Debian Security

DSA-2415 libmodplug - several vulnerabilities

2012-02-21

Several vulnerabilities that can lead to the execution of arbitrary code have been discovered in libmodplug, a library for MOD music based on ModPlug. The Common Vulnerabilities and Exposures project identifies the following issues:

DSA-2414 fex - insufficient input sanitization

2012-02-21

Nicola Fioravanti discovered that F*X, a web service for transferring very large files, is not properly sanitizing input parameters of the fup script. An attacker can use this flaw to conduct reflected cross-site scripting attacks via various script parameters.

DSA-2413 libarchive - buffer overflows

2012-02-20

Two buffer overflows have been discovered in libarchive, a library providing a flexible interface for reading and writing archives in various formats. The possible buffer overflows while reading ISO 9660 or tar streams allow remote attackers to execute arbitrary code depending on the application that makes use of this functionality.

DSA-2412 libvorbis - buffer overflow

2012-02-19

It was discovered that a heap overflow in the Vorbis audio compression library could lead to the execution of arbitrary code if a malformed Ogg Vorbis file is processed.

DSA-2411 mumble - information disclosure

2012-02-19

It was discovered that Mumble, a VoIP client, does not properly manage permissions on its user-specific configuration files, allowing other local users on the system to access them.

DSA-2410 libpng - integer overflow

2012-02-15

Jueri Aedla discovered an integer overflow in the libpng PNG library, which could lead to the execution of arbitrary code if a malformed image is processed.

DSA-2409 devscripts - several vulnerabilities

2012-02-15

Several vulnerabilities have been discovered in debdiff, a script used to compare two Debian packages, which is part of the devscripts package. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them:

DSA-2408 php5 - several vulnerabilities

2012-02-13

Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues:

DSA-2407 cvs - heap overflow

2012-02-09

It was discovered that a malicious CVS server could cause a heap overflow in the CVS client, potentially allowing the server to execute arbitrary code on the client.

DSA-2406 icedove - several vulnerabilities

2012-02-09

Several vulnerabilities have been discovered in Icedove, Debian's variant of the Mozilla Thunderbird code base.

DSA-2405 apache2 - multiple issues

2012-02-06

Several vulnerabilities have been found in the Apache HTTPD Server:

DSA-2403 php5 - code injection

2012-02-06

Stefan Esser discovered that the implementation of the max_input_vars configuration variable in a recent PHP security update was flawed such that it allows remote attackers to crash PHP or potentially execute code.

DSA-2404 xen-qemu-dm-4.0 - buffer overflow

2012-02-05

Nicolae Mogoreanu discovered a heap overflow in the emulated e1000e network interface card of QEMU, which is used in the xen-qemu-dm-4.0 packages. This vulnerability might enable to malicious guest systems to crash the host system or escalate their privileges.

DSA-2384 cacti - several vulnerabilities

2012-02-04

Several vulnerabilities have been discovered in Cacti, a graphing tool for monitoring data. Multiple cross site scripting issues allow remote attackers to inject arbitrary web script or HTML. An SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands.

DSA-2402 iceape - several vulnerabilities

2012-02-02

Several vulnerabilities have been found in the Iceape internet suite, an unbranded version of Seamonkey:

DSA-2401 tomcat6 - several vulnerabilities

2012-02-02

Several vulnerabilities have been found in Tomcat, a servlet and JSP engine:

DSA-2400 iceweasel - several vulnerabilities

2012-02-02

Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian.

DSA-2399 php5 - several vulnerabilities

2012-01-31

Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues:

DSA-2398 curl - several vulnerabilities

2012-01-30

Several vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems:

DSA-2397 icu - buffer underflow

2012-01-29

It was discovered that a buffer overflow in the Unicode library ICU could lead to the execution of arbitrary code.

DSA-2396 qemu-kvm - buffer underflow

2012-01-27

Nicolae Mogoreanu discovered a heap overflow in the emulated e1000e network interface card of KVM, a solution for full virtualization on x86 hardware, which could result in denial of service or privilege escalation.

DSA-2395 wireshark - buffer underflow

2012-01-27

Laurent Butti discovered a buffer underflow in the LANalyzer dissector of the Wireshark network traffic analyzer, which could lead to the execution of arbitrary code (CVE-2012-0068).

DSA-2394 libxml2 - several vulnerabilities

2012-01-27

Many security problems have been fixed in libxml2, a popular library to handle XML data files.

DSA-2393 bip - buffer overflow

2012-01-25

Julien Tinnes reported a buffer overflow in the Bip multiuser IRC proxy which may allow arbitrary code execution by remote users.

DSA-2392 openssl - out-of-bounds read

2012-01-23

Antonio Martin discovered a denial-of-service vulnerability in OpenSSL, an implementation of TLS and related protocols. A malicious client can cause the DTLS server implementation to crash. Regular, TCP-based TLS is not affected by this issue.

DSA-2301 rails - several vulnerabilities

2012-01-23

Several vulnerabilities have been discovered in Rails, the Ruby web application framework. The Common Vulnerabilities and Exposures project identifies the following problems: