Here are the latest security advisories for the Debian Linux distribution:
- DSA-4178 libreoffice - security update
Two vulnerabilities were discovered in LibreOffice's code to parse
MS Word and Structured Storage files, which could result in denial of
service and potentially the execution of arbitrary code if a malformed
file is opened.
- DSA-4177 libsdl2-image - security update
Multiple vulnerabilities have been discovered in the image loading
library for Simple DirectMedia Layer 2, which could result in denial of
service or the execution of arbitrary code if malformed image files are
- DSA-4176 mysql-5.5 - security update
Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.60, which includes additional changes. Please see the MySQL
5.5 Release Notes and Oracle's Critical Patch Update advisory for
- DSA-4175 freeplane - security update
Wojciech Regula discovered an XML External Entity vulnerability in the
XML Parser of the mindmap loader in freeplane, a Java program for
working with mind maps, resulting in potential information disclosure if
a malicious mind map file is opened.
- DSA-4174 corosync - security update
The Citrix Security Response Team discovered that corosync, a cluster
engine implementation, allowed an unauthenticated user to cause a
denial of service by crashing the application.
- DSA-4173 r-cran-readxl - security update
Marcin Noga discovered multiple vulnerabilities in readxl, a GNU R
package to read Excel files (via the integrated libxls library), which
could result in the execution of arbitrary code if a malformed
spreadsheet is processed.
- DSA-4172 perl - security update
Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:
- DSA-4171 ruby-loofah - security update
The Shopify Application Security Team reported that ruby-loofah, a
general library for manipulating and transforming HTML/XML documents and
fragments, allows non-whitelisted attributes to be present in sanitized
output when given specially crafted HTML fragments. This might
allow mounting a code injection attack against a browser consuming
- DSA-4169 pcs - security update
Cédric Buissart from Red Hat discovered an information disclosure bug in pcs, a
pacemaker command line interface and GUI. The REST interface normally doesn't
allow passing the --debug parameter, to prevent an information leak, but the check
- DSA-4170 pjproject - security update
Multiple vulnerabilities have been discovered in the PJSIP/PJProject
multimedia communication library, which may result in denial of service during
the processing of SIP and SDP messages and ioqueue keys.
- DSA-4168 squirrelmail - security update
Florian Grunow and Birk Kauer of ERNW discovered a path traversal
vulnerability in SquirrelMail, a webmail application, allowing an
authenticated remote attacker to retrieve or delete arbitrary files
via mail attachments.
- DSA-4167 sharutils - security update
A buffer overflow vulnerability was discovered in Sharutils, a set of
utilities to handle shell archives. An attacker with control over the input
of the unshar command could crash the application or execute arbitrary code
in its context.
- DSA-4166 openjdk-7 - security update
Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, execution of arbitrary code, incorrect
LDAP/GSS authentication, insecure use of cryptography or bypass of
- DSA-4165 ldap-account-manager - security update
Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web
front-end for LDAP directories.
- DSA-4164 apache2 - security update
Several vulnerabilities have been found in the Apache HTTPD server.
- DSA-4163 beep - security update
It was discovered that a race condition in beep (if configured as setuid
via debconf) allows local privilege escalation.
- DSA-4162 irssi - security update
Multiple vulnerabilities have been discovered in Irssi, a terminal-based
IRC client, which can result in denial of service.
- DSA-4161 python-django - security update
James Davis discovered two issues in Django, a high-level Python web
development framework, that can lead to a denial-of-service attack.
An attacker with control over the input to the django.utils.html.urlize()
function or django.utils.text.Truncator's chars() and words() methods
could craft a string that stalls execution of the application.
- DSA-4160 libevt - security update
It was discovered that insufficient input sanitising in libevt, a library
to access the Windows Event Log (EVT) format, could result in denial of
service if a malformed EVT file is processed.
- DSA-4159 remctl - security update
Santosh Ananthakrishnan discovered a use-after-free in remctl, a server
for Kerberos-authenticated command execution. If the command is
configured with the sudo option, this could potentially result in the
execution of arbitrary code.
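The DSA-4175 freeplane entry above describes an XML External Entity (XXE) flaw in a mind-map loader. The following is an added illustration of that vulnerability class and of the parser setting that closes it; it is not freeplane's code, and the mind-map document it parses is a constructed, simplified stand-in for the real .mm format rather than anything taken from the advisory. It uses Python's standard-library xml.sax reader, whose feature_external_ges switch controls whether external general entities are fetched and expanded, and writes a constructed "secret" file to a temporary path to play the role of the local file an attacker wants to read.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects every text node the parser reports; the content of an
    expanded external entity is delivered through this same callback."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def build_malicious_map(target_uri):
    """Constructed, simplified mind-map-like document (not a real .mm file).
    The internal DTD subset declares an external general entity that points
    at a local file, and the document body references it in element content
    (XML forbids external entity references inside attribute values)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE map [\n'
        f'  <!ENTITY secret SYSTEM "{target_uri}">\n'
        ']>\n'
        '<map version="1.0.1"><node><text>&secret;</text></node></map>'
    ).encode("utf-8")


def load_map_text(document, resolve_external_entities):
    """Parse the document with xml.sax and return its concatenated text.

    feature_external_ges decides whether external general entities are
    fetched.  The vulnerable configuration is the one that turns it on
    (Python's expat-based reader defaults to off; other XML stacks, including
    common Java DOM/SAX setups, resolve external entities unless told not to).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.parts)


def demo():
    """Create a constructed secret file, then parse a document that points at
    it once with the unsafe setting and once with the safe one.
    Returns (text_with_xxe_enabled, text_with_xxe_disabled)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("TOP SECRET")  # constructed stand-in for a sensitive local file
        secret_path = f.name
    try:
        doc = build_malicious_map(pathlib.Path(secret_path).as_uri())
        leaked = load_map_text(doc, resolve_external_entities=True)
        safe = load_map_text(doc, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(safe))
```

Running it shows the file contents flowing into the parsed text when external entity resolution is on, and the entity reference expanding to nothing once it is off. The check to carry over to any XML loader that accepts untrusted files is the same: confirm that external entities (and ideally DTD processing altogether) are disabled, and set that explicitly rather than relying on a library default, because defaults differ between parsers and have changed between versions of the same one.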