securitybreach Posted May 22, 2015 Share Posted May 22, 2015 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3270-1 security@debian.org http://www.debian.org/security/ Christoph Berg May 22, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : postgresql-9.4 CVE ID : CVE-2015-3165 CVE-2015-3166 CVE-2015-3167 Several vulnerabilities have been found in PostgreSQL-9.4, a SQL database system. CVE-2015-3165 (Remote crash) SSL clients disconnecting just before the authentication timeout expires can cause the server to crash. CVE-2015-3166 (Information exposure) The replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure. CVE-2015-3167 (Possible side-channel key exposure) In contrib/pgcrypto, some cases of decryption with an incorrect key could report other error message texts. Fix by using a one-size-fits-all message. For the stable distribution (jessie), these problems have been fixed in version 9.4.2-0+deb8u1. For the testing distribution (stretch), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 9.4.2-1. Link to comment Share on other sites More sharing options...
securitybreach Posted May 23, 2015 Share Posted May 23, 2015 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3271-1 security@debian.org http://www.debian.org/security/ Alessandro Ghedini May 23, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : nbd CVE ID : CVE-2013-7441 CVE-2015-0847 Debian Bug : 781547 784657 Tuomas Räsänen discovered that unsafe signal handling in nbd-server, the server for the Network Block Device protocol, could allow remote attackers to cause a deadlock in the server process and thus a denial of service. Tuomas Räsänen also discovered that the modern-style negotiation was carried out in the main server process before forking the actual client handler. This could allow a remote attacker to cause a denial of service (crash) by querying a non-existent export. This issue only affected the oldstable distribution (wheezy). For the oldstable distribution (wheezy), these problems have been fixed in version 1:3.2-4~deb7u5. For the stable distribution (jessie), these problems have been fixed in version 1:3.8-4+deb8u1. For the testing distribution (stretch), these problems have been fixed in version 1:3.10-1. For the unstable distribution (sid), these problems have been fixed in version 1:3.10-1. Link to comment Share on other sites More sharing options...
securitybreach Posted May 23, 2015 Share Posted May 23, 2015 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3272-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 23, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ipsec-tools CVE ID : CVE-2015-4047 Debian Bug : 785778 Javantea discovered a NULL pointer dereference flaw in racoon, the Internet Key Exchange daemon of ipsec-tools. A remote attacker can use this flaw to cause the IKE daemon to crash via specially crafted UDP packets, resulting in a denial of service. For the oldstable distribution (wheezy), this problem has been fixed in version 1:0.8.0-14+deb7u1. For the stable distribution (jessie), this problem has been fixed in version 1:0.8.2+20140711-2+deb8u1. For the testing distribution (stretch) and the unstable distribution (sid), this problem will be fixed soon. Link to comment Share on other sites More sharing options...
securitybreach Posted May 24, 2015 Share Posted May 24, 2015 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3265-2 security@debian.org http://www.debian.org/security/ Alessandro Ghedini May 24, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : zendframework The update for zendframework issued as DSA-3265-1 introduced a regression preventing the use of non-string or non-stringable objects as header values. A fix for this problem is now applied, along with the final patch for CVE-2015-3154. For reference the original advisory text follows. Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie. CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657. CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657. CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532. CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer's verify method that lead to acceptance of wrongly sourced tokens. CVE-2014-2685 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported a specification violation in which signing of a single parameter is incorrectly considered sufficient. CVE-2014-4914 Cassiano Dal Pizzol discovered that the implementation of the ORDER BY SQL statement in Zend_Db_Select contains a potential SQL injection when the query string passed contains parentheses. CVE-2014-8088 Yury Dyachenko at Positive Research Center identified potential XML eXternal Entity injection vectors due to insecure usage of PHP's DOM extension. CVE-2014-8089 Jonas Sandström discovered an SQL injection vector when manually quoting value for sqlsrv extension, using null byte. CVE-2015-3154 Filippo Tessarotto and Maks3w reported potential CRLF injection attacks in mail and HTTP headers. For the oldstable distribution (wheezy), this problem has been fixed in version 1.11.13-1.1+deb7u2. For the stable distribution (jessie), this problem has been fixed in version 1.12.9+dfsg-2+deb8u2. For the testing distribution (stretch), this problem has been fixed in version 1.12.13+dfsg-1. For the unstable distribution (sid), this problem has been fixed in version 1.12.13+dfsg-1. Link to comment Share on other sites More sharing options...
