Micha

Pro

  • »Micha« is the author of this thread

Posts: 1 422

Registration date: 10 January 2003

Location: Saxony

Occupation: Communications engineer

Hobbies: uh... lots

1 001

Monday, 14 May 2012, 17:00

Package : iceweasel / icedove
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-0467 CVE-2012-0470 CVE-2012-0471 CVE-2012-0477
         CVE-2012-0479

The updates DSA-2457 and DSA-2458 for Iceweasel and Icedove introduced a regression, which could lead to crashes when interpreting some JavaScript statements.

For the stable distribution (squeeze), this problem has been fixed in version 3.5.16-15 for Iceweasel and 2.0.11-12 for Icedove.

The unstable distribution (sid) is not affected.

We recommend that you upgrade your iceweasel and icedove packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Micha

1 002

Monday, 14 May 2012, 17:01

Package : ffmpeg
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2011-3892 CVE-2011-3893 CVE-2011-3895 CVE-2011-3929
         CVE-2011-3936 CVE-2011-3940 CVE-2011-3947 CVE-2012-0853
         CVE-2012-0947

Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. Multiple input validations in the decoders/demuxers for Westwood Studios VQA, Apple MJPEG-B, Theora, Matroska, Vorbis, Sony ATRAC3, DV and NSV files could lead to the execution of arbitrary code.

These issues were discovered by Aki Helin, Mateusz Jurczyk, Gynvael Coldwind, and Michael Niedermayer.

For the stable distribution (squeeze), this problem has been fixed in version 4:0.5.8-1.

For the unstable distribution (sid), this problem has been fixed in version 6:0.8.2-1 of libav.

We recommend that you upgrade your ffmpeg packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Micha

1 003

Wednesday, 16 May 2012, 16:19

Package : gridengine
Vulnerability : privilege escalation
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-0208

Dave Love discovered that users who are allowed to submit jobs to a Grid Engine installation can escalate their privileges to root because the environment is not properly sanitized before creating processes.

For the stable distribution (squeeze), this problem has been fixed in version 6.2u5-1squeeze1.

For the unstable distribution (sid), this problem has been fixed in version 6.2u5-6.

We recommend that you upgrade your gridengine packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Micha

1 004

Thursday, 17 May 2012, 08:39

Package : openoffice.org
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2012-1149

Tielei Wang discovered that OpenOffice.org does not allocate a large enough memory region when processing a specially crafted JPEG object, leading to a heap-based buffer overflow and potentially arbitrary code execution.

For the stable distribution (squeeze), this problem has been fixed in version 1:3.2.1-11+squeeze5.

For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1:3.4.5-1 of the libreoffice package.

We recommend that you upgrade your openoffice.org packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Micha

1 005

Thursday, 17 May 2012, 08:40

Package : ikiwiki
Vulnerability : cross-site scripting
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-0220

Raúl Benencia discovered that ikiwiki, a wiki compiler, does not properly escape the author (and its URL) of certain metadata, such as comments. This might be used to conduct cross-site scripting attacks.

For the stable distribution (squeeze), this problem has been fixed in version 3.20100815.9.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 3.20120516.

We recommend that you upgrade your ikiwiki packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Micha

1 006

Friday, 18 May 2012, 08:28

Package : openssl
Vulnerability : integer underflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-2333

It was discovered that openssl did not correctly handle explicit Initialization Vectors for CBC encryption modes, as used in TLS 1.1, 1.2, and DTLS. An incorrect calculation would lead to an integer underflow and incorrect memory access, causing denial of service (application crash).

For the stable distribution (squeeze), this problem has been fixed in version 0.9.8o-4squeeze13.

For the testing distribution (wheezy), and the unstable distribution (sid), this problem has been fixed in version 1.0.1c-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Micha

1 007

Saturday, 19 May 2012, 21:53

Package : pidgin-otr
Vulnerability : format string vulnerability
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-2369
Debian Bug : 673154

intrigeri discovered a format string error in pidgin-otr, an off-the-record messaging plugin for Pidgin.

This could be exploited by a remote attacker to cause arbitrary code to be executed on the user's machine.

The problem is only in pidgin-otr. Other applications which use libotr are not affected.

For the stable distribution (squeeze), this problem has been fixed in version 3.2.0-5+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in version 3.2.1-1.

For the unstable distribution (sid), this problem has been fixed in version 3.2.1-1.

We recommend that you upgrade your pidgin-otr packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Micha

1 008

Yesterday, 21:52

Package : sympa
Vulnerability : authorization bypass
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-2352
Debian Bug :

Several vulnerabilities have been discovered in Sympa, a mailing list manager, that allow the scenario-based authorization mechanisms to be skipped. This vulnerability allows unauthorized users to display the archives management page, and to download and delete the list archives.

For the stable distribution (squeeze), this problem has been fixed in version 6.0.1+dfsg-4+squeeze1.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 6.1.11~dfsg-2.

We recommend that you upgrade your sympa packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/
