6009 matches found
Updated libpng package fixes security vulnerability
The pngpushreadchunk function in pngpread.c in the progressive decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause a denial of service infinite loop and CPU consumption via an IDAT chunk with a length of zero CVE-2014-0333...
Updated freetype2 packages fix security vulnerabilities
It was reported that Freetype before 2.5.3 suffers from an out-of-bounds stack-based read/write flaw in cf2hintmapbuild in the CFF rasterizing code, which could lead to a buffer overflow CVE-2014-2240. It was also reported that Freetype before 2.5.3 has a denial-of-service vulnerability in the CF...
Updated udisks and udisks2 packages fixes security vulnerability
A flaw was found in the way udisks and udisks2 handled long path names. A malicious, local user could use this flaw to create a specially-crafted directory structure that could lead to arbitrary code execution with the privileges of the udisks daemon root CVE-2014-0004...
Updated flash-player-plugin packages fix security vulnerabilities
Adobe Flash Player 11.2.202.346 contains fixes to important vulnerabilities found in earlier versions that could allow a remote attacker to bypass security restrictions or to access sensitive information. This update resolves a vulnerability that could be used to bypass the same origin policy...
Updated imapsync packages fix an information disclosure
Updated imapsync package fixes security vulnerability: Imapsync, by default, runs a "release check" when executed, which causes imapsync to connect to http://imapsync.lamiral.info and send information about the version of imapsync, the operating system and perl CVE-2013-4279. The imapsync package...
Updated wireshark packages fix multiple vulnerabilies
The NFS dissector could crash CVE-2014-2281. The M3UA dissector could crash CVE-2014-2282. The RLC dissector could crash CVE-2014-2283. The MPEG file parser could overflow a buffer CVE-2014-2299...
Updated wireshark packages fix multiple vulnerabilies
Updated wireshark packages fix security vulnerabilities: The NFS dissector could crash CVE-2014-2281. The RLC dissector could crash CVE-2014-2283. The MPEG file parser could overflow a buffer CVE-2014-2299...
Updated mediawiki packages fix multiple vulnerabilities
Updated mediawiki packages fix security vulnerabilities: MediaWiki before 1.22.3 does not block unsafe namespaces, such as a W3C XHTML namespace, in uploaded SVG files. Some client software may use these namespaces in a way that results in XSS. This was fixed by disallowing uploading SVG files...
Updated file packages fix CVE-2014-2270
Updated file packages fix security vulnerability: A flaw was found in the way the file utility determined the type of Portable Executable PE format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code...
Updated net-snmp packages fix two vulnerabilities
Updated net-snmp packages fix security vulnerabilities: Remotely exploitable denial of service vulnerability in Net-SNMP, in the Linux implementation of the ICMP-MIB, making the SNMP agent vulnerable if it is making use of the ICMP-MIB table objects CVE-2014-2284. Remotely exploitable denial of...
Updated chromium-browser-stable package fixes security vulnerabilities
Use-after-free in svg images CVE-2013-6663. Use-after-free in speech recognition CVE-2013-6664. Heap buffer overflow in software rendering CVE-2013-6665. Chrome allows requests in flash header request CVE-2013-6666. Various fixes from internal audits, fuzzing and other initiatives CVE-2013-6667...
Updated owncloud packages fix security vulnerabilities and bugs
Updated owncloud packages fix security vulnerabilities: Owncloud versions 5.0.15 and 6.0.2 fix several unspecified security vulnerabilities, as well as many other bugs. See the upstream Changelog for more information...
Updated libssh package fixes security vulnerability
When using libssh before 0.6.3, a libssh-based server, when accepting a new connection, forks and the child process handles the request. The RANDbytes function of openssl doesn't reset its state after the fork, but simply adds the current process id getpid to the PRNG state, which is not guarante...
Updated python-logilab-common packages fix security vulnerabilities
Updated python-logilab-common packages fix security vulnerabilities about temporary file handling CVE-2014-1838 and CVE-2014-1839...
Updated gnutls packages fix security vulnerability
It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by...
Updated egroupware package fixes security vulnerability
eGroupware prior to 1.8.006.20140217 is vulnerable to remote file deletion and possible remote code execution due to user input being passed to PHP's unserialize method CVE-2014-2027...
