OVAL definitions export
Generator: The OVAL Repository; schema version 5.4; generated 2014-07-01T06:31:59.059-04:00

DEFINITIONS (vulnerability class)

DSA-2925-1 rxvt-unicode - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: rxvt-unicode
  Description: Phillip Hallam-Baker discovered that window property values could be queried in rxvt-unicode, resulting in the potential execution of arbitrary commands.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2915-1 dpkg - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: dpkg
  Description: Jakub Wilk discovered that dpkg did not correctly parse C-style filename quoting, allowing for paths to be traversed when unpacking a source package - leading to the creation of files outside the directory of the source being unpacked.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2927-1 libxfont - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: libxfont
  Description: Ilja van Sprundel of IOActive discovered several security issues in the X.Org libXfont library, which may allow a local, authenticated user to attempt to raise privileges; or a remote attacker who can control the font server to attempt to execute code with the privileges of the X server.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2915-2 dpkg - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: dpkg
  Description: Jakub Wilk discovered that dpkg did not correctly parse C-style filename quoting, allowing for paths to be traversed when unpacking a source package - leading to the creation of files outside the directory of the source being unpacked.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2921-1 xbuffy - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: xbuffy
  Description: Michael Niedermayer discovered a vulnerability in xbuffy, a utility for displaying message count in mailbox and newsgroup accounts.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2922-1 strongswan - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: strongswan
  Description: A vulnerability has been found in the ASN.1 parser of strongSwan, an IKE/IPsec suite used to establish IPsec protected links.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2934-1 python-django - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: python-django
  Description: Several vulnerabilities were discovered in Django, a high-level Python web development framework.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2912-1 openjdk-6 - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: openjdk-6
  Description: Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2910-1 qemu-kvm - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: qemu-kvm
  Description: Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2902-1 curl - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: curl
  Description: Two vulnerabilities have been discovered in cURL, a URL transfer library.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2901-1 wordpress - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: wordpress
  Description: Several vulnerabilities were discovered in Wordpress, a web blogging tool.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2916-1 libmms - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: libmms
  Description: Alex Chapman discovered that a buffer overflow in processing "MMS over HTTP" messages could result in the execution of arbitrary code.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2904-1 virtualbox - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Products: virtualbox-ose, virtualbox
  Description: Francisco Falcon discovered that missing input sanitizing in the 3D acceleration code in VirtualBox could lead to the execution of arbitrary code on the host system.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2914-1 drupal6 - security update
  Affected platforms: Debian GNU/Linux 6.0
  Product: drupal6
  Description: An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2917-1 super - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: super
  Description: John Lightsey of the Debian Security Audit project discovered that the super package did not check for setuid failures, allowing local users to increase the privileges on kernel versions which do not guard against RLIMIT_NPROC attacks.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2928-1 linux-2.6 - security update
  Affected platforms: Debian GNU/Linux 6.0
  Product: linux-2.6
  Description: Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2894-1 openssh - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: openssh
  Description: Two vulnerabilities were discovered in OpenSSH, an implementation of the SSH protocol suite.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2906-1 linux-2.6 - several
  Affected platforms: Debian GNU/Linux 6.0
  Product: linux-2.6
  Description: NOT FOUND!!!
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2874-1 mutt - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: mutt
  Description: Beatrice Torracca and Evgeni Golov discovered a buffer overflow in the mutt mailreader. Malformed RFC2047 header lines could result in denial of service or potentially the execution of arbitrary code.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2899-1 openafs - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: openafs
  Description: Michael Meffie discovered that in OpenAFS, a distributed filesystem, an attacker with the ability to connect to an OpenAFS fileserver can trigger a buffer overflow, crashing the fileserver, and potentially permitting the execution of arbitrary code.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2903-1 strongswan - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: strongswan
  Description: An authentication bypass vulnerability was found in charon, the daemon handling IKEv2 in strongSwan, an IKE/IPsec suite. The state machine handling the security association (IKE_SA) handled some state transitions incorrectly.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2909-1 qemu - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: qemu
  Description: Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2892-1 a2ps - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: a2ps
  Description: Several vulnerabilities have been found in a2ps, an "Anything to PostScript" converter and pretty-printer.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2898-1 imagemagick - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: imagemagick
  Description: Several buffer overflows were found in Imagemagick, a suite of image manipulation programs. Processing malformed PSD files could lead to the execution of arbitrary code.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2885-1 libyaml-libyaml-perl - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: libyaml-libyaml-perl
  Description: Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2867-1 otrs2 - several
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: otrs2
  Description: Several vulnerabilities were discovered in otrs2, the Open Ticket Request System.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2873-1 file - several
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: file
  Description: Several vulnerabilities have been found in file, a file type classification tool.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2893-1 openswan - security update
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: openswan
  Description: Two vulnerabilities were fixed in Openswan, an IKE/IPsec implementation for Linux.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2841-1 movabletype-opensource - cross-site scripting
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: movabletype-opensource
  Description: A cross-site scripting vulnerability was discovered in the rich text editor of the Movable Type blogging engine.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2832-1 memcached - several
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: memcached
  Description: Multiple vulnerabilities have been found in memcached, a high-performance memory object caching system.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2827-1 libcommons-fileupload-java - arbitrary file upload via deserialization
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: libcommons-fileupload-java
  Description: It was discovered that Apache Commons FileUpload, a package to make it easy to add robust, high-performance, file upload capability to servlets and web applications, incorrectly handled file names with NULL bytes in serialized instances. A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is accessible to the user running the application server process.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2816-1 php5 - several
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: php5
  Description: Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2829-1 hplip - several
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: hplip
  Description: Multiple vulnerabilities have been found in the HP Linux Printing and Imaging System: insecure temporary files, insufficient permission checks in PackageKit, and the insecure hp-upgrade service has been disabled.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2674-1 libxv - several
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: libxv
  Description: Ilja van Sprundel of IOActive discovered several security issues in multiple components of the X.org graphics stack and the related libraries: various integer overflows, sign handling errors in integer conversions, buffer overflows, memory corruption and missing input sanitising may lead to privilege escalation or denial of service.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2261-1 redmine - several
  Affected platforms: Debian GNU/Linux 6.0
  Product: redmine
  Description: Joernchen of Phenoelit discovered several vulnerabilities in Redmine, a project management web application.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2531-1 xen - several
  Affected platforms: Debian GNU/Linux 6.0
  Product: xen
  Description: Several denial-of-service vulnerabilities have been discovered in Xen, the popular virtualization software.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2448-1 inspircd - buffer overflow
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: inspircd
  Description: It was discovered that a heap-based buffer overflow in InspIRCd could allow remote attackers to execute arbitrary code via a crafted DNS query.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2612-1 ircd-ratbox - programming error
  Affected platforms: Debian GNU/Linux 6.0
  Product: ircd-ratbox
  Description: It was discovered that a bug in the server capability negotiation code of ircd-ratbox could result in denial of service.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED. Status: ACCEPTED

