Debian Security

DSA-2404 xen-qemu-dm-4.0 - buffer overflow

2012-02-05

Nicolae Mogoraenu discovered a heap overflow in the emulated e1000e network interface card of QEMU, which is used in the xen-qemu-dm-4.0 packages. This vulnerability might enable to malicious guest systems to crash the host system or escalate their privileges.

DSA-2384 cacti - several vulnerabilities

2012-02-04

Several vulnerabilities have been discovered in Cacti, a graphing tool for monitoring data. Multiple cross site scripting issues allow remote attackers to inject arbitrary web script or HTML. An SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands.

DSA-2403 php5 - code injection

2012-02-02

Stefan Esser discovered that the implementation of the max_input_vars configuration variable in a recent PHP security update was flawed such that it allows remote attackers to crash PHP or potentially execute code.

DSA-2402 iceape - several vulnerabilities

2012-02-02

Several vulnerabilities have been found in the Iceape internet suite, an unbranded version of Seamonkey:

DSA-2401 tomcat6 - several vulnerabilities

2012-02-02

Several vulnerabilities have been found in Tomcat, a servlet and JSP engine:

DSA-2400 iceweasel - several vulnerabilities

2012-02-02

Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian.

DSA-2399 php5 - several vulnerabilities

2012-01-31

Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues:

DSA-2398 curl - several vulnerabilities

2012-01-30

Several vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems:

DSA-2397 icu - buffer underflow

2012-01-29

It was discovered that a buffer overflow in the Unicode library ICU could lead to the execution of arbitrary code.

DSA-2396 qemu-kvm - buffer underflow

2012-01-27

Nicolae Mogoraenu discovered a heap overflow in the emulated e1000e network interface card of KVM, a solution for full virtualization on x86 hardware, which could result in denial of service or privilege escalation.

DSA-2395 wireshark - buffer underflow

2012-01-27

Laurent Butti discovered a buffer underflow in the LANalyzer dissector of the Wireshark network traffic analyzer, which could lead to the execution of arbitrary code (CVE-2012-0068).

DSA-2394 libxml2 - several vulnerabilities

2012-01-27

Many security problems have been fixed in libxml2, a popular library to handle XML data files.

DSA-2393 bip - buffer overflow

2012-01-25

Julien Tinnes reported a buffer overflow in the Bip multiuser IRC proxy which may allow arbitrary code execution by remote users.

DSA-2392 openssl - out-of-bounds read

2012-01-23

Antonio Martin discovered a denial-of-service vulnerability in OpenSSL, an implementation of TLS and related protocols. A malicious client can cause the DTLS server implementation to crash. Regular, TCP-based TLS is not affected by this issue.

DSA-2301 rails - several vulnerabilities

2012-01-23

Several vulnerabilities have been discovered in Rails, the Ruby web application framework. The Common Vulnerabilities and Exposures project identifies the following problems:

DSA-2391 phpmyadmin - several vulnerabilities

2012-01-22

Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

DSA-2390 openssl - several vulnerabilities

2012-01-15

Several vulnerabilities were discovered in OpenSSL, an implementation of TLS and related protocols. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

DSA-2389 linux-2.6 - privilege escalation/denial of service/information leak

2012-01-15

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:

DSA-2388 t1lib - several vulnerabilities

2012-01-14

Several vulnerabilities were discovered in t1lib, a Postscript Type 1 font rasterizer library, some of which might lead to code execution through the opening of files embedding bad fonts.

DSA-2387 simplesamlphp - insufficient input sanitation

2012-01-11

timtai1 discovered that simpleSAMLphp, an authentication and federation platform, is vulnerable to a cross site scripting attack, allowing a remote attacker to access sensitive client data.

DSA-2386 openttd - several vulnerabilities

2012-01-10

Several vulnerabilities have been discovered in OpenTTD, a transport business simulation game. Multiple buffer overflows and off-by-one errors allow remote attackers to cause denial of service.

DSA-2385 pdns - packet loop

2012-01-10

Ray Morris discovered that the PowerDNS authoritative server responds to response packets. An attacker who can spoof the source address of IP packets can cause an endless packet loop between a PowerDNS authoritative server and another DNS server, leading to a denial of service.

DSA-2383 super - buffer overflow

2012-01-08

Robert Luberda discovered a buffer overflow in the syslog logging code of Super, a tool to execute scripts (or other commands) as if they were root. The default Debian configuration is not affected.

DSA-2382 ecryptfs-utils - multiple vulnerabilities

2012-01-07

Several problems have been discovered in eCryptfs, a cryptographic filesystem for Linux.

DSA-2381 squid3 - invalid memory deallocation

2012-01-06

It was discovered that the IPv6 support code in Squid does not properly handle certain DNS responses, resulting in deallocation of an invalid pointer and a daemon crash.