Two security issues were found in the Python interface to the apt package manager; package downloads from unsigned repositories were incorrectly rejected and the hash validation relied on MD5.
Comment
Posts Tagged Debian
211 results.
Multiple integer overflows have been discovered in the libtiff library and the included tools. For the stable distribution (buster), these problems have been fixed in
Lukas Kupczyk reported a vulnerability in the handling of chunked HTTP in openconnect, an open client for Cisco AnyConnect, Pulse and GlobalProtect VPN. A malicious HTTP server (after having accepted its identity certificate), can provide bogus chunk lengths for chunked HTTP
Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, incorrect implementation of Kerberos GSSAPI and TGS requests or incorrect TLS handshakes.
Multiple issues have been found in cacti, a server monitoring system, potentially resulting in SQL code execution or information disclosure by authenticated users.
Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code or information disclosure.
Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, guest-to-host privilege escalation or information leaks.
It was discovered that a hook script of ldm, the display manager for the Linux Terminal Server Project incorrectly parsed responses from an SSH server which could result in local root privilege escalation.
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, data exfiltration or cross-site scripting.
Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create open redirects, poison cache, and bypass authorization access and
Simon Charette reported that the password reset functionality in Django, a high-level Python web development framework, uses a Unicode case-insensitive query to retrieve accounts matching the email address requesting the password reset. An attacker can take advantage of this
It was reported that Netty, a Java NIO client/server framework, is prone to a HTTP request smuggling vulnerability due to mishandling whitespace before the colon in HTTP headers.
Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross- site scripting, denial of service via resource exhaustion and insecure redirects.
It was discovered that debian-lan-config, a FAI config space for the Debian-LAN system, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other user principals.
It was found that freeimage, a graphics library, was affected by the following two security issues: CVE-2019-12211
Guido Vranken discovered an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. For the oldstable distribution (stretch), this problem has been fixed
It was discovered that the Title blacklist functionality in MediaWiki, a website engine for collaborative work, could by bypassed. For the oldstable distribution (stretch), this problem has been fixed
Stephan Zeisberg reported an out-of-bounds write vulnerability in the _sasl_add_string() function in cyrus-sasl2, a library implementing the Simple Authentication and Security Layer. A remote attacker can take advantage of this issue to cause denial-of-service conditions for
It was discovered that the lmtpd component of the Cyrus IMAP server created mailboxes with administrator privileges if the “fileinto” was used, bypassing ACL checks.
It was discovered that debian-edu-config, a set of configuration files used for the Debian Edu blend, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other user principals.
It was discovered that python-ecdsa, a cryptographic signature library for Python, incorrectly handled certain signatures. A remote attacker could use this issue to cause python-ecdsa to either not warn about incorrect signatures, or generate exceptions resulting in a
Several vulnerabilities have been discovered in the interpreter for the Ruby language, which could result in unauthorized access by bypassing intended path matchings, denial of service, or the execution of arbitrary code.
Several vulnerabilities have been discovered in the interpreter for the Ruby language, which could result in unauthorized access by bypassing intended path matchings, denial of service, or the execution of arbitrary code.
Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code. For the oldstable distribution (stretch), these problems have been fixed
Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis. CVE-2018-11805
This update ships updated CPU microcode for CFL-S (Coffe Lake Desktop) models of Intel CPUs which were not yet included in the Intel microcode update released as DSA 4565-1. For details please refer to https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/IPU-2019.2-microcode-update-guidance-v1.01.pdf
Multiple cross-site scripting and cross-site request forgery issues were discovered in the DAViCal CalDAV Server. For the oldstable distribution (stretch), these problems have been fixed
A vulnerability was discovered in the SPIP publishing system, which could result in unauthorised writes to the database by authors. The oldstable distribution (stretch) is not affected.
Several vulnerabilities have been discovered in git, a fast, scalable, distributed revision control system. CVE-2019-1348