DSA-2701-1 krb5 - denial of service
  Affected platforms: Debian GNU/Linux 6.0, Debian GNU/Linux 7
  Product: krb5
  Description: It was discovered that the kpasswd service running on UDP port 464 could respond to response packets, creating a packet loop and a denial of service condition.
  Submitted by Sergey Artykhov; status changes: DRAFT, INTERIM, ACCEPTED; modified by Maria Kedovskaya; status change: INTERIM; modified by Sergey Artykhov; status change: ACCEPTED. Status: ACCEPTED

DEFINITIONS (inventory class)

Debian 7 is installed
  Platform: Debian 7
  Description: Debian 7 (wheezy) is installed
  Submitted by Maria Kedovskaya; status changes: DRAFT, INTERIM, ACCEPTED; modified by Sergey Artykhov; status changes: INTERIM, ACCEPTED; modified by Sergey Artykhov; status changes: INTERIM, ACCEPTED. Status: ACCEPTED

Debian 6.0 is installed
  Platform: Debian 6.0
  Description: Debian 6.0 (squeeze) is installed
  Submitted by SecPod Team; status changes: DRAFT, INTERIM; modified by Chandan S; status change: ACCEPTED; modified by Sergey Artykhov; status changes: INTERIM, ACCEPTED. Status: ACCEPTED

