Matthew Daley discovered that squid, a web proxy cache, does not
properly perform input validation when parsing requests. A remote
attacker could use this flaw to mount a denial of service attack, by
sending specially crafted Range requests.
Debian Security Advisories
DSA-3137 websvn – security update
James Clawson discovered that websvn, a web viewer for Subversion
repositories, would follow symlinks in a repository when presenting a
file for download. An attacker with repository write access could
thereby access any file on disk readable by the user the webserver
runs as.
DSA-3136 polarssl – security update
A vulnerability was discovered in PolarSSL, a lightweight crypto and
SSL/TLS library. A remote attacker could exploit this flaw using
specially crafted certificates to mount a denial of service against an
application linked against the library (application crash), or
potentially, to execute arbitrary code.
DSA-3135 mysql-5.5 – security update
Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.41. Please see the MySQL 5.5 Release Notes and Oracle’s
Critical Patch Update advisory for further details.
DSA-3134 sympa – security update
A vulnerability has been discovered in the web interface of sympa, a
mailing list manager. An attacker could take advantage of this flaw in
the newsletter posting area to send to a list, or to oneself, any file
located on the server filesystem and readable by the sympa user.
DSA-3133 privoxy – security update
Multiple use-after-frees were discovered in Privoxy, a privacy-enhancing
HTTP proxy.
DSA-3132 icedove – security update
Multiple security issues have been found in Icedove, Debian’s version of
the Mozilla Thunderbird mail and news client: Multiple memory safety
errors and implementation errors may lead to the execution of arbitrary
code, information leaks or denial of service.
DSA-3131 xdg-utils – security update
John Houwer discovered a way to cause xdg-open, a tool that automatically
opens URLs in a user’s preferred application, to execute arbitrary
commands remotely.
DSA-3130 lsyncd – security update
It was discovered that lsyncd, a daemon to synchronize local directories
using rsync, performed insufficient sanitising of filenames which might
result in the execution of arbitrary commands.
DSA-3128 linux – security update
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service or information leaks.