securitybreach Posted May 25, 2015 Share Posted May 25, 2015 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3273-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff May 25, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tiff CVE ID : CVE-2014-8127 CVE-2014-8128 CVE-2014-8129 CVE-2014-9330 CVE-2014-9655 William Robinet and Michal Zalewski discovered multiple vulnerabilities in the TIFF library and its tools, which may result in denial of service or the execution of arbitrary code if a malformed TIFF file is processed. For the oldstable distribution (wheezy), these problems have been fixed in version 4.0.2-6+deb7u4. For the stable distribution (jessie), these problems have been fixed before the initial release. Link to comment Share on other sites More sharing options...
securitybreach Posted May 27, 2015 Share Posted May 27, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3268-2 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 26, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ntfs-3g CVE ID : CVE-2015-3202 Debian Bug : 786475 The patch applied for ntfs-3g to fix CVE-2015-3202 in DSA 3268-1 was incomplete. This update corrects that problem. For reference the original advisory text follows. Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing mount or umount with elevated privileges. A local user can take advantage of this flaw to overwrite arbitrary files and gain elevated privileges by accessing debugging features via the environment that would not normally be safe for unprivileged users. For the oldstable distribution (wheezy), this problem has been fixed in version 1:2012.1.15AR.5-2.1+deb7u2. Note that this issue does not affect the binary packages distributed in Debian in wheezy as ntfs-3g does not use the embedded fuse-lite library. For the stable distribution (jessie), this problem has been fixed in version 1:2014.2.15AR.2-1+deb8u2. For the unstable distribution (sid), this problem has been fixed in version 1:2014.2.15AR.3-3. We recommend that you upgrade your ntfs-3g packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVZM0HAAoJEAVMuPMTQ89EJggP/0zWLrGHeQuWaOanEo/zBdKq R6Er4/Apz1tlduUYz7whFuZTM4jZYjo9G15laoZefB+4ntzmSiCZMp+9KuPf8oN5 90rOU6/Pw91e8BxEiTIQ+V9QLAwdu84NMuuNFxBnqSWg55q/FzBbup0pnz/rJupi XvJkcSeEmx9rPOhHET/xMMu1jCDD+L/j14+ekcfyBx/Gvw8HxYiHHFMSoOvDIG17 1nU3BOu7CjOrvu4rsUpEYVUYIOSjq86SToZcBb8MJ2yPhNh+hqr76qx14REpPV2t CYUCGb2nU0Vwix/IGsKzYUZJeFVjdNuNNWP0qxP2sF0EZWihYBCPYJstfdgbFAM5 XrYTS9O7MwMNn3D5Ac2Z0IPFr4/jq2JhzVSJ16/8ZOo6DY6xCjFy/ysErCkD+Qu6 DMNKvmT+Q3h3T+eEEKSpfcZFXT3peg0obATvsTGONn2so4OYGk0NT4V9Mybq+D3L qbdB0DDsbjmG3csHchYeoPIy7wYuw2JChkViZAcolXtn4ClQdOhZxqDGRzYDrLcc YnoWP4hvac9EFUs7NHZ+fYXUGCgc8F5oTqZ2DmPiMXg8f0tWBDWMnznumhc5skip l9IqI4kmU+Ik7KsbHOaRpItgnup88Mpw5FxgWDxOQEUET6jtEwhZohRN4rMbyWep iUKNmJ4HnoBJVgX3810+ =O+Kf -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted May 29, 2015 Share Posted May 29, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3274-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff May 28, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : virtualbox CVE ID : CVE-2015-3456 Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in the potential privilege escalation. For the oldstable distribution (wheezy), this problem has been fixed in version 4.1.18-dfsg-2+deb7u5. For the stable distribution (jessie), this problem has been fixed in version 4.3.18-dfsg-3+deb8u2. For the unstable distribution (sid), this problem has been fixed in version 4.3.28-dfsg-1. We recommend that you upgrade your virtualbox packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVZ4W5AAoJEBDCk7bDfE42H3UP/01HvE6NBAxILIG59waLVfhS H8melBbEHZZ8mAbKkzMbnQaiPjibnu3qH+1mUuFy3S8vH85cG/+0N9jWbrCQyc4U byywL/TFKS7jKjHO2zGR+tw9WVrxKe94P05o2U1vskeDG3p60Vb7lxzRPiTNSdwD a7T4T9ab57j4Nrn5Sxr3le6Bjw9YCDMVrJmKdLGTBYgXFZz8ShihnDmhwFSrHvbZ eT3eNGkiCiNT2u4qxVNRtaETmYR6Q5nL9qQzYitIfEpSd/mrRL7dmvkRg4oEw3iH VU+wX8zpU9G3SoQTML5hEPvFVlgk855a2fEx81cfL6P4oOVU2/g0tsJoMdX0KQ0x euOcvRHk7q6KScr5fkc+T3ZScz9IKUuFlCml+7lHRCbOfzOszcU1bJQNFfEA+TW9 h9U0gLa2hUoeU3r97tMoaBeoDZR2PnWTvUxn0l4wae/UcxbGi0Hp6roBqPWub036 f8kIcutsMiL+r3A6L3q3damBDU4rtAt1bt4unvUCbMea9fF4NzrR4+eISt6Pyp6Q hYn6XZrmAtZH6169dqmjJZLtUQDevMKo8zExt5PaBoiabKRwhCB6kSTUjiTU3rGW 87XG2X3kw/8eAyBxSB5Zka2RjujUlaA3hgz20z2jj+gzqEH1PUQrezDKQz+hgZZD AFIVk5GpQSnviJjNjxgZ =334W -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted May 30, 2015 Share Posted May 30, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3275-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 30, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : fusionforge CVE ID : CVE-2015-0850 Ansgar Burchardt discovered that the Git plugin for FusionForge, a web-based project-management and collaboration software, does not sufficiently validate user provided input as parameter to the method to create secondary Git repositories. A remote attacker can use this flaw to execute arbitrary code as root via a specially crafted URL. For the stable distribution (jessie), this problem has been fixed in version 5.3.2+20141104-3+deb8u1. For the testing distribution (stretch) and the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your fusionforge packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVaXwVAAoJEAVMuPMTQ89E1WMQAIKNgu7rsz7hpSoz+Sp+3OWg /XGK/hmY+0ksO5/eOGueZQlAOMxRVeINspD658FJ4GbvM8rwhIPE/rW7NyDh39uN NtYgHLJDkwtYJ6o4Ubb5SapEoEMHtU7tOz1zyinncDzf/l3NmwoFhFt8ql0VQFFp hDkx0Ovmz4efQWipKFCbC5jUBTAmNcOnghHIHLkr97SRKh4oHwWIbqUgEFbg+Zkk hlQ6peYqBjqcdLlzt9ifFVaStaf/RH/onl5JDNHav2oystPtbCyfc5gT7efX1yeL ZwTpIa1zkPyybqxJe74GBx9IdDkOjIrm3syW2NGBB98QixEuEuBCMcZrHJf+csQV 3prZbvJUevtoSOO4CpVa6733pt0jiM1irSIonICobujrxHi4WZ8eDcng5lg2nE7z lroALjTcBkQwl02ptRy7aXM66fbLLvkxflI8Ti1hCuoUiLfSFNbbmGB6fB2GQq8f uqZPqlFutBvwikPMUZXfo6o8JqzY7/hDK+K2FSgq2yJipaBWb2q4OOC+SkbN/51J Wk+gOf0ZNj81lNCloGK6fX57BypzO1SOg55ZT1DsgDc4BogbQ/XrV66FRnFiZEaS bhsS2JEuXELaRwQ1NtWI4beocTvcIyO8PTabw/pHkeJ9LOSyOhceTEGmdOLn0nsz EuCeXkJfZ21JlExUXwEu =hJMK -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 1, 2015 Share Posted June 1, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3269-2 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 31, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : postgresql-9.1 Debian Bug : 786874 The update for postgresql-9.1 in DSA-3269-1 introduced a regression which can causes PostgreSQL to refuse to restart after an unexpected shutdown or when restoring from a binary backup. Updated packages are now available to address this regression. Please refer to the upstream Bug FAQ for additional information: https://wiki.postgre...Permissions_Bug For reference, the original advisory text follows. Several vulnerabilities have been found in PostgreSQL-9.1, a SQL database system. CVE-2015-3165 (Remote crash) SSL clients disconnecting just before the authentication timeout expires can cause the server to crash. CVE-2015-3166 (Information exposure) The replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure CVE-2015-3167 (Possible side-channel key exposure) In contrib/pgcrypto, some cases of decryption with an incorrect key could report other error message texts. Fix by using a one-size-fits-all message. For the oldstable distribution (wheezy), this problem has been fixed in version 9.1.16-0+deb7u2. We recommend that you upgrade your postgresql-9.1 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVapP7AAoJEAVMuPMTQ89E6IQP/0FqmHNNmQel7gWlFgxW8TJs yat/dsA5e08OovZV40FZ/AogXvRwxSjoNdxo/R0NL4RzA5V6KhWC2taWx+xG0YUX 9eMvu/LbqBo/K9hwn+mTmNXegRHrNvDS1fPeDTdU5vsr7lAWFay+mncbXQNCWmeW wWFU6zONqccNJT1aLV55xmvu5OsUDNm3DcWg/wXDSImpGPesj2QnDhe8GxxjBo1h cf6hIh4wOyB+qYxWtxb20UIsmfHpIe4HadvejT4wGP7qXlCqs93BL1qpgDQuvZEc IXQAD9LRwGDyopKHSp8d7s5PTCCcYRGLopJ1ozSBfJ12PSTXPM2OqMwSeXbv/Fc9 u20Z2i+HqDeYRQnBas/xX9M+QwEEQZPQ/eOgnTLEMBpDG4RujYEsRCxODt6ZoWVA jwcZlNqkBRO1b4BVnjIQmldSIKap3tWiB6UA+To1SvZw1rkyvirpc/u8dscMcuLW loHrzFeIMOFjZNG3ssMiQ5sv3B+IZNcb0uXkAQQFu9bcGCtdq1Y6WxRvK327O+o7 KTTazBA1OKeR09wqBh+uOIIlv/Bc56Dt+Krpr3bjq5NHAFCkIY6nUa+dmgOi0K23 pEXPabJyKJs9zOGNMamgEk89/E/t9Q3+DPxEnLqJBlP1FwiZm0bYUVo3K03dZJlq 18GSE1ofUQIuv6FYG9EQ =rZH8 -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 2, 2015 Share Posted June 2, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3277-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff June 02, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : wireshark CVE ID : CVE-2015-3809 CVE-2015-3810 CVE-2015-3811 CVE-2015-3812 CVE-2015-3813 CVE-2015-3814 CVE-2015-3815 Multiple vulnerabilities were discovered in the dissectors/parsers for LBMR, web sockets, WCP, X11, IEEE 802.11 and Android Logcat, which could result in denial of service. For the oldstable distribution (wheezy), these problems have been fixed in version 1.8.2-5wheezy16. For the stable distribution (jessie), these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u1. For the testing distribution (stretch), these problems have been fixed in version 1.12.5+g5819e5b-1. For the unstable distribution (sid), these problems have been fixed in version 1.12.5+g5819e5b-1. We recommend that you upgrade your wireshark packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVbd0LAAoJEBDCk7bDfE42ZpsQAL33mj0Bp4+A6YZgU5WdVgOk PTdpeS5D7WzygYQp+jr8iGJojKvOrxP9ptRLISv7XU1cjWf5TtQ3RYReM+tFabA7 228bvSVke0dzf1lqIR/LSNRa92QCpyGfouZFDpQijrIzjqiMWfizd5LLCOTqbNhj A0dF80J3UGKv/C612LkYQdKrQA7ZX2SbMdTTZbinlJuVbZawPhB50hbpLCFKK4RT U4PcGiPzh9BmwYAdBX6DQGrYOvXyv7QpB+oZrOh7Gi/ice3IrbGjkuReLkl6cfPG