153 matches found

EUVD
added 2025/10/07 12:30 a.m., 6 views

EUVD-2016-2351

Malware in sbrugna...

CVSS 5.9, AI score 5, EPSS 0.05955, Exploits 2, References 9

Tenable Nessus
added 2020/07/02 12:0 a.m., 52 views

Debian DLA-2270-1 : jackson-databind security update

There were several CVEs reported against src:jackson-databind, which are as follows : CVE-2020-14060 FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool aka apache/drill...

CVSS 8.1, AI score 7.2, EPSS 0.09636, Exploits 0, References 6

Debian
added 2020/07/01 12:23 p.m., 34 views

[SECURITY] [DLA 2269-1] wordpress security update

Package : wordpress Version : 4.1.31+dfsg-0+deb8u1 CVE ID : CVE-2020-4046 CVE-2020-4047 CVE-2020-4048 CVE-2020-4049 CVE-2020-4050 Debian Bug : 962685 Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Site Scripting XS...

CVSS 6.8, AI score 6.7, EPSS 0.06854, Exploits 0

Debian
added 2020/06/19 5:14 p.m., 48 views

[SECURITY] [DLA 2251-1] rails security update

Package : rails Version : 2:4.1.8-1+deb8u7 CVE ID : CVE-2020-8164 CVE-2020-8165 Two vulnerabilities were found in Ruby on Rails, a MVC ruby-based framework geared for web application development, which could lead to remote code execution and untrusted user input usage, depending on the applicatio...

CVSS 9.8, AI score 9.8, EPSS 0.90128, Exploits 6

Debian
added 2020/06/13 4:11 p.m., 38 views

[SECURITY] [DLA 2249-1] libexif security update

Package : libexif Version : 0.6.21-2+deb8u4 CVE ID : CVE-2020-0182 CVE-2020-0198 Debian Bug : 962345 The following CVEs were reported against src:libexif. CVE-2020-0182 In exif_entry_get_value of exif-entry.c, there is a possible out of bounds read due to a missing bounds check. This could lead to...

CVSS 7.5, AI score 8.1, EPSS 0.12017, Exploits 0

Tenable Nessus
added 2020/06/01 12:0 a.m., 37 views

Debian DLA-2226-1 : gst-plugins-ugly0.10 security update

Two memory management issues were found in the asfdemux element of the GStreamer 'ugly' plugin collection, which can be triggered via a maliciously crafted file. For Debian 8 'Jessie', these problems have been fixed in version 0.10.19-2.1+deb8u1. We recommend that you upgrade your...

CVSS 7.5, AI score 6.2, EPSS 0.03677, Exploits 0, References 4

Debian
added 2020/05/30 3:54 p.m., 89 views

[SECURITY] [DLA 2226-1] gst-plugins-ugly0.10 security update

Package : gst-plugins-ugly0.10 Version : 0.10.19-2.1+deb8u1 CVE ID : CVE-2017-5846 CVE-2017-5847 Two memory management issues were found in the asfdemux element of the GStreamer "ugly" plugin collection, which can be triggered via a maliciously crafted file. For Debian 8 "Jessie", these problems...

CVSS 7.5, AI score 6.9, EPSS 0.03677, Exploits 0

Debian
added 2020/05/28 2:29 p.m., 81 views

[SECURITY] [DLA 2222-1] libexif security update

Package : libexif Version : 0.6.21-2+deb8u3 CVE ID : CVE-2018-20030 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114 Debian Bug : 918730 961407 961409 961410 Various minor vulnerabilities have been addressed in libexif, a library to parse EXIF metadata files. CVE-2018-20030 This issue had already been...

CVSS 9.1, AI score 6.8, EPSS 0.01066, Exploits 0

Debian
added 2020/05/19 11:28 p.m., 68 views

[SECURITY] [DLA 2215-1] clamav security update

Package : clamav Version : 0.101.5+dfsg-0+deb8u2 CVE ID : CVE-2020-3327 CVE-2020-3341 The following CVEs were found in src:clamav package. CVE-2020-3327 A vulnerability in the ARJ archive parsing module in Clam AntiVirus ClamAV could allow an unauthenticated, remote attacker to cause a denial of...

CVSS 7.5, AI score 8.4, EPSS 0.14176, Exploits 0

Tenable Nessus
added 2020/05/07 12:0 a.m., 32 views

Debian DLA-2203-1 : sqlite3 security update

It was discovered that there was a denial of service attack in the SQLite database, often embedded into other programs and servers. In the event of a semantic error in an aggregate query, SQLite did not return early from the 'resetAccumulator' function which would lead to a crash via a segmentati...

