(Jun 22) Two vulnerabilities were discovered in LAVA, a continuous integration system for deploying operating systems for running tests, which could result in information disclosure of files readable by the lavaserver system user or the execution of arbitrary code via a XMLRPC call.
(Jun 22) It was discovered that the low-level interface to the RSA key pair generator of Bouncy Castle (a Java implementation of cryptographic algorithms) could perform less Miller-Rabin primality tests than expected.
(Jun 20) This update provides mitigations for the “lazy FPU” vulnerability affecting a range of Intel CPUs, which could result in leaking CPU register states belonging to another vCPU previously scheduled on the same CPU. For additional information please refer to
(Jun 17) Multiple vulnerabilities were discovered in the Lua subsystem of Redis, a persistent key-value database, which could result in denial of service. For the stable distribution (stretch), these problems have been fixed in
(Jun 17) It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys. For the stable distribution (stretch), this problem has been fixed in
(Jun 14) Several vulnerabilities were found in SPIP, a website engine for publishing, resulting in cross-site scripting and PHP injection. For the oldstable distribution (jessie), this problem has been fixed
(Jun 12) Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.
(Jun 12) Danny Grander discovered a directory traversal flaw in plexus-archiver, an Archiver plugin for the Plexus compiler system, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted Zip archive.
(Jun 10) Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.
(Jun 8) Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.