Debian Security Advisory DSA 2915-1 (dpkg - security update)
Jakub Wilk discovered that dpkg did not correctly parse C-style filename quoting, allowing for paths to be traversed when unpacking a source package - leading to the creation of files outside the directory of the source being unpacked. The update to the stable distribution wheezy incorporates...
Debian DSA-2913-1 : drupal7 - security update
An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to othe...
Debian Security Advisory DSA 2913-1 (drupal7 - security update)
An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to othe...
Debian Security Advisory DSA 2914-1 (drupal6 - security update)
An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to othe...
Debian Security Advisory DSA 2912-1 (openjdk-6 - security update)
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service. OpenVAS Vulnerability Test $Id: deb2912.nasl 6724 2017-07-14 09:57:17Z...
Debian Security Advisory DSA 2911-1 (icedove - security update)
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. Multiple memory safety errors, out of bound reads, use-after-frees and other implementation errors may lead to the execution of arbitrary code, information disclosure or denial o...
Debian DSA-2910-1 : qemu-kvm - security update
Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest. A privileged guest user could use this flaw to corrupt qemu process memory on the host, which could potentially result in arbitrary code execution on the...
Debian Security Advisory DSA 2910-1 (qemu-kvm - security update)
Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest. A privileged guest user could use this flaw to corrupt qemu process memory on the host, which could potentially result in arbitrary code execution on the...
Debian Security Advisory DSA 2897-1 (tomcat7 - security update)
Multiple security issues were found in the Tomcat servlet and JSP engine: CVE-2013-2067 FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login...
Debian Security Advisory DSA 2890-1 (libspring-java - security update)
Two vulnerabilities were discovered in libspring-java, the Debian package for the Java Spring framework. CVE-2014-0054 Jaxb2RootElementHttpMessageConverter in Spring MVC processes external XML entities. CVE-2014-1904 Spring MVC introduces a cross-site scripting vulnerability if the action on a...
Debian DSA-2887-1 : ruby-actionmailer-3.2 - security update
Aaron Neyer discovered that missing input sanitising in the logging component of Ruby Actionmailer could result in denial of service through a malformed e-mail message. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from...
Debian Security Advisory DSA 2889-1 (postfixadmin - security update)
An SQL injection vulnerability was discovered in postfixadmin, a web administration interface for the Postfix Mail Transport Agent, which allowed authenticated users to make arbitrary manipulations to the database. The oldstable distribution squeeze does not contain postfixadmin. OpenVAS...
Debian Security Advisory DSA 2888-1 (ruby-actionpack-3.2 - security update)
Toby Hsieh, Peter McLarnan, Ankit Gupta, Sudhir Rao and Kevin Reintjes discovered multiple cross-site scripting and denial of service vulnerabilities in Ruby Actionpack. OpenVAS Vulnerability Test $Id: deb2888.nasl 6750 2017-07-18 09:56:47Z teissa $ Auto-generated from advisory DSA 2888-1 using...
Debian Security Advisory DSA 2886-1 (libxalan2-java - security update)
Nicolas Gregoire discovered several vulnerabilities in libxalan2-java, a Java library for XSLT processing. Crafted XSLT programs could access system properties or load arbitrary classes, resulting in information disclosure and, potentially, arbitrary code execution. OpenVAS Vulnerability Test $Id...
Debian Security Advisory DSA 2885-1 (libyaml-libyaml-perl - security update)
Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application t...
Debian Security Advisory DSA 2882-1 (extplorer - security update)
Multiple cross-site scripting (XSS) vulnerabilities have been discovered in extplorer, a web file explorer and manager using Ext JS. A remote attacker can inject arbitrary web script or HTML code via a crafted string in the URL to application.js.php, admin.php, copymove.php, functions.php, header.p...
Debian Security Advisory DSA 2881-1 (iceweasel - security update)
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, out of bound reads, use-after-frees and other implementation errors may lead to the execution of arbitrary code, information disclosure, denial of service...
Debian Security Advisory DSA 2880-1 (python2.7 - security update)
Multiple security issues were discovered in Python: CVE-2013-4238 Ryan Sleevi discovered that NULL characters in the subject alternate names of SSL certificates were parsed incorrectly. CVE-2014-1912 Ryan Smith-Roberts discovered a buffer overflow in the socket.recvfrominto function. OpenVAS...
Debian DSA-2875-1 : cups-filters - security update
Florian Weimer of the Red Hat Product Security Team discovered multiple vulnerabilities in the pdftoopvp CUPS filter, which could result in the execution of arbitrary code if a malformed PDF file is processed. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package...
Debian Security Advisory DSA 2879-1 (libssh - security update)
It was discovered that libssh, a tiny C SSH library, did not reset the state of the PRNG after accepting a connection. A server mode application that forks itself to handle incoming connections could see its children sharing the same PRNG state, resulting in a cryptographic weakness and possibly...