Debian Essential And Critical Security Patch Updates - Page 48
Find the information you need for your favorite open source distribution.
Amir Sarabadani and Kunal Mehta discovered that the import functionality of Hyperkitty, the web user interface to access Mailman 3 archives, did not restrict the visibility of private archives during the import, i.e. that during the import of a private Mailman 2 archive the archive was
Luis Merino, Markus Vervier and Eric Sesterhenn discovered an off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code.
Roman Fiedler reported that missing length validation in various functions provided by libx11, the X11 client-side library, allows injection of X11 protocol commands into X clients, leading to authentication bypass, denial of service or potentially the
The update for prosody released as DSA 4916-1 introduced a regression in websocket support. Updated prosody packages are now available to correct this issue.
Jasper Lievisse Adriaanse reported an integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption. For the stable distribution (buster), this problem has been fixed in
Improper pathname handling in ruby-rack-cors, a middleware that makes Rack-based apps CORS compatible, may result in access to private resources.
Several vulnerabilities have been discovered in the chromium web browser. CVE-2021-30506
Multiple security issues were found in Prosody, a lightweight Jabber/XMPP server, which could result in denial of service or information disclosure. For the stable distribution (buster), these problems have been fixed in
Multiple security issues have been discovered in the PostgreSQL database system, which could result in the execution of arbitrary code or disclosure of memory content.
A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.
Jeremy Galindo discovered an out-of-bounds memory access in Hivex, a library to parse Windows Registry hive files. For the stable distribution (buster), this problem has been fixed in
The Qualys Research Labs reported several vulnerabilities in Exim, a mail transport agent, which could result in local privilege escalation and remote code execution.
Several vulnerabilities have been discovered in the chromium web browser. CVE-2021-21227
A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.
Several vulnerabilities were discovered in BIND, a DNS server implementation. CVE-2021-25214
It was discovered that libhibernate3-java, a powerful, high-performance object/relational persistence and query service, is prone to an SQL injection vulnerability allowing an attacker to access unauthorized information or possibly conduct further attacks.
It was discovered that composer, a dependency manager for PHP, did not properly sanitize Mercurial URLs, which could lead to arbitrary code execution.
Several vulnerabilities have been discovered in the chromium web browser. CVE-2021-21201
It was discovered that the Shibboleth Service Provider is prone to a NULL pointer dereference flaw in the cookie-based session recovery feature. A remote, unauthenticated attacker can take advantage of this flaw to cause a denial of service (crash in the shibd daemon/service).
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.