Updated qt5 packages fix security vulnerability.
It was discovered that QXmlSimpleReader in Qt incorrectly handled XML entity expansion. An attacker could use this flaw to cause Qt applications to consume large amounts of resources, resulting in a denial of service CVE-2013-4549...
Updated otrs package fixes security vulnerability
An attacker could send a specially prepared HTML email to OTRS. If he can then trick an agent into following a special link to display this email, JavaScript code would be executed CVE-2014-1695...
Updated mediawiki packages fix security vulnerabilities
MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed insertion of escaped CSS values which could pass the CSS validation checks, resulting in XSS CVE-2013-6451. Chris from RationalWiki reported that SVG files could be uploaded that include external stylesheets, which could lea...
Updated zarafa packages fix security vulnerabilities
Robert Scheck discovered multiple vulnerabilities in Zarafa that could allow a remote unauthenticated attacker to crash the zarafa-server daemon, preventing access to any other legitimate Zarafa users CVE-2014-0037, CVE-2014-0079...
Updated x2goserver package fixes security vulnerability
A vulnerability in x2goserver before 4.0.0.2 in the setgid wrapper x2gosqlitewrapper.c, which does not hardcode an internal path to x2gosqlitewrapper.pl, allowing a remote attacker to change that path. A remote attacker may be able to execute arbitrary code with the privileges of the user running...
Updated tomcat packages fix CVE-2014-0050
Updated tomcat packages fix security vulnerability: It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition CVE-2014-0050. Tomcat 7 includes an...
Updated apache-commons-fileupload package fixes CVE-2014-0050
Updated apache-commons-fileupload packages fix security vulnerability: It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition CVE-2014-0050...
Updated mariadb packages provide the latest release in the 5.5 series
Updated mariadb packages fix security vulnerabilities: MariaDB has been updated to the latest release in the 5.5 series, 5.5.36, which fixes several security vulnerabilities and other bugs. See the Release Notes for more details. Note: if upgrading the main mariadb package, you should run the...
Updated chromium-browser-stable packages address multiple vulnerabilities
Use-after-free related to web contents CVE-2013-6653. Bad cast in SVG CVE-2013-6654. Use-after-free in layout CVE-2013-6655. Information leaks in XSS auditor CVE-2013-6656, CVE-2013-6657. Use-after-free in layout CVE-2013-6658. Issue with certificates validation in TLS handshake CVE-2013-6659...
Updated imapsync package fixes CVE-2014-2014
Updated imapsync package fixes security vulnerability: In imapsync before 1.584, a certificate verification failure when using the --tls option results in imapsync attempting a cleartext login CVE-2014-2014...
Updated subversion packages fix CVE-2014-0032
Updated subversion packages fix security vulnerability: The moddavsvn module in Apache Subversion before 1.8.8, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service crash via an OPTIONS request CVE-2014-0032. The package has been updated to version 1.8.8, which...
Updated subversion packages fix CVE-2014-0032
Updated subversion packages fix security vulnerability: The moddavsvn module in Apache Subversion before 1.8.8, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service crash via an OPTIONS request CVE-2014-0032. The package has been patched to correct this issue...
Updated kernel fixes security vulnerabilities
This kernel update provides an update to the upstream stable 3.12.13 maintenance release and fixes the following security issues: A flaw was found in the way cifs handled iovecs with bogus pointers userland passed down via writev during uncached writes. An unprivileged local user with access to...
Updated lxc packages fix security vulnerability
Florian Sagar discovered that the LXC sshd template set incorrect mount permissions. An attacker could possibly use this flaw to cause privilege escalation on the host CVE-2013-6441...
Updated oath-toolkit packages fix security vulnerability
It was found that comments lines starting with a hash in /etc/users.oath could prevent one-time-passwords OTP from being invalidated, leaving the OTP vulnerable to replay attacks CVE-2013-7322...
Updated xstream packages fix CVE-2013-7285
Updated xstream packages fix security vulnerability: It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code executio...
