Advisories: Debian

Here are the latest security advisories for the Debian Linux distribution:

  • DSA-4178 libreoffice - security update
    Two vulnerabilities were discovered in LibreOffice's code to parse MS Word and Structured Storage files, which could result in denial of service and potentially the execution of arbitrary code if a malformed file is opened.
  • DSA-4177 libsdl2-image - security update
    Multiple vulnerabilities have been discovered in the image loading library for Simple DirectMedia Layer 2, which could result in denial of service or the execution of arbitrary code if malformed image files are opened.
  • DSA-4176 mysql-5.5 - security update
    Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.60, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:
  • DSA-4175 freeplane - security update
    Wojciech Regula discovered an XML External Entity vulnerability in the XML Parser of the mindmap loader in freeplane, a Java program for working with mind maps, resulting in potential information disclosure if a malicious mind map file is opened.
  • DSA-4174 corosync - security update
    The Citrix Security Response Team discovered that corosync, a cluster engine implementation, allowed an unauthenticated user to cause a denial of service by crashing the application.
  • DSA-4173 r-cran-readxl - security update
    Marcin Noga discovered multiple vulnerabilities in readxl, a GNU R package to read Excel files (via the integrated libxls library), which could result in the execution of arbitrary code if a malformed spreadsheet is processed.
  • DSA-4172 perl - security update
    Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems:
  • DSA-4171 ruby-loofah - security update
    The Shopify Application Security Team reported that ruby-loofah, a general library for manipulating and transforming HTML/XML documents and fragments, allows non-whitelisted attributes to remain in sanitized output when given specially-crafted HTML fragments as input. This might allow a code injection attack against a browser consuming the sanitized output.
  • DSA-4169 pcs - security update
    Cédric Buissart from Red Hat discovered an information disclosure bug in pcs, a pacemaker command line interface and GUI. The REST interface normally doesn't allow passing the --debug parameter, to prevent an information leak, but the check wasn't sufficient.
  • DSA-4170 pjproject - security update
    Multiple vulnerabilities have been discovered in PJSIP/PJProject, a multimedia communication library, which may result in denial of service during the processing of SIP and SDP messages and ioqueue keys.
  • DSA-4168 squirrelmail - security update
    Florian Grunow and Birk Kauer of ERNW discovered a path traversal vulnerability in SquirrelMail, a webmail application, allowing an authenticated remote attacker to retrieve or delete arbitrary files via mail attachment.
  • DSA-4167 sharutils - security update
    A buffer overflow vulnerability was discovered in Sharutils, a set of utilities to handle shell archives. An attacker who controls the input of the unshar command could crash the application or execute arbitrary code in its context.
  • DSA-4166 openjdk-7 - security update
    Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code, incorrect LDAP/GSS authentication, insecure use of cryptography or bypass of deserialisation restrictions.
  • DSA-4165 ldap-account-manager - security update
    Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web front-end for LDAP directories.
  • DSA-4164 apache2 - security update
    Several vulnerabilities have been found in the Apache HTTPD server.
  • DSA-4163 beep - security update
    It was discovered that a race condition in beep (if configured as setuid via debconf) allows local privilege escalation.
  • DSA-4162 irssi - security update
    Multiple vulnerabilities have been discovered in Irssi, a terminal-based IRC client, which can result in denial of service.
  • DSA-4161 python-django - security update
    James Davis discovered two issues in Django, a high-level Python web development framework, that can lead to a denial-of-service attack. An attacker who controls the input of the django.utils.html.urlize() function or of django.utils.text.Truncator's chars() and words() methods could craft a string that stalls the execution of the application (catastrophic backtracking in the regular expressions those functions use).
  • DSA-4160 libevt - security update
    It was discovered that insufficient input sanitising in libevt, a library to access the Windows Event Log (EVT) format, could result in denial of service if a malformed EVT file is processed.
  • DSA-4159 remctl - security update
    Santosh Ananthakrishnan discovered a use-after-free in remctl, a server for Kerberos-authenticated command execution. If the command is configured with the sudo option, this could potentially result in the execution of arbitrary code.
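The freeplane entry above (DSA-4175) is an XML External Entity problem in a file loader: a document the user opens carries a DTD whose entity points at a local file or URL, and the parser resolves it. The following is an added example, not code from Freeplane or from any Debian advisory, of the check a loader for a mind-map-style XML file can apply so that a DOCTYPE, entity declaration or external entity reference aborts parsing before anything could be fetched. It uses Python's expat binding; the `<map>`/`<node TEXT="...">` layout, the function names and the two sample documents are constructed for the illustration.

```python
"""Hardened loader for a mind-map style XML file.

Added illustration, not Freeplane's loader. Policy: any DOCTYPE, entity
declaration or external entity reference aborts parsing before an entity
could be resolved, which is the same rule the defusedxml package applies.
"""
import xml.parsers.expat


class UnsafeXML(ValueError):
    """The document carries a DTD or entity that the loader refuses."""


def parse_mindmap(data: bytes) -> list:
    """Return [(depth, text), ...] for each <node TEXT="..."> element.

    Raises UnsafeXML for DTD/entity constructs and ValueError for
    malformed XML. Layout assumed (constructed for this example):
    <map><node TEXT="..."><node TEXT="..."/></node></map>
    """
    parser = xml.parsers.expat.ParserCreate()
    nodes = []
    depth = 0  # nesting depth of the current element; <map> is 0

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before any entity in the internal subset is declared.
        raise UnsafeXML("DOCTYPE rejected: %s" % name)

    def forbid_entity_decl(name, is_parameter, value, base, system_id,
                           public_id, notation_name):
        raise UnsafeXML("entity declaration rejected: %s" % name)

    def forbid_external_ref(context, base, system_id, public_id):
        # expat would otherwise ask this handler to fetch system_id.
        raise UnsafeXML("external entity rejected: %s" % system_id)

    def start_element(name, attrs):
        nonlocal depth
        if name == "node":
            nodes.append((depth, attrs.get("TEXT", "")))
        depth += 1

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError("malformed mind map: %s" % exc) from None
    return nodes


def rejects(data: bytes) -> bool:
    """True if the loader refuses `data` under the no-DTD policy."""
    try:
        parse_mindmap(data)
    except UnsafeXML:
        return True
    return False


# Constructed sample documents (not real Freeplane files).
SAFE_MAP = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<map version="1.0"><node TEXT="root">'
            b'<node TEXT="child"/></node></map>')

XXE_MAP = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<!DOCTYPE map [<!ENTITY leak SYSTEM "file:///etc/hostname">]>'
           b'<map version="1.0"><node TEXT="&leak;"/></map>')

if __name__ == "__main__":
    print(parse_mindmap(SAFE_MAP))   # [(1, 'root'), (2, 'child')]
    print(rejects(XXE_MAP))          # True
```

The DOCTYPE handler alone stops the sample above; the entity-declaration and external-reference handlers are defence in depth in case a parser is later swapped in that reports those events differently. In a Java loader (Freeplane's language) the equivalent is enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature on the parser factory before parsing user-supplied files.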
