[Secure-testing-team] Bug#699226: rails: CVE-2013-0333: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3
Package: rails Severity: grave Tags: security Justification: user security hole Hi The following advisory was made for rails: [1] http://weblog.rubyonrails.org/ [2]: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo Disclaimer: I have not checked which versions in Debian might be affected. Can you check and adjust the affected versions? Regards, Salvatore ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
[Secure-testing-team] Embedded code in mednafen and xmoto
Hi, I maintain mednafen and xmoto which ship other packages' source code. mednafen includes: * lzo2, not-affected since 0.8.D.3-4 and 0.9.17.1-1 (the source package includes minilzo but the binary package is built using the minilzo package instead) * libvorbisidec, not-affected since 0.9.17.1-1 (as above) * libmpcdec, not-affected since 0.9.21-1 (as above) mednafen 0.8.D.3-4 and 0.8.D.3-5 attempted to use the packaged libvorbisidec, but this breaks CD playback when using .ogg files (see #699143), so it's likely that future packages in the 0.8 series will build using the embedded code. xmoto includes an old version of chipmunk, and can't easily be fixed. This is tracked by #623299. Regards, Stephen signature.asc Description: PGP signature ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
[Secure-testing-team] Bug#699316: libupnp: Multiple stack buffer overflow vulnerabilities
Package: libupnp Severity: grave Tags: security Hi, the following vulnerabilities were published for libupnp. CVE-2012-5958[0]: Stack buffer overflow of Tempbuf CVE-2012-5959[1]: Stack buffer overflow of Event-UDN CVE-2012-5960[2]: Stack buffer overflow of Event-UDN CVE-2012-5961[3]: Stack buffer overflow of Evt-UDN CVE-2012-5962[4]: Stack buffer overflow of Evt-DeviceType CVE-2012-5963[5]: Stack buffer overflow of Event-UDN CVE-2012-5964[6]: Stack buffer overflow of Event-DeviceType CVE-2012-5965[7]: Stack buffer overflow of Event-DeviceType Upstream changelog for 1.6.18 states: *** Version 1.6.18 *** 2012-12-06 Marcelo Roberto Jimenez mroberto(at)users.sourceforge.net Security fix for CERT issue VU#922681 This patch addresses three possible buffer overflows in function unique_service_name(). The three issues have the folowing CVE numbers: CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf CVE-2012-5959 Issue #4: Stack buffer overflow of Event-UDN CVE-2012-5960 Issue #8: Stack buffer overflow of Event-UDN Notice that the following issues have already been dealt by previous work: CVE-2012-5961 Issue #1: Stack buffer overflow of Evt-UDN CVE-2012-5962 Issue #3: Stack buffer overflow of Evt-DeviceType CVE-2012-5963 Issue #5: Stack buffer overflow of Event-UDN CVE-2012-5964 Issue #6: Stack buffer overflow of Event-DeviceType CVE-2012-5965 Issue #7: Stack buffer overflow of Event-DeviceType If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities Exposures) ids in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5958 http://security-tracker.debian.org/tracker/CVE-2012-5958 [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5959 http://security-tracker.debian.org/tracker/CVE-2012-5959 [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5960 http://security-tracker.debian.org/tracker/CVE-2012-5960 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5961 http://security-tracker.debian.org/tracker/CVE-2012-5961 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5962 http://security-tracker.debian.org/tracker/CVE-2012-5962 [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5963 http://security-tracker.debian.org/tracker/CVE-2012-5963 [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5964 http://security-tracker.debian.org/tracker/CVE-2012-5964 [7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5965 http://security-tracker.debian.org/tracker/CVE-2012-5965 Please adjust the affected versions in the BTS as needed. Regards, Salvatore ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team