Commit d4164fa5 authored by Rhonda D'Vine 🏳🌈

submitted BSA 085, 086 and 087

parent 0ea5f290
......@@ -82,6 +82,6 @@
082 haproxy
083 xml-security-c
084-darktable
085-roundcube
086-strongswan
087-openssh
085 roundcube
086 strongswan
087 openssh
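Review bot: The hunk header `@@ -82,6 +82,6 @@` (six lines on each side) together with the doubled entries suggests the three hyphenated rows `085-roundcube`, `086-strongswan`, `087-openssh` are being replaced by the space-separated `085 roundcube`, `086 strongswan`, `087 openssh`, yet the neighbouring context row `084-darktable` keeps the hyphenated form while `082 haproxy` and `083 xml-security-c` use the space form. If the intent is to normalise the index to `NNN name`, `084-darktable` should be changed in the same commit so the listing does not end up with a single odd row.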
[[!meta date="2013-11-12 21:33:26 UTC"]]
Package : roundcube
Vulnerability : design error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-6172
Debian Bug : 727668
It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, does not properly sanitize the _session
parameter in steps/utils/save_pref.inc during saving preferences. The
vulnerability can be exploited to overwrite configuration settings and
subsequently allowing random file access, manipulated SQL queries and
even code execution.
roundcube in the oldstable distribution (squeeze) is not affected by
this problem.
For backports for the oldstable distribution (squeeze-backports-sloppy),
this problem has been fixed in 0.9.5-1~bpo60+1.
For the stable distribution (wheezy), this problem has been fixed in
version 0.7.2-9+deb7u1.
For backports for the stable distribution (wheezy-backports),
this problem has been fixed in 0.9.5-1~bpo70+1.
For the unstable distribution (sid), this problem has been fixed in
version 0.9.4-1.1.
We recommend that you upgrade your roundcube packages.
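Review bot: In the impact sentence of the roundcube advisory, "can be exploited to overwrite configuration settings and subsequently allowing random file access" has an agreement problem ("allowing" should be "allows") and "random file access" should read "arbitrary file access", which is the standard wording for this class of impact. The openssh advisory in this same commit ends its description with a security-tracker link; adding one for CVE-2013-6172 in the same form as the one given for CVE-2013-4548 would keep the three advisories consistent.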
[[!meta date="2013-11-12 22:20:01 UTC"]]
Updated strongswan packages for squeeze-backports and wheezy-backports
fix the following vulnerabilities:
- CVE-2013-2944: When using the openssl plugin for ECDSA based
authentication, an empty, zeroed or otherwise invalid signature is
handled as a legitimate one.
- CVE-2013-6075: DoS vulnerability and potential authorization bypass
triggered by a crafted ID_DER_ASN1_DN ID payload.
- CVE-2013-6076: DoS vulnerability triggered by crafted IKEv1
fragmentation payloads.
The squeeze-backports distribution was affected by CVE-2013-2944 and
CVE-2013-6075. These problems have been fixed in version
4.5.2-1.5+deb7u2~bpo60+1.
The wheezy-backports distribution was affected by CVE-2013-6075 and
CVE-2013-6076. These problems have been fixed in version
5.1.0-3~bpo70+1.
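Review bot: The strongswan advisory lacks the `Package :` / `Vulnerability :` / `Problem type :` / `Debian-specific:` / `CVE ID :` header block and the closing "We recommend that you upgrade your ... packages." sentence that the roundcube advisory in this commit carries; the three CVEs are otherwise listed clearly, so adding that block is mostly a consistency fix. The `[[!meta date="2013-11-12 22:20:01 UTC"]]` line is byte-identical to the one on the openssh advisory that follows, which looks like a copy-paste; check which timestamp was intended for each.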
[[!meta date="2013-11-12 22:20:01 UTC"]]
Colin Watson uploaded new packages for openssh which fixed the following
security problems:
CVE-2013-4548
A memory corruption vulnerability exists in the post-authentication
sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or
aes256-gcm@openssh.com) is selected during kex exchange.
If exploited, this vulnerability might permit code execution with the
privileges of the authenticated user and may therefore allow bypassing
restricted shell/command configurations.
https://security-tracker.debian.org/tracker/CVE-2013-4548
For the wheezy-backports distribution, this problem has been fixed in
version 1:6.4p1-1~bpo70+1.
For the testing (jessie) and unstable (sid) distributions, this problem
has been fixed in version 1:6.4p1-1.
Other distributions are not vulnerable.
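Review bot: "selected during kex exchange" is redundant, since "kex" already abbreviates key exchange; "during key exchange" reads correctly. "Other distributions are not vulnerable." leaves the stable (wheezy) and oldstable (squeeze) suites implicit, whereas the roundcube advisory in this commit names each suite and its status explicitly; stating wheezy and squeeze by name here would remove any doubt that they were considered. As with the strongswan advisory, the `Package :` / `CVE ID :` header block used by the roundcube advisory is missing.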