Advisory: Debian LTS Essential and Critical Security Patch Updates
Find the information you need for your favorite open source distribution .
Find the information you need for your favorite open source distribution .
The cPanel Security Team reported a time of check to time of use (TOCTTOU) race condition flaw in File::Path, a core module from Perl to create or remove directory trees. An attacker can take advantage of this flaw to set the mode on an attacker-chosen file to an attacker-chosen
Several issues were discovered in FreeRADIUS, a high-performance and highly configurable RADIUS server. CVE-2014-2015
Hanno Bock discovered that there was a buffer over-read vulnerability in the yodl ("Your Own Document Language") document processor. For Debian 7 "Wheezy", this issue has been fixed in yodl version
Several vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following issues.
It was discovered that there was a double-free vulnerability in the "openldap" LDAP server. A user with access to search the directory could crash slapd by issuing
Two denial of service vulnerabilities were identified in strongSwan, an IKE/IPsec suite, using Google's OSS-Fuzz fuzzing project. CVE-2017-9022
It was discovered that there was a command injection vulnerability in picocom, a dumb-terminal emulation program. For Debian 7 "Wheezy", this issue has been fixed in picocom version
Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2017-7502 A null pointer dereference vulnerability in NSS was found when server receives empty SSLv2 messages. This issue was introduced with the recent
Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution for Linux hosts on x86 hardware with x86 guests based on the Quick Emulator(Qemu).
The Qualys Security team discovered that sudo, a program designed to provide limited super user privileges to specific users, does not properly parse "/proc/[pid]/stat" to read the device number of the tty from field 7 (tty_nr). A sudoers user can take advantage of this flaw on
Two vulnerabilities have been discovered in libtiff, a library providing support for the Tag Image File Format, which may result in denial of service (out-of-bounds read or assertion failure) via a crafted TIFF file.
Several heap-based buffer overflows and NULL pointer dereferences have been discovered in libpodofo, a library for manipulating PDF files, that allow remote attackers to cause a denial of service (application crash) or other unspecified impact via a
Gajim implements XEP-0146, an XMPP extension to run commands remotely from another client. However it was found that malicious servers can trigger commands, which could lead to leaking private conversations from encrypted sessions. To solve this, XEP-0146 support has been
It was found that pngquant is susceptible to a buffer overflow write issue triggered by a maliciously crafted png image, which could lead into denial of service or other issues.
CVE-2017-7650: Pattern based ACLs can be bypassed by clients that set their username/client id to ‘#’ or ‘+’. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.
It was discovered that the exiv2 library fails to parse some crafted tiff images, leading to denial of service via application crash. For Debian 7 "Wheezy", these problems have been fixed in version
CVE-2017-8911 An integer underflow has been identified in the unicode_to_utf8() function in tnef 1.4.14. This might lead to invalid write
This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure, or the execution of
It was discovered that there was a use-after-free vulnerability in the libical iCalendar library. Remote attackers could cause a denial of service and possibly read heap memory via a specially crafted .ICS file.