6009 matches found
Updated pixman package fixes security vulnerability
Bryan Quigley discovered an integer underflow in pixman. If a user were tricked into opening a specially crafted file, an attacker could cause a denial of service via application crash CVE-2013-6425...
Updated gimp package fixes security vulnerabilities
An integer overflow flaw and a heap-based buffer overflow were found in the way GIMP loaded certain X Window System XWD image dump files. A remote attacker could provide a specially crafted XWD image file that, when processed, would cause the XWD plug-in to crash or, potentially, execute arbitrar...
Updated links package fixes security vulnerability
Mikulas Patocka discovered an integer overflow in the parsing of HTML tables in the Links web browser. This can only be exploited when running Links in graphical mode CVE-2013-6050...
Updated openttd package fixes security vulnerability
A missing validation in OpenTTD before 1.3.3 allows remote attackers to cause a denial of service crash by forcefully crashing aircraft near the corner of the map. This triggers a corner case where data outside of the allocated map array is accessed CVE-2013-6411...
Updated quassel package fixes security vulnerability
Security vulnerability in Quassel before 0.9.2 through which a manipulated, but properly authenticated client was able to retrieve the backlog of other users on the same core in some cases CVE-2013-6404...
Updated ganglia-web package fixes security vulnerability
XSS issue in ganglia-web makes it possible to execute JavaScript in victims' browser after tricking the victim into opening a specially crafted URL CVE-2013-6395...
Updated subversion package fixes security vulnerabilities
moddontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured b...
Updated drupal package fixes security vulnerabilities
Drupal's form API has built-in cross-site request forgery CSRF validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations CVE-2013-6385. Drupal core directly used the mtrand pseudorandom number...
Updated busybox package fixes security vulnerability
It was found that the mdev BusyBox utility could create certain directories within /dev with world-writable permissions. A local unprivileged user could use this flaw to manipulate portions of the /dev directory tree CVE-2013-1813...
Updated 389-ds-base package fixes CVE-2013-4485
Updated 389-ds-base packages fix security vulnerability: It was discovered that the 389 Directory Server did not properly handle certain Get Effective Rights GER search queries when the attribute list, which is a part of the query, included several names using the '@' character. An attacker able ...
Updated moodle package fixes security vulnerabilities
Some files were being delivered with incorrect headers in Moodle before 2.4.7, meaning they could be cached downstream CVE-2013-4522. Cross-site scripting in Moodle before 2.4.7 due to JavaScript in messages being executed on some pages CVE-2013-4523. The file system repository in Moodle before...
Updated graphicsmagick packages fix CVE-2013-4589
Updated graphicsmagick packages fix security vulnerability: GraphicsMagick before 1.3.18 is found to have a vulnerability which can be exploited by malicious people to cause a Denial of Service DoS. The vulnerability is caused due to an error within the "ExportAlphaQuantumType" function found in...
Updated gnutls package fixes security vulnerability
A DNS server that returns more 4 DANE entries could corrupt the memory of a requesting client using the DANE library from GnuTLS before 3.1.15 and 3.2.5 CVE-2013-4466. This updates GnuTLS to version 3.1.16, fixing this issue and several other bugs...
Updated polarssl, pdns & ragel packages fix CVE-2013-5915
Updated polarssl packages fix security vulnerability: The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL RSA implementation and discovered a bias in the implementation of the Montgomery multiplication that we used. For which they then show that it can be used to mount ...
Updated perl-HTTP-Body packages fix CVE-2013-4407
Updated perl-HTTP-Body package fixes security vulnerability: Jonathan Dolle reported a design error in HTTP::Body, a Perl module for processing data from HTTP POST requests. The HTTP body multipart parser creates temporary files which preserve the suffix of the uploaded file. An attacker able to...
Updated bip packages fix CVE-2013-4550
Updated bip package fixes security vulnerability: bip 0.8.8 and earlier contains an issue where failed SSL handshakes result in a resource leak. A remote attacker can use this flaw to cause bip to run out of resources, resulting in a denial of service CVE-2013-4550...
