| Debian News |
| The following news items come directly from the distribution's web site and may be in different languages. |
| DSA-2106 xulrunner - several vulnerabilities |
Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems:
| DSA-2105 freetype - several vulnerabilities |
Several vulnerabilities have been discovered in the FreeType font library. The Common Vulnerabilities and Exposures project identifies the following problems:
| DSA-2104 quagga - several vulnerabilities |
Several remote vulnerabilities have been discovered in the BGP implementation of Quagga, a routing daemon.
| DSA-2103 smbind - sql injection |
It was discovered that smbind, a PHP-based tool for managing DNS zones for BIND, does not properly validate input. An unauthenticated remote attacker could execute arbitrary SQL commands or gain access to the admin account.
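The bug class behind this advisory, as an added example that is not smbind's code (smbind is PHP and none of it appears on this page): a login check that concatenates user input into the SQL text, beside the same check with bound parameters. The user table, the credentials and the payload are constructed for the demonstration; the payload shows how an attacker reaches the admin row without knowing its password.

```python
import sqlite3

# Constructed sample data: one administrative account and one ordinary user.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery', 1)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice-pw', 0)")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: a quote in the input ends the
    string literal and everything after it is parsed as SQL, not as data."""
    query = ("SELECT username, is_admin FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return {"user": row[0], "admin": bool(row[1])} if row else None

def login_safe(conn, username, password):
    """Binds the values as parameters: the SQL text is fixed at development time and
    the input can only ever be compared as a value."""
    row = conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return {"user": row[0], "admin": bool(row[1])} if row else None

# Constructed payload. In the concatenated query the WHERE clause becomes
#   username = 'admin' OR 'a'='a' AND password = 'wrong'
# and AND binds tighter than OR, so the admin row matches on its username alone.
INJECTED_USERNAME = "admin' OR 'a'='a"

def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, INJECTED_USERNAME, "wrong"),
        "safe": login_safe(conn, INJECTED_USERNAME, "wrong"),
        "legit": login_safe(conn, "alice", "alice-pw"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterized version returns no row for the injected username because the whole string, quote and all, is compared against the `username` column. Validation of the input (length, allowed characters) is still worth having, but it is the binding, not the validation, that removes the injection.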
| DSA-2102 barnowl - unchecked return value |
It has been discovered that in barnowl, a curses-based instant-messaging client, the return codes of calls to the ZPending and ZReceiveNotice functions in libzephyr were not checked, allowing attackers to cause a denial of service (crash of the application) and possibly execute arbitrary code.
| DSA-2101 wireshark - several vulnerabilities |
Several implementation errors in the dissector of the Wireshark network traffic analyzer for the ASN.1 BER protocol and in the SigComp Universal Decompressor Virtual Machine may lead to the execution of arbitrary code.
| DSA-2100 openssl - double free |
George Guninski discovered a double free in the ECDH code of the OpenSSL crypto library, which may lead to denial of service and potentially the execution of arbitrary code.
| DSA-2099 openoffice.org - buffer overflows |
Charlie Miller has discovered two vulnerabilities in OpenOffice.org Impress, which can be exploited by malicious people to compromise a user's system and execute arbitrary code.
| DSA-2098 typo3-src - several vulnerabilities |
Several remote vulnerabilities have been discovered in the TYPO3 web content management framework: cross-site scripting, open redirection, SQL injection, broken authentication and session management, insecure randomness, information disclosure and arbitrary code execution. More details can be found in the TYPO3 security advisory.
| DSA-2097 phpmyadmin - insufficient input sanitising |
Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:
| DSA-2096 zope-ldapuserfolder - missing input validation |
Jeremy James discovered that in zope-ldapuserfolder, a Zope extension used to authenticate against an LDAP server, the authentication code does not verify the password provided for the emergency user. Malicious users that manage to get the emergency user login can use this flaw to gain administrative access to the Zope instance by providing an arbitrary password.
| DSA-2095 lvm2 - insecure communication protocol |
Alasdair Kergon discovered that the cluster logical volume manager daemon (clvmd) in lvm2, the Linux Logical Volume Manager, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service.
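The missing check named in this advisory, as an added example that is not lvm2 or clvmd code: a daemon that accepts connections on a local socket asks the kernel who is on the other end before acting on the request. The example assumes a Unix-domain socket on Linux, where the SO_PEERCRED socket option returns the peer's pid, uid and gid (the kernel's struct ucred, three 32-bit integers); the allow list and the in-process socket pair used to exercise it are constructed for the demonstration.

```python
import os
import socket
import struct

# struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid; all 32-bit.
UCRED_FORMAT = "3i"

def peer_credentials(sock):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket,
    or None when the platform does not expose SO_PEERCRED."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FORMAT))
    return struct.unpack(UCRED_FORMAT, raw)

def authorize_client(sock, allowed_uids=(0,)):
    """Accept the connection only when the peer's uid is on the allow list.
    Fails closed: if the credentials cannot be determined, the client is refused
    rather than trusted, which is the opposite of the behaviour in the advisory."""
    creds = peer_credentials(sock)
    if creds is None:
        return False
    _pid, uid, _gid = creds
    return uid in allowed_uids

def demo():
    """Wire a client and a server end together in this process and run the
    server-side check; the peer is therefore this very process."""
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        creds = peer_credentials(server_end)
        supported = creds is not None
        return {
            "supported": supported,
            "uid_is_ours": supported and creds[1] == os.getuid(),
            "pid_is_ours": supported and creds[0] == os.getpid(),
            "accepted_for_our_uid": authorize_client(server_end, allowed_uids=(os.getuid(),)),
            "accepted_root_only": authorize_client(server_end),   # default allow list: uid 0
            "running_as_root": os.getuid() == 0,
        }
    finally:
        server_end.close()
        client_end.close()

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A real daemon would run `authorize_client` on each socket returned by `accept()` and close it immediately on refusal, before reading a single byte of the client's request; reading first is what lets an unprivileged local user drive the daemon into a crash or resource exhaustion.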
| DSA-2094 linux-2.6 - privilege escalation/denial of service/information leak |
Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:
| DSA-2093 ghostscript - several vulnerabilities |
Two security issues have been discovered in Ghostscript, the GPL PostScript/PDF interpreter. The Common Vulnerabilities and Exposures project identifies the following problems:
| DSA-2091 squirrelmail - No user-specific token implemented |
SquirrelMail, a webmail application, does not employ a user-specific token for webforms. This allows a remote attacker to perform a Cross Site Request Forgery (CSRF) attack. The attacker may hijack the authentication of unspecified victims and send messages or change user preferences, among other actions, by tricking the victim into following a link controlled by the offender.
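The user-specific token this advisory says is missing, as an added example that is not SquirrelMail's code: a form handler that authorizes a change on the session cookie alone, beside one that also requires a token derived from the session under a server-side key. The session store, the server key, the form fields and the two simulated sessions are constructed for the demonstration; the attacker's only options are to send no token or a token from a session they control, and the second case is what makes the token user-specific rather than merely present.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for a real deployment's secret and session store.
SERVER_KEY = secrets.token_bytes(32)   # never leaves the server
SESSIONS = {}                          # session id (held in the cookie) -> username

def login(username):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def csrf_token(sid):
    """Token bound to one session: HMAC of the session id under the server key.
    Without SERVER_KEY nobody can compute it, and a token for one session does
    not verify for another."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def render_form(sid):
    """The preferences form served to a logged-in user embeds that user's token."""
    return {"action": "/change_prefs",
            "fields": {"signature": "", "csrf_token": csrf_token(sid)}}

def handle_post_without_token(cookie_sid, form):
    """Vulnerable handler: any request carrying a valid cookie is acted on. A form
    on an attacker's page is submitted by the victim's browser with the victim's
    cookie attached, so it passes."""
    if cookie_sid not in SESSIONS:
        return 401
    return 200

def handle_post(cookie_sid, form):
    """Fixed handler: the cookie says who the user is; the token proves the request
    came from a form this server issued to that same user."""
    if cookie_sid not in SESSIONS:
        return 401
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(cookie_sid)):
        return 403
    return 200

def demo():
    victim = login("victim")
    attacker = login("attacker")
    forged = {"signature": "pwned"}                                  # attacker's page, no token
    forged_other = {"signature": "pwned", "csrf_token": csrf_token(attacker)}  # attacker's own token
    legit = render_form(victim)["fields"]                            # form the victim was served
    return {
        "vulnerable_forged": handle_post_without_token(victim, forged),
        "fixed_forged": handle_post(victim, forged),
        "fixed_forged_other_token": handle_post(victim, forged_other),
        "fixed_legit": handle_post(victim, legit),
        "fixed_no_session": handle_post("not-a-session", legit),
    }

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

`hmac.compare_digest` keeps the comparison constant-time so the token cannot be guessed byte by byte; the token must also be kept out of URLs and referers, since a leaked token for a live session defeats the check for exactly that session.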