Security updates

checked 4 RTFM securityfocus.com/bid/56291

Hi,
Just now: [quote]Multiple vulnerabilities have been discovered in Icedove[/quote]

[quote]For the stable distribution (squeeze), these problems have been fixed
in version 3.0.11-1+squeeze14.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 10.0.9-1.

We recommend that you upgrade your icedove packages.[/quote]

Hi,

[quote]Package : openoffice.org
Vulnerability : remote
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4233[/quote]

[quote]For the stable distribution (squeeze), this problem has been fixed in
version 1:3.2.1-11+squeeze8.

openoffice.org package has been replaced by libreoffice in testing (wheezy)
and unstable (sid) distributions.

For the testing distribution (wheezy), this problem has been fixed in
version 1:3.5.4+dfsg-3.

For the unstable distribution (sid), this problem has been fixed in
version 1:3.5.4+dfsg-3.

We recommend that you upgrade your openoffice.org packages.[/quote]

Good evening,

Two security updates today:

[quote]Package : libproxy
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4505

The Red Hat Security Response Team discovered that libproxy, a library
for automatic proxy configuration management, applied insufficient
validation to the Content-Length header sent by a server providing a
proxy.pac file. Such remote server could trigger an integer overflow
and consequently overflow an in-memory buffer.

For the stable distribution (squeeze), this problem has been fixed in
version 0.3.1-2+squeeze1.

For the testing distribution (wheezy), and the unstable distribution
(sid), this problem has been fixed in version 0.3.1-5.1.

We recommend that you upgrade your libproxy packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: debian.org/security/[/quote]

and

[quote]Package : iceape
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-3982 CVE-2012-3986 CVE-2012-3990 CVE-2012-3991
CVE-2012-4179 CVE-2012-4180 CVE-2012-4182 CVE-2012-4186
CVE-2012-4188

Several vulnerabilities have been discovered in Iceape, an internet
suite based on Seamonkey:

CVE-2012-3982
Multiple unspecified vulnerabilities in the browser engine
allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute
arbitrary code via unknown vectors.

CVE-2012-3986
Icedove does not properly restrict calls to DOMWindowUtils
methods, which allows remote attackers to bypass intended
access restrictions via crafted JavaScript code.

CVE-2012-3990
A Use-after-free vulnerability in the IME State Manager
implementation allows remote attackers to execute arbitrary
code via unspecified vectors, related to the
nsIContent::GetNameSpaceID function.

CVE-2012-3991
Icedove does not properly restrict JSAPI access to the
GetProperty function, which allows remote attackers to bypass
the Same Origin Policy and possibly have unspecified other
impact via a crafted web site.

CVE-2012-4179
A use-after-free vulnerability in the
nsHTMLCSSUtils::CreateCSSPropertyTxn function allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified vectors.

CVE-2012-4180
A heap-based buffer overflow in the
nsHTMLEditor::IsPrevCharInNodeWhitespace function allows
remote attackers to execute arbitrary code via unspecified
vectors.

CVE-2012-4182
A use-after-free vulnerability in the
nsTextEditRules::WillInsert function allows remote attackers
to execute arbitrary code or cause a denial of service (heap
memory corruption) via unspecified vectors.

CVE-2012-4186
A heap-based buffer overflow in the
nsWaveReader::DecodeAudioData function allows remote attackers
to execute arbitrary code via unspecified vectors.

CVE-2012-4188
A heap-based buffer overflow in the Convolve3x3 function
allows remote attackers to execute arbitrary code via
unspecified vectors.

Additionally, this update fixes a regression in the patch for
CVE-2012-3959, released in DSA-2554-1.

For the stable distribution (squeeze), these problems have been fixed in
version 2.0.11-16.

For the testing distribution (wheezy), these problems have been fixed in
version 10.0.10esr-1.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.10esr-1.

We recommend that you upgrade your iceape packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: debian.org/security/[/quote]

Usti

Hello,

One security update this morning:

[quote]-------------------------------------------------------------------------
Debian Security Advisory DSA-2574-1 security@debian.org
debian.org/security/
November 15, 2012 debian.org/security/faq


Package : typo3-src
Vulnerability : several
Problem type : remote
Debian-specific: no

Several vulnerabilities were discovered in TYPO3, a content management
system. This update addresses cross-site scripting, SQL injection,
and information disclosure vulnerabilities and corresponds to
TYPO3-CORE-SA-2012-005.

For the stable distribution (squeeze), this problem has been fixed in
version 4.3.9+dfsg1-1+squeeze7.

For the unstable distribution (sid), this problem has been fixed in
version 4.5.19+dfsg1-4.

We recommend that you upgrade your typo3-src packages.[/quote]

Usti

Hello,

The security updates since my last message:

[quote]Package : tiff
Vulnerability : heap-based buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2012-4564

It was discovered that ppm2tiff of the tiff tools, a set of utilities
for TIFF manipulation and conversion, is not properly checking the return
value of an internal function used in order to detect integer overflows.
As a consequence, ppm2tiff suffers from a heap-based buffer overflow.
This allows an attacker to potentially execute arbitrary code via a crafted
ppm image, especially in scenarios in which images are automatically
processed.

For the stable distribution (squeeze), this problem has been fixed in
version 3.9.4-5+squeeze7.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 4.0.2-5.[/quote]

[quote]Package : trousers
Vulnerability : denial of service
Problem type : local
Debian-specific: no
CVE ID : CVE-2012-0698
Debian Bug : 692649

Andy Lutomirski discovered that tcsd (the TPM userspace daemon) was missing a
of input validation. Using carefully crafted input, it can lead to a denial of
service by making the daemon crash with a segmentation fault.

For the stable distribution (squeeze), this problem has been fixed in
version 0.3.5-2+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 0.3.9-1.

For the unstable distribution (sid), this problem has been fixed in
version 0.3.9-1.[/quote]

[quote]Package : rssh
Vulnerability : insufficient filtering of rsync command line
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-2251 CVE-2012-2252
Debian Bug :

James Clawson discovered that rssh, a restricted shell for OpenSSH to be used
with scp/sftp, rdist and cvs, was not correctly filtering command line options.
This could be used to force the execution of a remote script and thus allow
arbitrary command execution. Two CVEs were assigned:

CVE-2012-2251
Incorrect filtering of command line when using rsync protocol. It was
for example possible to pass dangerous options after a "--" switch. The rsync
protocol support has been added in a Debian (and Fedora/Red Hat) specific
patch, so this vulnerability doesn't affect upstream.

CVE-2012-2251
Incorrect filtering of the "--rsh" option: the filter preventing usage of the
"--rsh=" option would not prevent passing "--rsh". This vulnerability affects
upstream code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.3.2-13squeeze2.

For the testing distribution (wheezy), this problem has been fixed in
version 2.3.3-6.

For the unstable distribution (sid), this problem has been fixed in
version 2.3.3-6.[/quote]

Usti
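The libproxy advisory (Content-Length feeding an integer overflow) and the tiff advisory (ppm2tiff ignoring the result of its overflow check) in the posts above describe the same defect: a length taken from untrusted input is used in arithmetic before allocation without checking that the arithmetic cannot wrap. The following C code is an added illustration of the checks a defender would want, not code from Debian, libproxy or libtiff; the function names, the PAC_MAX_LEN cap and the raster layout are assumptions.

```c
/* Added example (not libproxy's or libtiff's code): length checks of the
 * kind the libproxy and ppm2tiff advisories call for. Names and limits
 * are assumptions chosen for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Largest proxy.pac body we are willing to buffer (assumed cap). */
#define PAC_MAX_LEN (1024u * 1024u)

/* Parse a Content-Length header value into *out.
 * Returns 0 on success, -1 for anything malformed, signed, larger than
 * the cap or out of range. Rejecting here keeps the later "len + 1"
 * allocation from ever wrapping. */
int parse_content_length(const char *value, size_t *out)
{
    char *end;
    unsigned long long n;

    if (value == NULL || *value == '\0')
        return -1;
    /* strtoull quietly accepts a sign; a negative length is never valid. */
    if (*value == '-' || *value == '+')
        return -1;
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return -1;              /* not a plain decimal, or overflowed ull */
    if (n > PAC_MAX_LEN)
        return -1;              /* far larger than any real PAC file */
    *out = (size_t)n;
    return 0;
}

/* Allocate len + 1 bytes (body plus terminating NUL), refusing when the
 * addition itself would wrap around SIZE_MAX. */
char *alloc_body(size_t len)
{
    if (len > SIZE_MAX - 1)
        return NULL;
    return malloc(len + 1);
}

/* Size in bytes of a width x height raster with spp samples per pixel of
 * bytes_per_sample bytes each: the product ppm2tiff must bound before it
 * allocates. Returns 0 and sets *out, or -1 if any multiplication would
 * overflow size_t. The caller must act on the -1, which is exactly the
 * return value the advisory says was ignored. */
int raster_size(uint32_t width, uint32_t height, uint32_t spp,
                uint32_t bytes_per_sample, size_t *out)
{
    size_t acc = width;
    size_t factors[3] = { height, spp, bytes_per_sample };
    size_t i;

    if (width == 0 || height == 0 || spp == 0 || bytes_per_sample == 0)
        return -1;
    for (i = 0; i < 3; i++) {
        /* acc * f overflows exactly when acc > SIZE_MAX / f. */
        if (acc > SIZE_MAX / factors[i])
            return -1;
        acc *= factors[i];
    }
    *out = acc;
    return 0;
}
```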
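The rssh advisory above describes two filter gaps: checking stops at a "--" token, and "--rsh=value" is rejected while the separate "--rsh" form is not. As an added example (not rssh's or Debian's code), here is a whole-command-line option filter in C that closes both gaps; the --server requirement and the "-e.<letters>" capability form are assumptions modelled on how rsync clients invoke the server side.

```c
/* Added example (not rssh's own code): an option filter for an rsync
 * server invocation. The forbidden-option list, the --server requirement
 * and the "-e.<letters>" allowance are assumptions for illustration. */
#include <ctype.h>
#include <string.h>

/* Long options that would let the client name a program to run. */
static const char *const forbidden_long[] = { "--rsh", NULL };

/* Return 1 if every argument is acceptable, 0 if the command must be
 * refused. The scan deliberately covers every token, including those
 * after a "--" separator. */
int rsync_args_allowed(int argc, char *const argv[])
{
    /* Only server mode is ever legitimate here (assumption). */
    if (argc < 2 || strcmp(argv[1], "--server") != 0)
        return 0;

    for (int i = 2; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0')
            continue;                       /* a path, or "-" alone */

        if (a[1] == '-') {
            /* Long option: match both "--name" and "--name=value", since
             * rejecting only the "=" form is the gap the advisory describes. */
            for (int k = 0; forbidden_long[k] != NULL; k++) {
                size_t n = strlen(forbidden_long[k]);
                if (strncmp(a, forbidden_long[k], n) == 0 &&
                    (a[n] == '\0' || a[n] == '='))
                    return 0;
            }
            continue;
        }

        /* Short option cluster such as "-vlogDtpr". rsync's -e takes a
         * remote shell command; the only shape accepted is the "-e.<letters>"
         * capability string a client sends to --server (assumed convention). */
        const char *e = strchr(a + 1, 'e');
        if (e != NULL) {
            if (e[1] != '.')
                return 0;
            for (const char *p = e + 2; *p != '\0'; p++)
                if (!isalnum((unsigned char)*p))
                    return 0;
        }
    }
    return 1;
}
```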

Good evening,

A security update for Wouwouwouwouwouwouwouwou:

[quote]Package : apache2
Vulnerability : Multiple issues
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4557 CVE-2012-4929
Debian Bug : 689936

A vulnerability has been found in the Apache HTTPD Server:

CVE-2012-4557

    A flaw was found when mod_proxy_ajp connects to a backend
    server that takes too long to respond. Given a specific
    configuration, a remote attacker could send certain requests,
    putting a backend server into an error state until the retry
    timeout expired. This could lead to a temporary denial of
    service.

In addition, this update also adds a server side mitigation for the
following issue:

CVE-2012-4929

    If using SSL/TLS data compression with HTTPS in a connection
    to a web browser, man-in-the-middle attackers may obtain
    plaintext HTTP headers. This issue is known as the "CRIME"
    attack. This update of apache2 disables SSL compression by
    default. A new SSLCompression directive has been backported
    that may be used to re-enable SSL data compression in
    environments where the "CRIME" attack is not an issue.
    For more information, please refer to:
    http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression

For the stable distribution (squeeze), these problems have been fixed in
version 2.2.16-6+squeeze10.

For the testing distribution (wheezy), these problems have been fixed in
version 2.2.22-12.

For the unstable distribution (sid), these problems have been fixed in
version 2.2.22-12.

We recommend that you upgrade your apache2 packages.[/quote]

Usti

Hi,

[quote]Debian Security Advisory DSA-2577-1 security@debian.org
debian.org/security/ Yves-Alexis Perez
December 01, 2012 debian.org/security/faq


Package : libssh
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4559 CVE-2012-4561 CVE-2012-4562
Debian Bug

Multiple vulnerabilities were discovered in libssh by Florian Weimer and Xi
Wang:[/quote]

Hi,
[2 December 2012] DSA-2580 libxml2 - Buffer overflow

Squeeze "security" update this morning but … WARNING:

Grave-severity bugs on libxml2 (2.7.8.dfsg-2+squeeze5 -> 2.7.8.dfsg-2+squeeze6) <done> #694521 - libxml2: CVE-2012-5134 (Fixed: libxml2/2.9.0+dfsg1-4 libxml2/2.8.0+dfsg1-7)

Hi,
No worries:

[quote]Grave-severity bugs on libxml2 (2.7.8.dfsg-2+squeeze5 -> 2.7.8.dfsg-2+squeeze6)
#694521 - libxml2: CVE-2012-5134 (Fixed: libxml2/2.9.0+dfsg1-4 libxml2/2.8.0+dfsg1-7)
[/quote]

[quote]For the stable distribution (Squeeze), this problem has been fixed in version 2.7.8.dfsg-2+squeeze6.
For the unstable distribution (Sid), this problem has been fixed in version 2.8.0+dfsg1-7.
We recommend that you upgrade your libxml2 packages.[/quote]

Hello,

A security update for mysql:

[quote]-------------------------------------------------------------------------
Debian Security Advisory DSA-2581-1 security@debian.org
debian.org/security/ Yves-Alexis Perez
December 04, 2012 debian.org/security/faq


Package : mysql-5.1
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-3150 CVE-2012-3158 CVE-2012-3160 CVE-2012-3163
CVE-2012-3166 CVE-2012-3167 CVE-2012-3173 CVE-2012-3177
CVE-2012-3180 CVE-2012-3197 CVE-2012-5611
Debian Bug : 690778 695001

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to a new upstream version,
5.1.66, which includes additional changes, such as performance improvements and
corrections for data loss defects. These changes are described in the MySQL
release notes at: dev.mysql.com/doc/refman/5.1/en/news-5-1-66.html

For the testing distribution (wheezy) and unstable distribution (sid), these
problems have been fixed in version 5.5.28+dfsg-1.

Additionally, CVE-2012-5611 has been fixed in this upload. The vulnerability
(discovered independently by Tomas Hoger from the Red Hat Security Response
Team and “king cope”) is a stack-based buffer overflow in acl_get() when
checking user access to a database. Using a carefully crafted database name, an
already authenticated MySQL user could make the server crash or even execute
arbitrary code as the mysql system user.
[b]
For the stable distribution (squeeze), this problem has been fixed in version
5.1.66-0+squeeze1.

For the testing distribution (wheezy) and unstable distribution (sid), this
problem will be fixed soon.[/b]

We recommend that you upgrade your mysql-5.1 packages.[/quote]

Usti

Good evening,

A security update for Xen:

[quote]Package : xen
Vulnerability : several
Problem type : local
Debian-specific: no
CVE ID : CVE-2011-3131 CVE-2012-4535 CVE-2012-4537 CVE-2012-4538
CVE-2012-4539 CVE-2012-5510 CVE-2012-5513 CVE-2012-5514
CVE-2012-5515
Debian Bug :

Multiple denial of service vulnerabilities have been discovered in the xen
hypervisor. One of the issues (CVE-2012-5513) could even lead to privilege
escalation from guest to host.

Some of the recently published Xen Security Advisories (XSA 25 and 28) are not
fixed by this update and should be fixed in a future release.

CVE-2011-3131 (XSA 5): DoS using I/OMMU faults from PCI-passthrough guest

    A VM that controls a PCI[E] device directly can cause it to issue DMA
    requests to invalid addresses. Although these requests are denied by the
    I/OMMU, the hypervisor needs to handle the interrupt and clear the error from
    the I/OMMU, and this can be used to live-lock a CPU and potentially hang the
    host.

CVE-2012-4535 (XSA 20): Timer overflow DoS vulnerability

    A guest which sets a VCPU with an inappropriate deadline can cause an
    infinite loop in Xen, blocking the affected physical CPU indefinitely.

CVE-2012-4537 (XSA 22): Memory mapping failure DoS vulnerability

    When set_p2m_entry fails, Xen's internal data structures (the p2m and m2p
    tables) can get out of sync. This failure can be triggered by unusual guest
    behaviour exhausting the memory reserved for the p2m table. If it happens,
    subsequent guest-invoked memory operations can cause Xen to fail an assertion
    and crash.

CVE-2012-4538 (XSA 23): Unhooking empty PAE entries DoS vulnerability

    The HVMOP_pagetable_dying hypercall does not correctly check the
    caller's pagetable state, leading to a hypervisor crash.

CVE-2012-4539 (XSA 24): Grant table hypercall infinite loop DoS vulnerability

    Due to inappropriate duplicate use of the same loop control variable,
    passing bad arguments to GNTTABOP_get_status_frames can cause an
    infinite loop in the compat hypercall handler.

CVE-2012-5510 (XSA 26): Grant table version switch list corruption vulnerability

    Downgrading the grant table version of a guest involves freeing its status
    pages. This freeing was incomplete - the page(s) are freed back to the
    allocator, but not removed from the domain's tracking list. This would cause
    list corruption, eventually leading to a hypervisor crash.

CVE-2012-5513 (XSA 29): XENMEM_exchange may overwrite hypervisor memory

    The handler for XENMEM_exchange accesses guest memory without range checking
    the guest provided addresses, thus allowing these accesses to include the
    hypervisor reserved range.
    A malicious guest administrator can cause Xen to crash. If the out of address
    space bounds access does not lead to a crash, a carefully crafted privilege
    escalation cannot be excluded, even though the guest doesn't itself control
    the values written.

CVE-2012-5514 (XSA 30): Broken error handling in guest_physmap_mark_populate_on_demand()

    guest_physmap_mark_populate_on_demand(), before carrying out its actual
    operation, checks that the subject GFNs are not in use. If that check fails,
    the code prints a message and bypasses the gfn_unlock() matching the
    gfn_lock() carried out before entering the loop.
    A malicious guest administrator can then use it to cause Xen to hang.

CVE-2012-5515 (XSA 31): Several memory hypercall operations allow invalid extent order values

    Allowing arbitrary extent_order input values for XENMEM_decrease_reservation,
    XENMEM_populate_physmap, and XENMEM_exchange can cause arbitrarily long time
    being spent in loops without allowing vital other code to get a chance to
    execute. This may also cause inconsistent state resulting at the completion
    of these hypercalls.

For the stable distribution (squeeze), these problems have been fixed in
version 4.0.1-5.5.

For the testing distribution (wheezy), these problems have been fixed in
version 4.1.3-6.

For the unstable distribution (sid), these problems have been fixed in
version 4.1.3-6.

We recommend that you upgrade your xen packages.[/quote]

Usti

Hello,

Now it's Iceweasel's turn:

[quote]Package : iceweasel
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4201 CVE-2012-4207 CVE-2012-4216 CVE-2012-5829
CVE-2012-5842
Debian Bug :

Multiple vulnerabilities have been found in Iceweasel, the Debian web browser
based on Mozilla Firefox:

CVE-2012-5829

Heap-based buffer overflow in the nsWindow::OnExposeEvent function could
allow remote attackers to execute arbitrary code.

CVE-2012-5842

Multiple unspecified vulnerabilities in the browser engine could allow remote
attackers to cause a denial of service (memory corruption and application
crash) or possibly execute arbitrary code.

CVE-2012-4207

The HZ-GB-2312 character-set implementation does not properly handle a ~
(tilde) character in proximity to a chunk delimiter, which allows remote
attackers to conduct cross-site scripting (XSS) attacks via a crafted
document.

CVE-2012-4201

The evalInSandbox implementation uses an incorrect context during the
handling of JavaScript code that sets the location.href property, which
allows remote attackers to conduct cross-site scripting (XSS) attacks or read
arbitrary files by leveraging a sandboxed add-on.

CVE-2012-4216

Use-after-free vulnerability in the gfxFont::GetFontEntry function allows
remote attackers to execute arbitrary code or cause a denial of service (heap
memory corruption) via unspecified vectors.

For the stable distribution (squeeze), these problems have been fixed in
version 3.5.16-20.

For the testing distribution (wheezy), these problems have been fixed in
version 10.0.11esr-1.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.11esr-1.

We recommend that you upgrade your iceweasel packages.[/quote]

Usti

Hello,

Iceape now; are they going to do all the ice* packages?

[quote]Package : iceape
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4201 CVE-2012-4207 CVE-2012-4216 CVE-2012-5829
CVE-2012-5842
Debian Bug :

For the stable distribution (squeeze), these problems have been fixed in
version 2.0.11-17.

For the testing distribution (wheezy), these problems have been fixed in
version 2.7.11-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.7.11-1.

We recommend that you upgrade your iceape packages.[/quote]

Usti

Hello,

3 security updates dropped yesterday:

[quote]Package : libcgi-pm-perl
Vulnerability : HTTP header injection
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-5526
Debian Bug : 693421

It was discovered that the CGI module for Perl does not filter LF
characters in the Set-Cookie and P3P headers, potentially allowing
attackers to inject HTTP headers.

For the stable distribution (squeeze), this problem has been fixed in
version 3.49-1squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 3.61-2.

We recommend that you upgrade your libcgi-pm-perl packages.[/quote]

[quote]Package : perl
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-5195 CVE-2012-5526
Debian Bug : 689314 693420 695223

Two vulnerabilities were discovered in the implementation of the Perl
programming language:

CVE-2012-5195
The “x” operator could cause the Perl interpreter to crash
if very long strings were created.

CVE-2012-5526
The CGI module does not properly escape LF characters
in the Set-Cookie and P3P headers.

In addition, this update adds a warning to the Storable documentation
that this package is not suitable for deserializing untrusted data.

For the stable distribution (squeeze), these problems have been fixed in
version 5.10.1-17squeeze4.

For the unstable distribution (sid), these problems have been fixed in
version 5.14.2-16.

We recommend that you upgrade your perl packages.[/quote]

[quote]Package : bogofilter
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-5468
Debian Bug : 695139

A heap-based buffer overflow was discovered in bogofilter, a software
package for classifying mail messages as spam or non-spam. Crafted
mail messages with invalid base64 data could lead to heap corruption
and, potentially, arbitrary code execution.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.2-2+squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 1.2.2+dfsg1-2.

We recommend that you upgrade your bogofilter packages.[/quote]

Usti

Hello,

A security update for Icedove:

[quote]Package : icedove
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4201 CVE-2012-4207 CVE-2012-4216 CVE-2012-5829
CVE-2012-5842

Multiple vulnerabilities have been found in Icedove, Debian’s version
of the Mozilla Thunderbird mail and news client.

CVE-2012-4201
The evalInSandbox implementation uses an incorrect context during
the handling of JavaScript code that sets the location.href
property, which allows remote attackers to conduct cross-site
scripting (XSS) attacks or read arbitrary files by leveraging a
sandboxed add-on.

CVE-2012-4207
The HZ-GB-2312 character-set implementation does not properly handle
a ~ (tilde) character in proximity to a chunk delimiter, which
allows remote attackers to conduct cross-site scripting (XSS)
attacks via a crafted document.

CVE-2012-4216
Use-after-free vulnerability in the gfxFont::GetFontEntry function
allows remote attackers to execute arbitrary code or cause a denial
of service (heap memory corruption) via unspecified vectors.

CVE-2012-5829
Heap-based buffer overflow in the nsWindow::OnExposeEvent function could
allow remote attackers to execute arbitrary code.

CVE-2012-5842
Multiple unspecified vulnerabilities in the browser engine could
allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary
code.

For the stable distribution (squeeze), these problems have been fixed in
version 3.0.11-1+squeeze15.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.11-1.

We recommend that you upgrade your icedove packages.[/quote]

Usti

Hey,

Now it's tiff's turn!

[quote]Package : tiff
Vulnerability : buffer overflow
Problem type : local
Debian-specific: no
CVE ID : CVE-2012-5581
Debian Bug : 694693

The tiff library for handling TIFF image files contained a stack-based
buffer overflow, potentially allowing attackers who can submit such
files to a vulnerable system to execute arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 3.9.4-5+squeeze8.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 4.0.2-1 of the tiff
package, and version 3.9.6-10 of the tiff3 package.

We recommend that you upgrade your tiff packages.[/quote]

Usti

Good evening,

A security update for wireshark:

[quote]Package : wireshark
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4048 CVE-2012-4296

Bjorn Mork and Laurent Butti discovered crashes in the PPP and RTPS2
dissectors, which could potentially result in the execution of arbitrary
code.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.11-6+squeeze8.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.2-1.

We recommend that you upgrade your wireshark packages.[/quote]

Usti

Hello,

Two security updates today:

[quote]Package : mahara
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-2239 CVE-2012-2243 CVE-2012-2244 CVE-2012-2246
CVE-2012-2247 CVE-2012-2253 CVE-2012-6037

Multiple security issues have been found in Mahara, an electronic
portfolio, weblog, and resume builder, which can result in cross-site
scripting, clickjacking or arbitrary file execution.

For the stable distribution (squeeze), these problems have been fixed in
version 1.2.6-2+squeeze6.

For the unstable distribution (sid), these problems have been fixed in
version 1.5.1-3.1.

We recommend that you upgrade your mahara packages.[/quote]

and

[quote]Package : elinks
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4545

Marko Myllynen discovered that elinks, a powerful text-mode browser,
incorrectly delegates user credentials during GSS-Negotiate.

For the stable distribution (squeeze), this problem has been fixed in
version 0.12~pre5-2+squeeze1. Since the initial Squeeze release
Xulrunner needed to be updated and the version currently in the archive
is incompatible with Elinks. As such, Javascript support needed to be
disabled (only a small subset of typical functionality was supported
anyway). It will likely be re-enabled in a later point update.

For the testing distribution (wheezy), this problem has been fixed in
version 0.12~pre5-9.

For the unstable distribution (sid), this problem has been fixed in
version 0.12~pre5-9.

We recommend that you upgrade your elinks packages.[/quote]

Usti