Advisories: Debian

Here are the latest security advisories for the Debian Linux distribution:

  • DSA-3916 atril - security update
    It was discovered that Atril, the MATE document viewer, made insecure use of tar when opening tar comic book archives (CBT). Opening a malicious CBT archive could result in the execution of arbitrary code. This update disables the CBT format entirely.
  • DSA-3915 ruby-mixlib-archive - security update
    It was discovered that ruby-mixlib-archive, a Chef Software's library used to handle various archive formats, was vulnerable to a directory traversal attack. This allowed attackers to overwrite arbitrary files by using a malicious tar archive containing ".." in its entries.
  • DSA-3914 imagemagick - security update
    This updates fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed RLE, SVG, PSD, PDB, DPX, MAT, TGA, VST, CIN, DIB, MPC, EPT, JNG, DJVU, JPEG, ICO, PALM or MNG files are processed.
  • DSA-3913 apache2 - security update
    Robert Swiecki reported that mod_auth_digest does not properly initialize or reset the value placeholder in [Proxy-]Authorization headers of type Digest between successive key=value assignments, leading to information disclosure or denial of service.
  • DSA-3912 heimdal - security update
    Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams reported that Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos, trusts metadata taken from the unauthenticated plaintext (Ticket), rather than the authenticated and encrypted KDC response. A man-in-the-middle attacker can use this flaw to impersonate services to the client.
  • DSA-3911 evince - security update
    Felix Wilhelm discovered that the Evince document viewer made insecure use of tar when opening tar comic book archives (CBT). Opening a malicious CBT archive could result in the execution of arbitrary code. This update disables the CBT format entirely.
  • DSA-3910 knot - security update
    Clément Berthaux from Synaktiv discovered a signature forgery vulnerability in knot, an authoritative-only DNS server. This vulnerability allows an attacker to bypass TSIG authentication by sending crafted DNS packets to a server.
  • DSA-3909 samba - security update
    Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutual authentication bypass vulnerability in samba, the SMB/CIFS file, print, and login server. Also known as Orpheus' Lyre, this vulnerability is located in Samba Kerberos Key Distribution Center (KDC-REP) component and could be used by an attacker on the network path to impersonate a server.
  • DSA-3908 nginx - security update
    An integer overflow has been found in the HTTP range module of Nginx, a high-performance web and reverse proxy server, which may result in information disclosure.
  • DSA-3907 spice - security update
    Frediano Ziglio discovered a buffer overflow in spice, a SPICE protocol client and server library which may result in memory disclosure, denial of service and potentially the execution of arbitrary code.
  • DSA-3906 undertow - security update
    Two vulnerabilities have been discovered in Undertow, a web server written in Java, which may lead to denial of service or HTTP request smuggling.
  • DSA-3905 xorg-server - security update
    Two security issues have been discovered in the X.org X server, which may lead to privilege escalation or an information leak.
  • DSA-3904 bind9 - security update
    Clément Berthaux from Synaktiv discovered two vulnerabilities in BIND, a DNS server implementation. They allow an attacker to bypass TSIG authentication by sending crafted DNS packets to a server.
  • DSA-3903 tiff - security update
    Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.
  • DSA-3902 jabberd2 - security update
    It was discovered that jabberd2, a Jabber instant messenger server, allowed anonymous SASL connections, even if disabled in the configuration.
  • DSA-3901 libgcrypt20 - security update
    Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that Libgcrypt is prone to a local side-channel attack allowing full key recovery for RSA-1024.
  • DSA-3900 openvpn - security update
    Several issues were discovered in openvpn, a virtual private network application.
  • DSA-3899 vlc - security update
    Several vulnerabilities have been found in VLC, the VideoLAN project's media player. Processing malformed subtitles or movie files could lead to denial of service and potentially the execution of arbitrary code.
  • DSA-3898 expat - security update
    Multiple vulnerabilities have been discovered in Expat, an XML parsing C library. The Common Vulnerabilities and Exposures project identifies the following problems:
  • DSA-3897 drupal7 - security update
    Two vulnerabilities were discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues:
  • More...

Leave a Reply

Your email address will not be published. Required fields are marked *