Debian: Debian Linux Security Vulnerabilities
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVSS Score: 7.5; EPSS Score: 0.177; Published: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.
CVSS Score: 6.7; EPSS Score: 0.001; Published: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.
CVSS Score: 8.1; EPSS Score: 0.021; Published: 2019-12-12
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.
CVSS Score: 9.3; EPSS Score: 0.009; Published: 2019-12-12
sysstat through 12.2.0 has a double free in check_file_actlst in sa_common.c.
CVSS Score: 9.8; EPSS Score: 0.01; Published: 2019-12-11
An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) because VMX VMEntry checks mishandle a certain case. Please see XSA-260 for background on the MovSS shadow. Please see XSA-156 for background on the need for #DB interception. The VMX VMEntry checks do not like the exact combination of state which occurs when #DB is intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest. HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service. All versions of Xen are affected. Only systems supporting VMX hardware virtual extensions (Intel, Cyrix, or Zhaoxin CPUs) are affected. Arm and AMD systems are unaffected. Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability.
CVSS Score: 7.5; EPSS Score: 0.021; Published: 2019-12-11
node-connects before 2.8.2 has cross site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370)
CVSS Score: 6.1; EPSS Score: 0.006; Published: 2019-12-11
Orca has arbitrary code execution due to insecure Python module load
CVSS Score: 7.3; EPSS Score: 0.002; Published: 2019-12-11
node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware
CVSS Score: 6.1; EPSS Score: 0.011; Published: 2019-12-11
smokeping before 2.6.9 has XSS (incomplete fix for CVE-2012-0790)
CVSS Score: 6.1; EPSS Score: 0.006; Published: 2019-12-11

