Advisories: Debian

Here are the latest security advisories for the Debian Linux distribution:

  • DSA-4046 libspring-ldap-java - security update
    Tobias Schneider discovered that libspring-ldap-java, a Java library for Spring-based applications using the Lightweight Directory Access Protocol, would under some circumstances allow authentication with a correct username but an arbitrary password.
  • DSA-4045 vlc - security update
    Several vulnerabilities have been found in VLC, the VideoLAN project's media player. Processing malformed media files could lead to denial of service and potentially the execution of arbitrary code.
  • DSA-4044 swauth - security update
    A vulnerability has been discovered in swauth, an authentication system for Swift, a distributed virtual object store used in OpenStack.
  • DSA-4043 samba - security update
    Several vulnerabilities have been discovered in Samba, an SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues:
  • DSA-4042 libxml-libxml-perl - security update
    A use-after-free vulnerability was discovered in XML::LibXML, a Perl interface to the libxml2 library, allowing an attacker to execute arbitrary code by controlling the arguments to a replaceChild() call.
  • DSA-4041 procmail - security update
    Jakub Wilk reported a heap-based buffer overflow vulnerability in procmail's formail utility when processing specially-crafted email headers. A remote attacker could use this flaw to cause formail to crash, resulting in a denial of service or data loss.
  • DSA-4040 imagemagick - security update
    This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed image files are processed.
  • DSA-4039 opensaml2 - security update
    Rod Widdowson of Steading System Software LLP discovered a coding error in the OpenSAML library, causing the DynamicMetadataProvider class to fail configuring itself with the filters provided and omitting whatever checks they are intended to perform.
  • DSA-4038 shibboleth-sp2 - security update
    Rod Widdowson of Steading System Software LLP discovered a coding error in the Dynamic metadata plugin of the Shibboleth Service Provider, causing the plugin to fail configuring itself with the filters provided and omitting whatever checks they are intended to perform.
  • DSA-4037 jackson-databind - security update
    It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing: following DSA-4004-1 for CVE-2017-7525, an additional set of classes was identified as unsafe for deserialization.
  • DSA-4036 mediawiki - security update
    Multiple security vulnerabilities have been discovered in MediaWiki, a website engine for collaborative work:
  • DSA-4035 firefox-esr - security update
    Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code, denial of service or bypass of the same origin policy.
  • DSA-4034 varnish - security update
    'shamger' and Carlo Cannas discovered that a programming error in Varnish, a state-of-the-art, high-performance web accelerator, may result in disclosure of memory contents or denial of service.
  • DSA-4033 konversation - security update
    Joseph Bisch discovered that Konversation, a user-friendly Internet Relay Chat (IRC) client for KDE, could crash when parsing certain IRC color formatting codes.
  • DSA-4032 imagemagick - security update
    This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed GIF, TTF, SVG, TIFF, PCX, JPG or SFW files are processed.
  • DSA-4031 ruby2.3 - security update
    Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems:
  • DSA-4030 roundcube - security update
    A file disclosure vulnerability was discovered in roundcube, a skinnable AJAX based webmail solution for IMAP servers. An authenticated attacker can take advantage of this flaw to read roundcube's configuration files.
  • DSA-4029 postgresql-common - security update
    It was discovered that the pg_ctlcluster, pg_createcluster and pg_upgradecluster commands handled symbolic links insecurely which could result in local denial of service by overwriting arbitrary files.
  • DSA-4028 postgresql-9.6 - security update
    Several vulnerabilities have been found in the PostgreSQL database system:
  • DSA-4027 postgresql-9.4 - security update
    A vulnerability has been found in the PostgreSQL database system: denial of service and potential memory disclosure in the json_populate_recordset() and jsonb_populate_recordset() functions.