:1.4.5-1+deb7u8
0:1.10.1+dfsg-5+deb7u2
0:1.4.12-7+deb7u4
0:2.0.19-2+deb7u2
0:35.0.1916.153-1~deb7u1
1:1.19.16+dfsg-0+deb7u1
0:0.8.8a+dfsg-5+deb7u3
0:3.6.0+dfsg-1+deb7u1
0:24.6.0esr-1~deb7u1
0:0.9.7.9+deb7u2-0
0:4.0.2-6+deb7u3
2:3.6.6-6+deb7u4
2:4.9.2-1+deb7u2
0:5.4.4-14+deb7u11
0:0.6.0~rc1-12+deb7u1
0:24.6.0-1~deb7u1
1:2.1.7-7+deb7u1
0:4.5.19+dfsg1-5+wheezy3
0:1.2.9-5+deb7u1
0:1.2.9-4+deb6u1
0:0.3.6-1~deb7u1
1:1.11.2-1+deb7u2
0:5.4.4-14+deb7u10
0:0.49-4.1+deb7u2
0:3.2.57-3+deb7u2
0:0.10.11-1+deb7u1
6:0.8.12-1
0:2.4.8+dfsg-9squeeze4
0:2.4.16+dfsg-1+deb7u3
0:1.7.1-7
0:1.0.1e-2+deb7u10
0:3.3-4+deb7u1
0:3.3-2+deb6u1
0:9.0-10+deb70.7
0:2.3.2-1+deb7u1
0:0.9-2+deb7u2
0:2.12.20-8+deb7u2
0:35.0.1916.114-1~deb7u2
0:1.895-1+deb7u1
Debian GNU/Linux
Debian GNU/kFreeBSD
7
6.0
0:1.15.11-0
0:1.16.15-0