vmYGkZnrc35nJNvwyGeBiELkgw28Lz1WX3eWXv3hKcWAIhRBknhZ+sHtrys93j4R TumnS41yNUYNENBxF/WFWYmw3oqBao170KE89GGKrgW0adHQceD3L8zz5JBDFQJ+ P9tCdd6qzJAzuHsmt4j+tuGuGl5UCVC1vtzWey3vwbeKzttBhZOBH6XGb/cwLdEP gK/1nDdShoxliLf8z+ACOgmGwjrUPhXI4lRHZ8z9ItV0dvqb7ZbW4hpBC6SbOlxw rLbwn36+8YjXl9nPKrjCUSfpjwDxSU5WnqtkcB4CNzeZe3OQwNZxjFG0TOfoHRBX BsJov8xq0GnDE8J6/WcNHUwoNMo4AbFhftP7c1oHVu2F9z9GlLgnNIhPY34+lfo7 +3UQffRzOXo11xJKrrqT =4A8G -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 3, 2015 Share Posted June 3, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3249-2 security@debian.org http://www.debian.org/security/ Sebastien Delafond June 02, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : jqueryui Debian Bug : 787100 The update for jqueryui in DSA-3249-1 introduced a regression where direct usage of the file jquery.ui.dialog.js can get broken due to a missing function definition. For the oldstable distribution (wheezy), this problem has been fixed in version 1.8.ooops.21+dfsg-2+deb7u2. We recommend that you upgrade your jqueryui packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJVbhbkAAoJEBC+iYPz1Z1kApYIAIuRImpM6/8Xbn6IqrfjA57h QfW4h4b8fdPDPmfs+WEGMFaS5wYXvodXof93Z1r6seTIbATJj3s9f//VOSE2+yu+ v7q4vTgUgG1hxhpr/BfTC2kuXmA38QgpwQ6Y8oB+DM4JfswyX9cA/i14CfB4D3tM Ch2n/ZQYPXlYXSAEJwqhRNpfO7fniBIZn12wr7Rk4zsnwuqAZpFouAtKR+eNtF2+ p8QI/7dvN+tR71spmDDZJZqdau3+JbM+OMtRzMmwDwUi2K2XZdRwc34UEkxIl5G7 msPZHo1LOL8eYufaBvXmUW6HuVf76IqMpNZvTd5XwI876qt0/qSyMAStgDesJh0= =CQs1 -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 4, 2015 Share Posted June 4, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3278-1 security@debian.org http://www.debian.org/security/ Markus Koschany June 03, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libapache-mod-jk CVE ID : CVE-2014-8111 Debian Bug : 783233 An information disclosure flaw due to incorrect JkMount/JkUnmount directives processing was found in the Apache 2 module mod_jk to forward requests from the Apache web server to Tomcat. A JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them. For the oldstable distribution (wheezy), this problem has been fixed in version 1:1.2.37-1+deb7u1. For the stable distribution (jessie), this problem has been fixed in version 1:1.2.37-4+deb8u1. For the testing distribution (stretch), this problem has been fixed in version 1:1.2.40+svn150520-1. For the unstable distribution (sid), this problem has been fixed in version 1:1.2.40+svn150520-1. We recommend that you upgrade your libapache-mod-jk packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVb0AhAAoJEAVMuPMTQ89Ef+gP/1e6ZRHna5rrHYiaclwnWg8Y YHIjWwqfsnldjqfTirrBtf9TlLZrqIUHhaeaA0PEbzvzqVfh5QToOvvMeFHqXLS2 4eSmUtc3hb5BQlSvPsuP5RzeDYPy0S2zRaJlQ6dKSXmxb3Zh1drjxUg9kzpEGU9v ykwDIRO7w+YpfcNqoxldgL0JOngMa9Qhl/wSwLV559wrESiSp2QifN/JZz2YRvsp XeZvCHV5dHYJLfCOn3bQ6QRf0votEFObrW2T14noo/Srxv1n+4sstql7bCDbKW8c O3SrlEk7HX5N4qPlG8Jo288NH1gqxXbuJ9SqF1MlIJsYE2UWT2nydfHVM1vMH23+ Spfd51SfmrK2GSOg2tna29BDGInDZ0Tud+GqsTKMMICgtg7SCK4FIrZYhhFFompG li9h7DE96Cbv6J5a8JSIYg/kyzFOO8VcYakOUOJ2Oyo8Tv2a6GJLF9azjsThE7bv LBUWbk2cOsd98BYtsUwFKJhqQLBvRCYnw85/WbC8EDmkbyrxIKf0uaF1e6vc9qV9 4OKmIgbNageXDzrfnc9PrwZ05xPiPhFJUk3Bu3XzosMzqU7XBPhtjkvPGJGcMv9g cCepn+vtFQFBR612a4Gm16XN068zbnBR8VHx3PRNIVkPyhoxR55RdFtwPL7FCHX0 XVZyRUFDwW4cMiJnJ49U =M39D -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 6, 2015 Share Posted June 6, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3279-1 security@debian.org http://www.debian.org/security/ Alessandro Ghedini June 06, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : redis CVE ID : CVE-2015-4335 It was discovered that redis, a persistent key-value database, could execute insecure Lua bytecode by way of the EVAL command. This could allow remote attackers to break out of the Lua sandbox and execute arbitrary code. For the stable distribution (jessie), this problem has been fixed in version 2:2.8.17-1+deb8u1. For the testing distribution (stretch), this problem will be fixed in version 2:3.0.2-1. For the unstable distribution (sid), this problem has been fixed in version 2:3.0.2-1. We recommend that you upgrade your redis packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVcs+9AAoJEK+lG9bN5XPLU74P/0JkRt5MbpSrCaydmUfIVoYI hEX9w6wwBsINZTE+n4D4+2icrCu1NMFEnHg21sU55iZgvbGFiBv2c1lu6YX35O6I He84RfFliyhNbplTcBoWLK8Otw9V8BLH1iZNtohci4atmCnb/h7fQ5ggb/5tocu2 GHnJaDzJRs6k4DgRRtj3Y40R/Z/CagYu/6BXUuBAiFJq8iBMSROGtIX/7H1UWtW0 Glzp2VvWWP5YgXUgf0s14Tzmv8Y5roggnHs26reoHUKap5gVwpxBjo5WlQ2lMEiF d7hV5apMQT32Fnr7iBynpyNd+ZHlFnlpugiv7MzuKa//v4Xx8bXqguyPi0Q86NxL Mg4cXPxVYLutMRiYMlFvYZxowuPT1YENR18f98WLsiB7rKP0KGetijSt+9m4iGxK 7yWUWo4h/Fe2RaGJsb8mlJJaCWA2M6ghWud96rx3UDxnxRXPw9TSJvbG5izS0zRC DrMi+5U/GTZ5qyc44UyELTAkGkMtDdt+KQjf7lvm+p1qiLozT2U7kDOC4OR/UOQw mOOSnlxszAPfUKTPQQ688wirnSmuf5Gxub1DouuAMZdTjNq6MAhdm5W1Fm8R9tvy KT9MasqKAotrTUZFU4PyCI7kCnNTOdADRrf4fgQCTVSPlqnd+PkCHlnucOci6PX7 ipBBrnSPePMDHD5Gz1zI =3W9c -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 7, 2015 Share Posted June 7, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3280-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff June 07, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : php5 CVE ID : CVE-2015-2783 CVE-2015-3329 CVE-2015-4021 CVE-2015-4022 CVE-2015-4024 CVE-2015-4025 CVE-2015-4026 Multiple vulnerabilities have been discovered in PHP: CVE-2015-4025 / CVE-2015-4026 Multiple function didn't check for NULL bytes in path names. CVE-2015-4024 Denial of service when processing multipart/form-data requests. CVE-2015-4022 Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code. CVE-2015-4021 CVE-2015-3329 CVE-2015-2783 Multiple vulnerabilities in the phar extension may result in denial of service or potentially the execution of arbitrary code when processing malformed archives. For the oldstable distribution (wheezy), these problems have been fixed in version 5.4.41-0+deb7u1. For the stable distribution (jessie), these problems have been fixed in version 5.6.9+dfsg-0+deb8u1. For the testing distribution (stretch), these problems have been fixed in version 5.6.9+dfsg-1. For the unstable distribution (sid), these problems have been fixed in version 5.6.9+dfsg-1. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVdHnyAAoJEBDCk7bDfE42+jAP/0nZWh6HnJpBhxbSgP9fHmtJ NOp7GthaatDYuqZ2VOmQ16nh55p90fcbOkiUMtLvK6PF/D+JI0XpAnAKrHTWH491 0Iz5Gh3sCKccQYweRAojgNOIm2zBKLFfzK778h6lQIcM3UY1w16RGWqSPEQ/L0pW CfxoGpom2SlhGE4wVxX1bmSGeM1k79hoZrzcBV7EfrqBU3zP/tSfRCTjjEIkYIov almbQRAfdNnvOpJtBS+1NE/As4OX7JkJCCx45Bjfeond9oA22CsR62tan2+Y2wrk Bd1UU8nNGnBfcv8ramWXzwZbUQDGfbsMJ4Dj/RpmID0e3HCAkRcSLEuSCWqCCE0o c6eL6gOWCp7l9uvsJZ3CG67zRkqdU1pj1dHy6p7j0E+o4iNSVwRYxqAO/luF/baB kOH5UV62On2UoSDGS4Ix+hHavC8dfX1L6NvH7YigXZYxNAsMLEo3x5M+tz5bJk7E I2RwRJ8rrDN8jC8f4sag+IThCezDHz3SPFE+IFyD3UredQwePfaY7IYn4Cl+nezY 7yrcdyi1KJSQyDM9upE+L6Ytcv/5tZiOdOUxq31NKb7O3rLvTKZtreUAxvFiTepT MGPsLGF3LRsQoty3S8g1tkl2DHt6IZgIELT5x6xDCs7jBvC5R45UfhvFNm6fhM7F wjZ8f1+8OlapWivt9p0R =80kf -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 7, 2015 Share Posted June 7, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3281-1 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst June 7, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- This is a notice that the Debian security team has changed its PGP/GPG contact key because of a periodic regular key rollover. The new key's fingerprint is: 0D59 D2B1 5144 766A 14D2 41C6 6BAF 400B 05C3 E651 The creation date is 2015-01-18 and it has been signed by the previous Security Team contact key and several individual team members. Please use the new key from now on for encrypted communication with the Debian Security Team. You can obtain the new key from a keyserver, e.g., http://pgp.surfnet.nl/pks/lookup?op=vindex&search=0x0D59D2B15144766A14D241C66BAF400B05C3E651 Our website has been updated to reflect this change. Note that this concerns only the key used for communication with the team. The keys used to sign the security.debian.org APT archive or the keys used to sign the security advisories have not changed. Further information is available at https://www.debian.org/security/. Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJVdJSGAAoJEFb2GnlAHawEOxIIAJWUNtyJ24UvHIj128PY1hkY AdDMzO+kLJNnkEftKRsj6RkcFgroFqoK/HqfOGM1nkGLbfwM92S7eDW3VoMtvmXH wePiZdhpijfLjbazGggPd5q4lWWYcIMQ9opCz5/lmEeRPCec0wU5X6HDcSJP0OCs dksvJRqu/Z9ZXV3NG5ytP1Llgr6nnSk+FPrQj5f006P7Kqy3R5XKed2tdKtBSVtY mSO6/nmMRdbsht0FMzJ+FnNVrM6Tclje5RrTnl6dPYkqnySlTERvwXAEsTkaaiY0 SuTHbPjBtgJo4crfEt/AoNbhfby/IaeOi2AOc0zKpGziiax+opxUCRbwL2irX9Q= =gsdL -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 8, 2015 Share Posted June 8, 2015 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3282-1 security@debian.org http://www.debian.org/security/ Yves-Alexis Perez June 08, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : strongswan CVE ID : CVE-2015-4171 Alexander E. Patrakov discovered an issue in strongSwan, an IKE/IPsec suite used to establish IPsec protected links. When an IKEv2 client authenticates the server with certificates and the client authenticates itself to the server using pre-shared key or EAP, the constraints on the server certificate are only enforced by the client after all authentication steps are completed successfully. A rogue server which can authenticate using a valid certificate issued by any CA trusted by the client could trick the user into continuing the authentication, revealing the username and password digest (for EAP) or even the cleartext password (if EAP-GTC is accepted). For the oldstable distribution (wheezy), this problem has been fixed in version 4.5.2-1.5+deb7u7. For the stable distribution (jessie), this problem has been fixed in version 5.2.1-6+deb8u1. For the testing distribution (stretch), this problem has been fixed in version 5.3.1-1. For the unstable distribution (sid), this problem has been fixed in version 5.3.1-1. We recommend that you upgrade your strongswan packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -- Yves-Alexis