Updated phpseclib and phpmyadmin packages fix security vulnerability
Cross-site scripting XSS vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action CVE-2014-1879. This upgrade provides the latest phpmyadmin version 4.1.8 to address this vulnerabilit...
Updated perl-CGI-Application packages fix CVE-2013-7329
Updated perl-CGI-Application package fixes security vulnerability: When applications using CGI::Application overload setup, which is normally the case, CGI::Application since version 4.19 has dumphtml as a default run-mode unless the application explicitly redefines it. This unexpectedly dumps a...
Updated openswan packages fix CVE-2013-6466
Updated openswan packages fix security vulnerability: A NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service daemon crash,...
Updated springframework package fixes security vulnerabilities
It was discovered by the Spring development team that the fix for the XML External Entity XXE Injection CVE-2013-4152 in the Spring Framework was incomplete. Spring MVC's SourceHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option ...
Updated zabbix packages fix multiple vulnerabilities
Updated zabbix packages fix security vulnerabilities: Zabbix before 2.0.11 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldapbindpassword value in the HTML source code CVE-2013-5572. Zabbix before 2.0.11 allows switchi...
Updated otrs packages fix security vulnerabilities and a missing dependency
Updated otrs package fixes security vulnerabilities: In OTRS before 3.2.14, an attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks CVE-2014-1694. In OTRS before 3.2.14, an...
Updated perl-Module-Metadata package clarifies the man page
This update clarifies the module's documentation about the code it executes i.e. it does "eval" a module to determine its version number. Previously it said that it did not execute unsafe code CVE-2013-1437...
Updated file package fixes security vulnerability
It was discovered that file before 5.17 contains a flaw in the handling of "indirect" magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files CVE-2014-1943. Additionally, other well-crafted files might result in long...
Updated flash-player-plugin package fixes security vulnerabilities
Adobe Flash Player 11.2.202.341 contains fixes to critical security vulnerabilities found in earlier versions that could cause a crash and potentially allow an attacker to remotely take control of the affected system. This update resolves a stack overflow vulnerability that could result in...
Updated libtar package fixes security vulnerability
A directory traversal attack was reported against libtar, a C library for manipulating tar archives. The application does not validate the filenames inside the tar archive, allowing to extract files in arbitrary path. An attacker can craft a tar file to override files beyond the tarextractglob an...
Updated python-numpy packages fix security vulnerabilities
f2py insecurely used a temporary file. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py CVE-2014-1858, CVE-2014-1859...
Updated freeradius package fixes security vulnerability
SSHA processing in freeradius before 2.2.3 runs into a stack-based buffer overflow in the freeradius rlmpap module if the password source uses an unusually long hashed password CVE-2014-2015...
Updated imagemagick package fixes security vulnerabilities
A buffer overflow flaw was found in the way ImageMagick handled PSD images that use RLE encoding. An attacker could create a malicious PSD image file that, when opened in ImageMagick, would cause ImageMagick to crash or, potentially, execute arbitrary code with the privileges of the user running...
Updated gnome-chemistry-utils, gnumeric and goffice packages fix security vulnerability
Heap-based buffer overflow in the mseschergetdata function in plugins/excel/ms-escher.c in GNOME Office Gnumeric before 1.12.9 allows remote attackers to cause a denial of service crash via a crafted xls file with a crafted length value. CVE-2013-6836...
Updated python & python3 packages fix multiple vulnerabilities
Updated python and python3 packages fix security vulnerabilities: A vulnerability was reported in Python's socket module, due to a boundary error within the sockrecvfrominto function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses t...
Updated puppet & puppet3 packages fix CVE-2013-4969 and a regression
Updated puppet and puppet3 packages fix security vulnerability: An unsafe use of temporary files was discovered in Puppet, a tool for centralized configuration management. An attacker can exploit this vulnerability and overwrite an arbitrary file in the system CVE-2013-4969. This update also...
Updated mongodb package fixes security vulnerability
A possible DoS issue was discovered in MongoDB CVE-2012-6619. The --objcheck command line switch has now been enabled by default in the mongod service as a protective measure...
Updated tomcat6 packages fix multiple vulnerabilities and logging
Updated tomcat6 packages fix security vulnerabilities: It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service CVE-2012-3544....