Advisories: Debian

Here are the latest security advisories for the Debian Linux distribution:

  • DSA-4232 xen - security update
    This update provides mitigations for the lazy FPU vulnerability affecting a range of Intel CPUs, which could result in leaking CPU register states belonging to another vCPU previously scheduled on the same CPU. For additional information please refer to https://xenbits.xen.org/xsa/advisory-267.html
  • DSA-4231 libgcrypt20 - security update
    It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys.
  • DSA-4230 redis - security update
    Multiple vulnerabilities were discovered in the Lua subsystem of Redis, a persistent key-value database, which could result in denial of service.
  • DSA-4229 strongswan - security update
    Two vulnerabilities were discovered in strongSwan, an IKE/IPsec suite.
  • DSA-4228 spip - security update
    Several vulnerabilities were found in SPIP, a website engine for publishing, resulting in cross-site scripting and PHP injection.
  • DSA-4227 plexus-archiver - security update
    Danny Grander discovered a directory traversal flaw in plexus-archiver, an Archiver plugin for the Plexus compiler system, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted Zip archive.
  • DSA-4226 perl - security update
    Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.
  • DSA-4225 openjdk-7 - security update
    Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.
  • DSA-4224 gnupg - security update
    Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.
  • DSA-4223 gnupg1 - security update
    Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.
  • DSA-4222 gnupg2 - security update
    Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.
  • DSA-4221 libvncserver - security update
    Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents.
  • DSA-4220 firefox-esr - security update
    Ivan Fratric discovered a buffer overflow in the Skia graphics library used by Firefox, which could result in the execution of arbitrary code.
  • DSA-4219 jruby - security update
    Several vulnerabilities were discovered in jruby, a Java implementation of the Ruby programming language. They would allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.
  • DSA-4218 memcached - security update
    Several vulnerabilities were discovered in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following problems:
  • DSA-4217 wireshark - security update
    It was discovered that Wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for PCP, ADB, NBAP, UMTS MAC, IEEE 802.11, SIGCOMP, LDSS, GSM A DTAP and Q.931, which result in denial of service or the execution of arbitrary code.
  • DSA-4216 prosody - security update
    It was discovered that Prosody, a lightweight Jabber/XMPP server, does not properly validate client-provided parameters during XMPP stream restarts, allowing authenticated users to override the realm associated with their session, potentially bypassing security policies and allowing impersonation.
  • DSA-4215 batik - security update
    Man Yue Mo, Lars Krapf and Pierre Ernst discovered that Batik, a toolkit for processing SVG images, did not properly validate its input. This would allow an attacker to cause a denial-of-service, mount cross-site scripting attacks, or access restricted files on the server.
  • DSA-4214 zookeeper - security update
    It was discovered that Zookeeper, a service for maintaining configuration information, enforced no authentication/authorisation when a server attempts to join a Zookeeper quorum.
  • DSA-4213 qemu - security update
    Several vulnerabilities were discovered in qemu, a fast processor emulator.