Debian Security
 2014-07-29 DSA-2992 linux - security update

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation:

 2014-07-27 DSA-2991 modsecurity-apache - security update

Martin Holst Swende discovered a flaw in the way chunked requests are handled in ModSecurity, an Apache module whose purpose is to tighten web application security. A remote attacker could use this flaw to bypass intended mod_security restrictions by using chunked transfer coding with a capitalized "Chunked" value in the Transfer-Encoding HTTP header, allowing the attacker to send requests containing content that should have been removed by mod_security.

 2014-07-27 DSA-2990 cups - security update

It was discovered that the web interface in CUPS, the Common UNIX Printing System, incorrectly validated permissions on rss files and directory index files. A local attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation.

 2014-07-24 DSA-2989 apache2 - security update

Several security issues were found in the Apache HTTP server.

 2014-07-24 DSA-2988 transmission - security update

Ben Hawkes discovered that incorrect handling of peer messages in the Transmission bittorrent client could result in denial of service or the execution of arbitrary code.

 2014-07-23 DSA-2987 openjdk-7 - security update

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.

 2014-07-23 DSA-2986 iceweasel - security update

Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service.

 2014-07-22 DSA-2985 mysql-5.5 - security update

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.38. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

 2014-07-22 DSA-2984 acpi-support - security update

CESG discovered a root escalation flaw in the acpi-support package. An unprivileged user can inject the DBUS_SESSION_BUS_ADDRESS environment variable to run arbitrary commands as root user via the policy-funcs script.

 2014-07-20 DSA-2983 drupal7 - security update

Multiple security issues have been discovered in the Drupal content management system, ranging from denial of service to cross-site scripting. More information can be found at

 2014-07-19 DSA-2982 ruby-activerecord-3.2 - security update

Sean Griffin discovered two vulnerabilities in the PostgreSQL adapter for Active Record which could lead to SQL injection.

 2014-07-18 DSA-2981 polarssl - security update

A flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS library, which can be exploited by a remote unauthenticated attacker to mount a denial of service against PolarSSL servers that offer GCM ciphersuites. Potentially clients are affected too if a malicious server decides to execute the denial of service attack against its clients.

 2014-07-17 DSA-2980 openjdk-6 - security update

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.

 2014-07-17 DSA-2979 fail2ban - security update

Two vulnerabilities were discovered in Fail2ban, a solution to ban hosts that cause multiple authentication errors. When using Fail2ban to monitor Postfix or Cyrus IMAP logs, improper input validation in log parsing could enable a remote attacker to trigger an IP ban on arbitrary addresses, resulting in denial of service.

 2014-07-11 DSA-2978 libxml2 - security update

Daniel P. Berrange discovered a denial of service vulnerability in libxml2 entity substitution.

 2014-07-11 DSA-2977 libav - security update

Don A. Bailey discovered an integer overflow in the lzo compression handler which could result in the execution of arbitrary code.

 2014-07-10 DSA-2976 eglibc - security update

Stephane Chazelas discovered that the GNU C library, glibc, processed ".." path segments in locale-related environment variables, possibly allowing attackers to circumvent intended restrictions, such as ForceCommand in OpenSSH, assuming that they can supply crafted locale settings.

 2014-07-09 DSA-2975 phpmyadmin - security update

Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

 2014-07-08 DSA-2974 php5 - security update

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The Common Vulnerabilities and Exposures project identifies the following problems:

 2014-07-07 DSA-2973 vlc - security update

Multiple buffer overflows have been found in the VideoLAN media player. Processing malformed subtitles or movie files could lead to denial of service and potentially the execution of arbitrary code.

 2014-07-06 DSA-2972 linux - security update

Andy Lutomirski discovered that the ptrace syscall was not verifying the RIP register to be valid in the ptrace API on x86_64 processors. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

 2014-07-02 DSA-2971 dbus - security update

Several vulnerabilities have been discovered in dbus, an asynchronous inter-process communication system. The Common Vulnerabilities and Exposures project identifies the following problems:

 2014-06-29 DSA-2970 cacti - security update

Multiple security issues (cross-site scripting, cross-site request forgery, SQL injections, missing input sanitising) have been found in Cacti, a web frontend for RRDTool.

Debian Wiki
 2014-07-30T10:36:17Z fr/OpenOffice
Debian version including OpenOffice by default
 2014-07-30T10:08:30Z Keysigning/Offers
 2014-07-30T09:24:11Z PauloTome
Added name and email address
 Tue, 29 Jul 2014 23:00:00 -0700 Tiny Raspberry Pi-compatible SBC targets wearables

 Linux Gizmos: Hardkernel launched a $30 Raspberry-Pi compatible "Odroid-W" wearables oriented SBC

 Tue, 29 Jul 2014 19:00:00 -0700 Can Android be made truly free and open source?

 ITworld: If you don't really care about FOSS then Google owning Android isn't a problem at all.

 Tue, 29 Jul 2014 15:00:00 -0700 Samsung's Tizen smartphone OS: Dead or alive?

 ZDnet: Does Tizen have a future, or is it going to be another unlaunched Linux-based mobile operating system?

OSNews
 Tue, 29 Jul 2014 18:28:36 GMT Another day, another sensationalist, unfounded security story
Dan Goodin, at Ars Technica, is writing about a security flaw in Android. It's got all the usual scary-scary language about doom and gloom, quotes from antivirus peddlers, and it wasn't long until sensationalist Apple site AppleInsider took it all one step further (relevant). So, is this a real security threat, or are we looking at sensationalism run amok? This is the issue in a nutshell.

"The Fake ID vulnerability stems from the failure of Android to verify the validity of cryptographic certificates that accompany each app installed on a device. The OS relies on the credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash in all but version 4.4, for instance, is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access Near Field Communication hardware that processes payment information."

