[Full-disclosure] [SECURITY] [DSA 2880-1] python2.7 security update

2014-03-17 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2880-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
March 17, 2014 http://www.debian.org/security/faq
- -

Package: python2.7
CVE ID : CVE-2013-4238 CVE-2014-1912

Multiple security issues were discovered in Python:

CVE-2013-4238

Ryan Sleevi discovered that NULL characters in the subject alternate names of
SSL certificates were parsed incorrectly.

CVE-2014-1912

Ryan Smith-Roberts discovered a buffer overflow in the 
socket.recvfrom_into() function.

For the stable distribution (wheezy), these problems have been fixed in
version 2.7.3-6+deb7u2.

For the unstable distribution (sid), these problems have been fixed in
version 2.7.6-7.

We recommend that you upgrade your python2.7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
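A defensive counterpart to the CVE-2013-4238 bug class, added here as an example (not Debian's or CPython's code): hostname matching that always compares the whole subjectAltName string, so an embedded NUL byte can never make a smuggled name match. The certificate dicts are constructed in the shape that ssl.getpeercert() returns, so the block runs offline.

```python
"""Strict subjectAltName hostname matching (added example; not code from
Debian or CPython).  The certificate dicts at the bottom are constructed in
the shape that ssl.SSLSocket.getpeercert() returns, so this runs offline."""


class CertificateError(ValueError):
    """Raised when a certificate does not match the expected hostname."""


def _dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against hostname, RFC 6125 style.

    The comparison always covers the whole string.  A parser built on
    C-style NUL-terminated strings stops at an embedded NUL and would see
    only 'www.example.com' in 'www.example.com<NUL>.attacker.invalid'; that
    is the bug class behind CVE-2013-4238, so such names are rejected.
    """
    if "\x00" in pattern or "\x00" in hostname:
        return False
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    labels = pattern.split(".")
    host_labels = hostname.split(".")
    if "*" not in pattern:
        return labels == host_labels
    # Accept only a single wildcard that is the complete leftmost label and
    # leaves at least two fixed labels ("*.example.com", never "*.com").
    if (labels[0] != "*" or len(labels) < 3
            or any("*" in label for label in labels[1:])):
        return False
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise CertificateError unless hostname matches a dNSName in cert's
    subjectAltName (or, only when there is no dNSName, the subject CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    if not names:
        raise CertificateError("certificate carries no host names")
    if not any(_dnsname_matches(name, hostname) for name in names):
        raise CertificateError(
            "hostname %r does not match %r" % (hostname, names))


def accepts(cert: dict, hostname: str) -> bool:
    """Boolean wrapper around match_hostname for checks and tests."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


# Constructed sample certificates (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
NUL_CERT = {  # how a NUL-smuggling certificate looks once fully parsed
    "subject": ((("commonName", "www.example.com\x00.attacker.invalid"),),),
    "subjectAltName": (("DNS", "www.example.com\x00.attacker.invalid"),),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for cert, host in [(GOOD_CERT, "www.example.com"),
                       (NUL_CERT, "www.example.com"),
                       (WILDCARD_CERT, "api.example.com"),
                       (WILDCARD_CERT, "deep.api.example.com")]:
        verdict = "accepted" if accepts(cert, host) else "rejected"
        print("%-40r %s" % (host, verdict))
```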


[Full-disclosure] [SECURITY] [DSA 2878-1] virtualbox security update

2014-03-13 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2878-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
March 13, 2014 http://www.debian.org/security/faq
- -

Package: virtualbox
CVE ID : CVE-2013-5892 CVE-2014-0404 CVE-2014-0406 CVE-2014-0407
Debian Bug : 735410

Matthew Daley discovered multiple vulnerabilities in VirtualBox, an x86
virtualisation solution, resulting in denial of service, privilege
escalation and an information leak.

For the oldstable distribution (squeeze), these problems have been fixed in
version 3.2.10-dfsg-1+squeeze2 of the virtualbox-ose source package.

For the stable distribution (wheezy), these problems have been fixed in
version 4.1.18-dfsg-2+deb7u2.

For the testing distribution (jessie), these problems have been fixed in
version 4.3.6-dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.3.6-dfsg-1.

We recommend that you upgrade your virtualbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2874-1] mutt security update

2014-03-12 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2874-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
March 12, 2014 http://www.debian.org/security/faq
- -

Package: mutt
CVE ID : CVE-2014-0467
Debian Bug : 708731

Beatrice Torracca and Evgeni Golov discovered a buffer overflow in the
mutt mailreader. Malformed RFC2047 header lines could result in denial
of service or potentially the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.5.20-9+squeeze3.

For the stable distribution (wheezy), this problem has been fixed in
version 1.5.21-6.2+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 1.5.22-2.

We recommend that you upgrade your mutt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2875-1] cups-filters security update

2014-03-12 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2875-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
March 12, 2014 http://www.debian.org/security/faq
- -

Package: cups-filters
CVE ID : CVE-2013-6474 CVE-2013-6475 CVE-2013-6476

Florian Weimer of the Red Hat Product Security Team discovered multiple
vulnerabilities in the pdftoopvp CUPS filter, which could result in the
execution of arbitrary code if a malformed PDF file is processed.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.18-2.1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.47-1.

We recommend that you upgrade your cups-filters packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2876-1] cups security update

2014-03-12 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2876-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
March 12, 2014 http://www.debian.org/security/faq
- -

Package: cups
CVE ID : CVE-2013-6474 CVE-2013-6475 CVE-2013-6476

Florian Weimer of the Red Hat Product Security Team discovered multiple
vulnerabilities in the pdftoopvp CUPS filter, which could result in the
execution of arbitrary code if a malformed PDF file is processed.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.4.4-7+squeeze4.

For the stable distribution (wheezy) and the unstable distribution (sid)
the filter is now part of the cups-filters source package.

We recommend that you upgrade your cups packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2871-1] wireshark security update

2014-03-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2871-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
March 10, 2014 http://www.debian.org/security/faq
- -

Package: wireshark
CVE ID : CVE-2014-2281 CVE-2014-2283 CVE-2014-2299

Multiple vulnerabilities were discovered in Wireshark:

CVE-2014-2281

Moshe Kaplan discovered that the NFS dissector could be crashed,
resulting in denial of service.

CVE-2014-2283

It was discovered that the RLC dissector could be crashed, resulting 
in denial of service.

CVE-2014-2299

Wesley Neelen discovered a buffer overflow in the MPEG file parser,
which could lead to the execution of arbitrary code.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.2.11-6+squeeze14.

For the stable distribution (wheezy), these problems have been fixed in
version 1.8.2-5wheezy10.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.6-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2872-1] udisks security update

2014-03-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2872-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
March 10, 2014 http://www.debian.org/security/faq
- -

Package: udisks
CVE ID : CVE-2014-0004

Florian Weimer discovered a buffer overflow in udisks's mount path 
parsing code which may result in privilege escalation.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.0.1+git20100614-3squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1.0.4-7wheezy1.

For the unstable distribution (sid), this problem has been fixed in
version 1.0.5-1.

We recommend that you upgrade your udisks packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2864-1] postgresql-8.4 security update

2014-02-20 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2864-1   secur...@debian.org
http://www.debian.org/security/   Christoph Berg
February 20, 2014  http://www.debian.org/security/faq
- -

Package: postgresql-8.4
Vulnerability  : several
CVE ID : CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 
 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067

Various vulnerabilities were discovered in PostgreSQL:

 * Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

   Granting a role without ADMIN OPTION is supposed to prevent the grantee
   from adding or removing members from the granted role, but this
   restriction was easily bypassed by doing SET ROLE first. The security
   impact is mostly that a role member can revoke the access of others,
   contrary to the wishes of his grantor. Unapproved role member additions
   are a lesser concern, since an uncooperative role member could provide
   most of his rights to others anyway by creating views or SECURITY
   DEFINER functions. (CVE-2014-0060)

 * Prevent privilege escalation via manual calls to PL validator functions
   (Andres Freund)

   The primary role of PL validator functions is to be called implicitly
   during CREATE FUNCTION, but they are also normal SQL functions that a
   user can call explicitly. Calling a validator on a function actually
   written in some other language was not checked for and could be
   exploited for privilege-escalation purposes. The fix involves adding a
   call to a privilege-checking function in each validator function.
   Non-core procedural languages will also need to make this change to
   their own validator functions, if any. (CVE-2014-0061)

 * Avoid multiple name lookups during table and index DDL (Robert Haas,
   Andres Freund)

   If the name lookups come to different conclusions due to concurrent
   activity, we might perform some parts of the DDL on a different table
   than other parts. At least in the case of CREATE INDEX, this can be used
   to cause the permissions checks to be performed against a different
   table than the index creation, allowing for a privilege escalation
   attack. (CVE-2014-0062)

 * Prevent buffer overrun with long datetime strings (Noah Misch)

   The MAXDATELEN constant was too small for the longest possible value of
   type interval, allowing a buffer overrun in interval_out(). Although the
   datetime input functions were more careful about avoiding buffer
   overrun, the limit was short enough to cause them to reject some valid
   inputs, such as input containing a very long timezone name. The ecpg
   library contained these vulnerabilities along with some of its own.
   (CVE-2014-0063)

 * Prevent buffer overrun due to integer overflow in size calculations
   (Noah Misch, Heikki Linnakangas)

   Several functions, mostly type input functions, calculated an allocation
   size without checking for overflow. If overflow did occur, a too-small
   buffer would be allocated and then written past. (CVE-2014-0064)

 * Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

   Use strlcpy() and related functions to provide a clear guarantee that
   fixed-size buffers are not overrun. Unlike the preceding items, it is
   unclear whether these cases really represent live issues, since in most
   cases there appear to be previous constraints on the size of the input
   string. Nonetheless it seems prudent to silence all Coverity warnings of
   this type. (CVE-2014-0065)

 * Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

   There are relatively few scenarios in which crypt() could return NULL,
   but contrib/chkpass would crash if it did. One practical case in which
   this could be an issue is if libc is configured to refuse to execute
   unapproved hashing algorithms (e.g., FIPS mode). (CVE-2014-0066)

 * Document risks of make check in the regression testing instructions
   (Noah Misch, Tom Lane)

   Since the temporary server started by make check uses trust
   authentication, another user on the same machine could connect to it as
   database superuser, and then potentially exploit the privileges of the
   operating-system user who started the tests. A future release will
   probably incorporate changes in the testing procedure to prevent this
   risk, but some public discussion is needed first. So for the moment,
   just warn people against using make check when there are untrusted users
   on the same machine. (CVE-2014-0067)

For the oldstable distribution (squeeze), these problems have been fixed in
version 8.4.20-0squeeze1.

For the unstable distribution (sid), these problems have been fixed in
version 9.3.3-1 of the postgresql-9.3 package.

We recommend that 

[Full-disclosure] [SECURITY] [DSA 2865-1] postgresql-9.1 security update

2014-02-20 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2865-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
February 20, 2014  http://www.debian.org/security/faq
- -

Package: postgresql-9.1
Vulnerability  : several
CVE ID : CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 
 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067

Various vulnerabilities were discovered in PostgreSQL:

 * Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

   Granting a role without ADMIN OPTION is supposed to prevent the grantee
   from adding or removing members from the granted role, but this
   restriction was easily bypassed by doing SET ROLE first. The security
   impact is mostly that a role member can revoke the access of others,
   contrary to the wishes of his grantor. Unapproved role member additions
   are a lesser concern, since an uncooperative role member could provide
   most of his rights to others anyway by creating views or SECURITY
   DEFINER functions. (CVE-2014-0060)

 * Prevent privilege escalation via manual calls to PL validator functions
   (Andres Freund)

   The primary role of PL validator functions is to be called implicitly
   during CREATE FUNCTION, but they are also normal SQL functions that a
   user can call explicitly. Calling a validator on a function actually
   written in some other language was not checked for and could be
   exploited for privilege-escalation purposes. The fix involves adding a
   call to a privilege-checking function in each validator function.
   Non-core procedural languages will also need to make this change to
   their own validator functions, if any. (CVE-2014-0061)

 * Avoid multiple name lookups during table and index DDL (Robert Haas,
   Andres Freund)

   If the name lookups come to different conclusions due to concurrent
   activity, we might perform some parts of the DDL on a different table
   than other parts. At least in the case of CREATE INDEX, this can be used
   to cause the permissions checks to be performed against a different
   table than the index creation, allowing for a privilege escalation
   attack. (CVE-2014-0062)

 * Prevent buffer overrun with long datetime strings (Noah Misch)

   The MAXDATELEN constant was too small for the longest possible value of
   type interval, allowing a buffer overrun in interval_out(). Although the
   datetime input functions were more careful about avoiding buffer
   overrun, the limit was short enough to cause them to reject some valid
   inputs, such as input containing a very long timezone name. The ecpg
   library contained these vulnerabilities along with some of its own.
   (CVE-2014-0063)

 * Prevent buffer overrun due to integer overflow in size calculations
   (Noah Misch, Heikki Linnakangas)

   Several functions, mostly type input functions, calculated an allocation
   size without checking for overflow. If overflow did occur, a too-small
   buffer would be allocated and then written past. (CVE-2014-0064)

 * Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

   Use strlcpy() and related functions to provide a clear guarantee that
   fixed-size buffers are not overrun. Unlike the preceding items, it is
   unclear whether these cases really represent live issues, since in most
   cases there appear to be previous constraints on the size of the input
   string. Nonetheless it seems prudent to silence all Coverity warnings of
   this type. (CVE-2014-0065)

 * Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

   There are relatively few scenarios in which crypt() could return NULL,
   but contrib/chkpass would crash if it did. One practical case in which
   this could be an issue is if libc is configured to refuse to execute
   unapproved hashing algorithms (e.g., FIPS mode). (CVE-2014-0066)

 * Document risks of make check in the regression testing instructions
   (Noah Misch, Tom Lane)

   Since the temporary server started by make check uses trust
   authentication, another user on the same machine could connect to it as
   database superuser, and then potentially exploit the privileges of the
   operating-system user who started the tests. A future release will
   probably incorporate changes in the testing procedure to prevent this
   risk, but some public discussion is needed first. So for the moment,
   just warn people against using make check when there are untrusted users
   on the same machine. (CVE-2014-0067)

For the stable distribution (wheezy), these problems have been fixed in
version 9.1_9.1.12-0wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 9.3.3-1 of the postgresql-9.3 package.

We recommend

[Full-disclosure] [SECURITY] [DSA 2858-1] iceweasel security update

2014-02-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2858-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
February 10, 2014  http://www.debian.org/security/faq
- -

Package: iceweasel
Vulnerability  : several
CVE ID : CVE-2014-1477 CVE-2014-1479 CVE-2014-1481 CVE-2014-1482 
 CVE-2014-1486 CVE-2014-1487 CVE-2014-1490 CVE-2014-1491

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors, 
use-after-frees, too-verbose error messages and missing permission checks
may lead to the execution of arbitrary code, the bypass of security 
checks or information disclosure. This update also addresses security 
issues in the bundled version of the NSS crypto library.

This update updates Iceweasel to the ESR24 series of Firefox.

For the stable distribution (wheezy), these problems have been fixed in
version 24.3.0esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 24.3.0esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2859-1] pidgin security update

2014-02-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2859-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
February 10, 2014  http://www.debian.org/security/faq
- -

Package: pidgin
Vulnerability  : several
CVE ID : CVE-2013-6477 CVE-2013-6478 CVE-2013-6479 CVE-2013-6481 
 CVE-2013-6482 CVE-2013-6483 CVE-2013-6484 CVE-2013-6485 
 CVE-2013-6487 CVE-2013-6489 CVE-2013-6490 CVE-2014-0020

Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol
instant messaging client:

CVE-2013-6477

Jaime Breva Ribes discovered that a remote XMPP user can trigger a 
crash by sending a message with a timestamp in the distant future.

CVE-2013-6478

Pidgin could be crashed through overly wide tooltip windows.

CVE-2013-6479

Jacob Appelbaum discovered that a malicious server or a man in the 
middle could send a malformed HTTP header resulting in denial of
service.

CVE-2013-6481

Daniel Atallah discovered that Pidgin could be crashed through 
malformed Yahoo! P2P messages.

CVE-2013-6482

Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
could be crashed through malformed MSN messages.

CVE-2013-6483

Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
could be crashed through malformed XMPP messages.

CVE-2013-6484

It was discovered that incorrect error handling when reading the 
response from a STUN server could result in a crash.

CVE-2013-6485

Matt Jones discovered a buffer overflow in the parsing of malformed
HTTP responses.

CVE-2013-6487

Yves Younan and Ryan Pentney discovered a buffer overflow when parsing
Gadu-Gadu messages.

CVE-2013-6489

Yves Younan and Pawel Janic discovered an integer overflow when parsing
MXit emoticons.

CVE-2013-6490

Yves Younan discovered a buffer overflow when parsing SIMPLE headers.

CVE-2014-0020

Daniel Atallah discovered that Pidgin could be crashed via malformed
IRC arguments.

For the oldstable distribution (squeeze), no direct backport is provided.
Fixed packages will be provided through backports.debian.org shortly.

For the stable distribution (wheezy), these problems have been fixed in
version 2.10.9-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.10.9-1.

We recommend that you upgrade your pidgin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2857-1] libspring-java security update

2014-02-08 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2857-1   secur...@debian.org
http://www.debian.org/security/   Markus Koschany
February 08, 2014  http://www.debian.org/security/faq
- -

Package: libspring-java
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-6429 CVE-2013-6430

It was discovered by the Spring development team that the fix for the
XML External Entity (XXE) Injection (CVE-2013-4152) in the Spring
Framework was incomplete.

Spring MVC's SourceHttpMessageConverter also processed user provided XML
and neither disabled XML external entities nor provided an option to
disable them. SourceHttpMessageConverter has been modified to provide an
option to control the processing of XML external entities and that
processing is now disabled by default.

In addition Jon Passki discovered a possible XSS vulnerability:
The JavaScriptUtils.javaScriptEscape() method did not escape all
characters that are sensitive within either a JS single quoted string,
JS double quoted string, or HTML script data context. In most cases this
will result in an unexploitable parse error but in some cases it could
result in an XSS vulnerability.

For the stable distribution (wheezy), these problems have been fixed in
version 3.0.6.RELEASE-6+deb7u2.

For the testing distribution (jessie), these problems have been fixed in
version 3.0.6.RELEASE-11.

For the unstable distribution (sid), these problems have been fixed in
version 3.0.6.RELEASE-11.

We recommend that you upgrade your libspring-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2855-1] libav security update

2014-02-05 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2855-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
February 05, 2014  http://www.debian.org/security/faq
- -

Package: libav
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID : CVE-2011-3944 CVE-2013-0845 CVE-2013-0846 CVE-2013-0849 
 CVE-2013-0865 CVE-2013-7010 CVE-2013-7014 CVE-2013-7015

Several security issues have been corrected in multiple demuxers and 
decoders of the libav multimedia library. The IDs mentioned above are just
a portion of the security issues fixed in this update. A full list of the
changes is available at
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.10

For the stable distribution (wheezy), these problems have been fixed in
version 6:0.8.9-1.

For the unstable distribution (sid), these problems have been fixed in
version 6:9.11-1.

We recommend that you upgrade your libav packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2845-1] mysql-5.1 security update

2014-01-17 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2845-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
January 17, 2014   http://www.debian.org/security/faq
- -

Package: mysql-5.1
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-5908 CVE-2014-0386 CVE-2014-0393 CVE-2014-0401 
 CVE-2014-0402 CVE-2014-0412 CVE-2014-0437

This DSA updates the MySQL 5.1 database to 5.1.73. This fixes multiple 
unspecified security problems in MySQL: 
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

For the oldstable distribution (squeeze), these problems have been fixed in
version 5.1.73-1.

We recommend that you upgrade your mysql-5.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2846-1] libvirt security update

2014-01-17 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2846-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
January 17, 2014   http://www.debian.org/security/faq
- -

Package: libvirt
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-6458 CVE-2014-1447

Multiple security issues have been found in Libvirt, a virtualisation
abstraction library:

CVE-2013-6458

It was discovered that insecure job usage could lead to denial of
service against libvirtd.

CVE-2014-1447

It was discovered that a race condition in keepalive handling could
lead to denial of service against libvirtd.

For the stable distribution (wheezy), these problems have been fixed in
version 0.9.12.3-1. This bugfix point release also addresses some 
additional bugfixes.

For the unstable distribution (sid), these problems have been fixed in
version 1.2.1-1.

We recommend that you upgrade your libvirt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2842-1] libspring-java security update

2014-01-13 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2842-1   secur...@debian.org
http://www.debian.org/security/   Markus Koschany
January 13, 2014   http://www.debian.org/security/faq
- -

Package: libspring-java
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-4152
Debian Bug : 720902

Alvaro Munoz discovered an XML External Entity (XXE) injection in the 
Spring Framework which can be used for conducting CSRF and DoS attacks 
on other sites.

The Spring OXM wrapper did not expose any property for disabling entity
resolution when using the JAXB unmarshaller. There are four possible 
source implementations passed to the unmarshaller:

DOMSource
StAXSource
SAXSource
StreamSource

For a DOMSource, the XML has already been parsed by user code
and that code is responsible for protecting against XXE.

For a StAXSource, the XMLStreamReader has already been created
by user code and that code is responsible for protecting
against XXE.

For SAXSource and StreamSource instances, Spring processed
external entities by default thereby creating this
vulnerability.

The issue was resolved by disabling external entity processing
by default and adding an option to enable it for those users
that need to use this feature when processing XML from a
trusted source.

It was also identified that Spring MVC processed user provided
XML with JAXB in combination with a StAX XMLInputFactory
without disabling external entity resolution. External entity
resolution has been disabled in this case.

For the stable distribution (wheezy), this problem has been fixed in
version 3.0.6.RELEASE-6+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.6.RELEASE-10.

We recommend that you upgrade your libspring-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2841-1] movabletype-opensource security update

2014-01-11 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2841-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
January 11, 2014   http://www.debian.org/security/faq
- -

Package: movabletype-opensource
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2014-0977
Debian Bug : 734304

A cross-site scripting vulnerability was discovered in the rich text 
editor of the Movable Type blogging engine.

For the oldstable distribution (squeeze), this problem has been fixed in
version 4.3.8+dfsg-0+squeeze4.

For the stable distribution (wheezy), this problem has been fixed in
version 5.1.4+dfsg-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 5.2.9+dfsg-1.

We recommend that you upgrade your movabletype-opensource packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2837-1] openssl security update

2014-01-07 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2837-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
January 07, 2014   http://www.debian.org/security/faq
- -

Package: openssl
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-4353

Anton Johannson discovered that an invalid TLS handshake package could
crash OpenSSL with a NULL pointer dereference.

The oldstable distribution (squeeze) is not affected.

For the stable distribution (wheezy), this problem has been fixed in
version 1.0.1e-2+deb7u3.

For the unstable distribution (sid), this problem has been fixed in
version 1.0.1f-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2838-1] libxfont security update

2014-01-07 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2838-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
January 07, 2014   http://www.debian.org/security/faq
- -

Package: libxfont
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE ID : CVE-2013-6462

It was discovered that a buffer overflow in the processing of Glyph 
Bitmap Distribution fonts (BDF) could result in the execution of 
arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:1.4.1-4.

For the stable distribution (wheezy), this problem has been fixed in
version 1:1.4.5-3.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.4.7-1.

We recommend that you upgrade your libxfont packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2835-1] asterisk security update

2014-01-05 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2835-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
January 05, 2014   http://www.debian.org/security/faq
- -

Package: asterisk
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-7100
Debian Bug : 732355

Jan Juergens discovered a buffer overflow in the parser for SMS messages
in Asterisk. 

An additional change was backported, which is fully described in
http://downloads.asterisk.org/pub/security/AST-2013-007.html

With the fix for AST-2013-007, a new configuration option was added in 
order to allow the system administrator to disable the expansion of 
dangerous functions (such as SHELL()) from any interface which is not 
the dialplan. In stable and oldstable this option is disabled by default.
To enable it add the following line to the section '[options]' in
/etc/asterisk/asterisk.conf (and restart asterisk)

  live_dangerously = no

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:1.6.2.9-2+squeeze12.

For the stable distribution (wheezy), this problem has been fixed in
version 1:1.8.13.1~dfsg1-3+deb7u3.

For the testing distribution (jessie), this problem has been fixed in
version 1:11.7.0~dfsg-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:11.7.0~dfsg-1.

We recommend that you upgrade your asterisk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
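
Every advisory on this page ends with the version that carries the fix for
each suite, and the practical question on a host is whether the installed
version sorts below that version under dpkg's rules: epoch first, then the
upstream part, then the Debian revision, with runs of digits compared
numerically and '~' sorting before anything else, including the end of the
string. The following is an added example, not dpkg's or Debian's code: it
reimplements that ordering in Python and checks constructed sample versions
against the fixed versions from DSA-2835 above (asterisk), whose strings
exercise the epoch, '~dfsg' and '+deb7uN' forms. On a Debian host the
authoritative check is `dpkg --compare-versions "$installed" lt "$fixed"`,
with the installed version read from `dpkg-query -W -f='${Version}' asterisk`.

```python
# Added example (not dpkg code): dpkg's version ordering reimplemented so
# an installed version can be checked against an advisory's "fixed in
# version" line. The sample installed versions below are constructed.
import string

_DIGITS = set(string.digits)
_ALPHA = set(string.ascii_letters)


def _order(ch):
    """Weight of a non-digit character as dpkg ranks it: '~' sorts before
    the end of the string, letters before every other character."""
    if ch in _DIGITS:
        return 0
    if ch in _ALPHA:
        return ord(ch)
    if ch == "~":
        return -1
    if ch:
        return ord(ch) + 256
    return 0


def _fragment_cmp(a, b):
    """dpkg's verrevcmp: alternate runs of non-digits (ranked by _order)
    and runs of digits (compared numerically, leading zeros ignored).
    Returns a negative, zero or positive number."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in _DIGITS) or \
              (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1          # a has more significant digits
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).
    Epoch defaults to 0; the revision is everything after the last '-'."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg would order version a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _fragment_cmp(ua, ub) or _fragment_cmp(ra, rb)
    return (r > 0) - (r < 0)


def is_vulnerable(installed, fixed):
    """True if the installed version is older than the advisory's fix."""
    return compare_versions(installed, fixed) < 0


# Fixed asterisk versions taken from DSA-2835 above.
FIXED = {
    "squeeze": "1:1.6.2.9-2+squeeze12",
    "wheezy": "1:1.8.13.1~dfsg1-3+deb7u3",
}


def check_host(suite, installed):
    """Does a host on `suite` with `installed` asterisk still need DSA-2835?"""
    return is_vulnerable(installed, FIXED[suite])


if __name__ == "__main__":
    # Constructed samples of what dpkg-query might print on three hosts.
    for suite, ver in [("wheezy", "1:1.8.13.1~dfsg1-3+deb7u2"),
                       ("wheezy", "1:1.8.13.1~dfsg1-3+deb7u3"),
                       ("squeeze", "1:1.6.2.9-2+squeeze11")]:
        print(suite, ver, "VULNERABLE" if check_host(suite, ver) else "fixed")
```

Only the FIXED table and the sample versions are advisory-specific; the
comparison itself applies to every "fixed in version" line on this page. Note
that the wheezy version string in DSA-2749 further down is printed without its
"1:" epoch; a comparison that takes it literally sorts it below every epoch-1
version, which is one reason to read the installed version from dpkg-query
rather than from memory.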


[Full-disclosure] [SECURITY] [DSA 2833-1] openssl security update

2014-01-01 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2833-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
January 01, 2014   http://www.debian.org/security/faq
- -

Package: openssl
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID : CVE-2013-6449 CVE-2013-6450
Debian Bug : 732754 732710

Multiple security issues have been fixed in OpenSSL: The TLS 1.2 support
was susceptible to denial of service and retransmission of DTLS messages
was fixed. In addition this update disables the insecure Dual_EC_DRBG
algorithm (which was unused anyway, see
http://marc.info/?l=openssl-announce&m=138747119822324&w=2 for further
information) and no longer uses the RdRand feature available on some
Intel CPUs as a sole source of entropy unless explicitly requested.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.1e-5.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2829-1] hplip security update

2013-12-28 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2829-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
December 28, 2013  http://www.debian.org/security/faq
- -

Package: hplip
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-0200 CVE-2013-4325 CVE-2013-6402 CVE-2013-6427

Multiple vulnerabilities have been found in the HP Linux Printing and 
Imaging System: Insecure temporary files, insufficient permission checks
in PackageKit and the insecure hp-upgrade service has been disabled.

For the oldstable distribution (squeeze), these problems have been fixed in
version 3.10.6-2+squeeze2.

For the stable distribution (wheezy), these problems have been fixed in
version 3.12.6-3.1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 3.13.11-2.

We recommend that you upgrade your hplip packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2825-1] wireshark security update

2013-12-20 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2825-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
December 20, 2013  http://www.debian.org/security/faq
- -

Package: wireshark
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE ID : CVE-2013-7113 CVE-2013-7114

Laurent Butti and Garming Sam discovered multiple vulnerabilities in the
dissectors for NTLMSSPv2 and BSSGP, which could lead to denial of service
or the execution of arbitrary code.

For the stable distribution (wheezy), these problems have been fixed in
version 1.8.2-5wheezy9.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.4-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2822-1] xorg-server security update

2013-12-18 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2822-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
December 18, 2013  http://www.debian.org/security/faq
- -

Package: xorg-server
Vulnerability  : integer underflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-6424

Bryan Quigley discovered an integer underflow in the Xorg X server which
could lead to denial of service or the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.7.7-18.

For the stable distribution (wheezy), this problem has been fixed in
version 1.12.4-6+deb7u2.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your xorg-server packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2823-1] pixman security update

2013-12-18 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2823-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
December 18, 2013  http://www.debian.org/security/faq
- -

Package: pixman
Vulnerability  : integer underflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-6425

Bryan Quigley discovered an integer underflow in Pixman which could lead
to denial of service or the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.16.4-1+deb6u1.

For the stable distribution (wheezy), this problem has been fixed in
version 0.26.0-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.30.2-2.

We recommend that you upgrade your pixman packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2819-1] End-of-life announcement for iceape

2013-12-16 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2819-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
December 16, 2013  http://www.debian.org/security/faq
- -

Package: iceape

Security support for Iceape, the Debian-branded version of the Seamonkey
suite, needed to be stopped before the end of the regular security
maintenance life cycle.

We recommend migrating to Iceweasel for the web browser functionality
and to Icedove for the e-mail bits. Iceweasel and Icedove are based
on the same codebase and will continue to be supported with security
updates. Alternatively you can switch to the binaries provided by
Mozilla available at http://www.seamonkey-project.org/releases/

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2812-1] samba security update

2013-12-09 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2812-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
December 09, 2013  http://www.debian.org/security/faq
- -

Package: samba
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-4408 CVE-2013-4475

Two security issues were found in Samba, an SMB/CIFS file, print, and 
login server:

CVE-2013-4408

It was discovered that multiple buffer overflows in the processing
of DCE-RPC packets may lead to the execution of arbitrary code.

CVE-2013-4475

Hemanth Thummala discovered that ACLs were not checked when opening
files with alternate data streams. This issue is only exploitable
if the VFS modules vfs_streams_depot and/or vfs_streams_xattr are
used.

For the oldstable distribution (squeeze), these problems have been fixed in
version 3.5.6~dfsg-3squeeze11.

For the stable distribution (wheezy), these problems have been fixed in
version 3.6.6-6+deb7u2.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your samba packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2813-1] gimp security update

2013-12-09 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2813-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
December 09, 2013  http://www.debian.org/security/faq
- -

Package: gimp
Vulnerability  : several
Problem type   : local(remote)
Debian-specific: no
CVE ID : CVE-2013-1913 CVE-2013-1978

Murray McAllister discovered multiple integer and buffer overflows in the
XWD plugin in Gimp, which can result in the execution of arbitrary code.

For the oldstable distribution (squeeze), these problems have been fixed 
in version 2.6.10-1+squeeze4. This update also fixes CVE-2012-3403, 
CVE-2012-3481 and CVE-2012-5576.

For the stable distribution (wheezy), these problems have been fixed in
version 2.8.2-2+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your gimp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2807-1] links2 security update

2013-11-30 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2807-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
November 30, 2013  http://www.debian.org/security/faq
- -

Package: links2
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-6050

Mikulas Patocka discovered an integer overflow in the parsing of HTML 
tables in the Links web browser. This can only be exploited when running 
Links in graphical mode.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.3~pre1-1+squeeze2.

For the stable distribution (wheezy), this problem has been fixed in
version 2.7-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 2.8-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.8-1.

We recommend that you upgrade your links2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2803-1] quagga security update

2013-11-26 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2803-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
November 26, 2013  http://www.debian.org/security/faq
- -

Package: quagga
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2236 CVE-2013-6051
Debian Bug : 730513 726724

Multiple vulnerabilities were discovered in Quagga, a BGP/OSPF/RIP 
routing daemon:

CVE-2013-2236

A buffer overflow was found in the OSPF API-server (exporting the LSDB 
and allowing announcement of Opaque-LSAs).

CVE-2013-6051

bgpd could be crashed through BGP updates. This only affects Wheezy/stable.

For the oldstable distribution (squeeze), these problems have been fixed in
version 0.99.20.1-0+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in
version 0.99.22.4-1+wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 0.99.22.4-1.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2804-1] drupal7 security update

2013-11-26 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2804-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
November 26, 2013  http://www.debian.org/security/faq
- -

Package: drupal7
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-6385 CVE-2013-6386 CVE-2013-6387 CVE-2013-6388 
 CVE-2013-6389

Multiple vulnerabilities have been discovered in Drupal, a fully-featured 
content management framework: Cross-site request forgery, insecure
pseudo random number generation, code execution, incorrect security token
validation and cross-site scripting.

In order to avoid the remote code execution vulnerability, it is 
recommended to create a .htaccess file (or an equivalent configuration 
directive in case you are not using Apache to serve your Drupal sites) 
in each of your sites' files directories (both public and private, in 
case you have both configured).

Please refer to the NEWS file provided with this update and the upstream
advisory at https://drupal.org/SA-CORE-2013-003 for further information.

For the stable distribution (wheezy), these problems have been fixed in
version 7.14-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 7.24-1.

We recommend that you upgrade your drupal7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2797-1] icedove security update

2013-11-13 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2797-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
November 13, 2013  http://www.debian.org/security/faq
- -

Package: icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-5590 CVE-2013-5595 CVE-2013-5597 CVE-2013-5599 
 CVE-2013-5600 CVE-2013-5601 CVE-2013-5602 CVE-2013-5604

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail and news client.  Multiple memory safety 
errors, and other implementation errors may lead to the execution of 
arbitrary code.

The Icedove version in the oldstable distribution (squeeze) is no longer
supported with full security updates. However, it should be noted that
almost all security issues in Icedove stem from the included browser engine.
These security problems only affect Icedove if scripting and HTML mails
are enabled. If there are security issues specific to Icedove (e.g. a 
hypothetical buffer overflow in the IMAP implementation) we'll make an 
effort to backport such fixes to oldstable.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.10-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.10-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2793-1] libav security update

2013-11-09 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2793-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
November 09, 2013  http://www.debian.org/security/faq
- -

Package: libav
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-0844 CVE-2013-0850 CVE-2013-0853 CVE-2013-0854 
 CVE-2013-0857 CVE-2013-0858 CVE-2013-0866

Several security issues have been corrected in multiple demuxers and 
decoders of the libav multimedia library. The CVE IDs mentioned above are 
just a small portion of the security issues fixed in this update. A full
list of the changes is available at
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.9

For the stable distribution (wheezy), these problems have been fixed in
version 0.8.9-1.

For the unstable distribution (sid), these problems have been fixed in
version 9.10-1.

We recommend that you upgrade your libav packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [SECURITY] [DSA 2749-1] asterisk security update

2013-09-02 Thread Moritz Muehlenhoff

- -
Debian Security Advisory DSA-2749-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
September 02, 2013 http://www.debian.org/security/faq
- -

Package: asterisk
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-5641 CVE-2013-5642

Colin Cuthbertson and Walter Doekes discovered two vulnerabilities in
the SIP processing code of Asterisk, an open source PBX and telephony 
toolkit, which could result in denial of service.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1:1.6.2.9-2+squeeze11.

For the stable distribution (wheezy), these problems have been fixed in
version 1.8.13.1~dfsg-3+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your asterisk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIkpL0ACgkQXm3vHE4uylq9kQCfS6ZselcMAH5LwaS6/ybU9Pz+
U/EAn1QPFkiOwRm2w0aOWPQR4rfa80yj
=IMS+
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2746-1] icedove security update

2013-08-29 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2746-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
August 29, 2013                                   http://www.debian.org/security/faq
- -

Package: icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713 
 CVE-2013-1714 CVE-2013-1717

Multiple security issues have been found in Icedove, Debian's version of 
the Mozilla Thunderbird mail and news client. Multiple memory safety 
errors, missing permission checks and other implementation errors may 
lead to the execution of arbitrary code or cross-site scripting.

The Icedove version in the oldstable distribution (squeeze) is no longer 
supported with full security updates. However, it should be noted that 
almost all security issues in Icedove stem from the included browser engine.
These security problems only affect Icedove if scripting and HTML mails 
are enabled. If there are security issues specific to Icedove (e.g. a 
hypothetical buffer overflow in the IMAP implementation) we'll make an 
effort to backport such fixes to oldstable.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.8-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.8-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIfhf8ACgkQXm3vHE4uylqF2QCeK7C4vEufIlumHBA/ElEt8/DK
WW8An0Q0dB0o6Q9xLtdKeDzbg7RB/J6c
=VAfs
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2744-1] tiff security update

2013-08-27 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2744-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
August 27, 2013                                   http://www.debian.org/security/faq
- -

Package: tiff
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2013-4231 CVE-2013-4232 CVE-2013-4244

Pedro Ribeiro and Huzaifa S. Sidhpurwala discovered multiple 
vulnerabilities in various tools shipped by the tiff library. Processing 
a malformed file may lead to denial of service or the execution of 
arbitrary code.

For the oldstable distribution (squeeze), these problems have been fixed in
version 3.9.4-5+squeeze10.

For the stable distribution (wheezy), these problems have been fixed in
version 4.0.2-6+deb7u2.

For the unstable distribution (sid), these problems have been fixed in
version 4.0.3-3.

We recommend that you upgrade your tiff packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIcvnUACgkQXm3vHE4uyloIbwCgo4OMvqUIR3VslZHxol2C0L+A
PrkAnihvG0HIfFVRcNyp0reBbweGymKS
=VdI+
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2739-1] cacti security update

2013-08-21 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2739-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
August 21, 2013                                   http://www.debian.org/security/faq
- -

Package: cacti
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1434 CVE-2013-1435

Two security issues (SQL injection and command line injection via SNMP
settings) were found in Cacti, a web interface for graphing of monitoring 
systems. 

For the oldstable distribution (squeeze), these problems have been fixed in
version 0.8.7g-1+squeeze2.

For the stable distribution (wheezy), these problems have been fixed in
version 0.8.8a+dfsg-5+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 0.8.8b+dfsg-2.

We recommend that you upgrade your cacti packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIVGbIACgkQXm3vHE4uylreEgCbBAn3yyfWbdhnXbyGYIHh9PFv
u3YAnioUU1Bpnb51iQ3n2M27RskKnH3Y
=XvPc
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2735-1] iceweasel security update

2013-08-07 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2735-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
August 07, 2013                                   http://www.debian.org/security/faq
- -

Package: iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713 
 CVE-2013-1714 CVE-2013-1717

Multiple security issues have been found in Iceweasel, Debian's version 
of the Mozilla Firefox web browser: Multiple memory safety errors, 
missing permission checks and other implementation errors may lead to 
the execution of arbitrary code, cross-site scripting, privilege 
escalation, bypass of the same-origin policy or the installation of 
malicious addons.

The Iceweasel version in the oldstable distribution (squeeze) is no 
longer supported with security updates.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.8esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.8esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlICVeQACgkQXm3vHE4uylpxcwCg0aSZ2guURbRwOCvlMCEX8SLM
6d8AoJ+EWsZdjm/dtFxRNQ4QYgPrGC92
=tept
-END PGP SIGNATURE-




[Full-disclosure] [SECURITY] [DSA 2734-1] wireshark security update

2013-08-05 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2734-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
August 05, 2013                                   http://www.debian.org/security/faq
- -

Package: wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-4930 CVE-2013-4932 CVE-2013-4933 CVE-2013-4934 
 CVE-2013-4935

Multiple vulnerabilities were discovered in the dissectors for DVB-CI,
GSM A Common and ASN.1 PER and in the Netmon file parser.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.2.11-6+squeeze11.

For the stable distribution (wheezy), these problems have been fixed in
version 1.8.2-5wheezy5.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.1-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlH/zrkACgkQXm3vHE4uylrlNgCgy3VC5Pp9JIEopwRluMPBrMi4
TX4AoIRxNZdumgDSR7dkg/HfPaMHjcFr
=kQHX
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2729-1] openafs security update

2013-07-28 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2729-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
July 28, 2013                                     http://www.debian.org/security/faq
- -

Package: openafs
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID : CVE-2013-4134 CVE-2013-4135

OpenAFS, the implementation of the distributed filesystem AFS, has been
updated to no longer use DES for the encryption of tickets. Additional
migration steps are needed to fully set the update into effect. For more
information please see the upstream advisory:
http://www.openafs.org/security/OPENAFS-SA-2013-003.txt

In addition, the 'encrypt' option of the 'vos' tool was fixed.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.4.12.1+dfsg-4+squeeze2.

For the stable distribution (wheezy), these problems have been fixed in
version 1.6.1-3+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.6.5-1.

We recommend that you upgrade your openafs packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlH1iJwACgkQXm3vHE4uylqtOgCdH6R3kV9Z9xA2iwxUJ3beYa8R
uysAoOCWxleO/V/Cuov4p83uwY7ya6Fv
=we5l
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2727-1] openjdk-6 security update

2013-07-25 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2727-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
July 25, 2013                                     http://www.debian.org/security/faq
- -

Package: openjdk-6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412 
 CVE-2013-2443 CVE-2013-2444 CVE-2013-2445 CVE-2013-2446 
 CVE-2013-2447 CVE-2013-2448 CVE-2013-2450 CVE-2013-2451 
 CVE-2013-2452 CVE-2013-2453 CVE-2013-2455 CVE-2013-2456 
 CVE-2013-2457 CVE-2013-2459 CVE-2013-2461 CVE-2013-2463  
 CVE-2013-2465 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471 
 CVE-2013-2472 CVE-2013-2473

Several vulnerabilities have been discovered in OpenJDK, an 
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure
or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed in
version 6b27-1.12.6-1~deb6u1.

For the stable distribution (wheezy), these problems have been fixed in
version 6b27-1.12.6-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 6b27-1.12.6-1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHxlD8ACgkQXm3vHE4uylrAVgCfUvMGB6DZA4/zGvdtcRPDfNoe
XUsAniwGJ/tAKzXDVcmn/k6jBUG/qlWi
=wlJl
-END PGP SIGNATURE-




[Full-disclosure] [SECURITY] [DSA 2725-1] tomcat6 security update

2013-07-18 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2725-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
July 18, 2013                                     http://www.debian.org/security/faq
- -

Package: tomcat6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-3544 CVE-2013-2067

Two security issues have been found in the Tomcat servlet and JSP engine:

CVE-2012-3544

The input filter for chunked transfer encodings could trigger high 
resource consumption through malformed CRLF sequences, resulting in 
denial of service.

CVE-2013-2067

The FormAuthenticator module was vulnerable to session fixation.

For the oldstable distribution (squeeze), these problems have been fixed in
version 6.0.35-1+squeeze3. This update also provides fixes for
CVE-2012-2733, CVE-2012-3546, CVE-2012-4431, CVE-2012-4534, CVE-2012-5885,
CVE-2012-5886 and CVE-2012-5887, which were all fixed for stable already.

For the stable distribution (wheezy), these problems have been fixed in
version 6.0.35-6+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your tomcat6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHoLKoACgkQXm3vHE4uylp56QCff9NXUl0J3tcY6bjyROYrMWh5
kekAoJb3+ErnUADVo4tpir+woaK+7lma
=bdVm
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2722-1] openjdk-7 security update

2013-07-15 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2722-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
July 15, 2013                                     http://www.debian.org/security/faq
- -

Package: openjdk-7
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412 
 CVE-2013-2443 CVE-2013-2444 CVE-2013-2445 CVE-2013-2446 
 CVE-2013-2447 CVE-2013-2448 CVE-2013-2449 CVE-2013-2450 
 CVE-2013-2451 CVE-2013-2452 CVE-2013-2453 CVE-2013-2454 
 CVE-2013-2455 CVE-2013-2456 CVE-2013-2457 CVE-2013-2458 
 CVE-2013-2459 CVE-2013-2460 CVE-2013-2461 CVE-2013-2463 
 CVE-2013-2465 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471 
 CVE-2013-2472 CVE-2013-2473

Several vulnerabilities have been discovered in OpenJDK, an 
implementation of the Oracle Java platform, resulting in the execution 
of arbitrary code, breakouts of the Java sandbox, information disclosure 
or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 7u25-2.3.10-1~deb7u1. In addition icedtea-web needed to be
updated to 1.4-3~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 7u25-2.3.10-1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHkFUAACgkQXm3vHE4uylpOpQCgt8zoGF/tvtlPfwUoZEZLaxnT
T6cAn1bi4j9GS2Ftdgce+Sj301ML6OJd
=k1yV
-END PGP SIGNATURE-






[Full-disclosure] [SECURITY] [DSA 2720-1] icedove security update

2013-07-06 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2720-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
July 06, 2013                                     http://www.debian.org/security/faq
- -

Package: icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1682 CVE-2013-1684 CVE-2013-1685 CVE-2013-1686 
 CVE-2013-1687 CVE-2013-1690 CVE-2013-1692 CVE-2013-1693 
 CVE-2013-1694 CVE-2013-1697

Multiple security issues have been found in Icedove, Debian's version
of the Mozilla Thunderbird mail and news client. Multiple memory safety 
errors, use-after-free vulnerabilities, missing permission checks, incorrect 
memory handling and other implementation errors may lead to the execution
of arbitrary code, privilege escalation, information disclosure or
cross-site request forgery.

As already announced for Iceweasel: We're changing the approach for
security updates for Icedove in stable-security: Instead of
backporting security fixes, we now provide releases based on the 
Extended Support Release branch. As such, this update introduces
packages based on Thunderbird 17 and at some point in the future we 
will switch to the next ESR branch once ESR 17 has reached its end
of life.

Some Icedove extensions currently packaged in the Debian archive are 
not compatible with the new browser engine. Up-to-date and compatible 
versions can be retrieved from http://addons.mozilla.org as a short 
term solution.

An updated and compatible version of enigmail is included with this 
update.

The icedove version in the oldstable distribution (squeeze) is no
longer supported with full security updates. However, it should be
noted that almost all security issues in Icedove stem from the
included browser engine. These security problems only affect Icedove
if scripting and HTML mails are enabled. If there are security issues
specific to Icedove (e.g. a hypothetical buffer overflow in the IMAP
implementation) we'll make an effort to backport such fixes to oldstable.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.7-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.7-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHYOV0ACgkQXm3vHE4uyloU2wCg4l3I0e41UASWhsFC7D9BSuiH
cxIAn24DJFsYpSO7f8p3EH8TcCD800CC
=fQYl
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2716-1] iceweasel security update

2013-06-26 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2716-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
June 26, 2013                                     http://www.debian.org/security/faq
- -

Package: iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1682 CVE-2013-1684 CVE-2013-1685 CVE-2013-1686 
 CVE-2013-1687 CVE-2013-1690 CVE-2013-1692 CVE-2013-1693 
 CVE-2013-1694 CVE-2013-1697

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
use-after-free vulnerabilities, missing permission checks, incorrect 
memory handling and other implementation errors may lead to the execution
of arbitrary code, privilege escalation, information disclosure or
cross-site request forgery.

The iceweasel version in the oldstable distribution (squeeze) is no
longer supported with security updates.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.7esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.7esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHK8xwACgkQXm3vHE4uylpwJACcC016haKkOmAV6qUhbcrwaE3r
+JkAn2WJZ7PBhyukQ6umlbTNN5GHPUBU
=FjcR
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2714-1] kfreebsd-9 security update

2013-06-25 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2714-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
June 25, 2013                                     http://www.debian.org/security/faq
- -

Package: kfreebsd-9
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2171

Konstantin Belousov and Alan Cox discovered that insufficient permission
checks in the memory management of the FreeBSD kernel could lead to
privilege escalation.

For the stable distribution (wheezy), this problem has been fixed in
version 9.0-10+deb70.2.

For the unstable distribution (sid), this problem has been fixed in
version 9.0-12.

We recommend that you upgrade your kfreebsd-9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHJ0doACgkQXm3vHE4uylqjLwCg4KRLRjp4uRk6HFyQq9QwBdPx
BjkAoJ8vtwiijYd1MUuQnQocDSD5kNJH
=KyCc
-END PGP SIGNATURE-




[Full-disclosure] [SECURITY] [DSA 2711-1] haproxy security update

2013-06-19 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2711-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
June 19, 2013                                     http://www.debian.org/security/faq
- -

Package: haproxy
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-2942 CVE-2013-1912 CVE-2013-2175

Multiple security issues have been found in HAProxy, a load-balancing 
reverse proxy:

CVE-2012-2942

Buffer overflow in the header capture code.

CVE-2013-1912

Buffer overflow in the HTTP keepalive code.

CVE-2013-2175

Denial of service in parsing HTTP headers.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.4.8-1+squeeze1.

The stable distribution (wheezy) doesn't contain haproxy.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.24-1.

We recommend that you upgrade your haproxy packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHB5iUACgkQXm3vHE4uyloejQCcDLeGSbq/TcynokkvYSZf7tgW
ykUAn2IzWLERPgLLKGWdtiazkMZ1hAJh
=fAae
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2628-2] nss-pam-ldapd update

2013-06-18 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2628-2   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
June 18, 2013                                     http://www.debian.org/security/faq
- -

Package: nss-pam-ldapd
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2013-0288

The security update DSA-2628 for nss-pam-ldapd failed to build on
kfreebsd-amd64 and kfreebsd-i386. 

For the oldstable distribution (squeeze) this problem has been fixed in
version 0.7.15+squeeze4.

We recommend that you upgrade your nss-pam-ldapd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHAuioACgkQXm3vHE4uylp1SgCfRfaE/82UPlw630fJJY2AiO9G
cQgAniRuJHY6scVJcCIszlq69vCLRwIv
=swiz
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2709-1] wireshark security update

2013-06-17 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2709-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
June 17, 2013                                     http://www.debian.org/security/faq
- -

Package: wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-4074 CVE-2013-4075 CVE-2013-4076 CVE-2013-4077 
 CVE-2013-4078 CVE-2013-4081 CVE-2013-4082 CVE-2013-4083

Multiple vulnerabilities were discovered in the dissectors for CAPWAP, 
GMR-1 BCCH, PPP, NBAP, RDP, HTTP, DCP ETSI and in the Ixia IxVeriWave 
file parser, which could result in denial of service or the execution of 
arbitrary code.

For the stable distribution (wheezy), these problems have been fixed in
version 1.8.2-5wheezy4.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlG/PDcACgkQXm3vHE4uylpbFACfUo3vfb+t9jrvuaRSuplNL12N
vE8AoOL5VT4XRAWZKQgfzX3ECcU07NiP
=fjQs
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2699-1] iceweasel security update

2013-06-02 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2699-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
June 02, 2013                                     http://www.debian.org/security/faq
- -

Package: iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-0773 CVE-2013-0775 CVE-2013-0776 CVE-2013-0780 
 CVE-2013-0782 CVE-2013-0783 CVE-2013-0787 CVE-2013-0788 
 CVE-2013-0793 CVE-2013-0795 CVE-2013-0796 CVE-2013-0800 
 CVE-2013-0801 CVE-2013-1670 CVE-2013-1674 CVE-2013-1675
 CVE-2013-1676 CVE-2013-1677 CVE-2013-1678 CVE-2013-1679
 CVE-2013-1680 CVE-2013-1681

Multiple security issues have been found in Iceweasel, Debian's version 
of the Mozilla Firefox web browser: Multiple memory safety errors, 
missing input sanitising vulnerabilities, use-after-free vulnerabilities, 
buffer overflows and other programming errors may lead to the execution 
of arbitrary code, privilege escalation, information leaks or 
cross-site-scripting.

We're changing the approach for security updates for Iceweasel, Icedove 
and Iceape in stable-security: Instead of backporting security fixes, 
we now provide releases based on the Extended Support Release branch. As 
such, this update introduces packages based on Firefox 17 and at some 
point in the future we will switch to the next ESR branch once ESR 17 
has reached its end of life.

Some Xul extensions currently packaged in the Debian archive are not
compatible with the new browser engine. Up-to-date and compatible 
versions can be retrieved from http://addons.mozilla.org as a short 
term solution. A solution to keep packaged extensions compatible with 
the Mozilla releases is still being sorted out.

We don't have the resources to backport security fixes to the Iceweasel 
release in oldstable-security any longer. If you're up to the task and 
want to help, please get in touch with t...@security.debian.org. 
Otherwise, we'll announce the end of security support for Iceweasel, 
Icedove and Iceape in Squeeze in the next update round.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.6esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.6esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGrdIYACgkQXm3vHE4uylpV0ACeO8LQiy/UiTlwEPvuQx/CTJDO
CdwAn3eC1sTBLQvklJARBebGvVlpQvNC
=xPKt
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2700-1] wireshark security update

2013-06-02 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2700-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
June 02, 2013                                     http://www.debian.org/security/faq
- -

Package: wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-3555 CVE-2013-3557 CVE-2013-3558 CVE-2013-3559 
 CVE-2013-3560 CVE-2013-3562

Multiple vulnerabilities were discovered in the dissectors for GTPv2,
ASN.1 BER, PPP CCP, DCP ETSI, MPEG DSM-CC and Websocket, which could 
result in denial of service or the execution of arbitrary code.

The oldstable distribution (squeeze) is not affected.

For the stable distribution (wheezy), these problems have been fixed in
version 1.8.2-5wheezy3.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.7-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGrkVgACgkQXm3vHE4uylp3RgCg4t6Gd4/msDGQu2rVCSiW8991
38gAniiM3gXTPngF/l7yY93jTCvJqpby
=vH7t
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2677-1] libxrender security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2677-1   secur...@debian.org
http://www.debian.org/security/                   Moritz Muehlenhoff
May 23, 2013                                      http://www.debian.org/security/faq
- -

Package: libxrender
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1987

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:0.9.6-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1:0.9.7-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:0.9.7-1+deb7u1.

We recommend that you upgrade your libxrender packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNLUACgkQXm3vHE4uyloWLwCdExGEri73mKXnX/jd3atI54Gd
fHUAn2jTyN+sW+JIQu7Yrun4m9WUxCQ3
=IgPf
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2678-1] mesa security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2678-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: mesa
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1993

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 7.7.1-6.

For the stable distribution (wheezy), this problem has been fixed in
version 8.0.5-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 8.0.5-6.

We recommend that you upgrade your mesa packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNRMACgkQXm3vHE4uylok7wCgoYincClsSUlWB9CfAnyqUs8M
GukAoM9LF+Ip0kMPRlU9dBz9xNL82g8I
=h7YT
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2679-1] xserver-xorg-video-openchrome security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2679-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: xserver-xorg-video-openchrome
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1994

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.2.904+svn842-2+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 0.2.906-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.2.906-2+deb7u1.

We recommend that you upgrade your xserver-xorg-video-openchrome packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNWgACgkQXm3vHE4uylrTpgCgiBj+1I/dfil1g/twTYSiZHJL
KPwAoIM3x/WBiv691U1KrJCPCkLIozOx
=MrEv
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2680-1] libxt security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2680-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxt
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2002 CVE-2013-2005

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1:1.0.7-1+squeeze1.

For the stable distribution (wheezy), these problems have been fixed in
version 1:1.1.3-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1:1.1.3-1+deb7u1.

We recommend that you upgrade your libxt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNcMACgkQXm3vHE4uylqcaQCfV0+rOuDMcV8+rEdK97xsS6Gt
JKIAniCBFZA1mxf9P3vInyIRW3CyDyZZ
=M7zp
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2681-1] libxcursor security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2681-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxcursor
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2003

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:1.1.10-2+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1:1.1.13-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.1.13-1+deb7u1.

We recommend that you upgrade your libxcursor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNiEACgkQXm3vHE4uylqueQCgxNhVeiuAWxZiltTa9qednH80
AxMAoKlzGd4n3R/FqGxQAlxYYyAs89g5
=UP6u
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2682-1] libxext security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2682-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxext
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1982

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2:1.1.2-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.3.1-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.3.1-2+deb7u1.

We recommend that you upgrade your libxext packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNmgACgkQXm3vHE4uylpVYACfRb+H3PUEGtobBFX3RbsybBZX
V6oAn1qWPcdPuXIv/FsB5vTn2PzSBl10
=F/p+
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2683-1] libxi security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2683-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxi
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1984 CVE-2013-1995 CVE-2013-1998

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed in
version 2:1.3-8.

For the stable distribution (wheezy), these problems have been fixed in
version 2:1.6.1-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 2:1.6.1-1+deb7u1.

We recommend that you upgrade your libxi packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNuQACgkQXm3vHE4uylqwkgCg2wpO4xxuZcNIdmhzU77/BkYp
fqgAniSSgyOipXL842s19bceNfBljw/y
=eaz9
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2684-1] libxrandr security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2684-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxrandr
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1986

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2:1.3.0-3+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.3.2-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.3.2-2+deb7u1.

We recommend that you upgrade your libxrandr packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNzMACgkQXm3vHE4uylrhFQCfYHBP99XPbhQcKTzjTfrgvphm
0RcAni6xpidICEgPNAtfxx5SMapo5Kex
=QCny
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2685-1] libxp security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2685-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxp
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2062

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:1.0.0.xsf1-2+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1:1.0.1-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.0.1-2+deb7u1.

We recommend that you upgrade your libxp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeN4AACgkQXm3vHE4uylp7JQCguqKXqXG9GqBhrNDb2B7SIKUe
czoAoNnzD4qyJRi9CbqIPR/j2pjDyDRn
=umC9
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2686-1] libxcb security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2686-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxcb
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2064

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.6-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1.8.1-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.8.1-2+deb7u1.

We recommend that you upgrade your libxcb packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeN9EACgkQXm3vHE4uylr53gCeMXQ0/KXlRqLQ5Xw4bvtkHa8d
ce4AnjyUYH34VDTIq56rV5CVhOkLU+U8
=ucCl
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2687-1] libfs security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2687-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libfs
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1996

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2:1.0.2-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.0.4-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.0.4-1+deb7u1.

We recommend that you upgrade your libfs packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeOBwACgkQXm3vHE4uylo0wwCeKo/LPrrrtxViPOdaHlylBl6W
5PwAnjikx0jhWFqwf/h8sFkhbS14ewyx
=UdYB
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2688-1] libxres security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2688-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxres
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1988

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2:1.0.4-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.0.6-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.0.6-1+deb7u1.

We recommend that you upgrade your libxres packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeOI4ACgkQXm3vHE4uylrwnACfaX+RwOPjFkir3+zBx3EePjiE
6TUAnjP/4FDp6iM2VX38Yed19xBFA4GV
=RayP
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2689-1] libxtst security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2689-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxtst
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2063

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2:1.1.0-3+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.2.1-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.2.1-1+deb7u1.

We recommend that you upgrade your libxtst packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeON8ACgkQXm3vHE4uylp8tQCgz9rbJY7bp51pFHYM0xr0f7/f
bMUAoMCn8dSk/F7IQ+3dbVMxVFBkIwEw
=ee0F
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2676-1] libxfixes security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2676-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxfixes
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1983

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 4.0.5-1+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1:5.0-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:5.0-4+deb7u1.

We recommend that you upgrade your libxfixes packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNGgACgkQXm3vHE4uylorbACfbKyJ+5tuvzMDW5LOK7C/0Lis
V2gAoLMvptDOSkBeG8UalxWLhzVZAMnq
=xHEW
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2675-1] libxvmc security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2675-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxvmc
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1990 CVE-2013-1999

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed in
version 2:1.0.5-1+squeeze1.

For the stable distribution (wheezy), these problems have been fixed in
version 2:1.0.7-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 2:1.0.7-1+deb7u1.

We recommend that you upgrade your libxvmc packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeNB0ACgkQXm3vHE4uylpi6gCgxvPOGpUp2C1WzBaTKmYo2llz
MLoAoKdsBUkUM1qMKN9lyMqFo/L/ZjRo
=C2hN
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2674-1] libxv security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2674-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxv
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1989 CVE-2013-2066

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed in
version 2:1.0.5-1+squeeze1.

For the stable distribution (wheezy), these problems have been fixed in
version 2:1.0.7-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 2:1.0.7-1+deb7u1.

We recommend that you upgrade your libxv packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeM8oACgkQXm3vHE4uylo6EQCfdm8PIgsn9oCKoeT5BQZCxDHW
tnEAoKrkpGMgI3p2cciWIj3E5V9XQf5j
=9LEf
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2673-1] libdmx security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2673-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libdmx
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1992

Ilja van Sprundel of IOActive discovered several security issues in 
multiple components of the X.org graphics stack and the related 
libraries: Various integer overflows, sign handling errors in integer 
conversions, buffer overflows, memory corruption and missing input 
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:1.1.0-2+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1.1.2-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.2-1+deb7u1.

We recommend that you upgrade your libdmx packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeM1UACgkQXm3vHE4uylpQPgCeO0wyNY7OIfaZAftZgG9SVMFX
0oIAnRjZAaERaUGkQ4GYeR4TI665E0Yp
=WBmW
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2690-1] libxxf86dga security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2690-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxxf86dga
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1991 CVE-2013-2000

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), these problems have been fixed in
version 2:1.1.1-2+squeeze1.

For the stable distribution (wheezy), these problems have been fixed in
version 2:1.1.3-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 2:1.1.3-2+deb7u1.

We recommend that you upgrade your libxxf86dga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeOl8ACgkQXm3vHE4uylpDKACdHWUKZzMN3YOgJDpYenbeLOyd
UVsAn3mwxkngZVFHuMoEFoifrTn87IHU
=exJE
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2691-1] libxinerama security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2691-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxinerama
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1985

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.1-3+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1.1.2-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.2-1+deb7u1.

We recommend that you upgrade your libxinerama packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeOpQACgkQXm3vHE4uylrHtQCeNA0Icopuu81Z0jp7MsGGjBY3
YWEAniQIJ+AOY+qt7d8UHcXA55WUpQ0C
=ApP3
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2692-1] libxxf86vm security update

2013-05-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2692-1   secur...@debian.org
http://www.debian.org/security/    Moritz Muehlenhoff
May 23, 2013   http://www.debian.org/security/faq
- -

Package: libxxf86vm
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2001

Ilja van Sprundel of IOActive discovered several security issues in
multiple components of the X.org graphics stack and the related
libraries: Various integer overflows, sign handling errors in integer
conversions, buffer overflows, memory corruption and missing input
sanitising may lead to privilege escalation or denial of service.

For the oldstable distribution (squeeze), this problem will be fixed
soon in version 1:1.1.0-2+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 1:1.1.2-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.1.2-1+deb7u1.

We recommend that you upgrade your libxxf86vm packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGeOvAACgkQXm3vHE4uylr6EgCffVfHl2qmCgS8tN5JmlF54cnE
9xgAoO0I9C9vPBeJ6vSl4qr/zQu9lGYg
=N55T
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2667-1] mysql-5.5 security update

2013-05-12 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2667-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
May 12, 2013   http://www.debian.org/security/faq
- -

Package: mysql-5.5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1502 CVE-2013-1511 CVE-2013-1532 CVE-2013-1544 
 CVE-2013-2375 CVE-2013-2376 CVE-2013-2389 CVE-2013-2391 
 CVE-2013-2392

Several issues have been discovered in the MySQL database server. The 
vulnerabilities are addressed by upgrading MySQL to a new upstream 
version, 5.5.31, which includes additional changes, such as performance 
improvements and corrections for data loss defects. 

For the stable distribution (wheezy), these problems have been fixed in
version 5.5.31+dfsg-0+wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 5.5.31+dfsg-1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGP7fUACgkQXm3vHE4uylqlywCfbAjmgJeD8bHXIVIkvMBEKlcb
aiMAnj4Jqmct6e52m72Q3jiEGDl6qrIS
=orFh
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2655-1] rails security update

2013-03-28 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2655-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
March 28, 2013 http://www.debian.org/security/faq
- -

Package: rails
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-2932 CVE-2012-3464 CVE-2012-3465 CVE-2013-1854 
 CVE-2013-1855 CVE-2013-1857

Several cross-site-scripting and denial of service vulnerabilities were 
discovered in Ruby on Rails, a Ruby framework for web application 
development.

For the stable distribution (squeeze), these problems have been fixed in
version 2.3.5-1.2+squeeze8.

For the testing distribution (wheezy) and the unstable distribution (sid),
these problems have been fixed in the version 3.2.6-5 of 
ruby-activerecord-3.2, version 2.3.14-6 of ruby-activerecord-2.3,
version 2.3.14-7 of ruby-activesupport-2.3, version 3.2.6-6 of 
ruby-actionpack-3.2 and in version 2.3.14-5 of ruby-actionpack-2.3.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlFUbH8ACgkQXm3vHE4uylpsqQCfX695TQww9jB4MtB0rPE8hzzb
ZgAAoIjUMa20xfUcvUe0l88L2tsJ7GSu
=Y08N
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2647-1] firebird2.1 security update

2013-03-15 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2647-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
March 15, 2013 http://www.debian.org/security/faq
- -

Package: firebird2.1
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2492
Debian Bug : 702735

A buffer overflow was discovered in the Firebird database server, which
could result in the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.1.3.18185-0.ds1-11+squeeze1.

For the testing distribution (wheezy), firebird2.1 will be removed in
favour of firebird2.5.

For the unstable distribution (sid), firebird2.1 will be removed in
favour of firebird2.5.

We recommend that you upgrade your firebird2.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlFDVTAACgkQXm3vHE4uylpaDwCgpIhP8UejIDjtwawUn69ojwoo
XlgAniRXVjNCBJH8dkCktheT5y7bT7Te
=IbR6
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2648-1] firebird2.5 security update

2013-03-15 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2648-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
March 15, 2013 http://www.debian.org/security/faq
- -

Package: firebird2.5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-5529 CVE-2013-2492

A buffer overflow was discovered in the Firebird database server, which
could result in the execution of arbitrary code. In addition, a denial 
of service vulnerability was discovered in the TraceManager.

For the stable distribution (squeeze), these problems have been fixed in
version 2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your firebird2.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlFDVTMACgkQXm3vHE4uylotqACfe59uT9iU7IWHVw86fEDL+6vf
mdsAoOrNpU89y8r0UnZ3bhfwwjekgsIb
=YBPm
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2644-1] wireshark security update

2013-03-14 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2644-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
March 14, 2013 http://www.debian.org/security/faq
- -

Package: wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2478 CVE-2013-2480 CVE-2013-2481 CVE-2013-2483 
 CVE-2013-2484 CVE-2013-2488

Multiple vulnerabilities were discovered in the dissectors for the 
MS-MMS, RTPS, RTPS2, Mount, ACN, CIMD and DTLS protocols, which could 
result in denial of service or the execution of arbitrary code.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.11-6+squeeze10.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.2-5.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlFCDkAACgkQXm3vHE4uyloEwgCgzlhBmcOE2bETDSVOxX2ABgXk
MfwAnAw02OlPzjvfz9rraywZilRY20YA
=OzLs
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2638-1] openafs security update

2013-03-04 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2638-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
March 04, 2013 http://www.debian.org/security/faq
- -

Package: openafs
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1794 CVE-2013-1795

Multiple buffer overflows were discovered in OpenAFS, the implementation
of the distributed filesystem AFS, which might result in denial of
service or the execution of arbitrary code. Further information is
available at http://www.openafs.org/security.

For the stable distribution (squeeze), this problem has been fixed in
version 1.4.12.1+dfsg-4+squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 1.6.1-3.

We recommend that you upgrade your openafs packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlE1ICcACgkQXm3vHE4uylrOlQCg6kwBRETO/tr5SfUk1GrFtubp
YPMAnA+FqS0AWVLBYzT69pNaOW4ULfA8
=rU8A
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2636-2] xen regression update

2013-03-03 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2636-2   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
March 03, 2013 http://www.debian.org/security/faq
- -

Package: xen
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4544 CVE-2012-5511 CVE-2012-5634 CVE-2013-0153

A regression in combination with pygrub has been discovered. For the 
stable distribution (squeeze), these problems have been fixed in version 
4.0.1-5.8.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEzM4MACgkQXm3vHE4uylqZUQCfVbtusWfxuG9ZTo2lgOw6GgL3
45wAoMnsE19oWqrVxOTFhRZAnNG1THLo
=QuId
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2636-1] xen security update

2013-03-01 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2636-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
March 01, 2013 http://www.debian.org/security/faq
- -

Package: xen
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4544 CVE-2012-5511 CVE-2012-5634 CVE-2013-0153
Debian Bug : 

Multiple vulnerabilities have been discovered in the Xen hypervisor. The 
Common Vulnerabilities and Exposures project identifies the following 
problems:

CVE-2012-4544

Insufficient validation of kernel or ramdisk sizes in the Xen PV 
domain builder could result in denial of service.

CVE-2012-5511

Several HVM control operations performed insufficient validation of
input, which could result in denial of service through resource
exhaustion.

CVE-2012-5634

Incorrect interrupt handling when using VT-d hardware could result
in denial of service.

CVE-2013-0153

Insufficient restriction of interrupt access could result in denial
of service.


For the stable distribution (squeeze), these problems have been fixed in
version 4.0.1-5.7.

For the testing distribution (wheezy), these problems have been fixed in
version 4.1.4-2.

For the unstable distribution (sid), these problems have been fixed in
version 4.1.4-2.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEw/3YACgkQXm3vHE4uylrX+ACgtVk1Pg/7Op/sVbMAmliP7WM/
G38An2vc8pHv2LM2h3q2Sz2VRKkJhPVV
=/k4L
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2628-1] nss-pam-ldapd security update

2013-02-18 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2628-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
February 18, 2013  http://www.debian.org/security/faq
- -

Package: nss-pam-ldapd
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2013-0288
Debian Bug : 690319

Garth Mollett discovered that a file descriptor overflow issue in the
use of FD_SET() in nss-pam-ldapd, which provides NSS and PAM modules for
using LDAP as a naming service, can lead to a stack-based buffer
overflow. An attacker could, under some circumstances, use this flaw to
cause a process that has the NSS or PAM module loaded to crash or
potentially execute arbitrary code.

For the stable distribution (squeeze) this problem has been fixed in
version 0.7.15+squeeze3.

For the testing distribution (wheezy), this problem has been fixed in
version 0.8.10-3.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.10-3.

We recommend that you upgrade your nss-pam-ldapd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEiW7gACgkQXm3vHE4uyloWqwCcDZWJYLmupXkP8XOAhAY9825R
5rMAoOA3R8aSGzI+t1PAbx1hoUqR5Hgg
=/Twb
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2624-1] ffmpeg security update

2013-02-16 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2624-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
February 16, 2013  http://www.debian.org/security/faq
- -

Package: ffmpeg
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-0858 CVE-2012-2777 CVE-2012-2783 CVE-2012-2784 
 CVE-2012-2788 CVE-2012-2801 CVE-2012-2803

Several vulnerabilities have been discovered in FFmpeg, a multimedia 
player, server and encoder. Multiple input validation issues in the decoders/ 
demuxers for Shorten, Chinese AVS video, VP5, VP6, AVI, AVS and MPEG-1/2
files could lead to the execution of arbitrary code.

Most of these issues were discovered by Mateusz Jurczyk and Gynvael 
Coldwind.

For the stable distribution (squeeze), these problems have been fixed in
version 4:0.5.10-1.

For the testing distribution (wheezy) and the unstable distribution (sid), 
these problems have been fixed in version 6:0.8.5-1 of the source package
libav.

We recommend that you upgrade your ffmpeg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEfzSEACgkQXm3vHE4uylrcUACdG519Lt/pqSwMAJVlGWqoSJXe
MSoAn3YHmqjoS3YVBocLSOV90w8ESpRg
=8ZFy
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2625-1] wireshark security update

2013-02-16 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2625-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
February 17, 2013  http://www.debian.org/security/faq
- -

Package: wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1582 CVE-2013-1586 CVE-2013-1588 CVE-2013-1590

Multiple vulnerabilities were discovered in the dissectors for the CLNP,
DTLS, DCP-ETSI and NTLMSSP protocols, which could result in denial of
service or the execution of arbitrary code.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.11-6+squeeze9.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEgF2sACgkQXm3vHE4uylo/4QCgkfQkzzKBxisAc6wCTNaGMdeN
+2MAn3KVXhdhVK9+tAjjcGxd0lJWQ3Vy
=EpbC
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2619-1] xen-qemu-dm-4.0 security update

2013-02-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2619-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
February 10, 2013  http://www.debian.org/security/faq
- -

Package: xen-qemu-dm-4.0
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-6075

A buffer overflow was found in the e1000e emulation, which could be
triggered when processing jumbo frames.

For the stable distribution (squeeze), this problem has been fixed in
version 4.0.1-2+squeeze3.

For the unstable distribution (sid), this problem has been fixed in
version 4.1.3-8 of the xen source package.

We recommend that you upgrade your xen-qemu-dm-4.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEX5CcACgkQXm3vHE4uylo4mgCdFJc+356WLUt64gpK/iA3pTt7
nB0AoOQ24Y1lE7KKo9FOExLXV9YOBqfN
=M4Nv
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2612-2] ircd-ratbox update

2013-02-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2612-2   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
February 10, 2013   http://www.debian.org/security/faq
- -

Package: ircd-ratbox
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-6084

This update to the previous ircd-ratbox DSA only raises the version number
to ensure that a higher version is used than a previous binNMU on some
architectures.

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.6.dfsg-2+squeeze1.

We recommend that you upgrade your ircd-ratbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEUEARECAAYFAlEX6JUACgkQXm3vHE4uylpioQCcDQvyJFUkZ53pzs3k7CFDvlL1
v6gAlAkyL/gZnYMKLZiUgbE7m3Stvg0=
=J5xk
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2612-1] ircd-ratbox security update

2013-01-24 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2612-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
January 24, 2013   http://www.debian.org/security/faq
- -

Package: ircd-ratbox
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-6084

It was discovered that a bug in the server capability negotiation code of
ircd-ratbox could result in denial of service.

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.6.dfsg-2squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 3.0.7.dfsg-3.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.7.dfsg-3.

We recommend that you upgrade your ircd-ratbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEBqQcACgkQXm3vHE4uylqiNQCeMoOg3cwLxuUxFMx4if6HRZ5n
Q1UAoIZ5vDAHxoyDGAx2oY2q++Dc4qNV
=O+2l
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2603-1] emacs23 security update

2013-01-09 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2603-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
January 09, 2013   http://www.debian.org/security/faq
- -

Package: emacs23
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE ID : CVE-2012-3479

Paul Ling discovered that Emacs insufficiently restricted the evaluation 
of Lisp code if enable-local-variables is set to safe.

For the stable distribution (squeeze), this problem has been fixed in
version 23.2+1-7+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 23.4+1-4.

For the unstable distribution (sid), this problem has been fixed in
version 23.4+1-4.

We recommend that you upgrade your emacs23 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDtvmsACgkQXm3vHE4uylpaPgCg0AjfRooP2fgExqr57m9w99/a
/ccAn2ebRUVkS3jF5WMBjYjh4LTpWERa
=VGZR
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2598-1] weechat security update

2013-01-05 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2598-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
January 05, 2013   http://www.debian.org/security/faq
- -

Package: weechat
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-1428 CVE-2012-5534

Two security issues have been discovered in Weechat, a fast, light and 
extensible chat client:

CVE-2011-1428

   X.509 certificates were incorrectly validated.

CVE-2012-5534

   The hook_process function in the plugin API allowed the execution
   of arbitrary shell commands.

For the stable distribution (squeeze), these problems have been fixed in
version 0.3.2-1+squeeze1.

For the testing distribution (wheezy), these problems have been fixed in
version 0.3.8-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 0.3.9.2-1.

We recommend that you upgrade your weechat packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDnYUMACgkQXm3vHE4uylpAmgCgkJdKvmYIbMnVdR8UX7bwS4Gn
TbYAoNXrjCm3zkWI/MgxW5H7vfA7ReWF
=/ysR
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2594-1] virtualbox-ose security update

2012-12-30 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2594-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
December 30, 2012  http://www.debian.org/security/faq
- -

Package: virtualbox-ose
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-3221

halfdog discovered that incorrect interrupt handling in Virtualbox,
an x86 virtualization solution, can lead to denial of service.

For the stable distribution (squeeze), this problem has been fixed in
version 3.2.10-dfsg-1+squeeze1.

For the testing distribution (wheezy) and the unstable distribution 
(sid), this problem has been fixed in version 4.1.18-dfsg-1.1 of
the virtualbox source package.

We recommend that you upgrade your virtualbox-ose packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDgPkQACgkQXm3vHE4uylrlygCggMYY4Ripy52U2h601w2d1JMS
sUcAn0quBL+QYjChBO3gsqQxgvhHaYgj
=PoU2
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2595-1] ghostscript security update

2012-12-30 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2595-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
December 30, 2012  http://www.debian.org/security/faq
- -

Package: ghostscript
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4405

Marc Schoenefeld discovered that an integer overflow in the ICC parsing
code of Ghostscript can lead to the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 8.71~dfsg2-9+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 9.05~dfsg-6.1.

For the unstable distribution (sid), this problem has been fixed in
version 9.05~dfsg-6.1.

We recommend that you upgrade your ghostscript packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDgXAkACgkQXm3vHE4uylqfMQCg52omxzpj/M5XDqho6BMF9KjK
QmwAn2TFNE3y+A8bv3PUMGti3b1Cj9Z2
=SVWN
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2593-1] moin security update

2012-12-29 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2593-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
December 29, 2012  http://www.debian.org/security/faq
- -

Package: moin
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : not available yet

It was discovered that missing input validation in the twikidraw and
anywikidraw actions can result in the execution of arbitrary code.
This security issue is being actively exploited.

This update also addresses path traversal in AttachFile.

For the stable distribution (squeeze), this problem has been fixed in
version 1.9.3-1+squeeze4.

For the unstable distribution (sid), this problem has been fixed in
version 1.9.5-4.

We recommend that you upgrade your moin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDfUv0ACgkQXm3vHE4uylrQvACg3AbeVY1QHMJr2Vwuu7voNuH7
8g0AnR8Cui3FPs+z4tu3WaLaRkn/WvbU
=x1Oq
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2591-1] mahara security update

2012-12-27 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2591-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
December 27, 2012  http://www.debian.org/security/faq
- -

Package: mahara
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-2239 CVE-2012-2243 CVE-2012-2244 CVE-2012-2246 
 CVE-2012-2247 CVE-2012-2253 CVE-2012-6037

Multiple security issues have been found in Mahara, an electronic
portfolio, weblog, and resume builder, which can result in cross-site
scripting, clickjacking or arbitrary file execution.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.6-2+squeeze6.

For the unstable distribution (sid), these problems have been fixed in
version 1.5.1-3.1.

We recommend that you upgrade your mahara packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDc1IMACgkQXm3vHE4uylqMPgCg5dS6sguZrMHSYcBwOKfBL2N+
j2wAn36pxjwQBWzicqcDoQhMnxzZM+PZ
=6mgD
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2592-1] elinks security update

2012-12-27 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2592-1   secur...@debian.org
http://www.debian.org/security/                     Moritz Muehlenhoff
December 28, 2012  http://www.debian.org/security/faq
- -

Package: elinks
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4545

Marko Myllynen discovered that elinks, a powerful text-mode browser, 
incorrectly delegates user credentials during GSS-Negotiate.

For the stable distribution (squeeze), this problem has been fixed in
version 0.12~pre5-2+squeeze1. Since the initial Squeeze release,
Xulrunner needed to be updated, and the version currently in the archive
is incompatible with Elinks. As such, Javascript support needed to be
disabled (only a small subset of typical functionality was supported
anyway). It will likely be re-enabled in a later point update.

For the testing distribution (wheezy), this problem has been fixed in
version 0.12~pre5-9.

For the unstable distribution (sid), this problem has been fixed in
version 0.12~pre5-9.

We recommend that you upgrade your elinks packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

-END PGP SIGNATURE-


[Full-disclosure] [SECURITY] [DSA 2590-1] wireshark security update

2012-12-26 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2590-1   secur...@debian.org
http://www.debian.org/security/                     Moritz Muehlenhoff
December 26, 2012  http://www.debian.org/security/faq
- -

Package: wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4048 CVE-2012-4296

Bjorn Mork and Laurent Butti discovered crashes in the PPP and RTPS2
dissectors, which could potentially result in the execution of arbitrary
code.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.11-6+squeeze8.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.2-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

-END PGP SIGNATURE-


[Full-disclosure] [SECURITY] [DSA 2580-1] libxml security update

2012-12-02 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2580-1   secur...@debian.org
http://www.debian.org/security/                     Moritz Muehlenhoff
December 02, 2012  http://www.debian.org/security/faq
- -

Package: libxml2
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE ID : CVE-2012-5134

Jueri Aedla discovered a buffer overflow in the libxml XML library, which
could result in the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze6.

For the unstable distribution (sid), this problem has been fixed in
version 2.8.0+dfsg1-7.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

-END PGP SIGNATURE-


[Full-disclosure] [SECURITY] [DSA 2561-1] tiff security update

2012-10-21 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2561-1   secur...@debian.org
http://www.debian.org/security/                     Moritz Muehlenhoff
October 21, 2012   http://www.debian.org/security/faq
- -

Package: tiff
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE ID : CVE-2012-4447

It was discovered that a buffer overflow in libtiff's parsing of files
using PixarLog compression could lead to the execution of arbitrary
code.

For the stable distribution (squeeze), this problem has been fixed in
version 3.9.4-5+squeeze6.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 3.9.6-9 of the tiff3
source package and in version 4.0.2-4 of the tiff source package.

We recommend that you upgrade your tiff packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

-END PGP SIGNATURE-


[Full-disclosure] [SECURITY] [DSA 2555-1] libxslt security update

2012-10-05 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2555-1   secur...@debian.org
http://www.debian.org/security/                     Moritz Muehlenhoff
October 05, 2012   http://www.debian.org/security/faq
- -

Package: libxslt
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-2870 CVE-2012-2871 CVE-2012-2893

Nicholas Gregoire and Cris Neckar discovered several memory handling
bugs in libxslt, which could lead to denial of service or the execution
of arbitrary code if a malformed document is processed.

For the stable distribution (squeeze), these problems have been fixed in
version 1.1.26-6+squeeze2.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.26-14.

We recommend that you upgrade your libxslt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

-END PGP SIGNATURE-


[Full-disclosure] [SECURITY] [DSA 2550-2] asterisk regression update

2012-09-26 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2550-2   secur...@debian.org
http://www.debian.org/security/                     Moritz Muehlenhoff
September 26, 2012 http://www.debian.org/security/faq
- -

Package: asterisk
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-2186 CVE-2012-3812 CVE-2012-3863 CVE-2012-4737

The update released as DSA-2550-1 introduced a regression in the SIP
handling code.

For the stable distribution (squeeze), this problem has been fixed in
version 1:1.6.2.9-2+squeeze8.

We recommend that you upgrade your asterisk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

-END PGP SIGNATURE-


[Full-disclosure] [SECURITY] [DSA 2553-1] iceweasel security update

2012-09-24 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2553-1   secur...@debian.org
http://www.debian.org/security/                     Moritz Muehlenhoff
September 24, 2012 http://www.debian.org/security/faq
- -

Package: iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-1970 CVE-2012-1972 CVE-2012-1973 CVE-2012-1974 
 CVE-2012-1975 CVE-2012-1976 CVE-2012-3959 CVE-2012-3962 
 CVE-2012-3969 CVE-2012-3972 CVE-2012-3978

Several vulnerabilities have been discovered in Iceweasel, a web
browser based on Firefox. The included XULRunner library provides
rendering services for several other applications included in Debian.

The reported vulnerabilities could lead to the execution of arbitrary
code or the bypass of content-loading restrictions via the location
object.

For the stable distribution (squeeze), these problems have been fixed in
version 3.5.16-18.

For the testing distribution (wheezy), these problems have been fixed in
version 10.0.7esr-2.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.7esr-2.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

-END PGP SIGNATURE-


[Full-disclosure] [SECURITY] [DSA 2550-1] asterisk security update

2012-09-18 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2550-1   secur...@debian.org
http://www.debian.org/security/                     Moritz Muehlenhoff
September 18, 2012 http://www.debian.org/security/faq
- -

Package: asterisk
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-2186 CVE-2012-3812 CVE-2012-3863 CVE-2012-4737

Several vulnerabilities were discovered in Asterisk, a PBX and telephony 
toolkit, allowing privilege escalation in the Asterisk Manager, denial of
service or privilege escalation.

More detailed information can be found in the Asterisk advisories:
http://downloads.asterisk.org/pub/security/AST-2012-010.html 
http://downloads.asterisk.org/pub/security/AST-2012-011.html 
http://downloads.asterisk.org/pub/security/AST-2012-012.html 
http://downloads.asterisk.org/pub/security/AST-2012-013.html 

For the stable distribution (squeeze), these problems have been fixed in
version 1:1.6.2.9-2+squeeze7.

For the testing distribution (wheezy) and the unstable distribution (sid), 
these problems have been fixed in version 1:1.8.13.1~dfsg-1.

We recommend that you upgrade your asterisk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

-END PGP SIGNATURE-


[Full-disclosure] [SECURITY] [DSA 2548-1] tor security update

2012-09-13 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2548-1   secur...@debian.org
http://www.debian.org/security/                     Moritz Muehlenhoff
September 13, 2012 http://www.debian.org/security/faq
- -

Package: tor
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-3518 CVE-2012-3519 CVE-2012-4419

Several vulnerabilities have been discovered in Tor, an online privacy
tool.

CVE-2012-3518

  Avoid an uninitialised memory read when reading a vote or consensus
  document that has an unrecognized flavour name. This could lead to
  a remote crash, resulting in denial of service.

CVE-2012-3519

  Try to leak less information about what relays a client is choosing to
  a side-channel attacker.

CVE-2012-4419

  By providing specially crafted date strings to a victim tor instance,
  an attacker can cause it to run into an assertion and shut down.

Additionally, the update to stable includes the following fixes:
- When waiting for a client to renegotiate, don't allow it to add any
  bytes to the input buffer. This fixes a potential DoS issue
  [tor-5934, tor-6007].

For the stable distribution (squeeze), these problems have been fixed in
version 0.2.2.39-1.

For the unstable distribution, these problems have been fixed in version
0.2.3.22-rc-1.

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

-END PGP SIGNATURE-