Perez -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCgAGBQJVdao4AAoJEG3bU/KmdcCluZAH/0KIDlKhVrU58yZ2uqThY8IZ +rYZDO1Liz4X5Ycx+vo+tM85DsqUYNQeTeBSKxpQX57XKF2KY09tVF08C1oXo8u6 JA3h9B4zsSBMm3210IQ4XQBQZSA5XnqRg4mTANihtdCZNhwrtskAcEiHwDqKtzkW FNHNzLtduM9q7w8rApLYAYROKGjO2rR0YyEQ6iu55fnMoyhL8Qy9t5uwTOx+fGDS 8ai8lKMIGTtVXVYw/HrsYJA5hl88ndbbBAZzoJrPcxFiFFjBpawpWdhgPlf4kYRr 3GrsqJcwQvPSbQcOyxzGIFa08JJOGPwRx1M1HfkmZHI8RQQ8f/jp9ZsibXaFXPs= =HOGE -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 10, 2015 Share Posted June 10, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3283-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 09, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : cups CVE ID : CVE-2015-1158 CVE-2015-1159 It was discovered that CUPS, the Common UNIX Printing System, is vulnerable to a remotely triggerable privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on the CUPS server. For the oldstable distribution (wheezy), these problems have been fixed in version 1.5.3-5+deb7u6. For the stable distribution (jessie), these problems have been fixed in version 1.7.5-11+deb8u1. For the unstable distribution (sid), these problems have been fixed in version 1.7.5-12. We recommend that you upgrade your cups packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVd0tJAAoJEAVMuPMTQ89EY3AQAJgNcIGHoYtwo8gKZUY3FR17 rQ0YIDOcITHGNBz8CUvg1k5FdpRx5xj9hrOj1jWmbtq0jNnreUf9j2VzNYRZ1vHU VFNWeGZFeWjKMUuk9W+vVignldkslvSGWu4bM9rHVWBTHApydp4VOZR7Va75bLru PiOq9rARGSWwEUrTscpujEYe5uvpeq8secQrnevhC0L219GzNKpiPmOFRk2wBlzx dhYTPQ516EHBg75R8t/S/hmOmVRNSZzhOro/9Dv2ldmy2hHAzBSyu5o0Wa4Bc8Rr N9gn7aXM+7B+jY9qvhXhstQBBQAAGbIJnGvSKTdzPnzzZo/iFVUZkIO6VH9+bdvj u5/XG0k2ZarcVIIR/6CR0GQFrt7xnx0EQ1OhjztzwH8hOeKp3PSXOv/tODU5Yer+ 5UkRkPJZpWppJ9z10/QQc/k6PbGdpodpdOvchbQJRcg8OcYun+rg+G+9+yk7Srkc 3VkQ1WYlLT5hn6o0XQtvqnfUjGpy8RvnAbzCA9gscO8w0IIykQc2UYtcPYpwcfQg vyd0n68+8fw6q2EOB8HNPBwvT8v+K+XT4/0vTdmZYFeFV36Ca//7ehQ0CRj/kIFJ pG/ucF2/5aie2hQpXQx13OqMc0ZTwetbKVrjIorH21dTZFGnezal9aAGzliVl8lP /fC+tztvQSK8xLlNonrz =PByh -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 13, 2015 Share Posted June 13, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3284-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 13, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : qemu CVE ID : CVE-2015-3209 CVE-2015-4037 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106 Debian Bug : 787547 788460 Several vulnerabilities were discovered in qemu, a fast processor emulator. CVE-2015-3209 Matt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. CVE-2015-4037 Kurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. An unprivileged user can use this flaw to cause a denial of service. CVE-2015-4103 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service. CVE-2015-4104 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service. CVE-2015-4105 Jan Beulich of SUSE reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service. CVE-2015-4106 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code. For the oldstable distribution (wheezy), these problems have been fixed in version 1.1.2+dfsg-6a+deb7u8. Only CVE-2015-3209 and CVE-2015-4037 affect oldstable. For the stable distribution (jessie), these problems have been fixed in version 1:2.1+dfsg-12+deb8u1. For the unstable distribution (sid), these problems have been fixed in version 1:2.3+dfsg-6. We recommend that you upgrade your qemu packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVe2FLAAoJEAVMuPMTQ89EMUoP/3ZM/GqxfgYdY2ysKzqMFesy TJ9IU16jV6EQlQV/tXR/S5v98ZdD/8lRqGNQeBSoZhaCV5OdFk59whxkBUh+qPVQ R23Owg8fgFLEt9BnEP0p4SS/Ol/mPnffahAUcawKTm3cA2GJeuEn9bSwqsp0Dqw4 b825yj9CqFwxPSFUNEK0OdgQi9Ch7xi2lm+PPSC9czlisCOnX37wrSsPGLCdMLMJ M5TEKMLrfwkAz1anAkqanCJ76OHTA/g+BxboB00Rfxdj+vNfQ9gULLI608hNQguX mN/j650Ltiejm87/XCsY5ROXqrmxU2edNIzovkruYuQspdpNWq1tv6YNtpIsOqKA cUlQ01o0BImfP2Jxr3HO6EVQIiA+tt4Z/JIRe2Tpq14mkWQZKEqypW8segmF9Cen msuVM0pdbCT0WgAQYIZtx5r+9qKy/WY5MEAYZiipJHF2brBeEbSFjMQ/nZhEj/p8 RckM8BhQn5hhVRLku3+eVGyEitrQ+6lBwGL9H6h2iri9i0G1JRg6r9PF0s0amHht yGhfpv9tGIN6CEY9Srx527tCDfdNBduLl/rBaXpW7G3TydZDPo2wXIqiwZh2cb6s lY04+Gniq/1xanTazH0zSq0xCCRDjhK2FgnA16KITwHcXsxj4R/Vjul5Id+2LH28 pvVYLYEJbPoEooiDsI94 =atuh -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3285-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 13, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : qemu-kvm CVE ID : CVE-2015-3209 CVE-2015-4037 Debian Bug : 788460 Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware. CVE-2015-3209 Matt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. CVE-2015-4037 Kurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. An unprivileged user can use this flaw to cause a denial of service. For the oldstable distribution (wheezy), these problems have been fixed in version 1.1.2+dfsg-6+deb7u8. We recommend that you upgrade your qemu-kvm packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVe2FWAAoJEAVMuPMTQ89Ee4IP/3Wo1PrIGhkQTJiOf/21YH+7 