
Bruno


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2827-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

December 24, 2013 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libcommons-fileupload-java

Vulnerability : arbitrary file upload via deserialization

Problem type : local (remote)

Debian-specific: no

CVE ID : CVE-2013-2186

Debian Bug : 726601

 

It was discovered that Apache Commons FileUpload, a package to make it

easy to add robust, high-performance, file upload capability to servlets

and web applications, incorrectly handled file names with NULL bytes in

serialized instances. A remote attacker able to supply a serialized

instance of the DiskFileItem class, which will be deserialized on a

server, could use this flaw to write arbitrary content to any location

on the server that is accessible to the user running the application

server process.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 1.2.2-1+deb6u1.

 

For the stable distribution (wheezy), this problem has been fixed in

version 1.2.2-1+deb7u1.

 

For the testing distribution (jessie), this problem has been fixed in

version 1.3-2.1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.3-2.1.

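Every advisory on this page ends with "fixed in version ...", and the only reliable way to act on those lines is to compare them with the installed version using dpkg's ordering rules (epoch, then upstream version, then Debian revision, with "~" sorting before the empty string, so "2.7.23-1~deb7u3" is older than "2.7.23-1"). The following is an added worked example, not Debian's code and not part of any advisory here: it re-implements the comparison dpkg uses and runs it over the wheezy fixed versions quoted above. The installed versions in SAMPLE_INSTALLED are constructed for the demonstration, not taken from a real host.

```python
"""Debian version comparison, re-implemented from dpkg's verrevcmp() rules.

Added worked example for this page; not Debian's code. SAMPLE_INSTALLED is a
constructed set of installed versions, FIXED_WHEEZY quotes the advisories.
"""


def _order(c: str) -> int:
    """Weight of a non-digit character: '~' sorts before end-of-string,
    letters before everything else, other symbols after letters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _ch(s: str, k: int) -> str:
    """Character k of s, or '' once past the end (stands in for C's NUL)."""
    return s[k] if k < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or debian-revision strings the dpkg way:
    alternate runs of non-digits (by _order) and digits (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: first differing weight decides
        while (_ch(a, i) and not _ch(a, i).isdigit()) or (_ch(b, j) and not _ch(b, j).isdigit()):
            ac, bc = _order(_ch(a, i)), _order(_ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros, compare digit by digit; the longer run wins
        while _ch(a, i) == "0":
            i += 1
        while _ch(b, j) == "0":
            j += 1
        while _ch(a, i).isdigit() and _ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _ch(a, i).isdigit():
            return 1
        if _ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split "[epoch:]upstream[-revision]" into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


# Fixed versions for wheezy as quoted in the advisories on this page,
# keyed by source package name.
FIXED_WHEEZY = {
    "libcommons-fileupload-java": "1.2.2-1+deb7u1",
    "puppet": "2.7.23-1~deb7u3",
    "memcached": "1.4.13-0.2+deb7u1",
    "openssl": "1.0.1e-2+deb7u3",
    "curl": "7.26.0-1+wheezy8",
    "libyaml": "0.1.4-2+deb7u2",
}

# Constructed sample of installed versions (assumed values, not a real host).
SAMPLE_INSTALLED = {
    "libcommons-fileupload-java": "1.2.2-1+deb7u1",
    "puppet": "2.7.23-1~deb7u3",
    "memcached": "1.4.13-0.2+deb7u1",
    "openssl": "1.0.1e-2+deb7u1",
    "curl": "7.26.0-1+wheezy7",
    "libyaml": "0.1.4-2+deb7u2",
}


def vulnerable_packages(installed: dict, fixed: dict) -> list:
    """Names of installed packages whose version is older than the fixed one."""
    return sorted(pkg for pkg, fixed_version in fixed.items()
                  if pkg in installed and compare_versions(installed[pkg], fixed_version) < 0)


if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_INSTALLED, FIXED_WHEEZY):
        print(f"{pkg}: installed {SAMPLE_INSTALLED[pkg]} < fixed {FIXED_WHEEZY[pkg]}")
```

On a real host the installed dict would come from `dpkg-query -W -f '${source:Package} ${Version}\n'`; note that the advisories name source packages, so the binary package name has to be mapped through the source field (libyaml's binary package is libyaml-0-2, for example). The same comparison also explains the puppet regression fix on this page: 2.7.23-1~deb7u2 sorts below 2.7.23-1~deb7u3, and both sort below a plain 2.7.23-1.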

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2828-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

December 28, 2013 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : drupal6

Vulnerability : several

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-6385 CVE-2013-6386

 

Multiple vulnerabilities have been discovered in Drupal, a fully-featured

content management framework: vulnerabilities due to optimistic cross-site

request forgery protection, insecure pseudo random number generation, code

execution and incorrect security token validation.

 

In order to avoid the remote code execution vulnerability, it is

recommended to create a .htaccess file (or an equivalent configuration

directive in case you are not using Apache to serve your Drupal sites)

in each of your sites' "files" directories (both public and private, in

case you have both configured).

 

Please refer to the NEWS file provided with this update and the upstream

advisory at https://drupal.org/SA-CORE-2013-003 for further information.

 

For the oldstable distribution (squeeze), these problems have been fixed in

version 6.29-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2829-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

December 28, 2013 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : hplip

Vulnerability : several

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-0200 CVE-2013-4325 CVE-2013-6402 CVE-2013-6427

 

Multiple vulnerabilities have been found in the HP Linux Printing and

Imaging System: Insecure temporary files, insufficient permission checks

in PackageKit and the insecure hp-upgrade service has been disabled.

 

For the oldstable distribution (squeeze), these problems have been fixed in

version 3.10.6-2+squeeze2.

 

For the stable distribution (wheezy), these problems have been fixed in

version 3.12.6-3.1+deb7u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 3.13.11-2.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2830-1 security@debian.org

http://www.debian.org/security/ Florian Weimer

December 30, 2013 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ruby-i18n

Vulnerability : cross-site scripting

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-4492

 

Peter McLarnan discovered that the internationalization component of

Ruby on Rails does not properly encode parameters in generated HTML

code, resulting in a cross-site scripting vulnerability. This update

corrects the underlying vulnerability in the i18n gem, as provided by

the ruby-i18n package.

 

The oldstable distribution (squeeze) is not affected by this problem;

the libi18n-ruby package does not contain the vulnerable code.

 

For the stable distribution (wheezy), this problem has been fixed in

version 0.6.0-3+deb7u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 0.6.9-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2831-1 security@debian.org

http://www.debian.org/security/ Luciano Bello

December 31, 2013 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : puppet

Vulnerability : insecure temporary files

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-4969

 

An unsafe use of temporary files was discovered in Puppet, a tool for

centralized configuration management. An attacker can exploit this

vulnerability and overwrite an arbitrary file in the system.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 2.6.2-5+squeeze9.

 

For the stable distribution (wheezy), this problem has been fixed in

version 2.7.23-1~deb7u2.

 

For the testing distribution (jessie), this problem has been fixed in

version 3.4.0-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 3.4.0-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2832-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

January 01, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : memcached

Vulnerability : several

Problem type : remote

Debian-specific: no

CVE ID : CVE-2011-4971 CVE-2013-7239

Debian Bug : 706426 733643

 

Multiple vulnerabilities have been found in memcached, a high-performance

memory object caching system. The Common Vulnerabilities and Exposures

project identifies the following issues:

 

CVE-2011-4971

 

Stefan Bucur reported that memcached could be caused to crash by

sending a specially crafted packet.

 

CVE-2013-7239

 

It was reported that SASL authentication could be bypassed due to a

flaw related to the management of the SASL authentication state. With

a specially crafted request, a remote attacker may be able to

authenticate with invalid SASL credentials.

 

For the oldstable distribution (squeeze), these problems have been fixed

in version 1.4.5-1+deb6u1. Note that the patch for CVE-2013-7239 was not

applied for the oldstable distribution as SASL support is not enabled in

this version. This update also provides the fix for CVE-2013-0179 which

was fixed for stable already.

 

For the stable distribution (wheezy), these problems have been fixed in

version 1.4.13-0.2+deb7u1.

 

For the unstable distribution (sid), these problems will be fixed soon.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2833-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

January 01, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openssl

Vulnerability : several

Problem type : local

Debian-specific: no

CVE ID : CVE-2013-6449 CVE-2013-6450

Debian Bug : 732754 732710

 

Multiple security issues have been fixed in OpenSSL: The TLS 1.2 support

was susceptible to denial of service and retransmission of DTLS messages

was fixed. In addition this update disables the insecure Dual_EC_DRBG

algorithm (which was unused anyway, see

http://marc.info/?l=openssl-announce&m=138747119822324&w=2 for further

information) and no longer uses the RdRand feature available on some

Intel CPUs as a sole source of entropy unless explicitly requested.

 

For the stable distribution (wheezy), these problems have been fixed in

version 1.0.1e-2+deb7u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.0.1e-5.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2834-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

January 01, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : typo3-src

Vulnerability : several

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-7073 CVE-2013-7074 CVE-2013-7075 CVE-2013-7076

CVE-2013-7078 CVE-2013-7079 CVE-2013-7080 CVE-2013-7081

Debian Bug : 731999

 

Several vulnerabilities were discovered in TYPO3, a content management

system. This update addresses cross-site scripting, information

disclosure, mass assignment, open redirection and insecure unserialize

vulnerabilities and corresponds to TYPO3-CORE-SA-2013-004.

 

For the oldstable distribution (squeeze), these problems have been fixed in

version 4.3.9+dfsg1-1+squeeze9.

 

For the stable distribution (wheezy), these problems have been fixed in

version 4.5.19+dfsg1-5+wheezy2.

 

For the testing distribution (jessie), these problems have been fixed in

version 4.5.32+dfsg1-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 4.5.32+dfsg1-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2835-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

January 05, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : asterisk

Vulnerability : buffer overflow

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-7100

Debian Bug : 732355

 

Jan Juergens discovered a buffer overflow in the parser for SMS messages

in Asterisk.

 

An additional change was backported, which is fully described in

http://downloads.asterisk.org/pub/security/AST-2013-007.html

 

With the fix for AST-2013-007, a new configuration option was added in

order to allow the system administrator to disable the expansion of

"dangerous" functions (such as SHELL()) from any interface which is not

the dialplan. In stable and oldstable this option is disabled by default.

To enable it add the following line to the section '[options]' in

/etc/asterisk/asterisk.conf (and restart asterisk)

 

live_dangerously = no

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 1:1.6.2.9-2+squeeze12.

 

For the stable distribution (wheezy), this problem has been fixed in

version 1:1.8.13.1~dfsg1-3+deb7u3.

 

For the testing distribution (jessie), this problem has been fixed in

version 1:11.7.0~dfsg-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1:11.7.0~dfsg-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2836-1 security@debian.org

http://www.debian.org/security/ Raphael Geissert

January 05, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : devscripts

Vulnerability : arbitrary code execution

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-6888

 

Several vulnerabilities have been discovered in uscan, a tool to scan

upstream sites for new releases of packages, which is part of the

devscripts package. An attacker controlling a website from which uscan

would attempt to download a source tarball could execute arbitrary code

with the privileges of the user running uscan.

 

The Common Vulnerabilities and Exposures project id CVE-2013-6888 has

been assigned to identify them.

 

For the stable distribution (wheezy), these problems have been fixed in

version 2.12.6+deb7u2.

 

For the testing distribution (jessie) and the unstable distribution

(sid), these problems have been fixed in version 2.13.9.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2837-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

January 07, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openssl

Vulnerability : programming error

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-4353

 

Anton Johannson discovered that an invalid TLS handshake package could

crash OpenSSL with a NULL pointer dereference.

 

The oldstable distribution (squeeze) is not affected.

 

For the stable distribution (wheezy), this problem has been fixed in

version 1.0.1e-2+deb7u3.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.0.1f-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2838-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

January 07, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libxfont

Vulnerability : buffer overflow

Problem type : local

Debian-specific: no

CVE ID : CVE-2013-6462

 

It was discovered that a buffer overflow in the processing of Glyph

Bitmap Distribution fonts (BDF) could result in the execution of

arbitrary code.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 1:1.4.1-4.

 

For the stable distribution (wheezy), this problem has been fixed in

version 1:1.4.5-3.

 

For the unstable distribution (sid), this problem has been fixed in

version 1:1.4.7-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2839-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

January 08, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : spice

Vulnerability : denial of service

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-4130 CVE-2013-4282

Debian Bug : 717030 728314

 

Multiple vulnerabilities have been found in spice, a SPICE protocol

client and server library. The Common Vulnerabilities and Exposures

project identifies the following issues:

 

CVE-2013-4130

 

David Gibson of Red Hat discovered that SPICE incorrectly handled

certain network errors. A remote user able to initiate a SPICE

connection to an application acting as a SPICE server could use this

flaw to crash the application.

 

CVE-2013-4282

 

Tomas Jamrisko of Red Hat discovered that SPICE incorrectly handled

long passwords in SPICE tickets. A remote user able to initiate a

SPICE connection to an application acting as a SPICE server could use

this flaw to crash the application.

 

Applications acting as a SPICE server must be restarted for this update

to take effect.

 

For the stable distribution (wheezy), these problems have been fixed in

version 0.11.0-1+deb7u1.

 

For the testing distribution (jessie), these problems have been fixed in

version 0.12.4-0nocelt2.

 

For the unstable distribution (sid), these problems have been fixed in

version 0.12.4-0nocelt2.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2840-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

January 10, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : srtp

Vulnerability : buffer overflow

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-2139

Debian Bug : 711163

 

Fernando Russ from Groundworks Technologies reported a buffer overflow

flaw in srtp, Cisco's reference implementation of the Secure Real-time

Transport Protocol (SRTP), in how the

crypto_policy_set_from_profile_for_rtp() function applies

cryptographic profiles to an srtp_policy. A remote attacker could

exploit this vulnerability to crash an application linked against

libsrtp, resulting in a denial of service.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 1.4.4~dfsg-6+deb6u1.

 

For the stable distribution (wheezy), this problem has been fixed in

version 1.4.4+20100615~dfsg-2+deb7u1.

 

For the testing distribution (jessie), this problem has been fixed in

version 1.4.5~20130609~dfsg-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.4.5~20130609~dfsg-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2841-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

January 11, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : movabletype-opensource

Vulnerability : cross-site scripting

Problem type : remote

Debian-specific: no

CVE ID : CVE-2014-0977

Debian Bug : 734304

 

A cross-site scripting vulnerability was discovered in the rich text

editor of the Movable Type blogging engine.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 4.3.8+dfsg-0+squeeze4.

 

For the stable distribution (wheezy), this problem has been fixed in

version 5.1.4+dfsg-4+deb7u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 5.2.9+dfsg-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2842-1 security@debian.org

http://www.debian.org/security/ Markus Koschany

January 13, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libspring-java

Vulnerability : denial of service

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-4152

Debian Bug : 720902

 

Alvaro Munoz discovered an XML External Entity (XXE) injection in the

Spring Framework which can be used for conducting CSRF and DoS attacks

on other sites.

 

The Spring OXM wrapper did not expose any property for disabling entity

resolution when using the JAXB unmarshaller. There are four possible

source implementations passed to the unmarshaller:

 

DOMSource

StAXSource

SAXSource

StreamSource

 

For a DOMSource, the XML has already been parsed by user code

and that code is responsible for protecting against XXE.

 

For a StAXSource, the XMLStreamReader has already been created

by user code and that code is responsible for protecting

against XXE.

 

For SAXSource and StreamSource instances, Spring processed

external entities by default thereby creating this

vulnerability.

 

The issue was resolved by disabling external entity processing

by default and adding an option to enable it for those users

that need to use this feature when processing XML from a

trusted source.

 

It was also identified that Spring MVC processed user provided

XML with JAXB in combination with a StAX XMLInputFactory

without disabling external entity resolution. External entity

resolution has been disabled in this case.

 

For the stable distribution (wheezy), this problem has been fixed in

version 3.0.6.RELEASE-6+deb7u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 3.0.6.RELEASE-10.
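The advisory above comes down to one missing switch: for SAXSource and StreamSource, Spring's JAXB unmarshaller let the parser fetch external entities, so a document that declares `<!ENTITY xxe SYSTEM "...">` and references `&xxe;` pulls in whatever the entity names. The following is an added example, written for this page and not Spring's code or part of the advisory; it uses Python's xml.sax, which exposes exactly that switch as the feature_external_ges flag, to show the same document parsed with entity resolution on (the pre-fix default) and off (the patched default). The secret file, its contents and the attacker document are constructed for the demonstration.

```python
"""XXE through an external general entity, with and without entity resolution.

Added example for this page; not Spring's code and not part of the Debian
advisory. The secret file and the attacker document are constructed here.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collect character data, which is where an expanded entity ends up."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse the document and return its concatenated character data.

    resolve_external_entities=True is the analogue of Spring's pre-fix
    behaviour for SAXSource/StreamSource; False is the patched default."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def build_xxe_document(local_path: str) -> bytes:
    """Constructed attacker payload: an external entity naming a local file,
    referenced from the body so the file's contents are echoed back as data."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{local_path}">]>\n'
        "<order><note>&xxe;</note></order>\n"
    ).encode()


def demo() -> tuple:
    """Return (text leaked with resolution on, text seen with resolution off)."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret
        secret_path = f.name
    try:
        doc = build_xxe_document(secret_path)
        leaked = parse_text(doc, resolve_external_entities=True)
        safe = parse_text(doc, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("entity resolution on :", repr(leaked))
    print("entity resolution off:", repr(safe))
```

With resolution on, the parser reads the file named by the entity and hands its contents to the application as ordinary text, which is the information-disclosure side of XXE; the same mechanism pointed at an http:// URL is how the CSRF and DoS effects in the advisory arise. With resolution off, the reference is skipped and the element is simply empty. The stricter option, where the application never needs a DTD, is to reject any document that carries a DOCTYPE at all before it reaches the parser.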

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2843-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

January 13, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : graphviz

Vulnerability : buffer overflow

Problem type : local (remote)

Debian-specific: no

CVE ID : CVE-2014-0978 CVE-2014-1236

Debian Bug : 734745

 

Two buffer overflow vulnerabilities were reported in Graphviz, a rich

collection of graph drawing tools. The Common Vulnerabilities and

Exposures project identifies the following issues:

 

CVE-2014-0978

 

It was discovered that user-supplied input used in the yyerror()

function in lib/cgraph/scan.l is not bounds-checked before being

copied into an insufficiently sized memory buffer. A

context-dependent attacker could supply a specially crafted input

file containing a long line to cause a stack-based buffer overflow,

resulting in a denial of service (application crash) or potentially

allowing the execution of arbitrary code.

 

CVE-2014-1236

 

Sebastian Krahmer reported an overflow condition in the chkNum()

function in lib/cgraph/scan.l that is triggered as the used regular

expression accepts an arbitrarily long digit list. With a specially

crafted input file, a context-dependent attacker can cause a

stack-based buffer overflow, resulting in a denial of service

(application crash) or potentially allowing the execution of

arbitrary code.

 

For the oldstable distribution (squeeze), these problems have been fixed in

version 2.26.3-5+squeeze2.

 

For the stable distribution (wheezy), these problems have been fixed in

version 2.26.3-14+deb7u1.

 

For the unstable distribution (sid), these problems will be fixed soon.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2844-1 security@debian.org

http://www.debian.org/security/ Raphael Geissert

January 15, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : djvulibre

Vulnerability : arbitrary code execution

Problem type : local (remote)

Debian-specific: no

CVE ID : CVE-2012-6535

 

It was discovered that djvulibre, the Open Source DjVu implementation

project, can be crashed or possibly made to execute arbitrary code when

processing a specially crafted djvu file.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 3.5.23-3+squeeze1.

 

This problem has been fixed before the release of the stable distribution

(wheezy), therefore it is not affected.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2845-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

January 17, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mysql-5.1

Vulnerability : several

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-5908 CVE-2014-0386 CVE-2014-0393 CVE-2014-0401

CVE-2014-0402 CVE-2014-0412 CVE-2014-0437

 

This DSA updates the MySQL 5.1 database to 5.1.73. This fixes multiple

unspecified security problems in MySQL:

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

 

For the oldstable distribution (squeeze), these problems have been fixed in

version 5.1.73-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2831-2 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

January 17, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : puppet

Vulnerability : regression

Debian-specific: no

Debian Bug : 734444

 

The fix for CVE-2013-4969 contained a regression affecting the default

file mode if none is specified on a file resource.

 

The oldstable distribution (squeeze) is not affected by this regression.

 

For the stable distribution (wheezy), this problem has been fixed in

version 2.7.23-1~deb7u3.

 

For the testing distribution (jessie) and the unstable distribution

(sid), this problem has been fixed in version 3.4.2-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2846-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

January 17, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libvirt

Vulnerability : several

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-6458 CVE-2014-1447

 

Multiple security issues have been found in Libvirt, a virtualisation

abstraction library:

 

CVE-2013-6458

 

It was discovered that insecure job usage could lead to denial of

service against libvirtd.

 

CVE-2014-1447

 

It was discovered that a race condition in keepalive handling could

lead to denial of service against libvirtd.

 

For the stable distribution (wheezy), these problems have been fixed in

version 0.9.12.3-1. This bugfix point release also addresses some

additional bugfixes.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.2.1-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2847-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

January 20, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : drupal7

Vulnerability : several

Problem type : remote

Debian-specific: no

CVE ID : CVE-2014-1475 CVE-2014-1476

 

Multiple vulnerabilities have been discovered in Drupal, a

fully-featured content management framework. The Common Vulnerabilities

and Exposures project identifies the following issues:

 

CVE-2014-1475

 

Christian Mainka and Vladislav Mladenov reported a vulnerability

in the OpenID module that allows a malicious user to log in as

other users on the site, including administrators, and hijack

their accounts.

 

CVE-2014-1476

 

Matt Vance and Damien Tournoud reported an access bypass

vulnerability in the taxonomy module. Under certain circumstances,

unpublished content can appear on listing pages provided by the

taxonomy module and will be visible to users who should not have

permission to see it.

 

These fixes require extra updates to the database which can be done from

the administration pages. Furthermore this update introduces a new

security hardening element for the form API. Please refer to the

upstream advisory at https://drupal.org/SA-CORE-2014-001 for further

information.

 

For the stable distribution (wheezy), these problems have been fixed in

version 7.14-2+deb7u2.

 

For the testing distribution (jessie), these problems have been fixed in

version 7.26-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 7.26-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2848-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

January 23, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mysql-5.5

Vulnerability : several

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-5891 CVE-2013-5908 CVE-2014-0386 CVE-2014-0393

CVE-2014-0401 CVE-2014-0402 CVE-2014-0412 CVE-2014-0420

CVE-2014-0437

 

Several issues have been discovered in the MySQL database server. The

vulnerabilities are addressed by upgrading MySQL to the new upstream

version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's

Critical Patch Update advisory for further details:

 

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-34.html

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-35.html

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

 

For the stable distribution (wheezy), these problems have been fixed in

version 5.5.35+dfsg-0+wheezy1.

 

For the unstable distribution (sid), these problems have been fixed in

version 5.5.35+dfsg-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2826-2 security@debian.org

http://www.debian.org/security/ Yves-Alexis Perez

January 23, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : denyhosts

Vulnerability : regression

Debian Bug : 734329

CVE ID : CVE-2013-6890

 

A regression has been found in the denyhosts packages fixing

CVE-2013-6890. This regression could cause an attempted break-in

to be missed by denyhosts, which would then fail to enforce a ban.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 2.6-7+deb6u3.

 

For the stable distribution (wheezy), this problem has been fixed in

version 2.6-10+deb7u3.

 

For the testing (jessie) and unstable (sid) distributions, the package denyhosts

has been removed, and its users are encouraged to switch to an alternative like

fail2ban.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2849-1 security@debian.org

http://www.debian.org/security/ Florian Weimer

January 31, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : curl

Vulnerability : information disclosure

Problem type : remote

Debian-specific: no

CVE ID : CVE-2014-0015

 

Paras Sethia discovered that libcurl, a client-side URL transfer

library, would sometimes mix up multiple HTTP and HTTPS connections

with NTLM authentication to the same server, sending requests for one

user over the connection authenticated as a different user.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 7.21.0-2.1+squeeze7.

 

For the stable distribution (wheezy), this problem has been fixed in

version 7.26.0-1+wheezy8.

 

For the unstable distribution (sid), this problem has been fixed in

version 7.35.0-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2850-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

January 31, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libyaml

Vulnerability : heap-based buffer overflow

Problem type : local (remote)

Debian-specific: no

CVE ID : CVE-2013-6393

Debian Bug : 737076

 

Florian Weimer of the Red Hat Product Security Team discovered a

heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and

emitter library. A remote attacker could provide a YAML document with a

specially-crafted tag that, when parsed by an application using libyaml,

would cause the application to crash or, potentially, execute arbitrary

code with the privileges of the user running the application.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 0.1.3-1+deb6u2.

 

For the stable distribution (wheezy), this problem has been fixed in

version 0.1.4-2+deb7u2.

 

For the unstable distribution (sid), this problem has been fixed in

version 0.1.4-3.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2851-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

February 02, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : drupal6

Vulnerability : impersonation

Problem type : remote

Debian-specific: no

CVE ID : CVE-2014-1475

 

Christian Mainka and Vladislav Mladenov reported a vulnerability in the

OpenID module of Drupal, a fully-featured content management framework.

A malicious user could exploit this flaw to log in as other users on the

site, including administrators, and hijack their accounts.

 

These fixes require extra updates to the database which can be done from

the administration pages.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 6.30-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2853-1 security@debian.org

http://www.debian.org/security/ Luciano Bello

February 05, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : horde3

Vulnerability : Remote code execution

Problem type : remote

Debian-specific: no

CVE ID : CVE-2014-1691

Debian Bug : 737149

 

Pedro Ribeiro from Agile Information Security found a possible remote

code execution on Horde3, a web application framework. Unsanitized

variables are passed to the unserialize() PHP function. A remote attacker

could specially craft one of those variables, allowing her to load and

execute code.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 3.3.8+debian0-3.

 

In the testing (jessie) and unstable (sid) distributions, Horde is

distributed in the php-horde-util package. This problem has been fixed in

version 2.3.0-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2854-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

February 05, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mumble

Vulnerability : several

Problem type : remote

Debian-specific: no

CVE ID : CVE-2014-0044 CVE-2014-0045

Debian Bug : 737739

 

Several issues have been discovered in mumble, a low latency VoIP

client. The Common Vulnerabilities and Exposures project identifies the

following issues:

 

CVE-2014-0044

 

It was discovered that a malformed Opus voice packet sent to a

Mumble client could trigger a NULL pointer dereference or an

out-of-bounds array access. A malicious remote attacker could

exploit this flaw to mount a denial of service attack against a

mumble client by causing the application to crash.

 

CVE-2014-0045

 

It was discovered that a malformed Opus voice packet sent to a

Mumble client could trigger a heap-based buffer overflow. A

malicious remote attacker could use this flaw to cause a client

crash (denial of service) or potentially use it to execute

arbitrary code.

 

The oldstable distribution (squeeze) is not affected by these problems.

 

For the stable distribution (wheezy), these problems have been fixed in

version 1.2.3-349-g315b5f5-2.2+deb7u1.

 

For the unstable distribution (sid), these problems will be fixed soon.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2855-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

February 05, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libav

Vulnerability : several

Problem type : local

Debian-specific: no

CVE ID : CVE-2011-3944 CVE-2013-0845 CVE-2013-0846 CVE-2013-0849

CVE-2013-0865 CVE-2013-7010 CVE-2013-7014 CVE-2013-7015

 

Several security issues have been corrected in multiple demuxers and

decoders of the libav multimedia library. The IDs mentioned above are just

a portion of the security issues fixed in this update. A full list of the

changes is available at

http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.10

 

For the stable distribution (wheezy), these problems have been fixed in

version 6:0.8.9-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 6:9.11-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2852-1 security@debian.org

http://www.debian.org/security/ Florian Weimer

February 06, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libgadu

Vulnerability : heap-based buffer overflow

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-6487

 

Yves Younan and Ryan Pentney discovered that libgadu, a library for

accessing the Gadu-Gadu instant messaging service, contained an

integer overflow leading to a buffer overflow. Attackers who

impersonate the server could crash clients and potentially execute

arbitrary code.

 

For the oldstable distribution (squeeze), this problem has been fixed

in version 1:1.9.0-2+squeeze2.

 

For the stable distribution (wheezy), this problem has been fixed in

version 1:1.11.2-1+deb7u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1:1.11.3-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2856-1 security@debian.org

http://www.debian.org/security/ Florian Weimer

February 07, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libcommons-fileupload-java

Vulnerability : denial of service

Problem type : remote

Debian-specific: no

CVE ID : CVE-2014-0050

 

It was discovered that the Apache Commons FileUpload package for Java

could enter an infinite loop while processing a multipart request with

a crafted Content-Type, resulting in a denial-of-service condition.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 1.2.2-1+deb6u2.

 

For the stable distribution (wheezy), this problem has been fixed in

version 1.2.2-1+deb7u2.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.3.1-1.

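The Commons FileUpload advisory above (DSA-2856, CVE-2014-0050) says only that a crafted Content-Type header could drive the multipart parser into an infinite loop. A cheap defensive gate in front of any multipart parser is to validate the boundary parameter against RFC 2046 before the body is touched: section 5.1.1 limits a boundary to 1 through 70 characters drawn from a fixed alphabet, so anything longer or stranger can be refused up front. The following C program is an added example written for this page; it is not Apache Commons code and the header strings in it are constructed samples.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 2046, section 5.1.1: a multipart boundary is 1 to 70 characters. */
#define MAX_BOUNDARY_LEN 70

/* Case-insensitive "does s start with prefix" (ASCII only). */
static int ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/*
 * Extract the boundary parameter of a multipart Content-Type value into out
 * (at least MAX_BOUNDARY_LEN + 1 bytes). Returns the boundary length, or 0
 * when the media type is not multipart, the parameter is missing or
 * malformed, or the boundary is empty, overlong, or uses characters outside
 * the RFC 2046 alphabet. A parser gated on a non-zero result is never handed
 * a boundary larger than a buffer sized to the RFC limit.
 */
size_t multipart_boundary(const char *content_type, char *out, size_t outsz)
{
    if (content_type == NULL || out == NULL || outsz < MAX_BOUNDARY_LEN + 1)
        return 0;
    if (!ci_prefix(content_type, "multipart/"))
        return 0;

    const char *p = strchr(content_type, ';');
    while (p != NULL) {
        p++;                                   /* step past ';' */
        while (*p == ' ' || *p == '\t')
            p++;
        if (ci_prefix(p, "boundary=")) {
            p += strlen("boundary=");
            const char *end;
            if (*p == '"') {                   /* quoted-string form */
                p++;
                end = strchr(p, '"');
                if (end == NULL)
                    return 0;                  /* unterminated quote */
            } else {                           /* token form */
                end = p;
                while (*end != '\0' && *end != ';' && *end != ' ' && *end != '\t')
                    end++;
            }
            size_t len = (size_t)(end - p);
            if (len == 0 || len > MAX_BOUNDARY_LEN)
                return 0;
            for (size_t i = 0; i < len; i++) {
                unsigned char c = (unsigned char)p[i];
                /* bchars := DIGIT / ALPHA / "'()+_,-./:=?" / SPACE */
                if (!isalnum(c) && strchr("'()+_,-./:=? ", c) == NULL)
                    return 0;
            }
            if (p[len - 1] == ' ')
                return 0;                      /* may not end in a space */
            memcpy(out, p, len);
            out[len] = '\0';
            return len;
        }
        p = strchr(p, ';');
    }
    return 0;                                  /* no boundary parameter */
}

/* Accept-or-reject wrapper: the boundary length, or 0 when rejected. */
size_t boundary_len(const char *content_type)
{
    char buf[MAX_BOUNDARY_LEN + 1];
    return multipart_boundary(content_type, buf, sizeof buf);
}

/* Constructed header whose boundary is one character past the RFC limit. */
size_t overlong_boundary_len(void)
{
    char hdr[128] = "multipart/form-data; boundary=";
    size_t base = strlen(hdr);
    memset(hdr + base, 'a', MAX_BOUNDARY_LEN + 1);
    hdr[base + MAX_BOUNDARY_LEN + 1] = '\0';
    return boundary_len(hdr);
}

int main(void)
{
    const char *samples[] = {                  /* constructed sample headers */
        "multipart/form-data; boundary=abc123",
        "Multipart/Mixed; charset=utf-8; Boundary=\"gc0p4Jq0M2Yt08j U534c0p\"",
        "text/plain; boundary=abc",
        "multipart/form-data",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-70s -> %zu\n", samples[i], boundary_len(samples[i]));
    printf("71-character boundary -> %zu\n", overlong_boundary_len());
    return 0;
}
```

The check is deliberately strict: a boundary that a conforming sender would never emit is rejected before the request body is read, which is also a convenient place to log and count such requests.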

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2857-1 security@debian.org

http://www.debian.org/security/ Markus Koschany

February 08, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libspring-java

Vulnerability : several

Problem type : remote

Debian-specific: no

CVE ID : CVE-2013-6429 CVE-2013-6430

 

It was discovered by the Spring development team that the fix for the

XML External Entity (XXE) Injection (CVE-2013-4152) in the Spring

Framework was incomplete.

 

Spring MVC's SourceHttpMessageConverter also processed user provided XML

and neither disabled XML external entities nor provided an option to

disable them. SourceHttpMessageConverter has been modified to provide an

option to control the processing of XML external entities and that

processing is now disabled by default.

 

In addition Jon Passki discovered a possible XSS vulnerability:

The JavascriptUtils.javascriptEscape() method did not escape all

characters that are sensitive within either a JS single quoted string,

JS double quoted string, or HTML script data context. In most cases this

will result in an unexploitable parse error but in some cases it could

result in an XSS vulnerability.

 

For the stable distribution (wheezy), these problems have been fixed in

version 3.0.6.RELEASE-6+deb7u2.

 

For the testing distribution (jessie), these problems have been fixed in

version 3.0.6.RELEASE-11.

 

For the unstable distribution (sid), these problems have been fixed in

version 3.0.6.RELEASE-11.

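The Spring advisory above (DSA-2857, CVE-2013-6430) describes an escaper that left out some characters that are significant in a single-quoted JS string, a double-quoted JS string, or HTML script data. The robust way to avoid that class of omission is to escape everything that is not a letter or digit rather than maintaining a list of dangerous characters. The C function below is an added example for this page, not Spring's JavascriptUtils: it emits every non-alphanumeric ASCII byte as \xHH (so quotes, backslash, newlines and the `<` `/` `>` of a `</script>` closer are all covered), and it turns the UTF-8 encodings of U+2028 and U+2029, which JavaScript treats as line terminators, into \u2028 and \u2029. The static buffer in the wrapper is a demonstration convenience.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Escape s for use inside a JavaScript string literal (single or double
 * quoted) that may itself sit inside an HTML <script> block. Every ASCII
 * byte other than a letter or digit becomes \xHH; the UTF-8 sequences for
 * U+2028 / U+2029 become \u2028 / \u2029; other non-ASCII bytes pass through.
 * Returns the bytes written (without the NUL), or (size_t)-1 if out is too
 * small.
 */
size_t js_string_escape(const char *s, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t n = 0;

    if (outsz == 0)
        return (size_t)-1;
    while (*p != '\0') {
        char tmp[8];
        size_t k;
        if (p[0] == 0xE2 && p[1] == 0x80 && (p[2] == 0xA8 || p[2] == 0xA9)) {
            /* JS line terminators U+2028 / U+2029 in their UTF-8 form */
            k = (size_t)snprintf(tmp, sizeof tmp, "\\u202%c", p[2] == 0xA8 ? '8' : '9');
            p += 3;
        } else if (*p < 0x80 && !isalnum(*p)) {
            k = (size_t)snprintf(tmp, sizeof tmp, "\\x%02X", *p);
            p += 1;
        } else {
            tmp[0] = (char)*p;
            k = 1;
            p += 1;
        }
        if (n + k >= outsz)
            return (size_t)-1;                 /* keep room for the NUL */
        memcpy(out + n, tmp, k);
        n += k;
    }
    out[n] = '\0';
    return n;
}

/* Wrapper over a static buffer; NULL when the result does not fit. */
const char *js_escaped(const char *s)
{
    static char buf[256];
    return js_string_escape(s, buf, sizeof buf) == (size_t)-1 ? NULL : buf;
}

int main(void)
{
    /* Constructed inputs covering the three contexts named in the advisory. */
    const char *inputs[] = {
        "</script><svg onload=x>",   /* script-data context */
        "it's \"quoted\"\n",         /* single- and double-quoted strings */
        "line\xE2\x80\xA8" "break",  /* U+2028 inside UTF-8 text */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%s\n", js_escaped(inputs[i]));
    return 0;
}
```

Because the output contains only letters, digits, backslashes and hex digits, it is safe in both quoting styles and cannot terminate an enclosing script element; the cost is slightly longer output, which is rarely a concern for values embedded in a page.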

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2858-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

February 10, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : iceweasel

Vulnerability : several

CVE ID : CVE-2014-1477 CVE-2014-1479 CVE-2014-1481 CVE-2014-1482

CVE-2014-1486 CVE-2014-1487 CVE-2014-1490 CVE-2014-1491

 

Multiple security issues have been found in Iceweasel, Debian's version

of the Mozilla Firefox web browser: Multiple memory safety errors,

use-after-frees, too-verbose error messages and missing permission checks

may lead to the execution of arbitrary code, the bypass of security

checks or information disclosure. This update also addresses security

issues in the bundled version of the NSS crypto library.

 

This update updates Iceweasel to the ESR24 series of Firefox.

 

For the stable distribution (wheezy), these problems have been fixed in

version 24.3.0esr-1~deb7u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 24.3.0esr-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2859-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

February 10, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : pidgin

Vulnerability : several

CVE ID : CVE-2013-6477 CVE-2013-6478 CVE-2013-6479 CVE-2013-6481

CVE-2013-6482 CVE-2013-6483 CVE-2013-6484 CVE-2013-6485

CVE-2013-6487 CVE-2013-6489 CVE-2013-6490 CVE-2014-0020

 

Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol

instant messaging client:

 

CVE-2013-6477

 

Jaime Breva Ribes discovered that a remote XMPP user can trigger a

crash by sending a message with a timestamp in the distant future.

 

CVE-2013-6478

 

Pidgin could be crashed through overly wide tooltip windows.

 

CVE-2013-6479

 

Jacob Appelbaum discovered that a malicious server or a "man in the

middle" could send a malformed HTTP header resulting in denial of

service.

 

CVE-2013-6481

 

Daniel Atallah discovered that Pidgin could be crashed through

malformed Yahoo! P2P messages.

 

CVE-2013-6482

 

Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin

could be crashed through malformed MSN messages.

 

CVE-2013-6483

 

Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin

could be crashed through malformed XMPP messages.

 

CVE-2013-6484

 

It was discovered that incorrect error handling when reading the

response from a STUN server could result in a crash.

 

CVE-2013-6485

 

Matt Jones discovered a buffer overflow in the parsing of malformed

HTTP responses.

 

CVE-2013-6487

 

Yves Younan and Ryan Pentney discovered a buffer overflow when parsing

Gadu-Gadu messages.

 

CVE-2013-6489

 

Yves Younan and Pawel Janic discovered an integer overflow when parsing

MXit emoticons.

 

CVE-2013-6490

 

Yves Younan discovered a buffer overflow when parsing SIMPLE headers.

 

CVE-2014-0020

 

Daniel Atallah discovered that Pidgin could be crashed via malformed

IRC arguments.

 

For the oldstable distribution (squeeze), no direct backport is provided.

Fixed packages will be provided through backports.debian.org shortly.

 

For the stable distribution (wheezy), these problems have been fixed in

version 2.10.9-1~deb7u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 2.10.9-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2860-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

February 11, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : parcimonie

Vulnerability : information disclosure

CVE ID : CVE-2014-1921

Debian Bug : 738134

 

Holger Levsen discovered that parcimonie, a privacy-friendly helper to

refresh a GnuPG keyring, is affected by a design problem that undermines

the usefulness of this piece of software in the intended threat model.

 

When using parcimonie with a large keyring (1000 public keys or more),

it would always sleep exactly ten minutes between two key fetches. This

can probably be used by an adversary who can watch enough key fetches to

correlate multiple key fetches with each other, which is what parcimonie

aims at protecting against. Smaller keyrings are affected to a smaller

degree. This problem is slightly mitigated when using an HKP(s) pool as

the configured GnuPG keyserver.

 

For the stable distribution (wheezy), this problem has been fixed in

version 0.7.1-1+deb7u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 0.8.1-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2850-2 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

February 12, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libyaml

Vulnerability : regression

Debian Bug : 738587

 

The security update released in DSA-2850-1 for libyaml introduced a

regression in libyaml failing to parse a subset of valid yaml documents.

For reference the original advisory text follows.

 

Florian Weimer of the Red Hat Product Security Team discovered a

heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and

emitter library. A remote attacker could provide a YAML document with a

specially-crafted tag that, when parsed by an application using libyaml,

would cause the application to crash or, potentially, execute arbitrary

code with the privileges of the user running the application.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 0.1.3-1+deb6u3.

 

For the stable distribution (wheezy), this problem has been fixed in

version 0.1.4-2+deb7u3.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2861-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

February 16, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : file

Vulnerability : denial of service

CVE ID : CVE-2014-1943

Debian Bug : 738832

 

It was discovered that file, a file type classification tool, contains a

flaw in the handling of "indirect" magic rules in the libmagic library,

which leads to an infinite recursion when trying to determine the file

type of certain files. The Common Vulnerabilities and Exposures project

ID CVE-2014-1943 has been assigned to identify this flaw. Additionally,

other well-crafted files might result in long computation times (while

using 100% CPU) and overlong results.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 5.04-5+squeeze3.

 

For the stable distribution (wheezy), this problem has been fixed in

version 5.11-2+deb7u1.

 

For the unstable distribution (sid), this problem will be fixed soon.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2862-1 security@debian.org

http://www.debian.org/security/ Michael Gilbert

February 16, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium-browser

Vulnerability : several

CVE ID : CVE-2013-6641 CVE-2013-6643 CVE-2013-6644 CVE-2013-6645

CVE-2013-6646 CVE-2013-6649 CVE-2013-6650

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2013-6641

 

Atte Kettunen discovered a use-after-free issue in Blink/Webkit form

elements.

 

CVE-2013-6643

 

Joao Lucas Melo Brasio discovered a Google account information

disclosure issue related to the one-click sign-on feature.

 

CVE-2013-6644

 

The chrome development team discovered and fixed multiple issues with

potential security impact.

 

CVE-2013-6645

 

Khalil Zhani discovered a use-after-free issue related to speech input.

 

CVE-2013-6646

 

Colin Payne discovered a use-after-free issue in the web workers

implementation.

 

CVE-2013-6649

 

Atte Kettunen discovered a use-after-free issue in the Blink/Webkit

SVG implementation.

 

CVE-2013-6650

 

Christian Holler discovered a memory corruption in the v8 javascript

library.

 

For the stable distribution (wheezy), these problems have been fixed in

version 32.0.1700.123-1~deb7u1.

 

For the testing distribution (jessie), these problems will be fixed soon.

 

For the unstable distribution (sid), these problems have been fixed in

version 32.0.1700.123-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2863-1 security@debian.org

http://www.debian.org/security/ Luciano Bello

February 18, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libtar

Vulnerability : directory traversal

CVE ID : CVE-2013-4420

Debian Bug : 731860

 

A directory traversal attack was reported against libtar, a C library for

manipulating tar archives. The application does not validate the

filenames inside the tar archive, allowing files to be extracted to an arbitrary

path. An attacker can craft a tar file to overwrite files beyond the

tar_extract_glob and tar_extract_all prefix parameter.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 1.2.11-6+deb6u2.

 

For the stable distribution (wheezy), this problem has been fixed in

version 1.2.16-1+deb7u2.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.2.20-2.

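The libtar advisory above (DSA-2863, CVE-2013-4420) comes down to one missing check: member names were joined to the extraction prefix without verifying that the result stays under that prefix. The C program below is an added example for this page, not libtar's code or its fix; it shows the check an extractor needs before creating anything on disk. Absolute names are refused, "." segments are ignored, each ".." pops one directory, and popping past the prefix root is the traversal case. The prefix and member names are constructed samples. Symlinks already under the prefix, or planted by earlier members, are a separate hazard that a name check alone does not cover.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if the archive member name would land outside the extraction
 * prefix once joined to it, 0 if it stays inside.
 */
int tar_name_escapes_prefix(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 1;                              /* empty or absolute */

    int depth = 0;                             /* directories below the prefix */
    const char *p = name;
    while (*p != '\0') {
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0)
                return 1;                      /* climbed above the prefix */
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;
        }
        while (*p == '/')                      /* collapse repeated slashes */
            p++;
    }
    return 0;
}

/*
 * Join prefix and member name, or return NULL when the name is rejected or
 * the result would not fit. Static buffer: not reentrant, fine for a demo.
 */
const char *safe_extract_path(const char *prefix, const char *name)
{
    static char path[4096];
    if (prefix == NULL || tar_name_escapes_prefix(name))
        return NULL;
    size_t plen = strlen(prefix);
    const char *sep = (plen > 0 && prefix[plen - 1] == '/') ? "" : "/";
    int n = snprintf(path, sizeof path, "%s%s%s", prefix, sep, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return NULL;
    return path;
}

int main(void)
{
    /* Constructed member names of the kind a crafted archive might carry. */
    const char *names[] = {
        "docs/readme.txt", "a/../b", "a/..", "../etc/passwd",
        "a/../../etc/passwd", "/etc/passwd", "",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *dst = safe_extract_path("/srv/extract", names[i]);
        printf("%-22s -> %s\n", names[i], dst ? dst : "REJECTED");
    }
    return 0;
}
```

The same walk works for any archive format that carries member paths; in an extractor the check belongs immediately before the open/mkdir call, and a rejected name is worth logging with the archive's origin.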

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2864-1 security@debian.org

http://www.debian.org/security/ Christoph Berg

February 20, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : postgresql-8.4

Vulnerability : several

CVE ID : CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063

CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067

 

Various vulnerabilities were discovered in PostgreSQL:

 

* Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

 

Granting a role without ADMIN OPTION is supposed to prevent the grantee

from adding or removing members from the granted role, but this

restriction was easily bypassed by doing SET ROLE first. The security

impact is mostly that a role member can revoke the access of others,

contrary to the wishes of his grantor. Unapproved role member additions

are a lesser concern, since an uncooperative role member could provide

most of his rights to others anyway by creating views or SECURITY

DEFINER functions. (CVE-2014-0060)

 

* Prevent privilege escalation via manual calls to PL validator functions

(Andres Freund)

 

The primary role of PL validator functions is to be called implicitly

during CREATE FUNCTION, but they are also normal SQL functions that a

user can call explicitly. Calling a validator on a function actually

written in some other language was not checked for and could be

exploited for privilege-escalation purposes. The fix involves adding a

call to a privilege-checking function in each validator function.

Non-core procedural languages will also need to make this change to

their own validator functions, if any. (CVE-2014-0061)

 

* Avoid multiple name lookups during table and index DDL (Robert Haas,

Andres Freund)

 

If the name lookups come to different conclusions due to concurrent

activity, we might perform some parts of the DDL on a different table

than other parts. At least in the case of CREATE INDEX, this can be used

to cause the permissions checks to be performed against a different

table than the index creation, allowing for a privilege escalation

attack. (CVE-2014-0062)

 

* Prevent buffer overrun with long datetime strings (Noah Misch)

 

The MAXDATELEN constant was too small for the longest possible value of

type interval, allowing a buffer overrun in interval_out(). Although the

datetime input functions were more careful about avoiding buffer

overrun, the limit was short enough to cause them to reject some valid

inputs, such as input containing a very long timezone name. The ecpg

library contained these vulnerabilities along with some of its own.

(CVE-2014-0063)

 

* Prevent buffer overrun due to integer overflow in size calculations

(Noah Misch, Heikki Linnakangas)

 

Several functions, mostly type input functions, calculated an allocation

size without checking for overflow. If overflow did occur, a too-small

buffer would be allocated and then written past. (CVE-2014-0064)

 

* Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

 

Use strlcpy() and related functions to provide a clear guarantee that

fixed-size buffers are not overrun. Unlike the preceding items, it is

unclear whether these cases really represent live issues, since in most

cases there appear to be previous constraints on the size of the input

string. Nonetheless it seems prudent to silence all Coverity warnings of

this type. (CVE-2014-0065)

 

* Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

 

There are relatively few scenarios in which crypt() could return NULL,

but contrib/chkpass would crash if it did. One practical case in which

this could be an issue is if libc is configured to refuse to execute

unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)

 

* Document risks of make check in the regression testing instructions

(Noah Misch, Tom Lane)

 

Since the temporary server started by make check uses "trust"

authentication, another user on the same machine could connect to it as

database superuser, and then potentially exploit the privileges of the

operating-system user who started the tests. A future release will

probably incorporate changes in the testing procedure to prevent this

risk, but some public discussion is needed first. So for the moment,

just warn people against using make check when there are untrusted users

on the same machine. (CVE-2014-0067)

 

For the oldstable distribution (squeeze), these problems have been fixed in

version 8.4.20-0squeeze1.

 

For the unstable distribution (sid), these problems have been fixed in

version 9.3.3-1 of the postgresql-9.3 package.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2865-1 security@debian.org

http://www.debian.org/security/ Moritz Muehlenhoff

February 20, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : postgresql-9.1

Vulnerability : several

CVE ID : CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063

CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067

 

Various vulnerabilities were discovered in PostgreSQL:

 

* Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

 

Granting a role without ADMIN OPTION is supposed to prevent the grantee

from adding or removing members from the granted role, but this

restriction was easily bypassed by doing SET ROLE first. The security

impact is mostly that a role member can revoke the access of others,

contrary to the wishes of his grantor. Unapproved role member additions

are a lesser concern, since an uncooperative role member could provide

most of his rights to others anyway by creating views or SECURITY

DEFINER functions. (CVE-2014-0060)

 

* Prevent privilege escalation via manual calls to PL validator functions

(Andres Freund)

 

The primary role of PL validator functions is to be called implicitly

during CREATE FUNCTION, but they are also normal SQL functions that a

user can call explicitly. Calling a validator on a function actually

written in some other language was not checked for and could be

exploited for privilege-escalation purposes. The fix involves adding a

call to a privilege-checking function in each validator function.

Non-core procedural languages will also need to make this change to

their own validator functions, if any. (CVE-2014-0061)

 

* Avoid multiple name lookups during table and index DDL (Robert Haas,

Andres Freund)

 

If the name lookups come to different conclusions due to concurrent

activity, we might perform some parts of the DDL on a different table

than other parts. At least in the case of CREATE INDEX, this can be used

to cause the permissions checks to be performed against a different

table than the index creation, allowing for a privilege escalation

attack. (CVE-2014-0062)

 

* Prevent buffer overrun with long datetime strings (Noah Misch)

 

The MAXDATELEN constant was too small for the longest possible value of

type interval, allowing a buffer overrun in interval_out(). Although the

datetime input functions were more careful about avoiding buffer

overrun, the limit was short enough to cause them to reject some valid

inputs, such as input containing a very long timezone name. The ecpg

library contained these vulnerabilities along with some of its own.

(CVE-2014-0063)

 

* Prevent buffer overrun due to integer overflow in size calculations

(Noah Misch, Heikki Linnakangas)

 

Several functions, mostly type input functions, calculated an allocation

size without checking for overflow. If overflow did occur, a too-small

buffer would be allocated and then written past. (CVE-2014-0064)

 

* Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

 

Use strlcpy() and related functions to provide a clear guarantee that

fixed-size buffers are not overrun. Unlike the preceding items, it is

unclear whether these cases really represent live issues, since in most

cases there appear to be previous constraints on the size of the input

string. Nonetheless it seems prudent to silence all Coverity warnings of

this type. (CVE-2014-0065)

 

* Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

 

There are relatively few scenarios in which crypt() could return NULL,

but contrib/chkpass would crash if it did. One practical case in which

this could be an issue is if libc is configured to refuse to execute

unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)

 

* Document risks of make check in the regression testing instructions

(Noah Misch, Tom Lane)

 

Since the temporary server started by make check uses "trust"

authentication, another user on the same machine could connect to it as

database superuser, and then potentially exploit the privileges of the

operating-system user who started the tests. A future release will

probably incorporate changes in the testing procedure to prevent this

risk, but some public discussion is needed first. So for the moment,

just warn people against using make check when there are untrusted users

on the same machine. (CVE-2014-0067)

 

For the stable distribution (wheezy), these problems have been fixed in

version 9.1_9.1.12-0wheezy1.

 

For the unstable distribution (sid), these problems have been fixed in

version 9.3.3-1 of the postgresql-9.3 package.

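Three advisories in this thread share one root cause: libgadu (DSA-2852) has "an integer overflow leading to a buffer overflow", the PostgreSQL item for CVE-2014-0064 describes functions that "calculated an allocation size without checking for overflow", so that "a too-small buffer would be allocated and then written past", and the mumble advisory concerns malformed voice packets. The C program below is an added example for this page, not the code of any of those projects: it shows the wrapping arithmetic side by side with a size computation that refuses to wrap, and a parser for a constructed length-prefixed record format (4-byte little-endian length, then payload) that bounds the declared length by the bytes actually received before allocating. The sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * The shape of the bug: a 32-bit length from the wire gets 1 added for a
 * terminator (or is multiplied by an element size), the sum wraps, a tiny
 * buffer is allocated, and the copy that follows uses the large length.
 */
uint32_t naive_record_size(uint32_t declared_len)
{
    return declared_len + 1;        /* wraps to 0 when declared_len == UINT32_MAX */
}

/*
 * Compute count * elem_size + extra without wrapping. Returns 1 and stores
 * the total on success, 0 if any step would overflow size_t.
 */
int checked_alloc_size(size_t count, size_t elem_size, size_t extra, size_t *total)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;
    size_t bytes = count * elem_size;
    if (bytes > SIZE_MAX - extra)
        return 0;
    *total = bytes + extra;
    return 1;
}

/* 1 if the requested size would wrap, 0 otherwise. */
int alloc_size_overflows(size_t count, size_t elem_size, size_t extra)
{
    size_t total;
    return !checked_alloc_size(count, elem_size, extra, &total);
}

/*
 * Parse a record: 4-byte little-endian length, then payload. Returns the
 * payload length, or -1 if the packet is truncated, the declared length
 * exceeds what was received, or the allocation size would wrap. When
 * payload_out is non-NULL the caller owns the NUL-terminated copy.
 */
long parse_record(const uint8_t *pkt, size_t pktlen, uint8_t **payload_out)
{
    if (pkt == NULL || pktlen < 4)
        return -1;
    uint32_t declared = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8)
                      | ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);

    /* The wire length must fit inside the bytes actually received. */
    if (declared > pktlen - 4)
        return -1;

    size_t total;
    if (!checked_alloc_size(declared, 1, 1, &total))   /* +1 for the NUL */
        return -1;

    uint8_t *buf = malloc(total);
    if (buf == NULL)
        return -1;
    memcpy(buf, pkt + 4, declared);
    buf[declared] = '\0';

    if (payload_out != NULL)
        *payload_out = buf;
    else
        free(buf);
    return (long)declared;
}

/* Constructed sample packets. */
const uint8_t SAMPLE_OK[]  = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
const uint8_t SAMPLE_LIE[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'x' };  /* claims 4 GiB, carries 1 byte */

int main(void)
{
    printf("naive size for UINT32_MAX: %u\n", naive_record_size(UINT32_MAX));
    printf("SAMPLE_OK  -> %ld\n", parse_record(SAMPLE_OK, sizeof SAMPLE_OK, NULL));
    printf("SAMPLE_LIE -> %ld\n", parse_record(SAMPLE_LIE, sizeof SAMPLE_LIE, NULL));
    return 0;
}
```

The order of the two checks matters: comparing the declared length against the received length first means the overflow-checked size computation only ever sees values that are already plausible, and a packet that lies about its length is rejected without any allocation at all.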

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2866-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

February 22, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gnutls26

Vulnerability : certificate verification flaw

CVE ID : CVE-2014-1959

 

Suman Jana reported that GnuTLS, deviating from the documented behavior,

considers a version 1 intermediate certificate as a CA certificate by

default.

 

The oldstable distribution (squeeze) is not affected by this problem as

X.509 version 1 trusted CA certificates are not allowed by default.

 

For the stable distribution (wheezy), this problem has been fixed in

version 2.12.20-8.

 

For the testing distribution (jessie) and the unstable distribution

(sid), this problem has been fixed in version 2.12.23-12.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2867-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

February 23, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : otrs2

Vulnerability : several

CVE ID : CVE-2014-1471 CVE-2014-1694

 

Several vulnerabilities were discovered in otrs2, the Open Ticket

Request System. The Common Vulnerabilities and Exposures project

identifies the following problems:

 

CVE-2014-1471

 

Norihiro Tanaka reported missing challenge token checks. An attacker

that managed to take over the session of a logged in customer could

create tickets and/or send follow-ups to existing tickets due to

these missing checks.

 

CVE-2014-1694

 

Karsten Nielsen from Vasgard GmbH discovered that an attacker with a

valid customer or agent login could inject SQL code through the

ticket search URL.

 

For the oldstable distribution (squeeze), these problems have been fixed in

version 2.4.9+dfsg1-3+squeeze5.

 

For the stable distribution (wheezy), these problems have been fixed in

version 3.1.7+dfsg1-8+deb7u4.

 

For the testing distribution (jessie) and the unstable distribution

(sid), these problems have been fixed in version 3.3.4-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-2868-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

March 02, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php5

Vulnerability : denial of service

CVE ID : CVE-2014-1943

Debian Bug : 739012

 

It was discovered that file, a file type classification tool, contains a

flaw in the handling of "indirect" magic rules in the libmagic library,

which leads to an infinite recursion when trying to determine the file

type of certain files. The Common Vulnerabilities and Exposures project

ID CVE-2014-1943 has been assigned to identify this flaw. Additionally,

other well-crafted files might result in long computation times (while

using 100% CPU) and overlong results.

 

This update corrects this flaw in the copy that is embedded in the

php5 package.

 

For the oldstable distribution (squeeze), this problem has been fixed in

version 5.3.3-7+squeeze19.

 

For the stable distribution (wheezy), this problem has been fixed in

version 5.4.4-14+deb7u8.

 

For the testing distribution (jessie) and the unstable distribution

(sid), this problem will be fixed soon.

