Page contents
Debian security RSS feed
This is the RSS feed imported from the following address: http://www.debian.org/security/dsa-long.nl.rdf
DSA-2474 ikiwiki - cross-site scripting
Raúl Benencia discovered that ikiwiki, a wiki compiler, does not properly escape the author (and its URL) of certain metadata, such as comments. This might be used to conduct cross-site scripting attacks.
16 May 2012
DSA-2473 openoffice.org - buffer overflow
Tielei Wang discovered that OpenOffice.org does not allocate a large enough memory region when processing a specially crafted JPEG object, leading to a heap-based buffer overflow and potentially arbitrary code execution.
16 May 2012
DSA-2472 gridengine - privilege escalation
Dave Love discovered that users who are allowed to submit jobs to a Grid Engine installation can escalate their privileges to root because the environment is not properly sanitized before creating processes.
15 May 2012
DSA-2471 ffmpeg - several vulnerabilities
Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. Multiple input validation issues in the decoders/demuxers for Westwood Studios VQA, Apple MJPEG-B, Theora, Matroska, Vorbis, Sony ATRAC3, DV and NSV files could lead to the execution of arbitrary code.
13 May 2012
DSA-2458 iceape - several vulnerabilities
Several vulnerabilities have been found in the Iceape internet suite, an unbranded version of Seamonkey:
13 May 2012
DSA-2457 iceweasel - several vulnerabilities
Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian.
13 May 2012
DSA-2470 wordpress - several vulnerabilities
Several vulnerabilities were identified in WordPress, a web blogging tool. As the CVEs were allocated from release announcements and specific fixes are usually not identified, it has been decided to upgrade the wordpress package to the latest upstream version instead of backporting the patches.
11 May 2012
DSA-2469 linux-2.6 - privilege escalation/denial of service
Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:
10 May 2012
DSA-2468 libjakarta-poi-java - unbounded memory allocation
It was discovered that Apache POI, a Java implementation of the Microsoft Office file formats, would allocate arbitrary amounts of memory when processing crafted documents. This could impact the stability of the Java virtual machine.
9 May 2012
DSA-2467 mahara - insecure defaults
It was discovered that Mahara, the portfolio, weblog, and resume builder, had an insecure default with regard to SAML-based authentication used with more than one SAML identity provider. Someone with control over one IdP could impersonate users from other IdPs.
9 May 2012
DSA-2466 rails - cross site scripting
Sergey Nartimov discovered that in Rails, a Ruby based framework for web development, when developers generate HTML option tags manually, user input concatenated with manually built tags may not be escaped, and an attacker can inject arbitrary HTML into the document.
9 May 2012
DSA-2465 php5 - several vulnerabilities
De Eindbazen discovered that PHP, when run with mod_cgi, will interpret a query string as command line parameters, allowing arbitrary code to be executed.
9 May 2012
DSA-2422 file - missing bounds checks
The file type identification tool, file, and its associated library, libmagic, do not properly process malformed files in the Composite Document File (CDF) format, leading to crashes.
9 May 2012
DSA-2464 icedove - several vulnerabilities
Several vulnerabilities have been discovered in Icedove, an unbranded version of the Thunderbird mail/news client.
8 May 2012
DSA-2459 quagga - several vulnerabilities
Several vulnerabilities have been discovered in Quagga, a routing daemon.
4 May 2012
DSA-2462 imagemagick - several vulnerabilities
Several integer overflows and missing input validations were discovered in the ImageMagick image manipulation suite, resulting in the execution of arbitrary code or denial of service.
3 May 2012
DSA-2463 samba - missing permission checks
Ivano Cristofolini discovered that insufficient security checks in Samba's handling of LSA RPC calls could lead to privilege escalation by gaining the "take ownership" privilege.
2 May 2012
DSA-2461 spip - several vulnerabilities
Several vulnerabilities have been found in SPIP, a website engine for publishing, resulting in cross-site scripting, script code injection and bypass of restrictions.
26 April 2012
DSA-2460 asterisk - several vulnerabilities
Several vulnerabilities were discovered in the Asterisk PBX and telephony toolkit:
25 April 2012
DSA-2454 openssl - multiple vulnerabilities
Multiple vulnerabilities have been found in OpenSSL. The Common Vulnerabilities and Exposures project identifies the following issues:
24 April 2012
DSA-2456 dropbear - use after free
Danny Fullerton discovered a use-after-free in the Dropbear SSH daemon, resulting in potential execution of arbitrary code. Exploitation is limited to users who have been authenticated through public key authentication and for whom command restrictions are in place.
23 April 2012
DSA-2455 typo3-src - missing input sanitization
Helmut Hummel of the TYPO3 security team discovered that TYPO3, a web content management system, is not properly sanitizing output of the exception handler. This allows an attacker to conduct cross-site scripting attacks if either third-party extensions are installed that do not sanitize this output on their own or in the presence of extensions using the extbase MVC framework which accept objects to controller actions.
20 April 2012