hUM9EgWBMDz/Iq5hEmH7OsVDVfWtUFpqbokthSRVyec7SVnrJAAgIRYPZfg0qXlZ 5FQkymRN5+5WFlRd3l23mQpHpIAc+p3u24DWkXblqsLclwidFseoUVaj82GSJGlW z/CIFwHhEaa5pIWj44KIhg1qL2wCKDLL/KWHpONEUfXyZET7IF3kUKGFFC9UOco3 rgFiHC0CLNoaxt6biX2akSQgFI3Kj1IR1NIB2zFZhH4eXdiDp1M4VTKch9IALIoK G6KiQwrucTALntEvegFtdTrRsgE7bGUzc89grLrXAWhid4rvs2cc3XYK0hTq1GcT Tzs9CYtpCJ0E7JY6/V12WAY3YJLFcvde5DNZM2xFltmGeAyfpdjbuSvD54lfW4NZ Fukl3ERhxk0MjO0267qKT5Xv7q+JcLht9Bowhseazda9W3Pi9SpLlxKonlFMwyWm iB5rc61ReOXom1aJgO3tJkHTBAjXiLDlXrES4wWUXIL5HbVWsx6DJ12SUt3RbVtr GEs2Vt4h/J+D+6umpjHwnvVhkZKM3J2F9WXLRGVfrvctj9J3kmFQjhGAQ9kOlav8 t3AvMuVifdojal3fEb1a8HrOgZOPlurEATIBSljSNBWfrBDi2IWNZruiBCO56Ap8 XPYm9Yc9IdYTUfXgcU5w =CM7i -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 13, 2015 Share Posted June 13, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3286-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 13, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : xen CVE ID : CVE-2015-3209 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106 CVE-2015-4163 CVE-2015-4164 Multiple security issues have been found in the Xen virtualisation solution: CVE-2015-3209 Matt Tait discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. CVE-2015-4103 Jan Beulich discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service. CVE-2015-4104 Jan Beulich discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service. CVE-2015-4105 Jan Beulich reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service. CVE-2015-4106 Jan Beulich discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code. CVE-2015-4163 Jan Beulich discovered that a missing version check in the GNTTABOP_swap_grant_ref hypercall handler may result in denial of service. This only applies to Debian stable/jessie. CVE-2015-4164 Andrew Cooper discovered a vulnerability in the iret hypercall handler, which may result in denial of service. For the oldstable distribution (wheezy), these problems have been fixed in version 4.1.4-3+deb7u8. For the stable distribution (jessie), these problems have been fixed in version 4.4.1-9+deb8u1. CVE-2015-3209, CVE-2015-4103, CVE-2015-4104, CVE-2015-4105 and CVE-2015-4106 don't affect the Xen package in stable jessie, it uses the standard qemu package and has already been fixed in DSA-3284-1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your xen packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVfDmzAAoJEBDCk7bDfE42W3AP+QGuXuhGJ5FFSHK7UmCFPbrn xsujh8hQKJHb7WFc7k/xdimHWRT2K6MJ6v29Zl+MNR2oLcO0ty28Xuyb+EIWwTbV avuP2igg56delwp73P5ts3ZX4YFBCsonqCjIhSd3QCQkAIGL63x78n26OrDAVvba 2piJ2lJPAMhm4gBJvkWbKnQaIDaDN5qzckZwXfHgCYKhu/d0C2ZrD+RcMg+UTq6j CFqWB/xaGMT6WILfiKPOMlKkNxH1rqaJ3Kou5q8i9T4QvZq9vU0KHhYWWecFo/KP S1AH7Vp1UZPQbxVAYHq2mITvIr6RRRMZxJEpzG6wnlPV5G8cM6ZqR1a7nBQ9mhoB lRWNs8zHvMpS2XxfXzgt/pV3jH1Pj+ELPWP+m4Kjy8g2xFaiW8y4LYq4AUv5+oDa IBuJW+UNkEWIyrWqhzu0laT8EwTmS1JFt4est4bbNMU0O2Xdo6qB432XNwM804lo lsii1eEXe0FKpFZVYKho1gLCHVxdWz3EPhZ5qHb8Gi5tnbElVY7aqtACBFXvKd6K 81+qOpiqGk8EMHkdmGBXpwJoMTIczBXxXD9RZazq1Ynr3yNcgtnsz7CVqJTUAb2a Ot4yIf0E5kYAau+tyVQ+Y0ZRbUN3A1u+6gpJqLvTqF80pj1M8kt7DuXC/2lQXl4q ngY7U6RlmLRNSaXd+xvR =gL/x -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 13, 2015 Share Posted June 13, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3287-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini June 13, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openssl CVE ID : CVE-2014-8176 CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-4000 Multiple vulnerabilities were discovered in OpenSSL, a Secure Sockets Layer toolkit. CVE-2014-8176 Praveen Kariyanahalli, Ivan Fratric and Felix Groebert discovered that an invalid memory free could be triggered when buffering DTLS data. This could allow remote attackers to cause a denial of service (crash) or potentially execute arbitrary code. This issue only affected the oldstable distribution (wheezy). CVE-2015-1788 Joseph Barr-Pixton discovered that an infinite loop could be triggered due to incorrect handling of malformed ECParameters structures. This could allow remote attackers to cause a denial of service. CVE-2015-1789 Robert Swiecki and Hanno Böck discovered that the X509_cmp_time function could read a few bytes out of bounds. This could allow remote attackers to cause a denial of service (crash) via crafted certificates and CRLs. CVE-2015-1790 Michal Zalewski discovered that the PKCS#7 parsing code did not properly handle missing content which could lead to a NULL pointer dereference. This could allow remote attackers to cause a denial of service (crash) via crafted ASN.1-encoded PKCS#7 blobs. CVE-2015-1791 Emilia Käsper discovered that a race condition could occur due to incorrect handling of NewSessionTicket in a multi-threaded client, leading to a double free. This could allow remote attackers to cause a denial of service (crash). CVE-2015-1792 Johannes Bauer discovered that the CMS code could enter an infinite loop when verifying a signedData