Next Page >>
Debian Bug
Package : mantis
Vulnerability : information leak
Problem type : local
Debian-specific: yes
Debian Bug : 425010
It was discovered that the Debian Mantis package, a web based bug
tracking system, installed the database credentials in a file with
world-readable permissions onto the local filesystem. This allows
local users to acquire the credentials used to control the Mantis
Package : weechat
Vulnerability : missing input sanitization
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-0661
Debian Bug : 519940
BugTraq ID : 34148
Sebastien Helleu discovered that an error in the handling of color codes
in the weechat IRC client could cause an out-of-bounds read of an internal
Package : znc
Vulnerability : missing input sanitization
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-0759
Debian Bug : 516950
It was discovered that znc, an IRC proxy/bouncer, does not properly
sanitize input contained in configuration change requests to the
webadmin interface. This allows authenticated users to elevate their
privileges and indirectly execute arbitrary commands (CVE-2009-0759).
Package : openldap2.3
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2952
Debian Bug : 488710
Cameron Hotchkies discovered that the OpenLDAP server slapd, a free
implementation of the Lightweight Directory Access Protocol, could be
crashed by sending malformed ASN1 requests.
Package : clamav
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2713
Debian Bug : 490925
Damian Put discovered a vulnerability in the ClamAV anti-virus
toolkit's parsing of Petite-packed Win32 executables. The weakness
leads to an invalid memory access, and could enable an attacker to
crash clamav by supplying a maliciously crafted Petite-compressed
Package : refpolicy
Vulnerability : incompatible policy
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-1447
Debian Bug : 490271
In DSA-1603-1, Debian released an update to the BIND 9 domain name
server, which introduced UDP source port randomization to mitigate
the threat of DNS cache poisoning attacks (identified by the Common
Vulnerabilities and Exposures project as CVE-2008-1447). The fix,
Package : openssh
Vulnerability : remote
Problem type : unsafe signal handler
Debian-specific: no
CVE Id(s) : CVE-2008-4109
Debian Bug : 498678
It has been discovered that the signal handler implementing the login
timeout in Debian's version of the OpenSSH server uses functions which
are not async-signal-safe, leading to a denial of service
vulnerability (CVE-2008-4109).
Package : libapache-mod-jk
Vulnerability : information disclosure
Problem type : remote
Debian-specific: no
CVE ID : CVE-2008-5519
Debian Bug : 523054
An information disclosure flaw was found in mod_jk, the Tomcat Connector
module for Apache. If a buggy client included the "Content-Length" header
without providing request body data, or if a client sent repeated
equests very quickly, one client could obtain a response intended for
Package : elinks
Vulnerability : buffer overflow
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2008-7224
Debian Bug : 380347
Jakub Wilk discovered an off-by-one buffer overflow in the charset
handling of elinks, a feature-rich text-mode WWW browser, which might
lead to the execution of arbitrary code if the user is tricked into
opening a malformed HTML page.
Package : streamripper
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2007-4337 CVE-2008-4829
Debian Bug : 506377
Multiple buffer overflows involving HTTP header and playlist parsing
have been discovered in streamripper (CVE-2007-4337, CVE-2008-4829).
For the stable distribution (etch), these problems have been fixed in
Package : dbus
Vulnerability : programming error
Problem type : local
Debian-specific: no
CVE Id : CVE-2009-1189
Debian Bug : 532720
It was discovered that the dbus_signature_validate function in
dbus, a simple interprocess messaging system, is prone to a denial of
service attack. This issue was caused by an incorrect fix for
Package : netatalk
Vulnerability : missing input sanitising
Problem type : local(remote)
Debian-specific: no
CVE ID : CVE-2008-5718
Debian Bug : 510585
It was discovered that netatalk, an implementation of the AppleTalk
suite, is affected by a command injection vulnerability when processing
PostScript streams via papd. This could lead to the execution of
arbitrary code. Please note that this only affects installations that are
Package : amule
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-1440
Debian Bug : 525078
Sam Hocevar discovered that amule, a client for the eD2k and Kad
networks, does not properly sanitise the filename, when using the
preview function. This could lead to the injection of arbitrary commands
Package : dvipng
Vulnerability : buffer overflow
Problem type : remote (local)
Debian-specific: no
CVE Id : CVE-2010-0829
Debian Bug : 580628
Dan Rosenberg discovered that in dvipng, a utility that converts DVI
files to PNG graphics, several array index errors allow context-dependent
attackers, via a specially crafted DVI file, to cause a denial of
service (crash of the application), and possibly arbitrary code
Package : squirrelmail
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-1578 CVE-2009-1579 CVE-2009-1580 CVE-2009-1581
Debian Bug : 528528
Several remote vulnerabilities have been discovered in SquirrelMail,
a webmail application. The Common Vulnerabilities and Exposures project
identifies the following problems:
Package : krb5
Vulnerability : integer underflow
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2009-4212
Debian Bug : none
It was discovered that krb5, a system for authenticating users and services on a
network, is prone to integer underflow in the AES and RC4 decryption operations of
the crypto library. A remote attacker can cause crashes, heap corruption, or,
under extraordinarily unlikely conditions, arbitrary code execution.