Updated graphicsmagick packages fix CVE-2013-4589
Updated graphicsmagick packages fix security vulnerability: GraphicsMagick before 1.3.18 is found to have a vulnerability which can be exploited by malicious people to cause a Denial of Service DoS. The vulnerability is caused due to an error within the "ExportAlphaQuantumType" function found in...
Updated nginx packages fix CVE-2013-4547
Updated nginx package fixes security vulnerability: Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact CVE-2013-4547...
Updated samba packages fix CVE-2013-4475
Updated samba packages fix security vulnerabilities: Samba versions before 3.6.20 do not check the underlying file or directory ACL when opening an alternate data stream CVE-2013-4475. Samba is not configured by default to support alternate data streams, so only servers that have enabled the...
Updated wireshark packages fix multiple vulnerabilities
Updated wireshark packages fix security vulnerabilities: The IEEE 802.15.4 dissector could crash CVE-2013-6336. The NBAP dissector could crash CVE-2013-6337. The SIP dissector could crash CVE-2013-6338. The OpenWire dissector could go into a large loop CVE-2013-6339. The TCP dissector could crash...
Updated kernel-vserver package fixes security vulnerabilites.
This kernel-vserver update provides the upstream 3.4.69 kernel and fixes the following security issues: The ext4orphandel function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate...
Updated kernel-rt package fixes security vulnerabilites.
This kernel-rt update provides the upstream 3.4.69 kernel and fixes the following security issues: The ext4orphandel function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers t...
Updated kernel-tmb package fixes security vulnerabilites.
This kernel-tmb update provides the upstream 3.4.69 kernel and fixes the following security issues: The ext4orphandel function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers ...
Updated kernel-linus package fixes security vulnerabilites.
This kernel-linus update provides the upstream 3.4.69 kernel and fixes the following security issues: The ext4orphandel function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attacker...
Updated kernel package fixes security vulnerabilites.
This kernel update provides the upstream 3.4.69 kernel and fixes the following security issues: The ext4orphandel function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to...
Updated qemu package fixes security vulnerability
A buffer overflow flaw was found in the way QEMU processed the SCSI "REPORT LUNS" command when more than 256 LUNs were specified for a single SCSI target. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code...
Updated glibc package fixes security vulnerabilities
Updated glibc packages fixes the following security issues: Integer overflow in string/strcolll.c in the GNU C Library aka glibc or libc6 2.17 and earlier allows context-dependent attackers to cause a denial of service crash or possibly execute arbitrary code via a long string, which triggers a...
Updated memcached packages fix CVE-2011-4971
Updated memcached packages fix security vulnerability: Memcached is vulnerable to a denial of service as it can be made to crash when it receives a specially crafted packet over the network CVE-2011-4971. The updated packages have been upgraded to the 1.4.15 version and patched to resolve this fl...
Updated curl packages fix CVE-2013-4545
Updated curl packages fix security vulnerability: Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPTSSLVERIFYHOST check when the CURLOPTSSLVERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled...
Updated firefox, rootcerts, nspr & nss packages fix security vulnerabilities
Updated nspr and nss packages fix security vulnerabilities: Potentially exploitable buffer overflow in NSS before 3.15.3 that allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets CVE-2013-5605. The CERTVerifyCert function in...
Updated krb5 package fixes security vulnerabilities
An authenticated remote client can cause a KDC to crash by making a valid TGS-REQ to a KDC serving a realm with a single-component name. The processtgsreq function dereferences a null pointer because an unusual failure condition causes a helper function to return success CVE-2013-1417. If a KDC...
Updated krb5 package fixes security vulnerabily
If a KDC serves multiple realms, certain requests can cause setupserverrealm to dereference a null pointer, crashing the KDC. This can be triggered by an unauthenticated user CVE-2013-1418...
Updated lighttpd packages fix multiple security vulnerbilities
Updated lighttpd packages fix security vulnerabilities: lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the...
Updated libjpeg packages fix vulnerabilities in libjpeg-turbo
Updated libjpeg packages fix security vulnerabilities: libjpeg 6b and libjpeg-turbo will use uninitialized memory when decoding images with missing SOS data for the luminance component Y in presence of valid chroma data Cr, Cb CVE-2013-6629. libjpeg-turbo will use uninitialized memory when handli...
