[Full-disclosure] [SECURITY] [DSA 2880-1] python2.7 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2880-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 17, 2014                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python2.7
CVE ID         : CVE-2013-4238 CVE-2014-1912

Multiple security issues were discovered in Python:

CVE-2013-4238

    Ryan Sleevi discovered that NULL characters in the subject alternate
    names of SSL certificates were parsed incorrectly.

CVE-2014-1912

    Ryan Smith-Roberts discovered a buffer overflow in the
    socket.recvfrom_into() function.

For the stable distribution (wheezy), these problems have been fixed in
version 2.7.3-6+deb7u2.

For the unstable distribution (sid), these problems have been fixed in
version 2.7.6-7.

We recommend that you upgrade your python2.7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTJzmwAAoJEBDCk7bDfE42f1oQAIibzpSPb7x6o+NV/eKmrvbC
evP9W3zuj5y1UJkQKr7OMkzJk9dO9Y9HLKvOop25fK8btnTPL1Hml42WSmZyhMiF
0NnU8jPGIVqVhIbK9ngdTqIZ2UNtJr5FUkpd69k//bYBX69WpWxtIgVdR2327RsO
GC6yZfitIzSDAvTNKXn0K0EpAOAydQDn4M8TZA1J9+kDew1DbWKS5xl69CWxSgjk
FLI2WY1amwATZ9yj5qEV+Q2jhTSATyVXTW6ZwOyIjC9KmPaT7a3fZrQlSZeyjbeD
jUnoShPvr9KjxSo9ZSfk5HFjQXDytmqUBCcyBc33ESiRX/O52UBjNPCDY9C65XER
Z8eoVIFONa/sYxFnAnGLXyKPS3tL+PiE0W++aflPoyzueH184UvNUbyZtcOtn5b/
T7oAhbXIwJFrw7tQh8GP+woKaCmR1kpekE0i5qllGT2O0440wK6m0xJZoySwlLXs
EK6EYEbcTznWkQiDCLWbSXFP5YMJpHGV6hL78gkkKaIzvWxsTyteHOSYfMUl4AzP
b6WC5uGG469t5ASCS/8mMde/DtRIpDLhqicPXTQRP5/AyIyx5ddCrvtXmsdPYB5Z
a2QSpmxup9P4F3D+eT5N5tUf95WmBVtMOXkiHrlQzWvOOr+1vYKtt0+psLf3YFoN
RmYnAuiSJVQnuJuVsS6a
=sf1t
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
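The subjectAltName issue above (CVE-2013-4238), as an added Python example that is not part of the advisory or of Python's ssl module: a SAN extractor that refuses any DNS name containing a NUL byte, with a small hostname matcher built on top of it. The classic shape of this bug class is that a name such as "good.example\x00evil.example" is truncated at the NUL by C string handling and then compared as "good.example". The certificate dictionaries are constructed sample data in the shape returned by ssl.SSLSocket.getpeercert(); the function and exception names are this example's own.

```python
"""Added example (not the advisory's or Python's code): treat a NUL byte
inside a subjectAltName DNS entry as a hard validation failure instead of
letting the name be silently truncated at the NUL.

Certificates are given as dicts in the shape of ssl.getpeercert(); they
are constructed sample data, not real certificates, and no network is used.
"""


class InvalidSubjectAltName(ValueError):
    """Raised when a SAN entry is malformed (here: contains a NUL byte)."""


def dns_names(cert):
    """Return the lower-cased DNS subjectAltName entries of a cert dict.

    Raises InvalidSubjectAltName if any DNS entry contains '\\x00'. A NUL
    byte can never legitimately appear in a DNS name, so rejecting the
    whole entry is safer than truncating or comparing it.
    """
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        if "\x00" in value:
            raise InvalidSubjectAltName("NUL byte in subjectAltName %r" % value)
        names.append(value.lower())
    return names


def _label_matches(pattern, hostname):
    """Simplified RFC 6125 matching: exact match, or a single leftmost
    wildcard label ("*.example.org") that matches exactly one label."""
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".example.org"
        if hostname.endswith(suffix):
            prefix = hostname[:-len(suffix)]
            return prefix != "" and "." not in prefix
    return False


def hostname_matches(cert, hostname):
    """True if hostname is covered by a valid DNS SAN entry in cert.

    A certificate carrying a NUL-containing SAN never matches: the
    validation error is mapped to False here so a TLS client using this
    helper fails closed.
    """
    hostname = hostname.lower()
    try:
        names = dns_names(cert)
    except InvalidSubjectAltName:
        return False
    return any(_label_matches(p, hostname) for p in names)


# Constructed sample certificates (getpeercert() shape, not real certs).
GOOD_CERT = {
    "subject": ((("commonName", "good.example"),),),
    "subjectAltName": (("DNS", "good.example"), ("DNS", "*.good.example")),
}

# A SAN whose text before the NUL byte looks like a name the client trusts.
NUL_CERT = {
    "subject": ((("commonName", "evil.example"),),),
    "subjectAltName": (("DNS", "good.example\x00evil.example"),),
}

if __name__ == "__main__":
    print(hostname_matches(GOOD_CERT, "good.example"))       # True
    print(hostname_matches(GOOD_CERT, "www.good.example"))   # True
    print(hostname_matches(GOOD_CERT, "a.b.good.example"))   # False
    print(hostname_matches(NUL_CERT, "good.example"))        # False
```

The point of the design is that the check happens on the full-length Python string before any comparison, so the length of the value, not the position of the first NUL, decides what is compared.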
[Full-disclosure] [SECURITY] [DSA 2878-1] virtualbox security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2878-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 13, 2014                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : virtualbox
CVE ID         : CVE-2013-5892 CVE-2014-0404 CVE-2014-0406 CVE-2014-0407
Debian Bug     : 735410

Matthew Daley discovered multiple vulnerabilities in VirtualBox, an x86
virtualisation solution, resulting in denial of service, privilege
escalation and an information leak.

For the oldstable distribution (squeeze), these problems have been fixed in
version 3.2.10-dfsg-1+squeeze2 of the virtualbox-ose source package.

For the stable distribution (wheezy), these problems have been fixed in
version 4.1.18-dfsg-2+deb7u2.

For the testing distribution (jessie), these problems have been fixed in
version 4.3.6-dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.3.6-dfsg-1.

We recommend that you upgrade your virtualbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTIcvtAAoJEBDCk7bDfE42e/kQAIL6all431PYZuXa4JK5MctA
cQfqs5Zh+Q8FaEl3s0mrly4qAiV26m1/9irSL1jcW8TgWe5CpQFoEqUFLqDTDwEO
KDVo0JzKJNp+3egopoGZ4jsSu1qu716fj7BKLrpQZflGrXNnKeOU4S3ssz1IjluQ
N+goKvrbFZyHTY/vYPhVHoIQxDN7ZaK1G2KWzVgJV2iS4a8IY+jMdGEc5/ICVnfq
La0/EokIZ3JskCwV50SEaVV4XI7a4GkpjLX9+RwfEkZ6OXaZ8NrLAQtuBRCD4RyP
LhFqtVORBTpXy4hS9VCWjjjr0jJV3wx2nNmRPE5a7Nnrj1YYEoMcDqc/nL4mH721
0Fwe64L/T1FVmiijXszX4sqKA6OvDiP++uPfWWpMg6F24gmC29YkrHmX8ktI/5I1
87XeeFDHdn9xuSCMRddl0Oztw+0iDR6+UXtgTz896k331p5FYE05W4S/U0vDGSHV
BSE//pgJJgHjboGAZpvhNS3qPKb/AGxAxfqxJjiAqMrgObddqd6pZpRDWPOG1HOh
bVVffFHbjbVwkcPKIZey3PSbhv9v+pBUx/4Wq/3FgVIr+X3PGwSMm7FLP49m+nbi
vT/rF9FCDgxJELKfelygrzYavi52O80XU4xOdhDCpwRRTxy72Jh3GwwG/dgAtj68
joj53dPlRUpBp+TNpie1
=y9Jn
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2874-1] mutt security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2874-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 12, 2014                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mutt
CVE ID         : CVE-2014-0467
Debian Bug     : 708731

Beatrice Torracca and Evgeni Golov discovered a buffer overflow in the
mutt mailreader. Malformed RFC2047 header lines could result in denial
of service or potentially the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.5.20-9+squeeze3.

For the stable distribution (wheezy), this problem has been fixed in
version 1.5.21-6.2+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 1.5.22-2.

We recommend that you upgrade your mutt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTIIBQAAoJEBDCk7bDfE42lGQP+wXTo5lcib+GNUh4hkE4FMi7
BpB/RhIx5EfS8f3vUvGxQInn+usA61H17sBKLaMkpgT+4jksNbLo8n6IIt3uDik9
GyVE8tEsPXEJQ/qqurVBU7qEbrFbi1azRv0yQVcWdFA5K+1kFVzkejOFFKOxFxXI
U7Wuix91hx+36dQm2gjY6/WjZtQ/ccyjAzxCeE2DX2SJGNLnmAPSaxuotUN+UWCn
5Ybin/arUglttiMXhfv12vHoibSKghShWE6r16NyoQRRcKePv8o6OnLKEyu8Vh8L
oBd3MghG891kP9n3aFnj2lCAjwExx0d4AzL5CGmiAg1UoJUPGQRB6omR9+pOYpCB
xsu3+zooh2/rq4M3cKg9e9FM5hyKF4JpwrQKOT55SXnnjviN7oFgi6mdSPPZGn4S
uMcXA1mMRzJ1IdSlDskQ+w12sLrrP61C90ecsRJ9hDyI9Zjj5LPXlLUk0P6HeAvY
hItFG9DqPVaSTbFTn2MyGeY455PCNstVciejaJDuI2pB1GEFcwtzXt6jQHYtd1Mb
v2/PNaqjGiVcz6g58RdPiIUIrV71X+YEHiU8tjxvd8/tUGNmDriOKefcH+T4Ey6k
51BgyXH6gRbiow6XD45fcKEkxeewiV4YLnlSZn2McaGwGFplttQPTTRdUns3fbqx
IkrdpnS3ekH3bMpFijcg
=bmJF
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2875-1] cups-filters security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2875-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 12, 2014                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : cups-filters
CVE ID         : CVE-2013-6474 CVE-2013-6475 CVE-2013-6476

Florian Weimer of the Red Hat Product Security Team discovered multiple
vulnerabilities in the pdftoopvp CUPS filter, which could result in the
execution of arbitrary code if a malformed PDF file is processed.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.18-2.1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.47-1.

We recommend that you upgrade your cups-filters packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTIIBvAAoJEBDCk7bDfE42beMQAIFlzlbPj6Zh5RIc48TWHcyj
tKJIrrqJSRU2IT9DkO39GFJwM8kOkBQw8nBp6WAPPx5NQMn2KISGH/VYYVeAWSMq
thtLUJnB1KgRXjSZBZylTJx7JkdOhICNQhn50mPwHCpk3zExii+c7rvRJdOEia8B
6lfin2YVNzN07R7Q4WhQvyUDL34hWe5mAw6rMfT6zJV3IugE8mkCCr0+JXBH+3FO
XywheotTVtJWaT8VCbAZ0Lu8er7WjQJ5LQ3YBNww8uGazBH5ZHRAnZG/A9VlVzpz
6+/7f1ZOmNGELcmHhdT66e0xWuNeV5ae8+7mwWF/ql/72W0h0+gsH9z8ge70vDKp
1JPPnplSAT3C8a9LaPtVfLctG7Hd2v6cxVFANPRrHvtAY+Ydwuj2T9uZc9TTHc4d
eMFPGRSEbrhsEOZUheJwH7OMPZUeTZyhfcYenXzRkEzf70nmvQYco+4ukJGaHct6
DEDZyxfk4klkYTL89CWQLltdlz7hffMNiIalHRVe4RqcwnhRILqy5rQEUV1m3As2
llWhBlKy0yKMRqY9bLIXOGFzze3Pz05bSpVVpvW70XcO+ZlJJFetHFio8ydZJIDQ
y56F7SdAH9a90w1IDhPi5pX0RCuezgkN2olzxkXU51Fvlvw0ynv9ex+phyt4CpUS
M7aRe7tjtV1C9m7musJw
=wuXA
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2876-1] cups security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2876-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 12, 2014                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : cups
CVE ID         : CVE-2013-6474 CVE-2013-6475 CVE-2013-6476

Florian Weimer of the Red Hat Product Security Team discovered multiple
vulnerabilities in the pdftoopvp CUPS filter, which could result in the
execution of arbitrary code if a malformed PDF file is processed.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.4.4-7+squeeze4.

For the stable distribution (wheezy) and the unstable distribution (sid)
the filter is now part of the cups-filters source package.

We recommend that you upgrade your cups packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTIICHAAoJEBDCk7bDfE42ykQP/33q8OPEizgpQ++PXq6RvnLK
hVXyN9T6xUuVFw3VVAsyWTigK86BnnXAww1cDpIH157iGw7vC7ih2t+KOPndBH3K
eUE6wUpq+KYV/3iw74hMHjCQk+Nc8Al0njMofht8J5Qtw3+w0QPV0naKDqZc5yAm
6H2SFNnOgS6APqNvPwgPSrk3OiJFMmCybjNeDuf3/h83I2DDA5LVhzSdQOCnQ8TM
oZNYgmVS6//sAejoJkXQHXC1VvNKJmFUmH0G06DeB0j4/rJxj0p+/GrjCLhhW1ym
i313NzJaus0oQaGIAQmyvtF4pcCjiBdo+Ea8XG2LAl9drW35YAPabzQQVGxc2mBp
O2LI7bWFYKuB18ZvQDe4c6pjHuloAZ5agcht1qjWu9YwNOUo/6nw4Dgi4mGpv6F7
URO3+S49yLscu4Lxs7/uitou8EIKaRdNR3bHPwNmw/YJoz29BNQs2BDdtjPq05/i
53RD+4IIiuj8cadA9V1CFml5A8PaYlyO+XD6vFEIP+uiDKWGdOYSB5Hszo8bNCJq
hFgcsTENel8u2nwbhehER3XYhn+aTn4IwXI7zjzZ3/fas8Aou34McZ2sEiwB0wDq
1985auB9bJP0PaMuFjBlaeonb2svYZCBk4qWuBVaEgtqKrUYFeFY3+HblaXvHat0
Rlk83y2bQfqtFfDURTji
=FIwh
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2871-1] wireshark security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2871-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 10, 2014                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2014-2281 CVE-2014-2283 CVE-2014-2299

Multiple vulnerabilities were discovered in Wireshark:

CVE-2014-2281

    Moshe Kaplan discovered that the NFS dissector could be crashed,
    resulting in denial of service.

CVE-2014-2283

    It was discovered that the RLC dissector could be crashed, resulting
    in denial of service.

CVE-2014-2299

    Wesley Neelen discovered a buffer overflow in the MPEG file parser,
    which could lead to the execution of arbitrary code.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.2.11-6+squeeze14.

For the stable distribution (wheezy), these problems have been fixed in
version 1.8.2-5wheezy10.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.6-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTHdDvAAoJEBDCk7bDfE42/QkP/2eQjKXDl6z651I+OciMif8X
PJbZ50T6linCsT7BqWaBv6GCxlSsU60+Yh7nHVfCJ0JY5NjWp0fOyLu3a7yD9SH/
7UEgJB0OVWSE54wIUO0Boi0qRth4l6+f/t4y/1gjwGGadv7cjhJRzhm6blMyUj61
XPqI/Sswm1ux/BVteLc2ffpsGNL4XcCNUH92is68r3R+YcrXoqFewVwI7/BRusNb
sq0Au+gkL3LD/owxf4yHWB/DSYHauVnto3zGqcdErAREFk6jA+OZgqjKrrmsrQa+
Jc3EFSWwJ71T1ko45Td8rz2AHRmipXpLrhL+1cPCmIkKUnVQMDNsz5JMWmJUzGmC
sJdNPdKrI6vTA2J03rW/dyl0fo9hSzJSkzxziDY0yrOX/GIiSRRb6ZS6CsOYDSNc
UCmX/UCrrW0rpG5HI3XdUnOWqTWfy1YuWpbLb2Wll0mtF79n7jbzBZJscF+B+p7o
XMCEdddAIGJQR8yU01MWkE8FmNxdOihn9CajS9xHqxT0rM8d1kJFzzaROOY9bkbF
T10/mJ3IdXVVKNfQENXxsRpFAd/tUl2Q52Rc9GMmV4aNT+KQbK33JCMFPBgSQQ5k
zDnAMlnTSMzvd4QkM/1wceAL8KqdDRwCdrYxDpuEDHz9ixXWqeUF5KEIUVmBpFO3
5VZ8C8h5dSBQ3FififjZ
=HE9d
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2872-1] udisks security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2872-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 10, 2014                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : udisks
CVE ID         : CVE-2014-0004

Florian Weimer discovered a buffer overflow in udisks's mount path
parsing code which may result in privilege escalation.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.0.1+git20100614-3squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1.0.4-7wheezy1.

For the unstable distribution (sid), this problem has been fixed in
version 1.0.5-1.

We recommend that you upgrade your udisks packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTHdGQAAoJEBDCk7bDfE42m3IP/1Pyh4so7zS2D0cnwmNGWgWS
yt926+ocgJAL9IPpxbUP2P0ZLOqRE048DwlUXnobnpUxoD855KPcP2ki1Fn/EHZ+
8OYhnfJYTl6NR86VcbKhpzvpYTHJGVSrelm34qKBem8pnTBOe1K+MAcFqsattUht
E1BLQ/VkC6NHCsh0pw0o0wEANaA4qk4KW4gjSg9qoNQXSMkjyj7oJf0BbVRdpVku
mG8b4qzb+RhVtZrA2OkE0JpJxdbkFaM/vH3tFD4a1Mo7j4BE+0PtLvlj/2Klx5BV
xSQKRHnED9DPwhREzwFUW9PnSEHY+s1CE44Z9F3FGWW80I4RQUKcepYsbT2kPuZM
M83SXnajTfyQaLl/JtH9T6j13ksm2yy38ooYuC/IAUkKY7e7JDv9sCp/dddijhwo
23DUmwRkPqLbzmi1qvkyUuJmX97Np3q3477Ou/uJ/20r6bmO3nQR2D9C5rub/Zg0
3lzdbrMc6XWnFT/zq2YQV/pUeDhJD/pQHW+EFsHOPIAxixjk5tHbNBNUuLvSZzQh
GR4qSWqCrRgj3W0ivgnYuNmQ8OIM0qJhW9FuygwLR8w7P1sZZhc4ZxURRpaOalen
Wrm4pu2w0HsdUxAJab7SzJnuL8s3N+Yy+ZzXupyR5/JLYBlTrxAC6rwbdbdv0fZu
yVnpDVF6hgVh1B3aEQhV
=xZKX
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2864-1] postgresql-8.4 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2864-1                   secur...@debian.org
http://www.debian.org/security/                             Christoph Berg
February 20, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-8.4
Vulnerability  : several
CVE ID         : CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063
                 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067

Various vulnerabilities were discovered in PostgreSQL:

* Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

  Granting a role without ADMIN OPTION is supposed to prevent the grantee
  from adding or removing members from the granted role, but this
  restriction was easily bypassed by doing SET ROLE first. The security
  impact is mostly that a role member can revoke the access of others,
  contrary to the wishes of his grantor. Unapproved role member additions
  are a lesser concern, since an uncooperative role member could provide
  most of his rights to others anyway by creating views or SECURITY
  DEFINER functions. (CVE-2014-0060)

* Prevent privilege escalation via manual calls to PL validator functions
  (Andres Freund)

  The primary role of PL validator functions is to be called implicitly
  during CREATE FUNCTION, but they are also normal SQL functions that a
  user can call explicitly. Calling a validator on a function actually
  written in some other language was not checked for and could be
  exploited for privilege-escalation purposes. The fix involves adding a
  call to a privilege-checking function in each validator function.
  Non-core procedural languages will also need to make this change to
  their own validator functions, if any. (CVE-2014-0061)

* Avoid multiple name lookups during table and index DDL (Robert Haas,
  Andres Freund)

  If the name lookups come to different conclusions due to concurrent
  activity, we might perform some parts of the DDL on a different table
  than other parts. At least in the case of CREATE INDEX, this can be used
  to cause the permissions checks to be performed against a different
  table than the index creation, allowing for a privilege escalation
  attack. (CVE-2014-0062)

* Prevent buffer overrun with long datetime strings (Noah Misch)

  The MAXDATELEN constant was too small for the longest possible value of
  type interval, allowing a buffer overrun in interval_out(). Although the
  datetime input functions were more careful about avoiding buffer
  overrun, the limit was short enough to cause them to reject some valid
  inputs, such as input containing a very long timezone name. The ecpg
  library contained these vulnerabilities along with some of its own.
  (CVE-2014-0063)

* Prevent buffer overrun due to integer overflow in size calculations
  (Noah Misch, Heikki Linnakangas)

  Several functions, mostly type input functions, calculated an
  allocation size without checking for overflow. If overflow did occur, a
  too-small buffer would be allocated and then written past.
  (CVE-2014-0064)

* Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

  Use strlcpy() and related functions to provide a clear guarantee that
  fixed-size buffers are not overrun. Unlike the preceding items, it is
  unclear whether these cases really represent live issues, since in most
  cases there appear to be previous constraints on the size of the input
  string. Nonetheless it seems prudent to silence all Coverity warnings
  of this type. (CVE-2014-0065)

* Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

  There are relatively few scenarios in which crypt() could return NULL,
  but contrib/chkpass would crash if it did. One practical case in which
  this could be an issue is if libc is configured to refuse to execute
  unapproved hashing algorithms (e.g., FIPS mode). (CVE-2014-0066)

* Document risks of make check in the regression testing instructions
  (Noah Misch, Tom Lane)

  Since the temporary server started by make check uses trust
  authentication, another user on the same machine could connect to it as
  database superuser, and then potentially exploit the privileges of the
  operating-system user who started the tests. A future release will
  probably incorporate changes in the testing procedure to prevent this
  risk, but some public discussion is needed first. So for the moment,
  just warn people against using make check when there are untrusted
  users on the same machine. (CVE-2014-0067)

For the oldstable distribution (squeeze), these problems have been fixed in
version 8.4.20-0squeeze1.

For the unstable distribution (sid), these problems have been fixed in
version 9.3.3-1 of the postgresql-9.3 package.

We recommend that
[Full-disclosure] [SECURITY] [DSA 2865-1] postgresql-9.1 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2865-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 20, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-9.1
Vulnerability  : several
CVE ID         : CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063
                 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067

Various vulnerabilities were discovered in PostgreSQL:

* Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

  Granting a role without ADMIN OPTION is supposed to prevent the grantee
  from adding or removing members from the granted role, but this
  restriction was easily bypassed by doing SET ROLE first. The security
  impact is mostly that a role member can revoke the access of others,
  contrary to the wishes of his grantor. Unapproved role member additions
  are a lesser concern, since an uncooperative role member could provide
  most of his rights to others anyway by creating views or SECURITY
  DEFINER functions. (CVE-2014-0060)

* Prevent privilege escalation via manual calls to PL validator functions
  (Andres Freund)

  The primary role of PL validator functions is to be called implicitly
  during CREATE FUNCTION, but they are also normal SQL functions that a
  user can call explicitly. Calling a validator on a function actually
  written in some other language was not checked for and could be
  exploited for privilege-escalation purposes. The fix involves adding a
  call to a privilege-checking function in each validator function.
  Non-core procedural languages will also need to make this change to
  their own validator functions, if any. (CVE-2014-0061)

* Avoid multiple name lookups during table and index DDL (Robert Haas,
  Andres Freund)

  If the name lookups come to different conclusions due to concurrent
  activity, we might perform some parts of the DDL on a different table
  than other parts. At least in the case of CREATE INDEX, this can be used
  to cause the permissions checks to be performed against a different
  table than the index creation, allowing for a privilege escalation
  attack. (CVE-2014-0062)

* Prevent buffer overrun with long datetime strings (Noah Misch)

  The MAXDATELEN constant was too small for the longest possible value of
  type interval, allowing a buffer overrun in interval_out(). Although the
  datetime input functions were more careful about avoiding buffer
  overrun, the limit was short enough to cause them to reject some valid
  inputs, such as input containing a very long timezone name. The ecpg
  library contained these vulnerabilities along with some of its own.
  (CVE-2014-0063)

* Prevent buffer overrun due to integer overflow in size calculations
  (Noah Misch, Heikki Linnakangas)

  Several functions, mostly type input functions, calculated an
  allocation size without checking for overflow. If overflow did occur, a
  too-small buffer would be allocated and then written past.
  (CVE-2014-0064)

* Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

  Use strlcpy() and related functions to provide a clear guarantee that
  fixed-size buffers are not overrun. Unlike the preceding items, it is
  unclear whether these cases really represent live issues, since in most
  cases there appear to be previous constraints on the size of the input
  string. Nonetheless it seems prudent to silence all Coverity warnings
  of this type. (CVE-2014-0065)

* Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

  There are relatively few scenarios in which crypt() could return NULL,
  but contrib/chkpass would crash if it did. One practical case in which
  this could be an issue is if libc is configured to refuse to execute
  unapproved hashing algorithms (e.g., FIPS mode). (CVE-2014-0066)

* Document risks of make check in the regression testing instructions
  (Noah Misch, Tom Lane)

  Since the temporary server started by make check uses trust
  authentication, another user on the same machine could connect to it as
  database superuser, and then potentially exploit the privileges of the
  operating-system user who started the tests. A future release will
  probably incorporate changes in the testing procedure to prevent this
  risk, but some public discussion is needed first. So for the moment,
  just warn people against using make check when there are untrusted
  users on the same machine. (CVE-2014-0067)

For the stable distribution (wheezy), these problems have been fixed in
version 9.1_9.1.12-0wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 9.3.3-1 of the postgresql-9.3 package.

We recommend
[Full-disclosure] [SECURITY] [DSA 2858-1] iceweasel security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2858-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 10, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
CVE ID         : CVE-2014-1477 CVE-2014-1479 CVE-2014-1481 CVE-2014-1482
                 CVE-2014-1486 CVE-2014-1487 CVE-2014-1490 CVE-2014-1491

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
use-after-frees, too-verbose error messages and missing permission
checks may lead to the execution of arbitrary code, the bypass of
security checks or information disclosure.

This update also addresses security issues in the bundled version of
the NSS crypto library.

This update updates Iceweasel to the ESR24 series of Firefox.

For the stable distribution (wheezy), these problems have been fixed in
version 24.3.0esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 24.3.0esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlL48qgACgkQXm3vHE4uylpopQCffqocc9xEB/KkQlmKpyGmxAV3
s9YAn0bwPGWgFWQjfwZZoaleLfpg59Li
=1aEO
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2859-1] pidgin security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2859-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 10, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pidgin
Vulnerability  : several
CVE ID         : CVE-2013-6477 CVE-2013-6478 CVE-2013-6479 CVE-2013-6481
                 CVE-2013-6482 CVE-2013-6483 CVE-2013-6484 CVE-2013-6485
                 CVE-2013-6487 CVE-2013-6489 CVE-2013-6490 CVE-2014-0020

Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol
instant messaging client:

CVE-2013-6477

    Jaime Breva Ribes discovered that a remote XMPP user can trigger a
    crash by sending a message with a timestamp in the distant future.

CVE-2013-6478

    Pidgin could be crashed through overly wide tooltip windows.

CVE-2013-6479

    Jacob Appelbaum discovered that a malicious server or a man in the
    middle could send a malformed HTTP header resulting in denial of
    service.

CVE-2013-6481

    Daniel Atallah discovered that Pidgin could be crashed through
    malformed Yahoo! P2P messages.

CVE-2013-6482

    Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
    could be crashed through malformed MSN messages.

CVE-2013-6483

    Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
    could be crashed through malformed XMPP messages.

CVE-2013-6484

    It was discovered that incorrect error handling when reading the
    response from a STUN server could result in a crash.

CVE-2013-6485

    Matt Jones discovered a buffer overflow in the parsing of malformed
    HTTP responses.

CVE-2013-6487

    Yves Younan and Ryan Pentney discovered a buffer overflow when
    parsing Gadu-Gadu messages.

CVE-2013-6489

    Yves Younan and Pawel Janic discovered an integer overflow when
    parsing MXit emoticons.

CVE-2013-6490

    Yves Younan discovered a buffer overflow when parsing SIMPLE headers.

CVE-2014-0020

    Daniel Atallah discovered that Pidgin could be crashed via malformed
    IRC arguments.

For the oldstable distribution (squeeze), no direct backport is provided.
Fixed packages will be provided through backports.debian.org shortly.

For the stable distribution (wheezy), these problems have been fixed in
version 2.10.9-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.10.9-1.

We recommend that you upgrade your pidgin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlL5DAsACgkQXm3vHE4uylpHBACgi35NdKeWengFu5JzJ4NKkj0T
w2MAni+6nXq2FQYjbUm+0k1QW5OrgtU+
=wmw4
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2857-1] libspring-java security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2857-1                   secur...@debian.org
http://www.debian.org/security/                           Markus Koschany
February 08, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libspring-java
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6429 CVE-2013-6430

It was discovered by the Spring development team that the fix for the
XML External Entity (XXE) Injection (CVE-2013-4152) in the Spring
Framework was incomplete. Spring MVC's SourceHttpMessageConverter also
processed user provided XML and neither disabled XML external entities
nor provided an option to disable them. SourceHttpMessageConverter has
been modified to provide an option to control the processing of XML
external entities and that processing is now disabled by default.

In addition, Jon Passki discovered a possible XSS vulnerability: The
JavaScriptUtils.javaScriptEscape() method did not escape all characters
that are sensitive within either a JS single quoted string, JS double
quoted string, or HTML script data context. In most cases this will
result in an unexploitable parse error but in some cases it could result
in an XSS vulnerability.

For the stable distribution (wheezy), these problems have been fixed in
version 3.0.6.RELEASE-6+deb7u2.

For the testing distribution (jessie), these problems have been fixed in
version 3.0.6.RELEASE-11.

For the unstable distribution (sid), these problems have been fixed in
version 3.0.6.RELEASE-11.

We recommend that you upgrade your libspring-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlL2QfYACgkQXm3vHE4uylrKVwCgl0VC2bcFi0cw8M+ENuNdBUtN
rdYAnjKXZ48KA8HONA3iDlymTMFYpogz
=SI4k
-----END PGP SIGNATURE-----
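The escaping gap described in the libspring-java advisory (CVE-2013-6430) comes down to one question: which characters can end a JS string literal, end the enclosing script element, or end the line. As an added example, not Spring's code and not a copy of JavaScriptUtils.javaScriptEscape(), the following Python escaper covers all three contexts the advisory names (JS single-quoted string, JS double-quoted string, HTML script data) and includes a small checker that verifies the escaped output against constructed hostile inputs. The escape table and function names are this example's own.

```python
"""Added example (not Spring's code): a JavaScript string-literal escaper
that covers the three contexts named in DSA-2857-1, plus a checker used to
confirm that escaped output cannot break out of the literal.
"""

# Characters that end or alter a JS string literal, the ones that matter in
# HTML script-data context ("</script>" closes the element no matter how the
# JS is quoted), and the two Unicode line terminators that JS treats as
# newlines even though HTML does not.
_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "/": "\\/",           # keeps "</script>" from closing the element
    "<": "\\u003C",
    ">": "\\u003E",
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
    "\b": "\\b",
    "\f": "\\f",
    "\v": "\\v",
    "\u2028": "\\u2028",  # LINE SEPARATOR: a JS line terminator
    "\u2029": "\\u2029",  # PARAGRAPH SEPARATOR: a JS line terminator
}


def js_escape(value):
    """Escape value for use inside a JS string literal in an HTML page."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def script_literal(value, quote="'"):
    """Return a complete quoted JS literal for value."""
    if quote not in ("'", '"'):
        raise ValueError("quote must be ' or \"")
    return quote + js_escape(value) + quote


def breaks_out(escaped, quote):
    """Checker: does the escaped text still contain an unescaped quote, a raw
    line terminator, or a script close tag? True means the escaper failed.
    Scans like a JS tokenizer would: a backslash consumes the next character.
    """
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == "\\":
            i += 2
            continue
        if ch == quote or ch in "\n\r\u2028\u2029":
            return True
        i += 1
    return "</script" in escaped.lower()


# Constructed hostile inputs, one per context the advisory lists.
SAMPLES = [
    "it's",                 # breaks a single-quoted JS string if unescaped
    'say "hi"',             # breaks a double-quoted JS string if unescaped
    "</script>",            # ends the element in HTML script-data context
    "line\u2028break",      # JS-only line terminator
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for quote in ("'", '"'):
            escaped = js_escape(sample)
            status = "UNSAFE" if breaks_out(escaped, quote) else "safe"
            print(script_literal(sample, quote), "->", status)
```

Escaping "/" and "<" is what makes the output independent of quoting: an unescaped "</script>" ends the script element even inside a correctly quoted JS string, which is why a JS-only escaper is not enough for the HTML script-data context the advisory mentions.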
[Full-disclosure] [SECURITY] [DSA 2855-1] libav security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2855-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 05, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libav
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2011-3944 CVE-2013-0845 CVE-2013-0846 CVE-2013-0849
                 CVE-2013-0865 CVE-2013-7010 CVE-2013-7014 CVE-2013-7015

Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library. The IDs mentioned above are
just a portion of the security issues fixed in this update. A full list
of the changes is available at
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.10

For the stable distribution (wheezy), these problems have been fixed in
version 6:0.8.9-1.

For the unstable distribution (sid), these problems have been fixed in
version 6:9.11-1.

We recommend that you upgrade your libav packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlLye6kACgkQXm3vHE4uylrI8ACfbD6s1L9JSjxy9tKale/31uwM
faUAn245iY8Wf396t+iT1Q7iaP7s8/Xo
=bajx
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2845-1] mysql-5.1 security update
Debian Security Advisory DSA-2845-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
January 17, 2014                       http://www.debian.org/security/faq

Package        : mysql-5.1
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-5908 CVE-2014-0386 CVE-2014-0393 CVE-2014-0401
                 CVE-2014-0402 CVE-2014-0412 CVE-2014-0437

This DSA updates the MySQL 5.1 database to 5.1.73. This fixes multiple
unspecified security problems in MySQL:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

For the oldstable distribution (squeeze), these problems have been fixed in
version 5.1.73-1.

We recommend that you upgrade your mysql-5.1 packages.
[Full-disclosure] [SECURITY] [DSA 2846-1] libvirt security update
Debian Security Advisory DSA-2846-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
January 17, 2014                       http://www.debian.org/security/faq

Package        : libvirt
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6458 CVE-2014-1447

Multiple security issues have been found in Libvirt, a virtualisation
abstraction library:

CVE-2013-6458

    It was discovered that insecure job usage could lead to denial of
    service against libvirtd.

CVE-2014-1447

    It was discovered that a race condition in keepalive handling could
    lead to denial of service against libvirtd.

For the stable distribution (wheezy), these problems have been fixed in
version 0.9.12.3-1. This bugfix point release also addresses some additional
bugfixes.

For the unstable distribution (sid), these problems have been fixed in
version 1.2.1-1.

We recommend that you upgrade your libvirt packages.
[Full-disclosure] [SECURITY] [DSA 2842-1] libspring-java security update
Debian Security Advisory DSA-2842-1                   secur...@debian.org
http://www.debian.org/security/                         Markus Koschany
January 13, 2014                       http://www.debian.org/security/faq

Package        : libspring-java
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4152
Debian Bug     : 720902

Alvaro Munoz discovered an XML External Entity (XXE) injection in the Spring
Framework which can be used for conducting CSRF and DoS attacks on other
sites.

The Spring OXM wrapper did not expose any property for disabling entity
resolution when using the JAXB unmarshaller. There are four possible source
implementations passed to the unmarshaller:

    DOMSource
    StAXSource
    SAXSource
    StreamSource

For a DOMSource, the XML has already been parsed by user code and that code is
responsible for protecting against XXE.

For a StAXSource, the XMLStreamReader has already been created by user code
and that code is responsible for protecting against XXE.

For SAXSource and StreamSource instances, Spring processed external entities
by default thereby creating this vulnerability.

The issue was resolved by disabling external entity processing by default and
adding an option to enable it for those users that need to use this feature
when processing XML from a trusted source.

It was also identified that Spring MVC processed user provided XML with JAXB
in combination with a StAX XMLInputFactory without disabling external entity
resolution. External entity resolution has been disabled in this case.

For the stable distribution (wheezy), this problem has been fixed in
version 3.0.6.RELEASE-6+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.6.RELEASE-10.

We recommend that you upgrade your libspring-java packages.
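An added example, not the Spring Framework's own code, of the protection the advisory says user code owes when it builds the Source itself: the SAXSource and the StAXSource are created on a parser with DTDs and external entities switched off before being handed to a JAXB Unmarshaller, so neither path can be made to resolve an external entity. It assumes javax.xml.bind is on the classpath (Java 8, or the jaxb-api artifact on later JDKs); the Order type, the class name and the two documents are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stax.StAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SafeJaxbUnmarshal {

    /** Hypothetical payload type, constructed for this example. */
    @XmlRootElement(name = "order")
    public static class Order {
        @XmlElement
        public String item;
    }

    /**
     * SAXSource backed by an XMLReader that rejects DOCTYPE declarations and
     * never resolves external entities. A JAXB Unmarshaller fed this Source
     * cannot be steered into reading local files or remote URLs.
     */
    public static SAXSource hardenedSaxSource(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Strongest setting: no DTD at all, so no entity can be declared.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still accept a DTD.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    /**
     * StAXSource over an XMLStreamReader with DTD support and external entity
     * resolution switched off: the StAX case the advisory leaves to user code.
     */
    public static StAXSource hardenedStaxSource(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        return new StAXSource(xsr);
    }

    /** Unmarshal through JAXB; the Source decides whether entities are resolved. */
    public static Order unmarshal(Source src) throws JAXBException {
        Unmarshaller u = JAXBContext.newInstance(Order.class).createUnmarshaller();
        return (Order) u.unmarshal(src);
    }

    public static void main(String[] args) throws Exception {
        // Constructed documents: one benign, one declaring an external entity.
        String benign = "<order><item>widget</item></order>";
        String hostile = "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///nonexistent/example\">]>"
                       + "<order><item>&ext;</item></order>";

        System.out.println("SAX  benign item = " + unmarshal(hardenedSaxSource(benign)).item);
        System.out.println("StAX benign item = " + unmarshal(hardenedStaxSource(benign)).item);

        for (Source s : new Source[] { hardenedSaxSource(hostile), hardenedStaxSource(hostile) }) {
            try {
                unmarshal(s);
                System.out.println("UNEXPECTED: external entity document was accepted");
            } catch (JAXBException e) {
                // Rejected by the parser before any external resource is fetched.
                System.out.println("rejected: " + e.getCause());
            }
        }
    }
}
```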
[Full-disclosure] [SECURITY] [DSA 2841-1] movabletype-opensource security update
Debian Security Advisory DSA-2841-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
January 11, 2014                       http://www.debian.org/security/faq

Package        : movabletype-opensource
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2014-0977
Debian Bug     : 734304

A cross-site scripting vulnerability was discovered in the rich text editor of
the Movable Type blogging engine.

For the oldstable distribution (squeeze), this problem has been fixed in
version 4.3.8+dfsg-0+squeeze4.

For the stable distribution (wheezy), this problem has been fixed in
version 5.1.4+dfsg-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 5.2.9+dfsg-1.

We recommend that you upgrade your movabletype-opensource packages.
[Full-disclosure] [SECURITY] [DSA 2837-1] openssl security update
Debian Security Advisory DSA-2837-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
January 07, 2014                       http://www.debian.org/security/faq

Package        : openssl
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4353

Anton Johannson discovered that an invalid TLS handshake package could crash
OpenSSL with a NULL pointer dereference.

The oldstable distribution (squeeze) is not affected.

For the stable distribution (wheezy), this problem has been fixed in
version 1.0.1e-2+deb7u3.

For the unstable distribution (sid), this problem has been fixed in
version 1.0.1f-1.

We recommend that you upgrade your openssl packages.
[Full-disclosure] [SECURITY] [DSA 2838-1] libxfont security update
Debian Security Advisory DSA-2838-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
January 07, 2014                       http://www.debian.org/security/faq

Package        : libxfont
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2013-6462

It was discovered that a buffer overflow in the processing of Glyph Bitmap
Distribution fonts (BDF) could result in the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:1.4.1-4.

For the stable distribution (wheezy), this problem has been fixed in
version 1:1.4.5-3.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.4.7-1.

We recommend that you upgrade your libxfont packages.
[Full-disclosure] [SECURITY] [DSA 2835-1] asterisk security update
Debian Security Advisory DSA-2835-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
January 05, 2014                       http://www.debian.org/security/faq

Package        : asterisk
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-7100
Debian Bug     : 732355

Jan Juergens discovered a buffer overflow in the parser for SMS messages in
Asterisk.

An additional change was backported, which is fully described in
http://downloads.asterisk.org/pub/security/AST-2013-007.html

With the fix for AST-2013-007, a new configuration option was added in order
to allow the system administrator to disable the expansion of dangerous
functions (such as SHELL()) from any interface which is not the dialplan. In
stable and oldstable this option is disabled by default. To enable it add the
following line to the section '[options]' in /etc/asterisk/asterisk.conf (and
restart asterisk):

    live_dangerously = no

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:1.6.2.9-2+squeeze12.

For the stable distribution (wheezy), this problem has been fixed in
version 1:1.8.13.1~dfsg1-3+deb7u3.

For the testing distribution (jessie), this problem has been fixed in
version 1:11.7.0~dfsg-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:11.7.0~dfsg-1.

We recommend that you upgrade your asterisk packages.
[Full-disclosure] [SECURITY] [DSA 2833-1] openssl security update
Debian Security Advisory DSA-2833-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
January 01, 2014                       http://www.debian.org/security/faq

Package        : openssl
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2013-6449 CVE-2013-6450
Debian Bug     : 732754 732710

Multiple security issues have been fixed in OpenSSL: the TLS 1.2 support was
susceptible to denial of service and retransmission of DTLS messages was
fixed. In addition this update disables the insecure Dual_EC_DRBG algorithm
(which was unused anyway, see
http://marc.info/?l=openssl-announce&m=138747119822324&w=2 for further
information) and no longer uses the RdRand feature available on some Intel
CPUs as a sole source of entropy unless explicitly requested.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.1e-5.

We recommend that you upgrade your openssl packages.
[Full-disclosure] [SECURITY] [DSA 2829-1] hplip security update
Debian Security Advisory DSA-2829-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
December 28, 2013                      http://www.debian.org/security/faq

Package        : hplip
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-0200 CVE-2013-4325 CVE-2013-6402 CVE-2013-6427

Multiple vulnerabilities have been found in the HP Linux Printing and Imaging
System: insecure temporary files, insufficient permission checks in PackageKit
and the insecure hp-upgrade service has been disabled.

For the oldstable distribution (squeeze), these problems have been fixed in
version 3.10.6-2+squeeze2.

For the stable distribution (wheezy), these problems have been fixed in
version 3.12.6-3.1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 3.13.11-2.

We recommend that you upgrade your hplip packages.
[Full-disclosure] [SECURITY] [DSA 2825-1] wireshark security update
Debian Security Advisory DSA-2825-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
December 20, 2013                      http://www.debian.org/security/faq

Package        : wireshark
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2013-7113 CVE-2013-7114

Laurent Butti and Garming Sam discovered multiple vulnerabilities in the
dissectors for NTLMSSPv2 and BSSGP, which could lead to denial of service or
the execution of arbitrary code.

For the stable distribution (wheezy), these problems have been fixed in
version 1.8.2-5wheezy9.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.4-1.

We recommend that you upgrade your wireshark packages.
[Full-disclosure] [SECURITY] [DSA 2822-1] xorg-server security update
Debian Security Advisory DSA-2822-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
December 18, 2013                      http://www.debian.org/security/faq

Package        : xorg-server
Vulnerability  : integer underflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6424

Bryan Quigley discovered an integer underflow in the Xorg X server which could
lead to denial of service or the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.7.7-18.

For the stable distribution (wheezy), this problem has been fixed in
version 1.12.4-6+deb7u2.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your xorg-server packages.
[Full-disclosure] [SECURITY] [DSA 2823-1] pixman security update
Debian Security Advisory DSA-2823-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
December 18, 2013                      http://www.debian.org/security/faq

Package        : pixman
Vulnerability  : integer underflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6425

Bryan Quigley discovered an integer underflow in Pixman which could lead to
denial of service or the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.16.4-1+deb6u1.

For the stable distribution (wheezy), this problem has been fixed in
version 0.26.0-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.30.2-2.

We recommend that you upgrade your pixman packages.
[Full-disclosure] [SECURITY] [DSA 2819-1] End-of-life announcement for iceape
Debian Security Advisory DSA-2819-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
December 16, 2013                      http://www.debian.org/security/faq

Package        : iceape

Security support for Iceape, the Debian-branded version of the Seamonkey
suite, needed to be stopped before the end of the regular security maintenance
life cycle.

We recommend to migrate to Iceweasel for the web browser functionality and to
Icedove for the e-mail bits. Iceweasel and Icedove are based on the same
codebase and will continue to be supported with security updates.

Alternatively you can switch to the binaries provided by Mozilla available at
http://www.seamonkey-project.org/releases/
[Full-disclosure] [SECURITY] [DSA 2812-1] samba security update
Debian Security Advisory DSA-2812-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
December 09, 2013                      http://www.debian.org/security/faq

Package        : samba
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4408 CVE-2013-4475

Two security issues were found in Samba, an SMB/CIFS file, print, and login
server:

CVE-2013-4408

    It was discovered that multiple buffer overflows in the processing of
    DCE-RPC packets may lead to the execution of arbitrary code.

CVE-2013-4475

    Hemanth Thummala discovered that ACLs were not checked when opening
    files with alternate data streams. This issue is only exploitable if
    the VFS modules vfs_streams_depot and/or vfs_streams_xattr are used.

For the oldstable distribution (squeeze), these problems have been fixed in
version 3.5.6~dfsg-3squeeze11.

For the stable distribution (wheezy), these problems have been fixed in
version 3.6.6-6+deb7u2.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your samba packages.
[Full-disclosure] [SECURITY] [DSA 2813-1] gimp security update
Debian Security Advisory DSA-2813-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
December 09, 2013                      http://www.debian.org/security/faq

Package        : gimp
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2013-1913 CVE-2013-1978

Murray McAllister discovered multiple integer and buffer overflows in the XWD
plugin in Gimp, which can result in the execution of arbitrary code.

For the oldstable distribution (squeeze), these problems have been fixed in
version 2.6.10-1+squeeze4. This update also fixes CVE-2012-3403,
CVE-2012-3481 and CVE-2012-5576.

For the stable distribution (wheezy), these problems have been fixed in
version 2.8.2-2+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your gimp packages.
[Full-disclosure] [SECURITY] [DSA 2807-1] links2 security update
Debian Security Advisory DSA-2807-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
November 30, 2013                      http://www.debian.org/security/faq

Package        : links2
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6050

Mikulas Patocka discovered an integer overflow in the parsing of HTML tables
in the Links web browser. This can only be exploited when running Links in
graphical mode.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.3~pre1-1+squeeze2.

For the stable distribution (wheezy), this problem has been fixed in
version 2.7-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 2.8-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.8-1.

We recommend that you upgrade your links2 packages.
[Full-disclosure] [SECURITY] [DSA 2803-1] quagga security update
Debian Security Advisory DSA-2803-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
November 26, 2013                      http://www.debian.org/security/faq

Package        : quagga
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2236 CVE-2013-6051
Debian Bug     : 730513 726724

Multiple vulnerabilities were discovered in Quagga, a BGP/OSPF/RIP routing
daemon:

CVE-2013-2236

    A buffer overflow was found in the OSPF API-server (exporting the LSDB
    and allowing announcement of Opaque-LSAs).

CVE-2013-6051

    bgpd could be crashed through BGP updates. This only affects
    Wheezy/stable.

For the oldstable distribution (squeeze), these problems have been fixed in
version 0.99.20.1-0+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in
version 0.99.22.4-1+wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 0.99.22.4-1.

We recommend that you upgrade your quagga packages.
[Full-disclosure] [SECURITY] [DSA 2804-1] drupal7 security update
Debian Security Advisory DSA-2804-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
November 26, 2013                      http://www.debian.org/security/faq

Package        : drupal7
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6385 CVE-2013-6386 CVE-2013-6387 CVE-2013-6388
                 CVE-2013-6389

Multiple vulnerabilities have been discovered in Drupal, a fully-featured
content management framework: cross-site request forgery, insecure pseudo
random number generation, code execution, incorrect security token validation
and cross-site scripting.

In order to avoid the remote code execution vulnerability, it is recommended
to create a .htaccess file (or an equivalent configuration directive in case
you are not using Apache to serve your Drupal sites) in each of your sites'
files directories (both public and private, in case you have both
configured). Please refer to the NEWS file provided with this update and the
upstream advisory at https://drupal.org/SA-CORE-2013-003 for further
information.

For the stable distribution (wheezy), these problems have been fixed in
version 7.14-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 7.24-1.

We recommend that you upgrade your drupal7 packages.
[Full-disclosure] [SECURITY] [DSA 2797-1] icedove security update
Debian Security Advisory DSA-2797-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
November 13, 2013                      http://www.debian.org/security/faq

Package        : icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-5590 CVE-2013-5595 CVE-2013-5597 CVE-2013-5599
                 CVE-2013-5600 CVE-2013-5601 CVE-2013-5602 CVE-2013-5604

Multiple security issues have been found in Icedove, Debian's version of the
Mozilla Thunderbird mail and news client. Multiple memory safety errors, and
other implementation errors may lead to the execution of arbitrary code.

The Icedove version in the oldstable distribution (squeeze) is no longer
supported with full security updates. However, it should be noted that almost
all security issues in Icedove stem from the included browser engine. These
security problems only affect Icedove if scripting and HTML mails are
enabled. If there are security issues specific to Icedove (e.g. a
hypothetical buffer overflow in the IMAP implementation) we'll make an effort
to backport such fixes to oldstable.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.10-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.10-1.

We recommend that you upgrade your icedove packages.
[Full-disclosure] [SECURITY] [DSA 2793-1] libav security update
Debian Security Advisory DSA-2793-1                   secur...@debian.org
http://www.debian.org/security/                      Moritz Muehlenhoff
November 09, 2013                      http://www.debian.org/security/faq

Package        : libav
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-0844 CVE-2013-0850 CVE-2013-0853 CVE-2013-0854
                 CVE-2013-0857 CVE-2013-0858 CVE-2013-0866

Several security issues have been corrected in multiple demuxers and decoders
of the libav multimedia library. The CVE IDs mentioned above are just a small
portion of the security issues fixed in this update. A full list of the
changes is available at
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.9

For the stable distribution (wheezy), these problems have been fixed in
version 0.8.9-1.

For the unstable distribution (sid), these problems have been fixed in
version 9.10-1.

We recommend that you upgrade your libav packages.
[Full-disclosure] [SECURITY] [DSA 2749-1] asterisk security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2749-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
September 02, 2013                     http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-5641 CVE-2013-5642

Colin Cuthbertson and Walter Doekes discovered two vulnerabilities in the SIP processing code of Asterisk, an open source PBX and telephony toolkit, which could result in denial of service.

For the oldstable distribution (squeeze), these problems have been fixed in version 1:1.6.2.9-2+squeeze11.

For the stable distribution (wheezy), these problems have been fixed in version 1.8.13.1~dfsg-3+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your asterisk packages.
[Full-disclosure] [SECURITY] [DSA 2746-1] icedove security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2746-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
August 29, 2013                        http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713
                 CVE-2013-1714 CVE-2013-1717

Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. Multiple memory safety errors, missing permission checks and other implementation errors may lead to the execution of arbitrary code or cross-site scripting.

The Icedove version in the oldstable distribution (squeeze) is no longer supported with full security updates. However, it should be noted that almost all security issues in Icedove stem from the included browser engine. These security problems only affect Icedove if scripting and HTML mails are enabled. If there are security issues specific to Icedove (e.g. a hypothetical buffer overflow in the IMAP implementation) we'll make an effort to backport such fixes to oldstable.

For the stable distribution (wheezy), these problems have been fixed in version 17.0.8-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 17.0.8-1.

We recommend that you upgrade your icedove packages.
[Full-disclosure] [SECURITY] [DSA 2744-1] tiff security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2744-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
August 27, 2013                        http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tiff
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2013-4231 CVE-2013-4232 CVE-2013-4244

Pedro Ribeiro and Huzaifa S. Sidhpurwala discovered multiple vulnerabilities in various tools shipped by the tiff library. Processing a malformed file may lead to denial of service or the execution of arbitrary code.

For the oldstable distribution (squeeze), these problems have been fixed in version 3.9.4-5+squeeze10.

For the stable distribution (wheezy), these problems have been fixed in version 4.0.2-6+deb7u2.

For the unstable distribution (sid), these problems have been fixed in version 4.0.3-3.

We recommend that you upgrade your tiff packages.
[Full-disclosure] [SECURITY] [DSA 2739-1] cacti security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2739-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
August 21, 2013                        http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : cacti
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1434 CVE-2013-1435

Two security issues (SQL injection and command line injection via SNMP settings) were found in Cacti, a web interface for graphing of monitoring systems.

For the oldstable distribution (squeeze), these problems have been fixed in version 0.8.7g-1+squeeze2.

For the stable distribution (wheezy), these problems have been fixed in version 0.8.8a+dfsg-5+deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 0.8.8b+dfsg-2.

We recommend that you upgrade your cacti packages.
[Full-disclosure] [SECURITY] [DSA 2735-1] iceweasel security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2735-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
August 07, 2013                        http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713
                 CVE-2013-1714 CVE-2013-1717

Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, missing permission checks and other implementation errors may lead to the execution of arbitrary code, cross-site scripting, privilege escalation, bypass of the same-origin policy or the installation of malicious addons.

The Iceweasel version in the oldstable distribution (squeeze) is no longer supported with security updates.

For the stable distribution (wheezy), these problems have been fixed in version 17.0.8esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 17.0.8esr-1.

We recommend that you upgrade your iceweasel packages.
[Full-disclosure] [SECURITY] [DSA 2734-1] wireshark security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2734-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
August 05, 2013                        http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4930 CVE-2013-4932 CVE-2013-4933 CVE-2013-4934
                 CVE-2013-4935

Multiple vulnerabilities were discovered in the dissectors for DVB-CI, GSM A Common and ASN.1 PER and in the Netmon file parser.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.2.11-6+squeeze11.

For the stable distribution (wheezy), these problems have been fixed in version 1.8.2-5wheezy5.

For the unstable distribution (sid), these problems have been fixed in version 1.10.1-1.

We recommend that you upgrade your wireshark packages.
[Full-disclosure] [SECURITY] [DSA 2729-1] openafs security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2729-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
July 28, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openafs
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2013-4134 CVE-2013-4135

OpenAFS, the implementation of the distributed filesystem AFS, has been updated to no longer use DES for the encryption of tickets. Additional migration steps are needed to fully set the update into effect. For more information please see the upstream advisory: http://www.openafs.org/security/OPENAFS-SA-2013-003.txt

In addition the 'encrypt' option to the 'vos' tool was fixed.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.4.12.1+dfsg-4+squeeze2.

For the stable distribution (wheezy), these problems have been fixed in version 1.6.1-3+deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 1.6.5-1.

We recommend that you upgrade your openafs packages.
[Full-disclosure] [SECURITY] [DSA 2727-1] openjdk-6 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2727-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
July 25, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjdk-6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412
                 CVE-2013-2443 CVE-2013-2444 CVE-2013-2445 CVE-2013-2446
                 CVE-2013-2447 CVE-2013-2448 CVE-2013-2450 CVE-2013-2451
                 CVE-2013-2452 CVE-2013-2453 CVE-2013-2455 CVE-2013-2456
                 CVE-2013-2457 CVE-2013-2459 CVE-2013-2461 CVE-2013-2463
                 CVE-2013-2465 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471
                 CVE-2013-2472 CVE-2013-2473

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed in version 6b27-1.12.6-1~deb6u1.

For the stable distribution (wheezy), these problems have been fixed in version 6b27-1.12.6-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 6b27-1.12.6-1.

We recommend that you upgrade your openjdk-6 packages.
[Full-disclosure] [SECURITY] [DSA 2725-1] tomcat6 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2725-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
July 18, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tomcat6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-3544 CVE-2013-2067

Two security issues have been found in the Tomcat servlet and JSP engine:

CVE-2012-3544

    The input filter for chunked transfer encodings could trigger high resource consumption through malformed CRLF sequences, resulting in denial of service.

CVE-2013-2067

    The FormAuthenticator module was vulnerable to session fixation.

For the oldstable distribution (squeeze), these problems have been fixed in version 6.0.35-1+squeeze3. This update also provides fixes for CVE-2012-2733, CVE-2012-3546, CVE-2012-4431, CVE-2012-4534, CVE-2012-5885, CVE-2012-5886 and CVE-2012-5887, which were all fixed for stable already.

For the stable distribution (wheezy), these problems have been fixed in version 6.0.35-6+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your tomcat6 packages.
[Full-disclosure] [SECURITY] [DSA 2722-1] openjdk-7 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2722-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
July 15, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjdk-7
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412
                 CVE-2013-2443 CVE-2013-2444 CVE-2013-2445 CVE-2013-2446
                 CVE-2013-2447 CVE-2013-2448 CVE-2013-2449 CVE-2013-2450
                 CVE-2013-2451 CVE-2013-2452 CVE-2013-2453 CVE-2013-2454
                 CVE-2013-2455 CVE-2013-2456 CVE-2013-2457 CVE-2013-2458
                 CVE-2013-2459 CVE-2013-2460 CVE-2013-2461 CVE-2013-2463
                 CVE-2013-2465 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471
                 CVE-2013-2472 CVE-2013-2473

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.

For the stable distribution (wheezy), these problems have been fixed in version 7u25-2.3.10-1~deb7u1. In addition icedtea-web needed to be updated to 1.4-3~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 7u25-2.3.10-1.

We recommend that you upgrade your openjdk-7 packages.
[Full-disclosure] [SECURITY] [DSA 2720-1] icedove security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2720-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
July 06, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1682 CVE-2013-1684 CVE-2013-1685 CVE-2013-1686
                 CVE-2013-1687 CVE-2013-1690 CVE-2013-1692 CVE-2013-1693
                 CVE-2013-1694 CVE-2013-1697

Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. Multiple memory safety errors, use-after-free vulnerabilities, missing permission checks, incorrect memory handling and other implementation errors may lead to the execution of arbitrary code, privilege escalation, information disclosure or cross-site request forgery.

As already announced for Iceweasel: We're changing the approach for security updates for Icedove in stable-security: Instead of backporting security fixes, we now provide releases based on the Extended Support Release branch. As such, this update introduces packages based on Thunderbird 17 and at some point in the future we will switch to the next ESR branch once ESR 17 has reached its end of life.

Some Icedove extensions currently packaged in the Debian archive are not compatible with the new browser engine. Up-to-date and compatible versions can be retrieved from http://addons.mozilla.org as a short term solution. An updated and compatible version of enigmail is included with this update.

The icedove version in the oldstable distribution (squeeze) is no longer supported with full security updates. However, it should be noted that almost all security issues in Icedove stem from the included browser engine. These security problems only affect Icedove if scripting and HTML mails are enabled. If there are security issues specific to Icedove (e.g. a hypothetical buffer overflow in the IMAP implementation) we'll make an effort to backport such fixes to oldstable.

For the stable distribution (wheezy), these problems have been fixed in version 17.0.7-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 17.0.7-1.

We recommend that you upgrade your icedove packages.
[Full-disclosure] [SECURITY] [DSA 2716-1] iceweasel security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2716-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 26, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1682 CVE-2013-1684 CVE-2013-1685 CVE-2013-1686
                 CVE-2013-1687 CVE-2013-1690 CVE-2013-1692 CVE-2013-1693
                 CVE-2013-1694 CVE-2013-1697

Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, use-after-free vulnerabilities, missing permission checks, incorrect memory handling and other implementation errors may lead to the execution of arbitrary code, privilege escalation, information disclosure or cross-site request forgery.

The iceweasel version in the oldstable distribution (squeeze) is no longer supported with security updates.

For the stable distribution (wheezy), these problems have been fixed in version 17.0.7esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 17.0.7esr-1.

We recommend that you upgrade your iceweasel packages.
[Full-disclosure] [SECURITY] [DSA 2714-1] kfreebsd-9 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2714-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 25, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : kfreebsd-9
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2171

Konstantin Belousov and Alan Cox discovered that insufficient permission checks in the memory management of the FreeBSD kernel could lead to privilege escalation.

For the stable distribution (wheezy), this problem has been fixed in version 9.0-10+deb70.2.

For the unstable distribution (sid), this problem has been fixed in version 9.0-12.

We recommend that you upgrade your kfreebsd-9 packages.
[Full-disclosure] [SECURITY] [DSA 2711-1] haproxy security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2711-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 19, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : haproxy
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2942 CVE-2013-1912 CVE-2013-2175

Multiple security issues have been found in HAProxy, a load-balancing reverse proxy:

CVE-2012-2942

    Buffer overflow in the header capture code.

CVE-2013-1912

    Buffer overflow in the HTTP keepalive code.

CVE-2013-2175

    Denial of service in parsing HTTP headers.

For the oldstable distribution (squeeze), these problems have been fixed in version 1.4.8-1+squeeze1.

The stable distribution (wheezy) doesn't contain haproxy.

For the unstable distribution (sid), these problems have been fixed in version 1.4.24-1.

We recommend that you upgrade your haproxy packages.
[Full-disclosure] [SECURITY] [DSA 2628-2] nss-pam-ldapd update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2628-2                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 18, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : nss-pam-ldapd
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2013-0288

The security update DSA-2628 for nss-pam-ldapd failed to build on kfreebsd-amd64 and kfreebsd-i386.

For the oldstable distribution (squeeze) this problem has been fixed in version 0.7.15+squeeze4.

We recommend that you upgrade your nss-pam-ldapd packages.
[Full-disclosure] [SECURITY] [DSA 2709-1] wireshark security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2709-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 17, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4074 CVE-2013-4075 CVE-2013-4076 CVE-2013-4077
                 CVE-2013-4078 CVE-2013-4081 CVE-2013-4082 CVE-2013-4083

Multiple vulnerabilities were discovered in the dissectors for CAPWAP, GMR-1 BCCH, PPP, NBAP, RDP, HTTP, DCP ETSI and in the Ixia IxVeriWave file parser, which could result in denial of service or the execution of arbitrary code.

For the stable distribution (wheezy), these problems have been fixed in version 1.8.2-5wheezy4.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your wireshark packages.
[Full-disclosure] [SECURITY] [DSA 2699-1] iceweasel security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2699-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 02, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-0773 CVE-2013-0775 CVE-2013-0776 CVE-2013-0780
                 CVE-2013-0782 CVE-2013-0783 CVE-2013-0787 CVE-2013-0788
                 CVE-2013-0793 CVE-2013-0795 CVE-2013-0796 CVE-2013-0800
                 CVE-2013-0801 CVE-2013-1670 CVE-2013-1674 CVE-2013-1675
                 CVE-2013-1676 CVE-2013-1677 CVE-2013-1678 CVE-2013-1679
                 CVE-2013-1680 CVE-2013-1681

Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, missing input sanitising vulnerabilities, use-after-free vulnerabilities, buffer overflows and other programming errors may lead to the execution of arbitrary code, privilege escalation, information leaks or cross-site scripting.

We're changing the approach for security updates for Iceweasel, Icedove and Iceape in stable-security: Instead of backporting security fixes, we now provide releases based on the Extended Support Release branch. As such, this update introduces packages based on Firefox 17 and at some point in the future we will switch to the next ESR branch once ESR 17 has reached its end of life.

Some Xul extensions currently packaged in the Debian archive are not compatible with the new browser engine. Up-to-date and compatible versions can be retrieved from http://addons.mozilla.org as a short term solution. A solution to keep packaged extensions compatible with the Mozilla releases is still being sorted out.

We don't have the resources to backport security fixes to the Iceweasel release in oldstable-security any longer. If you're up to the task and want to help, please get in touch with t...@security.debian.org. Otherwise, we'll announce the end of security support for Iceweasel, Icedove and Iceape in Squeeze in the next update round.

For the stable distribution (wheezy), these problems have been fixed in version 17.0.6esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 17.0.6esr-1.

We recommend that you upgrade your iceweasel packages.
[Full-disclosure] [SECURITY] [DSA 2700-1] wireshark security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2700-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 02, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-3555 CVE-2013-3557 CVE-2013-3558 CVE-2013-3559
                 CVE-2013-3560 CVE-2013-3562

Multiple vulnerabilities were discovered in the dissectors for GTPv2, ASN.1 BER, PPP CCP, DCP ETSI, MPEG DSM-CC and Websocket, which could result in denial of service or the execution of arbitrary code.

The oldstable distribution (squeeze) is not affected.

For the stable distribution (wheezy), these problems have been fixed in version 1.8.2-5wheezy3.

For the unstable distribution (sid), these problems have been fixed in version 1.8.7-1.

We recommend that you upgrade your wireshark packages.
[Full-disclosure] [SECURITY] [DSA 2677-1] libxrender security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2677-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
May 23, 2013                           http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libxrender
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1987

Ilja van Sprundel of IOActive discovered several security issues in multiple components of the X.org graphics stack and the related libraries: Various integer overflows, sign handling errors in integer conversions, buffer overflows, memory corruption and missing input sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in version 1:0.9.6-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in version 1:0.9.7-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in version 1:0.9.7-1+deb7u1.

We recommend that you upgrade your libxrender packages.
[Full-disclosure] [SECURITY] [DSA 2678-1] mesa security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2678-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mesa
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1993

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 7.7.1-6.

For the stable distribution (wheezy), this problem has been fixed in
version 8.0.5-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 8.0.5-6.

We recommend that you upgrade your mesa packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNRMACgkQXm3vHE4uylok7wCgoYincClsSUlWB9CfAnyqUs8M
GukAoM9LF+Ip0kMPRlU9dBz9xNL82g8I
=h7YT
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2679-1] xserver-xorg-video-openchrome security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2679-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xserver-xorg-video-openchrome
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1994

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.2.904+svn842-2+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 0.2.906-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.2.906-2+deb7u1.

We recommend that you upgrade your xserver-xorg-video-openchrome packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNWgACgkQXm3vHE4uylrTpgCgiBj+1I/dfil1g/twTYSiZHJL
KPwAoIM3x/WBiv691U1KrJCPCkLIozOx
=MrEv
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2680-1] libxt security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2680-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxt
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2002 CVE-2013-2005

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed
in version 1:1.0.7-1+squeeze1.

For the stable distribution (wheezy), these problems have been fixed in
version 1:1.1.3-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1:1.1.3-1+deb7u1.

We recommend that you upgrade your libxt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNcMACgkQXm3vHE4uylqcaQCfV0+rOuDMcV8+rEdK97xsS6Gt
JKIAniCBFZA1mxf9P3vInyIRW3CyDyZZ
=M7zp
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2681-1] libxcursor security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2681-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxcursor
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2003

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:1.1.10-2+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1:1.1.13-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.1.13-1+deb7u1.

We recommend that you upgrade your libxcursor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNiEACgkQXm3vHE4uylqueQCgxNhVeiuAWxZiltTa9qednH80
AxMAoKlzGd4n3R/FqGxQAlxYYyAs89g5
=UP6u
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2682-1] libxext security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2682-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxext
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1982

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2:1.1.2-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.3.1-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.3.1-2+deb7u1.

We recommend that you upgrade your libxext packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNmgACgkQXm3vHE4uylpVYACfRb+H3PUEGtobBFX3RbsybBZX
V6oAn1qWPcdPuXIv/FsB5vTn2PzSBl10
=F/p+
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2683-1] libxi security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2683-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxi
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1984 CVE-2013-1995 CVE-2013-1998

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed
in version 2:1.3-8.

For the stable distribution (wheezy), these problems have been fixed in
version 2:1.6.1-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 2:1.6.1-1+deb7u1.

We recommend that you upgrade your libxi packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNuQACgkQXm3vHE4uylqwkgCg2wpO4xxuZcNIdmhzU77/BkYp
fqgAniSSgyOipXL842s19bceNfBljw/y
=eaz9
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2684-1] libxrandr security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2684-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxrandr
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1986

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2:1.3.0-3+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.3.2-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.3.2-2+deb7u1.

We recommend that you upgrade your libxrandr packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNzMACgkQXm3vHE4uylrhFQCfYHBP99XPbhQcKTzjTfrgvphm
0RcAni6xpidICEgPNAtfxx5SMapo5Kex
=QCny
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2685-1] libxp security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2685-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxp
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2062

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:1.0.0.xsf1-2+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1:1.0.1-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.0.1-2+deb7u1.

We recommend that you upgrade your libxp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeN4AACgkQXm3vHE4uylp7JQCguqKXqXG9GqBhrNDb2B7SIKUe
czoAoNnzD4qyJRi9CbqIPR/j2pjDyDRn
=umC9
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2686-1] libxcb security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2686-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxcb
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2064

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.6-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1.8.1-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.8.1-2+deb7u1.

We recommend that you upgrade your libxcb packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeN9EACgkQXm3vHE4uylr53gCeMXQ0/KXlRqLQ5Xw4bvtkHa8d
ce4AnjyUYH34VDTIq56rV5CVhOkLU+U8
=ucCl
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2687-1] libfs security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2687-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libfs
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1996

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2:1.0.2-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.0.4-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.0.4-1+deb7u1.

We recommend that you upgrade your libfs packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeOBwACgkQXm3vHE4uylo0wwCeKo/LPrrrtxViPOdaHlylBl6W
5PwAnjikx0jhWFqwf/h8sFkhbS14ewyx
=UdYB
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2688-1] libxres security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2688-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxres
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1988

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2:1.0.4-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.0.6-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.0.6-1+deb7u1.

We recommend that you upgrade your libxres packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeOI4ACgkQXm3vHE4uylrwnACfaX+RwOPjFkir3+zBx3EePjiE
6TUAnjP/4FDp6iM2VX38Yed19xBFA4GV
=RayP
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2689-1] libxtst security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2689-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxtst
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2063

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2:1.1.0-3+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.2.1-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.2.1-1+deb7u1.

We recommend that you upgrade your libxtst packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeON8ACgkQXm3vHE4uylp8tQCgz9rbJY7bp51pFHYM0xr0f7/f
bMUAoMCn8dSk/F7IQ+3dbVMxVFBkIwEw
=ee0F
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2676-1] libxfixes security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2676-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxfixes
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1983

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 4.0.5-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1:5.0-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:5.0-4+deb7u1.

We recommend that you upgrade your libxfixes packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNGgACgkQXm3vHE4uylorbACfbKyJ+5tuvzMDW5LOK7C/0Lis
V2gAoLMvptDOSkBeG8UalxWLhzVZAMnq
=xHEW
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2675-1] libxvmc security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2675-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxvmc
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1990 CVE-2013-1999

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed
in version 2:1.0.5-1+squeeze1.

For the stable distribution (wheezy), these problems have been fixed in
version 2:1.0.7-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 2:1.0.7-1+deb7u1.

We recommend that you upgrade your libxvmc packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNB0ACgkQXm3vHE4uylpi6gCgxvPOGpUp2C1WzBaTKmYo2llz
MLoAoKdsBUkUM1qMKN9lyMqFo/L/ZjRo
=C2hN
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2674-1] libxv security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2674-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxv
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1989 CVE-2013-2066

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed
in version 2:1.0.5-1+squeeze1.

For the stable distribution (wheezy), these problems have been fixed in
version 2:1.0.7-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 2:1.0.7-1+deb7u1.

We recommend that you upgrade your libxv packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeM8oACgkQXm3vHE4uylo6EQCfdm8PIgsn9oCKoeT5BQZCxDHW
tnEAoKrkpGMgI3p2cciWIj3E5V9XQf5j
=9LEf
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2673-1] libdmx security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2673-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libdmx
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1992

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:1.1.0-2+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1.1.2-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.2-1+deb7u1.

We recommend that you upgrade your libdmx packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeM1UACgkQXm3vHE4uylpQPgCeO0wyNY7OIfaZAftZgG9SVMFX
0oIAnRjZAaERaUGkQ4GYeR4TI665E0Yp
=WBmW
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2690-1] libxxf86dga security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2690-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxxf86dga
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1991 CVE-2013-2000

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed
in version 2:1.1.1-2+squeeze1.

For the stable distribution (wheezy), these problems have been fixed in
version 2:1.1.3-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 2:1.1.3-2+deb7u1.

We recommend that you upgrade your libxxf86dga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeOl8ACgkQXm3vHE4uylpDKACdHWUKZzMN3YOgJDpYenbeLOyd
UVsAn3mwxkngZVFHuMoEFoifrTn87IHU
=exJE
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2691-1] libxinerama security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2691-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxinerama
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1985

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.1-3+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1.1.2-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.2-1+deb7u1.

We recommend that you upgrade your libxinerama packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeOpQACgkQXm3vHE4uylrHtQCeNA0Icopuu81Z0jp7MsGGjBY3
YWEAniQIJ+AOY+qt7d8UHcXA55WUpQ0C
=ApP3
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2692-1] libxxf86vm security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2692-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxxf86vm
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2001

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem will be fixed
soon in version 1:1.1.0-2+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1:1.1.2-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.1.2-1+deb7u1.

We recommend that you upgrade your libxxf86vm packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeOvAACgkQXm3vHE4uylr6EgCffVfHl2qmCgS8tN5JmlF54cnE
9xgAoO0I9C9vPBeJ6vSl4qr/zQu9lGYg
=N55T
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2667-1] mysql-5.5 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2667-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 12, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mysql-5.5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1502 CVE-2013-1511 CVE-2013-1532 CVE-2013-1544
                 CVE-2013-2375 CVE-2013-2376 CVE-2013-2389 CVE-2013-2391
                 CVE-2013-2392

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to a new upstream
version, 5.5.31, which includes additional changes, such as performance
improvements and corrections for data loss defects.

For the stable distribution (wheezy), these problems have been fixed in
version 5.5.31+dfsg-0+wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 5.5.31+dfsg-1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGP7fUACgkQXm3vHE4uylqlywCfbAjmgJeD8bHXIVIkvMBEKlcb
aiMAnj4Jqmct6e52m72Q3jiEGDl6qrIS
=orFh
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2655-1] rails security update
Debian Security Advisory DSA-2655-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 28, 2013                         http://www.debian.org/security/faq

Package        : rails
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-2932 CVE-2012-3464 CVE-2012-3465 CVE-2013-1854
                 CVE-2013-1855 CVE-2013-1857

Several cross-site-scripting and denial of service vulnerabilities were
discovered in Ruby on Rails, a Ruby framework for web application
development.

For the stable distribution (squeeze), these problems have been fixed in
version 2.3.5-1.2+squeeze8.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in the version 3.2.6-5 of
ruby-activerecord-3.2, version 2.3.14-6 of ruby-activerecord-2.3,
version 2.3.14-7 of ruby-activesupport-2.3, version 3.2.6-6 of
ruby-actionpack-3.2 and in version 2.3.14-5 of ruby-actionpack-2.3.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2647-1] firebird2.1 security update
Debian Security Advisory DSA-2647-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 15, 2013                         http://www.debian.org/security/faq

Package        : firebird2.1
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2492
Debian Bug     : 702735

A buffer overflow was discovered in the Firebird database server, which
could result in the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.1.3.18185-0.ds1-11+squeeze1.

For the testing distribution (wheezy), firebird2.1 will be removed in
favour of firebird2.5.

For the unstable distribution (sid), firebird2.1 will be removed in
favour of firebird2.5.

We recommend that you upgrade your firebird2.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2648-1] firebird2.5 security update
Debian Security Advisory DSA-2648-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 15, 2013                         http://www.debian.org/security/faq

Package        : firebird2.5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-5529 CVE-2013-2492

A buffer overflow was discovered in the Firebird database server, which
could result in the execution of arbitrary code. In addition, a denial
of service vulnerability was discovered in the TraceManager.

For the stable distribution (squeeze), these problems have been fixed in
version 2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your firebird2.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2644-1] wireshark security update
Debian Security Advisory DSA-2644-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 14, 2013                         http://www.debian.org/security/faq

Package        : wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2478 CVE-2013-2480 CVE-2013-2481 CVE-2013-2483
                 CVE-2013-2484 CVE-2013-2488

Multiple vulnerabilities were discovered in the dissectors for the
MS-MMS, RTPS, RTPS2, Mount, ACN, CIMD and DTLS protocols, which could
result in denial of service or the execution of arbitrary code.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.11-6+squeeze10.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.2-5.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2638-1] openafs security update
Debian Security Advisory DSA-2638-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 04, 2013                         http://www.debian.org/security/faq

Package        : openafs
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1794 CVE-2013-1795

Multiple buffer overflows were discovered in OpenAFS, the implementation
of the distributed filesystem AFS, which might result in denial of
service or the execution of arbitrary code. Further information is
available at http://www.openafs.org/security.

For the stable distribution (squeeze), this problem has been fixed in
version 1.4.12.1+dfsg-4+squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 1.6.1-3.

We recommend that you upgrade your openafs packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2636-2] xen regression update
Debian Security Advisory DSA-2636-2                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 03, 2013                         http://www.debian.org/security/faq

Package        : xen
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4544 CVE-2012-5511 CVE-2012-5634 CVE-2013-0153

A regression in combination with pygrub has been discovered.

For the stable distribution (squeeze), these problems have been fixed in
version 4.0.1-5.8.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2636-1] xen security update
Debian Security Advisory DSA-2636-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 01, 2013                         http://www.debian.org/security/faq

Package        : xen
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4544 CVE-2012-5511 CVE-2012-5634 CVE-2013-0153
Debian Bug     :

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2012-4544

    Insufficient validation of kernel or ramdisk sizes in the Xen PV
    domain builder could result in denial of service.

CVE-2012-5511

    Several HVM control operations performed insufficient validation of
    input, which could result in denial of service through resource
    exhaustion.

CVE-2012-5634

    Incorrect interrupt handling when using VT-d hardware could result
    in denial of service.

CVE-2013-0153

    Insufficient restriction of interrupt access could result in denial
    of service.

For the stable distribution (squeeze), these problems have been fixed in
version 4.0.1-5.7.

For the testing distribution (wheezy), these problems have been fixed in
version 4.1.4-2.

For the unstable distribution (sid), these problems have been fixed in
version 4.1.4-2.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2628-1] nss-pam-ldapd security update
Debian Security Advisory DSA-2628-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 18, 2013                      http://www.debian.org/security/faq

Package        : nss-pam-ldapd
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2013-0288
Debian Bug     : 690319

Garth Mollett discovered that a file descriptor overflow issue in the
use of FD_SET() in nss-pam-ldapd, which provides NSS and PAM modules for
using LDAP as a naming service, can lead to a stack-based buffer
overflow. An attacker could, under some circumstances, use this flaw to
cause a process that has the NSS or PAM module loaded to crash or
potentially execute arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 0.7.15+squeeze3.

For the testing distribution (wheezy), this problem has been fixed in
version 0.8.10-3.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.10-3.

We recommend that you upgrade your nss-pam-ldapd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2624-1] ffmpeg security update
Debian Security Advisory DSA-2624-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 16, 2013                      http://www.debian.org/security/faq

Package        : ffmpeg
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0858 CVE-2012-2777 CVE-2012-2783 CVE-2012-2784
                 CVE-2012-2788 CVE-2012-2801 CVE-2012-2803

Several vulnerabilities have been discovered in FFmpeg, a multimedia
player, server and encoder. Multiple input validations in the
decoders/demuxers for Shorten, Chinese AVS video, VP5, VP6, AVI, AVS and
MPEG-1/2 files could lead to the execution of arbitrary code. Most of
these issues were discovered by Mateusz Jurczyk and Gynvael Coldwind.

For the stable distribution (squeeze), these problems have been fixed in
version 4:0.5.10-1.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 6:0.8.5-1 of the source
package libav.

We recommend that you upgrade your ffmpeg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2625-1] wireshark security update
Debian Security Advisory DSA-2625-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 17, 2013                      http://www.debian.org/security/faq

Package        : wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1582 CVE-2013-1586 CVE-2013-1588 CVE-2013-1590

Multiple vulnerabilities were discovered in the dissectors for the CLNP,
DTLS, DCP-ETSI and NTLMSSP protocols, which could result in denial of
service or the execution of arbitrary code.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.11-6+squeeze9.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2619-1] xen-qemu-dm-4.0 security update
Debian Security Advisory DSA-2619-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 10, 2013                      http://www.debian.org/security/faq

Package        : xen-qemu-dm-4.0
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-6075

A buffer overflow was found in the e1000e emulation, which could be
triggered when processing jumbo frames.

For the stable distribution (squeeze), this problem has been fixed in
version 4.0.1-2+squeeze3.

For the unstable distribution (sid), this problem has been fixed in
version 4.1.3-8 of the xen source package.

We recommend that you upgrade your xen-qemu-dm-4.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2612-2] ircd-ratbox update
Debian Security Advisory DSA-2612-2                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 10, 2013                      http://www.debian.org/security/faq

Package        : ircd-ratbox
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-6084

This update to the previous ircd-ratbox DSA only raises the version
number to ensure that a higher version is used than a previous binNMU
on some architectures.

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.6.dfsg-2+squeeze1.

We recommend that you upgrade your ircd-ratbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2612-1] ircd-ratbox security update
Debian Security Advisory DSA-2612-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
January 24, 2013                       http://www.debian.org/security/faq

Package        : ircd-ratbox
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-6084

It was discovered that a bug in the server capability negotiation code
of ircd-ratbox could result in denial of service.

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.6.dfsg-2squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 3.0.7.dfsg-3.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.7.dfsg-3.

We recommend that you upgrade your ircd-ratbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2603-1] emacs23 security update
Debian Security Advisory DSA-2603-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
January 09, 2013                       http://www.debian.org/security/faq

Package        : emacs23
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2012-3479

Paul Ling discovered that Emacs insufficiently restricted the evaluation
of Lisp code if enable-local-variables is set to safe.

For the stable distribution (squeeze), this problem has been fixed in
version 23.2+1-7+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 23.4+1-4.

For the unstable distribution (sid), this problem has been fixed in
version 23.4+1-4.

We recommend that you upgrade your emacs23 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2598-1] weechat security update
Debian Security Advisory DSA-2598-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
January 05, 2013                       http://www.debian.org/security/faq

Package        : weechat
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1428 CVE-2012-5534

Two security issues have been discovered in Weechat, a fast, light and
extensible chat client:

CVE-2011-1428

    X.509 certificates were incorrectly validated.

CVE-2012-5534

    The hook_process function in the plugin API allowed the execution
    of arbitrary shell commands.

For the stable distribution (squeeze), these problems have been fixed in
version 0.3.2-1+squeeze1.

For the testing distribution (wheezy), these problems have been fixed in
version 0.3.8-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 0.3.9.2-1.

We recommend that you upgrade your weechat packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2594-1] virtualbox-ose security update
Debian Security Advisory DSA-2594-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 30, 2012                      http://www.debian.org/security/faq

Package        : virtualbox-ose
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-3221

halfdog discovered that incorrect interrupt handling in Virtualbox, an
x86 virtualization solution, can lead to denial of service.

For the stable distribution (squeeze), this problem has been fixed in
version 3.2.10-dfsg-1+squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 4.1.18-dfsg-1.1 of the
virtualbox source package.

We recommend that you upgrade your virtualbox-ose packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2595-1] ghostscript security update
Debian Security Advisory DSA-2595-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 30, 2012                      http://www.debian.org/security/faq

Package        : ghostscript
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4405

Marc Schoenefeld discovered that an integer overflow in the ICC parsing
code of Ghostscript can lead to the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 8.71~dfsg2-9+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 9.05~dfsg-6.1.

For the unstable distribution (sid), this problem has been fixed in
version 9.05~dfsg-6.1.

We recommend that you upgrade your ghostscript packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2593-1] moin security update
Debian Security Advisory DSA-2593-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 29, 2012                      http://www.debian.org/security/faq

Package        : moin
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : not available yet

It was discovered that missing input validation in the twikidraw and
anywikidraw actions can result in the execution of arbitrary code. This
security issue is being actively exploited.

This update also addresses path traversal in AttachFile.

For the stable distribution (squeeze), this problem has been fixed in
version 1.9.3-1+squeeze4.

For the unstable distribution (sid), this problem has been fixed in
version 1.9.5-4.

We recommend that you upgrade your moin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2591-1] mahara security update
Debian Security Advisory DSA-2591-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 27, 2012                      http://www.debian.org/security/faq

Package        : mahara
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2239 CVE-2012-2243 CVE-2012-2244 CVE-2012-2246
                 CVE-2012-2247 CVE-2012-2253 CVE-2012-6037

Multiple security issues have been found in Mahara, an electronic
portfolio, weblog, and resume builder, which can result in cross-site
scripting, clickjacking or arbitrary file execution.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.6-2+squeeze6.

For the unstable distribution (sid), these problems have been fixed in
version 1.5.1-3.1.

We recommend that you upgrade your mahara packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2592-1] elinks security update
Debian Security Advisory DSA-2592-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 28, 2012                      http://www.debian.org/security/faq

Package        : elinks
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4545

Marko Myllynen discovered that elinks, a powerful text-mode browser,
incorrectly delegates user credentials during GSS-Negotiate.

For the stable distribution (squeeze), this problem has been fixed in
version 0.12~pre5-2+squeeze1. Since the initial Squeeze release Xulrunner
needed to be updated and the version currently in the archive is
incompatible with Elinks. As such, Javascript support needed to be
disabled (only a small subset of typical functionality was supported
anyway). It will likely be re-enabled in a later point update.

For the testing distribution (wheezy), this problem has been fixed in
version 0.12~pre5-9.

For the unstable distribution (sid), this problem has been fixed in
version 0.12~pre5-9.

We recommend that you upgrade your elinks packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2590-1] wireshark security update
Debian Security Advisory DSA-2590-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 26, 2012                      http://www.debian.org/security/faq

Package        : wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4048 CVE-2012-4296

Bjorn Mork and Laurent Butti discovered crashes in the PPP and RTPS2
dissectors, which could potentially result in the execution of arbitrary
code.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.11-6+squeeze8.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.2-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2580-1] libxml security update
Debian Security Advisory DSA-2580-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 02, 2012                      http://www.debian.org/security/faq

Package        : libxml2
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2012-5134

Jueri Aedla discovered a buffer overflow in the libxml XML library,
which could result in the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze6.

For the unstable distribution (sid), this problem has been fixed in
version 2.8.0+dfsg1-7.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SECURITY] [DSA 2561-1] tiff security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2561-1                   secur...@debian.org
http://www.debian.org/security/                           Moritz Muehlenhoff
October 21, 2012                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2012-4447

It was discovered that a buffer overflow in libtiff's parsing of files
using PixarLog compression could lead to the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 3.9.4-5+squeeze6.

For the testing distribution (wheezy) and the unstable distribution (sid),
this problem has been fixed in version 3.9.6-9 of the tiff3 source package
and in version 4.0.2-4 of the tiff source package.

We recommend that you upgrade your tiff packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlCEHHIACgkQXm3vHE4uylrbNgCgj1z+KMxqNBioKct5cwa7qD6S
P2IAnjjisFo2oDGBS3cH4IECT7CVYxOd
=4Wjs
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2555-1] libxslt security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2555-1                   secur...@debian.org
http://www.debian.org/security/                           Moritz Muehlenhoff
October 05, 2012                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxslt
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2870 CVE-2012-2871 CVE-2012-2893

Nicholas Gregoire and Cris Neckar discovered several memory handling bugs
in libxslt, which could lead to denial of service or the execution of
arbitrary code if a malformed document is processed.

For the stable distribution (squeeze), these problems have been fixed in
version 1.1.26-6+squeeze2.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.26-14.

We recommend that you upgrade your libxslt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBvDikACgkQXm3vHE4uylqyxQCgoDea5HoIMlTGsyY7j0lSTC41
6goAn3A9XemdHAAH63KnAXeLJq8xfqvJ
=5h/g
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2550-2] asterisk regression update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2550-2                   secur...@debian.org
http://www.debian.org/security/                           Moritz Muehlenhoff
September 26, 2012                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2186 CVE-2012-3812 CVE-2012-3863 CVE-2012-4737

A regression in the SIP handling code was found in DSA-2550-1.

For the stable distribution (squeeze), this problem has been fixed in
version 1:1.6.2.9-2+squeeze8.

We recommend that you upgrade your asterisk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBjJnEACgkQXm3vHE4uylqJsACgoeA/kky6st0av/TqkZFL2ZZh
90YAnAmz1yk9Q8gtRi6vipubwJiY2a/V
=+kqj
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2553-1] iceweasel security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2553-1                   secur...@debian.org
http://www.debian.org/security/                           Moritz Muehlenhoff
September 24, 2012                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-1970 CVE-2012-1972 CVE-2012-1973 CVE-2012-1974
                 CVE-2012-1975 CVE-2012-1976 CVE-2012-3959 CVE-2012-3962
                 CVE-2012-3969 CVE-2012-3972 CVE-2012-3978

Several vulnerabilities have been discovered in Iceweasel, a web browser
based on Firefox. The included XULRunner library provides rendering
services for several other applications included in Debian.

The reported vulnerabilities could lead to the execution of arbitrary code
or the bypass of content-loading restrictions via the location object.

For the stable distribution (squeeze), these problems have been fixed in
version 3.5.16-18.

For the testing distribution (wheezy), these problems have been fixed in
version 10.0.7esr-2.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.7esr-2.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBglasACgkQXm3vHE4uyloMjwCcDXD8phU6TcMl7mr924seM/CO
8RYAn0HEKhLsKierDXDn+ErNLzv+u6sp
=AIOu
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2550-1] asterisk security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2550-1                   secur...@debian.org
http://www.debian.org/security/                           Moritz Muehlenhoff
September 18, 2012                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2186 CVE-2012-3812 CVE-2012-3863 CVE-2012-4737

Several vulnerabilities were discovered in Asterisk, a PBX and telephony
toolkit, allowing privilege escalation in the Asterisk Manager, denial of
service or privilege escalation.

More detailed information can be found in the Asterisk advisories:

http://downloads.asterisk.org/pub/security/AST-2012-010.html
http://downloads.asterisk.org/pub/security/AST-2012-011.html
http://downloads.asterisk.org/pub/security/AST-2012-012.html
http://downloads.asterisk.org/pub/security/AST-2012-013.html

For the stable distribution (squeeze), these problems have been fixed in
version 1:1.6.2.9-2+squeeze7.

For the testing distribution (wheezy) and the unstable distribution (sid),
these problems have been fixed in version 1:1.8.13.1~dfsg-1.

We recommend that you upgrade your asterisk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBYrLoACgkQXm3vHE4uylqDBgCfTQnp2Z1XZSgJkg1L84SDPnjK
muwAoOINdMCYMfcEc8spGQ7wrCWPKGaR
=FRM+
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2548-1] tor security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2548-1                   secur...@debian.org
http://www.debian.org/security/                           Moritz Muehlenhoff
September 13, 2012                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-3518 CVE-2012-3519 CVE-2012-4419

Several vulnerabilities have been discovered in Tor, an online privacy
tool.

CVE-2012-3518

   Avoid an uninitialised memory read when reading a vote or consensus
   document that has an unrecognized flavour name. This could lead to a
   remote, resulting in denial of service.

CVE-2012-3519

   Try to leak less information about what relays a client is choosing
   to a side-channel attacker.

CVE-2012-4419

   By providing specially crafted date strings to a victim tor instance,
   an attacker can cause it to run into an assertion and shut down.

Additionally the update to stable includes the following fixes:

  - When waiting for a client to renegotiate, don't allow it to add any
    bytes to the input buffer. This fixes a potential DoS issue
    [tor-5934, tor-6007].

For the stable distribution (squeeze), these problems have been fixed in
version 0.2.2.39-1.

For the unstable distribution, these problems have been fixed in
version 0.2.3.22-rc-1.

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBSMjQACgkQXm3vHE4uylq6wgCggMNGWPFQe8JxitNIDSJ7rxS9
87MAn0Z3TVgrowBSSb7iouq9E3Ty9ozG
=zQL+
-----END PGP SIGNATURE-----