Sounds serious! Should you be worried? Is it time to stock up on canned beans and switch to a Nokia 3310? Of course, it's always time to switch to a Nokia 3310, but not really because of this "issue". Buried deep within the Ars Technica article is Google's response to the issue.

"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability."
First, a patch has been sent to OEMs and AOSP, but with Android's abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed. This means two things. First, that there are no applications in Google Play that exploit this issue. If you stick to Google Play, you're safe from this issue, period. No ifs and buts. Second, even if you install applications from outside of Google Play, you are still safe from this issue. Verify Apps is part of Play Services, and runs on every Android device from 2.3 and up. It scans every application at install and continuously during use for suspect behaviour. In this case, an application that tries to exploit this flaw will simply be blocked from installing or running.

As a sidenote, you can actually disable Verify Apps, but unlike what some people seem to think, the dialog you get about sending data to Google when trying to sideload an application has nothing to do with this (that dialog just covers sending data about the application to Google, which is not required for Verify Apps to work). To actually completely disable Verify Apps, you need to go into the Google Settings application (or the Android settings application in 4.2 and up), navigate to Security, and disable it from there.

To get back to the matter at hand: this means that every Android user with Google Play Services is 100% protected from this issue. The only way an Android user can potentially be affected by this issue is if she, one, specifically allows installation from unknown sources, and two, specifically disables Verify Apps - all accompanied by several warnings. Luckily, not a single application in or outside of Google Play is currently trying to exploit this issue.
While one can expect sensationalist nonsense from a site like AppleInsider - you don't blame TMZ for reporting on a fart by Miley Cyrus; you don't blame AppleInsider for spreading sensationalist nonsense - I'm very disappointed that a respected site like Ars Technica resorts to spreading this kind of fear, uncertainty, and doubt, especially since this isn't the first time the site has done so.

Recently, it has become very clear that the security industry - antivirus peddlers and similar companies - has focussed all its attention on Android, resorting to all sorts of dirty tactics to scare unsuspecting users into buying their useless software. Since I can't stress this often enough: do not install antivirus on Android (or iOS, for that matter). It is not needed in any way, shape, or form. This is not the first time they have tried to spread and exploit fear, uncertainty, and doubt. Back when Windows started properly shoring up its security, Microsoft released MSE, and the mass infections of the early XP days became a thing of the past, they tried to use the exact same tactics to try and scare the rapidly growing number of OS X users into buying their junk. I advocated against this practice then (more here), and I will advocate against it now.

When you come across stories like this, you can almost always assume it's FUD, whether it covers Android, OS X, or iOS. They almost always originate from antivirus peddlers, who know full well that operating system security - on both desktop and mobile - has increased so much this past decade or so that their core business model is at stake, and as such, they have to drum up the FUD. I just wish respected websites would not dance to their tunes for clicks. And yes, you should totally get a 3310.
 Tue, 29 Jul 2014 14:33:44 GMT Arment on 'app rot'
We've touched on this topic several times already - most recently only a few days ago: the application store model is facing some serious issues at the moment, to the heavy detriment of users and developers alike. If you don't want to take my word for it - and really, you shouldn't, as you should make up your own mind - Marco Arment has written a great summary of all the problems the application store model is facing, with a lot of quotes from other sources to come to a good overview.

"Apple's App Store design is a big part of the problem. The dominance and prominence of "top lists" stratifies the top 0.02% so far above everyone else that the entire ecosystem is encouraged to design for a theoretical top-list placement that, by definition, won't happen to 99.98% of them. Top lists reward apps that get people to download them, regardless of quality or long-term use, so that's what most developers optimize for. Profits at the top are so massive that the promise alone attracts vast floods of spam, sleaziness, clones, and ripoffs. Quality, sustainability, and updates are almost irrelevant to App Store success and usually aren't rewarded as much as we think they should be, and that's mostly the fault of Apple's lazy reliance on top lists instead of more editorial selections and better search."

And:

"As the economics get tighter, it becomes much harder to support the lavish treatment that developers have given apps in the past, such as full-time staffs, offices, pixel-perfect custom designs of every screen, frequent free updates, and completely different iPhone and iPad interfaces."

The application store model is under serious pressure.
 Tue, 29 Jul 2014 08:34:52 GMT seL4 microkernel released as open source
General Dynamics C4 Systems and NICTA are pleased to announce the open sourcing of seL4, the world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement. It is still the world's most highly-assured OS. And here's the code.

News
 2014-07-28T09:00:12+00:00 DistroWatch Weekly, Issue 569
This week in DistroWatch Weekly: Reviews: First impressions of Deepin 2014 News: Fedora Magazine encourages people to join Ask Fedora, Gentoo developer weighs in on using LibreSSL, FreeBSD team issues quarterly report, Ubuntu launches 8th edition of The Official Ubuntu Book Questions and Answers: Encrypted package downloads Released....
 2014-07-27T10:17:27+00:00 Distribution Release: Salix 14.1 "Openbox"
George Vlahavas has announced the release of Salix 14.1 "Openbox" edition, a lightweight Slackware-based distribution featuring Openbox as the default window manager: "Salix Openbox 14.1 brings the Openbox window manager, teamed with fbpanel and SpaceFM to create a fast and flexible desktop environment. This is the most....
 2014-07-26T00:34:00+00:00 Development Release: Scientific Linux 7.0 Beta 1
Pat Riehecky has announced the availability of the first beta build of Scientific Linux 7.0, a distribution compiled from the source code for Red Hat Enterprise Linux 7 and enhanced with extra applications for scientific computing: "Today we are announcing a beta release of Scientific Linux 7. Changes....