CVSS 7.5, AI score 7.2, EPSS 0.05017, Exploits 1, References 3

Tenable Nessus
added 2020/05/01 12:0 a.m., 66 views

Debian DLA-2192-1 : ruby2.1 security update

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.1 has an unsafe object creation vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object...

CVSS 7.5, AI score 7, EPSS 0.05892, Exploits 0, References 3

Tenable Nessus
added 2020/05/01 12:0 a.m., 36 views

Debian DLA-2191-1 : dom4j security update

A flaw was found in dom4j library. By using the default SaxReader provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE. For Debian 8 'Jessie', this problem has been fixed in version 1.6.1+dfsg.3-2+deb8u2. We recommend that you upgrade your dom4j packages...

CVSS 9.8, AI score 6.5, EPSS 0.0696, Exploits 0, References 3

Tenable Nessus
added 2020/04/29 12:0 a.m., 39 views

Debian DLA-2190-1 : ruby-json security update

In ruby-json before 2.3.0, there is an unsafe object creation vulnerability. When parsing certain JSON documents, the json gem including the one bundled with Ruby can be coerced into creating arbitrary objects in the target system. For Debian 8 'Jessie', this problem has been fixed in version...

CVSS 7.5, AI score 7, EPSS 0.05892, Exploits 0, References 3

Tenable Nessus
added 2020/04/15 12:0 a.m., 39 views

Debian DLA-2174-1 : php-horde-data security update

A remote code execution vulnerability was discovered in the Horde Application Framework. An authenticated remote attacker could use this flaw to cause execution of uploaded CSV data. For Debian 8 'Jessie', this problem has been fixed in version 2.1.0-5+deb8u1. We recommend that you upgrade your...

CVSS 9.8, AI score 8.8, EPSS 0.84857, Exploits 5, References 3

Debian
added 2020/04/02 8:2 a.m., 80 views

[SECURITY] [DLA 2168-1] libplist security update

Package : libplist Version : 1.11-3+deb8u1 CVE ID : CVE-2017-5209 CVE-2017-5545 CVE-2017-5834 CVE-2017-5835 CVE-2017-6435 CVE-2017-6436 CVE-2017-6439 CVE-2017-7982 Debian Bug : 851196 852385 854000 860945 libplist is a library for reading and writing the Apple binary and XML property lists format...

CVSS 9.1, AI score 7.6, EPSS 0.0063, Exploits 3

Debian
added 2020/03/04 6:14 p.m., 92 views

[SECURITY] [DLA 2133-1] tomcat7 security update

Package : tomcat7 Version : 7.0.56-3+really7.0.100-1 CVE ID : CVE-2019-17569 CVE-2020-1935 CVE-2020-1938 Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2019-17569 The refactoring in 7.0.98 introduced a regression. The result of the regression was...

CVSS 9.8, AI score 9.2, EPSS 0.94469, Exploits 44

Debian
added 2020/03/02 6:58 p.m., 95 views

[SECURITY] [DLA 2131-2] rrdtool regression update

Package : rrdtool Version : 1.4.8-1.2+deb8u2 CVE ID : CVE-2014-6262 Debian Bug : 952958 It was discovered that there was a regression in a previous fix, which resulted in the following error: ERROR: cannot compile regular expression: Error while compiling regular expression ^?:^%+|%%%+-...

CVSS 7.5, AI score 7.4, EPSS 0.19687, Exploits 0

Debian
added 2020/02/09 6:15 p.m., 91 views

[SECURITY] [DLA 2097-1] ppp security update

Package : ppp Version : 2.4.6-3.1+deb8u1 CVE ID : CVE-2020-8597 Debian Bug : 950618 Ilja Van Sprundel discovered a buffer overflow vulnerability in ppp, the Point-to-Point Protocol daemon. When receiving an EAP Request message in client mode, an attacker was able to overflow the rhostname array b...

CVSS 9.8, AI score 8.5, EPSS 0.63116, Exploits 3

Tenable Nessus
added 2020/01/15 12:0 a.m., 47 views

Debian DLA-2067-1 : wordpress security update

An input sanitization bypass was discovered in Wordpress, a popular content management framework. An attacker can use this flaw to send malicious scripts to an unsuspecting user. For Debian 8 'Jessie', this problem has been fixed in version 4.1.29+dfsg-0+deb8u1. We recommend that you upgrade your...

CVSS 9.8, AI score 7.7, EPSS 0.01366, Exploits 1, References 3

Tenable Nessus
added 2020/01/10 12:0 a.m., 82 views

Debian DLA-2061-1 : firefox-esr security update

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, data exfiltration or cross-site scripting. For Debian 8 'Jessie', these problems have been fixed in version 68.4.0esr-1deb8u1. We recommend that you...

CVSS 8.8, AI score 8, EPSS 0.56192, Exploits 8, References 7