Two vulnerabilities have been discovered in the RPM package manager.
Category Archives: Debian
Debian Security Advisories
DSA-3127 iceweasel – security update
Multiple security issues have been found in Iceweasel, Debian’s version
of the Mozilla Firefox web browser: Multiple memory safety errors
and implementation errors may lead to the execution of arbitrary code,
information leaks or denial of service.
DSA-3126 php5 – security update
It was discovered that libmagic, as used by PHP, would trigger an
out-of-bounds memory access when trying to identify a crafted file.
DSA-3125 openssl – security update
Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:
DSA-3124 otrs2 – security update
Thorsten Eckel of Znuny GmbH and Remo Staeuble of InfoGuard discovered
a privilege escalation vulnerability in otrs2, the Open Ticket Request
System. An attacker with valid OTRS credentials could access and
manipulate ticket data of other users via the GenericInterface, if a
ticket webservice is configured and not additionally secured.
DSA-3123 binutils – security update
Multiple security issues have been found in binutils, a toolbox for
binary file manipulation. These include multiple memory safety errors,
buffer overflows, use-after-frees and other implementation errors, which
may lead to the execution of arbitrary code, the bypass of security
restrictions, path traversal attacks or denial of service.
DSA-3121 file – security update
Multiple security issues have been found in file, a tool/library to
determine a file type. Processing a malformed file could result in
denial of service. Most of the changes are related to parsing ELF
files.
DSA-3122 curl – security update
Andrey Labunets of Facebook discovered that cURL, a URL transfer
library, fails to properly handle URLs with embedded end-of-line
characters. An attacker able to make an application using libcurl
access a specially crafted URL via an HTTP proxy could use this flaw to
issue additional requests in a way that was not intended, or to insert
additional request headers into the request.
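The mechanism behind this class of bug is that a request sent through an HTTP proxy carries the full URL in the request line, so a CR/LF inside the URL string ends up verbatim on the wire. The following is an added example, not code from the Debian advisory or from the curl project: a hypothetical `build_proxy_request` that formats a proxied request naively, the same function with an end-of-line check, and a `count_request_lines` helper that makes the injected lines visible. The URL and header names are constructed inputs.

```c
/* Added example (not libcurl code). Function names are illustrative. */
#include <stdio.h>
#include <string.h>

/* CR or LF anywhere in the URL would terminate the request line early. */
static int url_has_eol(const char *url)
{
    return strpbrk(url, "\r\n") != NULL;
}

/* Format a proxy-style request (absolute URL in the request line) into
 * out. With strict != 0, refuse URLs that contain CR or LF.
 * Returns 0 on success, -1 if the URL is rejected or out is too small. */
int build_proxy_request(const char *url, const char *host, int strict,
                        char *out, size_t outlen)
{
    if (strict && url_has_eol(url))
        return -1;
    int n = snprintf(out, outlen, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n",
                     url, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Count the lines of the request up to the blank line that ends the
 * headers (the request line counts as one). A benign URL gives 2. */
int count_request_lines(const char *req)
{
    int lines = 0;
    const char *p = req;
    for (;;) {
        const char *eol = strstr(p, "\r\n");
        if (eol == NULL || eol == p)   /* no terminator, or empty line */
            break;
        lines++;
        p = eol + 2;
    }
    return lines;
}

int main(void)
{
    /* Constructed attacker-controlled URL with an embedded CRLF sequence:
     * it smuggles a header and a second request line into the stream. */
    const char *evil =
        "http://example.com/\r\nX-Injected: 1\r\nGET http://other.example/ HTTP/1.1";
    char buf[512];

    build_proxy_request(evil, "example.com", 0, buf, sizeof buf);
    printf("lenient build: %d request lines\n", count_request_lines(buf));

    int rc = build_proxy_request(evil, "example.com", 1, buf, sizeof buf);
    printf("strict build: rc=%d (URL rejected)\n", rc);
    return 0;
}
```

Rejecting CR and LF before the URL reaches the request formatter is the fix shape; percent-encoding them on the way out is the alternative when the bytes must be preserved.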
DSA-3119 libevent – security update
Andrew Bartlett of Catalyst reported a defect affecting certain
applications using the Libevent evbuffer API. This defect leaves
applications which pass insanely large inputs to evbuffers open to a
possible heap overflow or infinite loop. In order to exploit this flaw,
an attacker needs to be able to find a way to provoke the program into
trying to make a buffer chunk larger than what will fit into a single
size_t or off_t.
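The two outcomes the advisory names, heap overflow and infinite loop, both come from growing a chunk by an unchecked `used + needed`. The following is an added example, not libevent's code: a hypothetical `next_chunk_size_naive` that computes the new chunk size the unsafe way, and `next_chunk_size_checked` with the overflow guard. When the sum wraps, the naive version returns a tiny chunk that the caller then overruns; when the sum is huge but does not wrap, the doubling loop shifts the size to zero and never terminates. The check for `off_t` would be the same comparison against that type's maximum.

```c
/* Added example (not libevent code). Names and limits are illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MIN_CHUNK   512
#define CHUNK_LIMIT (SIZE_MAX / 2)   /* largest request the doubling loop can satisfy */

/* Unsafe: used + needed may wrap around SIZE_MAX. A wrapped total yields a
 * chunk far smaller than the data about to be copied into it; a total close
 * to SIZE_MAX makes size << 1 reach 0 and the loop never ends. */
size_t next_chunk_size_naive(size_t used, size_t needed)
{
    size_t total = used + needed;
    size_t size = MIN_CHUNK;
    while (size < total)
        size <<= 1;
    return size;
}

/* Guarded: refuse before the arithmetic can wrap, and cap the total so the
 * doubling loop is guaranteed to terminate. Returns 0 and sets *out, or -1. */
int next_chunk_size_checked(size_t used, size_t needed, size_t *out)
{
    if (needed > SIZE_MAX - used)     /* used + needed would wrap */
        return -1;
    size_t total = used + needed;
    if (total > CHUNK_LIMIT)          /* a real buffer would use a much smaller policy cap */
        return -1;
    size_t size = MIN_CHUNK;
    while (size < total)
        size <<= 1;
    *out = size;
    return 0;
}

int main(void)
{
    size_t out;
    /* Constructed inputs: a normal append, then an attacker-sized one. */
    printf("naive  100 + 1000     -> %zu\n", next_chunk_size_naive(100, 1000));
    printf("naive  SIZE_MAX-1 + 4 -> %zu (wrapped; heap overflow follows)\n",
           next_chunk_size_naive(SIZE_MAX - 1, 4));
    printf("checked SIZE_MAX-1 + 4 -> rc=%d\n",
           next_chunk_size_checked(SIZE_MAX - 1, 4, &out));
    /* next_chunk_size_naive(SIZE_MAX / 2, SIZE_MAX / 4) is deliberately not
     * called here: the total does not wrap, and the loop never terminates. */
    return 0;
}
```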
DSA-3120 mantis – security update
Multiple security issues have been found in the Mantis bug tracking
system, which may result in phishing, information disclosure, CAPTCHA
bypass, SQL injection, cross-site scripting or the execution of arbitrary
PHP code.