OBJECTS

Package (dpkginfo) objects, in repository order:
  rxvt-unicode, libxfont, dpkg, xbuffy, python-django, openjdk-6, qemu-kvm, curl, wordpress, libmms, virtualbox, virtualbox-ose, drupal6, super, openssh, linux-2.6, mutt, openafs, strongswan, qemu, a2ps, imagemagick, libyaml-libyaml-perl, otrs2, file, openswan, movabletype-opensource, memcached, libcommons-fileupload-java, php5, hplip, libxv, redmine, xen, inspircd, ircd-ratbox, krb5

Text file content objects (release detection):
  path: /etc  filename: debian_version  pattern: ^(\d).*$    instance: 1
  path: /etc  filename: debian_version  pattern: ^(\d\.\d).*$  instance: 1

STATES

Package version (epoch:version-revision) states, in repository order (the export does not carry the package-to-state mapping, so they are listed flat):
  0:9.15-2+deb7u1
  0:9.07-2+deb6u1
  0:1.15.9-0
  0:1.16.13-0
  1:1.4.5-4
  1:1.4.1-5
  0:1.16.14-0
  0:1.15.10-0
  0:3.3.bl.3.dfsg-8+deb7u1
  0:3.3.bl.3.dfsg-8+deb6u1
  0:4.5.2-1.5+deb7u4
  0:4.4.1-5.6
  0:1.4.5-1+deb7u7
  0:1.2.3-3+squeeze10
  0:6b31-1.13.3-1~deb7u1
  0:6b31-1.13.3-1~deb6u1
  0:0.12.5+dfsg-5+squeeze11
  0:1.1.2+dfsg-6+deb7u1
  0:7.21.0-2.1+squeeze8
  0:7.26.0-1+wheezy9
  0:3.6.1+dfsg-1~deb6u2
  0:3.6.1+dfsg-1~deb7u2
  0:0.6.2-3+deb7u1
  0:0.6-1+squeeze2
  0:4.1.18-dfsg-2+deb7u3
  0:3.2.10-dfsg-1+squeeze3
  0:6.31-1
  0:3.30.0-3+squeeze2
  0:3.30.0-6+deb7u1
  0:2.6.32-48squeeze6
  1:6.0p1-4+deb7u1
  1:5.5p1-6+squeeze5
  0:2.6.32-48squeeze5
  0:1.5.21-6.2+deb7u2
  0:1.5.20-9+squeeze3
  0:1.6.1-3+deb7u2
  0:1.4.12.1+dfsg-4+squeeze3
  0:4.5.2-1.5+deb7u3
  0:4.4.1-5.5
  0:0.12.5+dfsg-3squeeze4
  0:1.1.2+dfsg-6a+deb7u1
  1:4.14-1.1+deb6u1
  1:4.14-1.1+deb7u1
  8:6.7.7.10-5+deb7u3
  8:6.6.0.4-3+squeeze4
  0:0.33-1+squeeze3
  0:0.38-3+deb7u2
  0:3.1.7+dfsg1-8+deb7u4
  0:2.4.9+dfsg1-3+squeeze5
  0:5.11-2+deb7u2
  0:5.04-5+squeeze4
  1:2.6.37-3+deb7u1
  1:2.6.28+dfsg-5+squeeze2
  0:4.3.8+dfsg-0+squeeze4
  0:5.1.4+dfsg-4+deb7u1
  0:1.4.13-0.2+deb7u1
  0:1.4.5-1+deb6u1
  0:1.2.2-1+deb7u1
  0:1.2.2-1+deb6u1
  0:5.3.3-7+squeeze18
  0:5.4.4-14+deb7u7
  0:3.10.6-2+squeeze2
  0:3.12.6-3.1+deb7u1
  2:1.0.5-1+squeeze1
  2:1.0.7-1+deb7u1
  0:1.0.1-2
  0:4.0.1-5.3
  0:1.1.22+dfsg-4+squeeze1
  0:1.1.22+dfsg-4+wheezy1
  0:3.0.6.dfsg-2squeeze1
  0:1.8.3+dfsg-4squeeze7
  0:1.10.1+dfsg-5+deb7u1

Text file content states (matched against /etc/debian_version):
  7
  6.0