Advisories: Debian

Here are the latest security advisories for the Debian Linux distribution:

  • DSA-3790 spice - security update
    Several vulnerabilities were discovered in spice, a SPICE protocol client and server library. The Common Vulnerabilities and Exposures project identifies the following problems:
  • DSA-3789 libevent - security update
    Several vulnerabilities were discovered in libevent, an asynchronous event notification library. They would lead to Denial Of Service via application crash, or remote code execution.
  • DSA-3788 tomcat8 - security update
    It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.
  • DSA-3787 tomcat7 - security update
    It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.
  • DSA-3786 vim - security update
    Editor spell files passed to the vim (Vi IMproved) editor may result in an integer overflow in memory allocation and a resulting buffer overflow which potentially could result in the execution of arbitrary code or denial of service.
  • DSA-3785 jasper - security update
    Multiple vulnerabilities have been discovered in the JasPer library for processing JPEG-2000 images, which may result in denial of service or the execution of arbitrary code if a malformed image is processed.
  • DSA-3784 viewvc - security update
    Thomas Gerbet discovered that viewvc, a web interface for CVS and Subversion repositories, did not properly sanitize user input. This problem resulted in a potential Cross-Site Scripting vulnerability.
  • DSA-3783 php5 - security update
    Several issues have been discovered in PHP, a widely-used open source general-purpose scripting language.
  • DSA-3782 openjdk-7 - security update
    Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the bypass of Java sandbox restrictions, denial of service, arbitrary code execution, incorrect parsing of URLs/LDAP DNs or cryptographic timing side channel attacks.
  • DSA-3781 svgsalamander - security update
    Luc Lynx discovered that SVG Salamander, an SVG engine for Java, was susceptible to server-side request forgery.
  • DSA-3780 ntfs-3g - security update
    Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.
  • DSA-3779 wordpress - security update
    Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to hijack victims' credentials, access sensitive information, execute arbitrary commands, bypass read and post restrictions, or mount denial-of-service attacks.
  • DSA-3778 ruby-archive-tar-minitar - security update
    Michal Marek discovered that ruby-archive-tar-minitar, a Ruby library that provides the ability to deal with POSIX tar archive files, is prone to a directory traversal vulnerability. An attacker can take advantage of this flaw to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.
  • DSA-3777 libgd2 - security update
    Multiple vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a malformed file is processed.
  • DSA-3776 chromium-browser - security update
    Several vulnerabilities have been discovered in the chromium web browser.
  • DSA-3775 tcpdump - security update
    Multiple vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service or the execution of arbitrary code.
  • DSA-3774 lcms2 - security update
    Ibrahim M. El-Sayed discovered an out-of-bounds heap read vulnerability in the function Type_MLU_Read in lcms2, the Little CMS 2 color management library, which can be triggered by an image with a specially crafted ICC profile and leads to a heap memory leak or denial of service for applications using the lcms2 library.
  • DSA-3773 openssl - security update
    Several vulnerabilities were discovered in OpenSSL:
  • DSA-3772 libxpm - security update
    Tobias Stoeckmann discovered that the libXpm library contained two integer overflow flaws, leading to a heap out-of-bounds write, while parsing XPM extensions in a file. An attacker can provide a specially crafted XPM file that, when processed by an application using the libXpm library, would cause a denial-of-service against the application, or potentially, the execution of arbitrary code with the privileges of the user running the application.
  • DSA-3771 firefox-esr - security update
    Multiple security issues have been found in the Mozilla Firefox web browser: Memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code, information disclosure or privilege escalation.