Updated poppler packages fix multiple vulnerabilities
Updated poppler packages fix security vulnerabilities: Poppler is found to be affected by a stack based buffer overflow vulnerability in the pdfseparate utility. Successfully exploiting this issue could allow remote attackers to execute arbitrary code in the context of the affected application...
Updated pmake packages fix CVE-2011-1920
Updated pmake package fixes security vulnerability: The make include files in NetBSD before 1.6.2, as used in pmake 1.111 and earlier, allow local users to overwrite arbitrary files via a symlink attack on a /tmp/depend temporary file, related to bsd.lib.mk and bsd.prog.mk CVE-2011-1920...
Updated python-scipy packages fix a security vulnerability and missing deps
Updated python-scipy package fixes security vulnerability: scipy.weave will use /tmp/username as persistent storage cache, but it does not check whether or not this directory already exists, does not check whether it is a directory or a symlink, and also does not verify permissions or ownership,...
Updated iceape packages fix many vulnerabilities
Updated iceape packages fix security issues: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allow remote attackers to cause a denial of service memory...
Updated flash-player-plugin packages fix multiple security vulnerabilities
Adobe Flash Player 11.2.202.327 contains fixes to critical security vulnerabilities found in earlier versions. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. This update resolves memory corruption vulnerabilities that could lead...
Updated torque packages fix CVE-2013-4495
Updated torque packages fix security vulnerability: A user could submit executable shell commands on the tail of what is passed with the -M switch for qsub. This was later passed to a pipe, making it possible for these commands to be executed as root on the pbsserver CVE-2013-4495...
Updated thunderbird package fixes security vulnerabilities
Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird CVE-2013-5590, CVE-2013-5597, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602...
Updated roundcubemail package fixes security vulnerability
It was discovered that roundcube does not properly sanitize the session parameter in steps/utils/savepref.inc during saving preferences. The vulnerability can be exploited to overwrite configuration settings and subsequently allowing random file access, manipulated SQL queries and even code...
Updated chromium-browser-stable packages fix multiple vulnerabilities
Updated chromium-browser-stable packages fix security vulnerabilities: Various fixes from internal audits, fuzzing and other initiatives CVE-2013-2931. Use after free related to speech input elements CVE-2013-6621. Use after free related to media elements CVE-2013-6622. Out of bounds read in SVG...
Updated java-1.6.0-openjdk package fixes multiple vulnerabilities
Updated java-1.6.0-openjdk packages fix security vulnerabilities: Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the...
Updated java-1.7.0-openjdk package fixes security vulnerabilities
Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine...
Updated chromium-browser-stable packages fix multiple vulnerabilities
Updated chromium-browser-stable packages fix security vulnerabilities: Atte Kettunen of OUSPG discover a use-after-free issue in Blink's XML HTTP request implementation CVE-2013-2925. cloudfuzzer discovered a use-after-free issue in the list indenting implementation CVE-2013-2926. cloudfuzzer...
Updated firefox & related packages fix multiple security vulnerabilities
Updated firefox packages fix security vulnerabilities: Mozilla Network Security Services NSS before 3.15.2 does not ensure that data structures are initialized before read operations, which allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors...
Updated python-pycrypto packages fix CVE-2013-1445
Updated python-pycrypto package fixes security vulnerability: In PyCrypto before v2.6.1, the Crypto.Random pseudo-random number generator PRNG exhibits a race condition that may cause it to generate the same 'random' output in multiple processes that are forked from each other. Depending on the...
Updated dropbear packages fix CVE-2013-4421
Updated dropbear package fixes security vulnerability: Possible memory exhaustion denial of service due to the size of decompressed payloads in dropbear before 2013.59 CVE-2013-4421. Inconsistent delays in authorization failures could be used to disclose the existence of valid user accounts in...
Updated x11-server packages fix CVE-2013-4396
Updated x11-server packages fix security vulnerability: Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated users to cause a denial of service daemon crash or possibly execute arbitrary code vi...