Hi folks,

So I recently downloaded and installed debsecan on several of my machines. These are all fully up-to-date machines, running either wheezy or jessie. For now I'll just focus on wheezy since it's where our security focus should go.

On this machine, it found 472 vulnerabilities. Quite a few of them fit into the remotely exploitable, high urgency category. Many date back to last year, some as far back as 2012. I've included a few examples at the end.

Now, it is possible with some of these that the security-tracker database ought to be updated to reflect that there is not a true vulnerability. However, many of them seem to be existing issues that just got forgotten somehow. I've traced a few through bug reports and such.

I wonder:

Are we already aware of these issues?
Do we have plans to fix them?
Do we know what would be helpful to fix them?

Thanks,

John

CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
  <http://security-tracker.debian.org/tracker/CVE-2013-1961>
  - libtiff4 (remotely exploitable, high urgency)

CVE-2014-1912 Buffer overflow in the socket.recvfrom_into function...
  <http://security-tracker.debian.org/tracker/CVE-2014-1912>
  - python2.6, python2.6-minimal (remotely exploitable, high urgency)

CVE-2014-9656 The tt_sbit_decoder_load_image function in...
  <http://security-tracker.debian.org/tracker/CVE-2014-9656>
  - libfreetype6 (remotely exploitable, high urgency)

CVE-2015-0231 Use-after-free vulnerability in the...
  <http://security-tracker.debian.org/tracker/CVE-2015-0231>
  - php5-cgi, php5-gd, php-pear, php5-curl, php5-common, php5-pspell, php5-mcrypt, php5-cli, php5, php5-ldap, php5-imap, php5-mysql, php5-intl (remotely exploitable, high urgency)

CVE-2015-1462 ClamAV before 0.98.6 allows remote attackers to have...
  <http://security-tracker.debian.org/tracker/CVE-2015-1462>
  - clamav, libclamav6, clamav-freshclam, clamav-base, clamav-daemon (remotely exploitable, high urgency)

CVE-2010-5312 Cross-site scripting (XSS) vulnerability in...
  <http://security-tracker.debian.org/tracker/CVE-2010-5312>
  - libjs-jquery-ui (remotely exploitable, medium urgency)

Archive: https://lists.debian.org/[email protected]
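The post lists its debsecan findings by hand; on a host with hundreds of entries a small triage script is what an administrator actually wants, so that the remotely exploitable, high urgency, oldest items surface first and the per-package tally shows where one upload would close the most issues. The following is an added example, not code from the post or from the debsecan project. It assumes the three-line-per-finding layout seen in the post (a `CVE-ID description` line, an indented `<tracker URL>` line, and an indented `- pkg, pkg (flags)` line); the sample input is constructed from the CVEs quoted above, and the CVE year is used only as a rough proxy for the age of a finding.

```python
"""Triage debsecan-style output: parse, rank, and tally findings per package."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the layout shown in the post (assumed, not debsecan's spec).
SAMPLE = """CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
  <http://security-tracker.debian.org/tracker/CVE-2013-1961>
  - libtiff4 (remotely exploitable, high urgency)
CVE-2014-1912 Buffer overflow in the socket.recvfrom_into function...
  <http://security-tracker.debian.org/tracker/CVE-2014-1912>
  - python2.6, python2.6-minimal (remotely exploitable, high urgency)
CVE-2010-5312 Cross-site scripting (XSS) vulnerability in...
  <http://security-tracker.debian.org/tracker/CVE-2010-5312>
  - libjs-jquery-ui (remotely exploitable, medium urgency)
CVE-2015-0231 Use-after-free vulnerability in the...
  <http://security-tracker.debian.org/tracker/CVE-2015-0231>
  - php5-cgi, php5-gd, php5-common (remotely exploitable, high urgency)
"""

CVE_LINE = re.compile(r"^(CVE-(\d{4})-\d{4,})\s+(.*)$")      # unindented: starts a finding
URL_LINE = re.compile(r"^\s*<(\S+)>\s*$")                     # indented tracker link
PKG_LINE = re.compile(r"^\s*-\s+(.*?)(?:\s+\(([^)]*)\))?\s*$")  # "- pkgs (flag, flag)"


@dataclass
class Finding:
    cve: str
    year: int            # year from the CVE id, a proxy for how long this has been open
    description: str
    url: str = ""
    packages: list = field(default_factory=list)
    flags: set = field(default_factory=set)

    @property
    def remote(self) -> bool:
        return "remotely exploitable" in self.flags

    @property
    def urgency(self) -> str:
        # debsecan phrases this as "<level> urgency"; keep only the level word
        for flag in self.flags:
            if flag.endswith("urgency"):
                return flag.split()[0]
        return "unknown"


def parse_debsecan(text: str) -> list:
    """Group the flat text into Finding records, one per CVE line."""
    findings, cur = [], None
    for line in text.splitlines():
        m = CVE_LINE.match(line)
        if m:
            cur = Finding(cve=m.group(1), year=int(m.group(2)), description=m.group(3))
            findings.append(cur)
            continue
        if cur is None:
            continue  # stray line before the first finding
        m = URL_LINE.match(line)
        if m:
            cur.url = m.group(1)
            continue
        m = PKG_LINE.match(line)
        if m:
            cur.packages.extend(p.strip() for p in m.group(1).split(","))
            if m.group(2):
                cur.flags.update(f.strip() for f in m.group(2).split(","))
    return findings


URGENCY_RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def triage(findings: list, max_year: int = None) -> list:
    """Worst first: remote before local, high before low urgency, oldest first.
    max_year keeps only findings whose CVE year is at or before that year."""
    selected = [f for f in findings if max_year is None or f.year <= max_year]
    return sorted(selected, key=lambda f: (not f.remote, URGENCY_RANK.get(f.urgency, 3), f.year))


def by_package(findings: list) -> Counter:
    """How many open findings each binary package carries."""
    tally = Counter()
    for f in findings:
        tally.update(f.packages)
    return tally


if __name__ == "__main__":
    found = parse_debsecan(SAMPLE)
    for f in triage(found):
        print(f"{f.cve}  {f.urgency:6} {'remote' if f.remote else 'local ':6} {', '.join(f.packages)}")
    print(by_package(found).most_common(3))
```

In practice the input would be `debsecan --format detail` output captured to a file (and, for the post's question about forgotten issues, filtered with `max_year` to show only the old ones); the regexes are deliberately lenient about indentation so that copy-pasted mail text parses as well as raw tool output.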

