Here are the latest security advisories for the Debian Linux distribution:
- DSA-4118 tomcat-native - security update
Jonas Klempel reported that tomcat-native, a library giving Tomcat
access to the Apache Portable Runtime (APR) library's network connection
(socket) implementation and random-number generator, does not properly
handle fields longer than 127 bytes when parsing the AIA-Extension field
of a client certificate. If OCSP checks are used, this could result in
client certificates that should have been rejected to be accepted.
- DSA-4117 gcc-4.9 - security update
This update doesn't fix a vulnerability in GCC itself, but instead
provides support for building retpoline-enabled Linux kernel updates.
- DSA-4116 plasma-workspace - security update
Krzysztof Sieluzycki discovered that the notifier for removable devices
in the KDE Plasma workspace performed insufficient sanitisation of
FAT/VFAT volume labels, which could result in the execution of arbitrary
shell commands if a removable device with a malformed disk label is
- DSA-4115 quagga - security update
Several vulnerabilities have been discovered in Quagga, a routing
daemon. The Common Vulnerabilities and Exposures project identifies the
- DSA-4114 jackson-databind - security update
It was discovered that jackson-databind, a Java library used to parse
JSON and other data formats, did not properly validate user input
before attempting deserialization. This allowed an attacker to perform
code execution by providing maliciously crafted input.
- DSA-4113 libvorbis - security update
Two vulnerabilities were discovered in the libraries of the Vorbis audio
compression codec, which could result in denial of service or the
execution of arbitrary code if a malformed media file is processed.
- DSA-4112 xen - security update
Multiple vulnerabilities have been discovered in the Xen hypervisor:
- DSA-4111 libreoffice - security update
Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that
missing restrictions in the implementation of the WEBSERVICE function
in LibreOffice could result in the disclosure of arbitrary files
readable by the user who opens a malformed document.
- DSA-4110 exim4 - security update
Meh Chang discovered a buffer overflow flaw in a utility function used
in the SMTP listener of Exim, a mail transport agent. A remote attacker
can take advantage of this flaw to cause a denial of service, or
potentially the execution of arbitrary code via a specially crafted
- DSA-4109 ruby-omniauth - security update
Lalith Rallabhandi discovered that OmniAuth, a Ruby library for
implementing multi-provider authentication in web applications,
mishandled and leaked sensitive information. An attacker with access to
the callback environment, such as in the case of a crafted web
application, can request authentication services from this module and
gain access to the CSRF token.
- DSA-4108 mailman - security update
Calum Hutton and the Mailman team discovered a cross-site scripting and
information leak vulnerability in the user options page. A remote
attacker could use a crafted URL to steal cookie information or to
fish for whether a user is subscribed to a list with a private roster.
- DSA-4107 django-anymail - security update
It was discovered that the webhook validation of Anymail, a set of Django
email backends for multiple ESPs, is prone to a timing attack. A remote
attacker can take advantage of this flaw to obtain a
WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.
- DSA-4106 libtasn1-6 - security update
Two vulnerabilities were discovered in Libtasn1, a library to manage
ASN.1 structures, allowing a remote attacker to cause a denial of
service against an application using the Libtasn1 library.
- DSA-4105 mpv - security update
It was discovered that mpv, a media player, was vulnerable to remote code
execution attacks. An attacker could craft a malicious web page that,
when used as an argument to mpv, could execute arbitrary code on the host
of the mpv user.
- DSA-4104 p7zip - security update
'landave' discovered a heap-based buffer overflow vulnerability in the
NCompress::NShrink::CDecoder::CodeReal method in p7zip, a 7zr file
archiver with high compression ratio. A remote attacker can take
advantage of this flaw to cause a denial of service or, potentially, the
execution of arbitrary code with the privileges of the user running
p7zip, if a specially crafted Shrink-compressed ZIP archive is processed.
- DSA-4103 chromium-browser - security update
Several vulnerabilities have been discovered in the chromium web browser.
- DSA-4102 thunderbird - security update
Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or URL spoofing.
- DSA-4101 wireshark - security update
It was discovered that wireshark, a network protocol analyzer, contained
several vulnerabilities in the dissectors/file parsers for IxVeriWave,
WCP, JSON, XML, NTP, XMPP and GDB, which could result in denial of
service or the execution of arbitrary code.
- DSA-4100 tiff - security update
Multiple vulnerabilities have been discovered in the libtiff library and
the included tools, which may result in denial of service or the
execution of arbitrary code.
- DSA-4099 ffmpeg - security update
Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.