Vulnerabilities > Debian > High

DATE CVE VULNERABILITY TITLE RISK
2014-11-24 CVE-2014-9030 Improper Input Validation vulnerability in multiple products
The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE.
7.1
2014-11-10 CVE-2014-8369 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges.
local
low complexity
linux debian opensuse suse CWE-119
7.8
2014-11-10 CVE-2014-3687 Resource Exhaustion vulnerability in multiple products
The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter.
7.5
2014-11-10 CVE-2014-3673 Improper Input Validation vulnerability in multiple products
The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c.
7.5
2014-11-03 CVE-2014-0490 Improper Input Validation vulnerability in Debian Advanced Package Tool
The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.
network
low complexity
debian linux CWE-20
7.5
2014-11-03 CVE-2014-0489 Improper Input Validation vulnerability in Debian Advanced Package Tool 1.0.3/1.0.5/1.0.7
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
network
low complexity
debian CWE-20
7.5
2014-11-03 CVE-2014-0487 Security Bypass vulnerability in apt
APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.
network
low complexity
debian
7.5
2014-10-16 CVE-2014-3704 SQL Injection vulnerability in multiple products
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
network
low complexity
drupal debian CWE-89
7.5
2014-09-30 CVE-2014-6051 Numeric Errors vulnerability in multiple products
Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer overflow.
7.5
2014-08-14 CVE-2014-4344 Null Pointer Dereference vulnerability in multiple products
The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.
network
low complexity
debian redhat mit CWE-476
7.8