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3628 CVE-2009-3629 CVE-2009-3630 CVE-2009-3631
CVE-2009-3632 CVE-2009-3633 CVE-2009-3634 CVE-2009-3635
CVE-2009-3636
Debian Bug : 552020
Several remote vulnerabilities have been discovered in the TYPO3 web
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems:
Package : egroupware
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : not yet available
Debian Bug : 573279
Nahuel Grisolia discovered two vulnerabilities in Egroupware, a web-based
groupware suite: Missing input sanitising in the spellchecker integration
may lead to the execution of arbitrary commands and a cross-site scripting
vulnerability was discovered in the login page.
Package : djbdns
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-0858
Debian Bug : 518169
Matthew Dempsky discovered that Daniel J. Bernstein's djbdns, a Domain
Name System server, does not constrain offsets in the required manner,
which allows remote attackers with control over a third-party subdomain
served by tinydns and axfrdns, to trigger DNS responses containing
Package : libsndfile
Vulnerability : integer overflow
Problem type : local
Debian-specific: no
CVE ID : CVE-2009-0186
Debian Bug : none
BugTraq ID : 33963
Alan Rad Pop discovered that libsndfile, a library to read and write
sampled audio data, is prone to an integer overflow. This causes a
Package : trac-git
Vulnerability : shell command injection
Problem type : remote
Debian-specific: yes
CVE Id(s) : CVE-2010-0394
Debian Bug : 567039
The trac-git package released in DSA-1990-1 had a wrong dependency that
could not be satisfied in Debian stable. This update corrects this
problem. For reference, the original advisory text is provided below.
Package : belpic
Vulnerability : cryptographic weakness
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-0049
Debian Bug : 511261
It was discovered that belpic, the belgian eID PKCS11 library, does not
properly check the result of an OpenSSL function for verifying
cryptographic signatures, which could be used to bypass the certificate
validation.
Package : zaptel
Vulnerability : array index error
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-5396 CVE-2008-5744
Debian Bug : 507459 510583
An array index error in zaptel, a set of drivers for telephony hardware,
could allow users to crash the system or escalate their privileges by
overwriting kernel memory (CVE-2008-5396).
Package : drupal6
Vulnerability : several vulnerabilities
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2009-2372 CVE-2009-2373 CVE-2009-2374
Debian Bug : 535435 547140
Several vulnerabilities have been found in drupal6, a fully-featured
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems:
Package : hf
Vulnerability : programming error
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-2378
Debian Bug : 504182
Steve Kemp discovered that hf, an amateur-radio protocol suite using
a soundcard as a modem, insecurely tried to execute an external command
which could lead to the elevation of privileges for local users.
Package : shadow
Vulnerability : race condition
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-5394
Debian Bug : 505271
Paul Szabo discovered that login, the system login tool, did not
correctly handle symlinks while setting up tty permissions. If a local
attacker were able to gain control of the system utmp file, they could
cause login to change the ownership and permissions on arbitrary files,
Package : no-ip
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-5297
Debian Bug : 506179
A buffer overflow has been discovered in the HTTP parser of the No-IP.com
Dynamic DNS update client, which may result in the execution of arbitrary
code.
Packages : cyrus-imapd-2.2 kolab-cyrus-imapd
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2009-2632 CVE-2009-3235
Debian Bug : 547712
It was discovered that the SIEVE component of cyrus-imapd and
kolab-cyrus-imapd, the Cyrus mail system, is vulnerable to a buffer
overflow when processing SIEVE scripts.
Package : awstats
Vulnerability : cross-site scripting
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-3714
Debian Bug : 495432
Morgan Todd discovered a cross-site scripting vulnerability in awstats,
a log file analyzer, involving the "config" request parameter (and
possibly others; CVE-2008-3714).
Package : libpng
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2007-2445 CVE-2007-5269 CVE-2008-1382 CVE-2008-5907 CVE-2008-6218 CVE-2009-0040
Debian Bug : 446308 476669 516256 512665
Several vulnerabilities have been discovered in libpng, a library for
reading and writing PNG files. The Common Vulnerabilities and
Exposures project identifies the following problems:
Next Page>>
|