message, if presented with an unknown hash function OID. This could allow remote attackers to cause a denial of service. Additionally OpenSSL will now reject handshakes using DH parameters shorter than 768 bits as a countermeasure against the Logjam attack (CVE-2015-4000). For the oldstable distribution (wheezy), these problems have been fixed in version 1.0.1e-2+deb7u17. For the stable distribution (jessie), these problems have been fixed in version 1.0.1k-3+deb8u1. For the testing distribution (stretch), these problems have been fixed in version 1.0.2b-1. For the unstable distribution (sid), these problems have been fixed in version 1.0.2b-1. We recommend that you upgrade your openssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVfD8XAAoJEK+lG9bN5XPLVMcP/3IJavEP0DvwOjnmmoRMTZ6E gx/OkKjyojIT5+S5nF2NuEnkMXkQkEioOhABedGiREM5441zClA2ahbjXPe+NWsU MTXdVDx0CyWon2aE4vyn9XxD1vyhKffPBozS+WYZlQyB7y1xBD7as1pp40gxn3Ps p9I379gQ/HbKW9GK4E9y/ocXHs9WFXeh9uBEge+N+VQi+t0C8WJZX1LJ4k1Fc5GY /5RpEU6ntJWhQaUxdaVK7Eh7DThnlmoLp5cyxK6daesXrbwS3jyNknk05XphktkG I2IBoZe+Z1Dgm9URqMh6O1amOOzdbc5y9HOwmW457F/ky5DggTlabeOS+Dwo3X6P AzWaRgOizSDyxsdBpDD3QsqZlnWI5dKLy2irvKS6c0N3ju8huwEKRdOYfbFZHA2r x/uW6GFrDhVMcdA5UjvEZoKHmC7aXdaTbLodeVNchx5ARz85OZgfo40StNi09ihC 26peaJNLwls32YwaIoMX9lTJRcKhdOPkvu6ufp8lTCxaYD/B2+T9gCaqUP89KgA2 zo18PGsBHPizKPVg5jRQd7esigsqR+R84FIe13yxytw85oK58awkxkibZl/HldFQ wO7cQlBDm5sKIGLu36A6Qw+ofafk34JPLjSi7xFSxID86S77/z16B/ySB0OvzHvJ AXTWHHGtbZfFFPXAIHeu =7M6H -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 15, 2015 Share Posted June 15, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3252-2 security@debian.org https://www.debian.org/security/ Alessandro Ghedini June 14, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : sqlite3 CVE ID : CVE-2015-3416 Debian Bug : 783968 Michal Zalewski discovered that SQLite3, an implementation of an SQL database engine, did not properly handle precision and width values during floating-point conversions, leading to an integer overflow and a stack-based buffer overflow. This could allow remote attackers to cause a denial of service (crash) or possibly have unspecified other impact. Note that this issue had already been fixed for the stable distribution (jessie) as part of DSA 3252-1. For the oldstable distribution (wheezy), this problem has been fixed in version 3.7.13-1+deb7u2. For the stable distribution (jessie), this problem has been fixed in version 3.8.7.1-1+deb8u1. For the testing distribution (stretch), this problem has been fixed in version 3.8.10.2-1. For the unstable distribution (sid), this problem has been fixed in version 3.8.10.2-1. We recommend that you upgrade your sqlite3 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVfZk3AAoJEK+lG9bN5XPLpV0P/0WW2qKSSsMkFznwZ8tK2n6I LbvWQcPN48ydcIk68eHACRXMcMS4utmOgH/Ge51fIx/BqGL0waZhBJ3w2vlYiiSM 3aLNCtmyipX/rugLglVcI+yeHSjMrqKnL7Fqkmv21yNxM/jTjYuwH22yNSaGuqGU Zk4IYus738LzSQIMDiZ3+HW5A6j3MeJkoLwgW+C2yuwVs2p3df9uKxyOn5t8tZuZ cuXvTzIx3hL65ZKS24c+fVV+kqyPT0yaM5JxFiTigm6QmUS0olAmQFaGLNRyxbD8 7RZvg7qsKqZQBxO375gGMeISMFWAXyNUfPUo36QG6xcMt6fgWgSCKqcLrYd7N/Yx ZKWRrF4/5d6eagyNTLflAI8/le4Bjksoe2MP6Fy9/Xs28oS3UU63ZA1X40LZ1QAD NR6LxMiqbRWKolYQg8IDeYbe5ABevOmK4Ko27o9+NM7YJwzRZ3iJ1WyM5sUj9EKh 8uVnT6BgQk/uYPziaoegeKYMTQ5fJ8Lt/p26y8aK7jw7GAWK7sPiaAiBYz2TNk29 Q8fIcCN6bJ8kOpR6JCzQiONLKjWHX6gYww7Q7Gk3KVngoOIwBRQXHnLCYiqzP4TX zYZGNCeUQJp4xosr4EebGWFVGRZO1f8lS5z5+kiR9At1AypImBm/eLoOC+6eQTbl 2/h0kXgEbXU/yVZ5bGhH =75qj -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 15, 2015 Share Posted June 15, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3289-1 security@debian.org https://www.debian.org/security/ Ben Hutchings June 15, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : p7zip CVE ID : CVE-2015-1038 Debian Bug : 774660 Alexander Cherepanov discovered that p7zip is susceptible to a directory traversal vulnerability. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory. For the oldstable distribution (wheezy), this problem has been fixed in version 9.20.1~dfsg.1-4+deb7u1. For the stable distribution (jessie), this problem has been fixed in version 9.20.1~dfsg.1-4.1+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 9.20.1~dfsg.1-4.2. We recommend that you upgrade your p7zip packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVfwdnAAoJEAVMuPMTQ89E7nsP/A48ZX8CcFIp18rrQfVlnm7F eJoczO/lFXnzGuSmpLkgC5T0qWlLQkoi8SwUwH4HlIHrXNTTBMg5OhynxeKzZEXE GS/m9gyXpQfHOEp4uXLzuF9+GejTucSdolOmbj7ibiSHpvc2/k/vTjBOEz+pFtTU jElwPO0xk7+vqL30MuOb4z3+ljKiMoKlbEXur0wqQJEASnJR/Y0BBwQVgP6Vomvr uV5NhnILC7T0dn6W8SCIlH6l+PH3am9ZSU7ZIis34CqJj1/kTidh1Yx08m5VteSk hcoUpprI9GxBlpAUnZpGeQzNF339q3fu79oqn/QPmN8eS+nxR5iz5LlF3Qkf7uNI hBBDayoVuXvc+cYnNzbCQlsX1SujRB+T0YY7FmG3lmINsAVhZxPdzb33Y/bz/PTy aeyPbLV5JRacs6Cf3ohQkx5OLGMWYS68GlYlJ6Vl8nXy3bZQs0SliJ0Yrw8qeN/+ Bs/mCuGwFmAtIil51eO6hgK7DyPmg4F0wQ8cYlDdd+9lwjwpJhsv78HEL9Fwes+0 6TMO+/bklwXl6MXlBRplKgH71qY3TSXLB42b1V8k1WtmvOZabbPR8qGYUyk4KNTl FRh0tSYLJBNBDKIHbBauzwFDSwt4Nim/f9RvGtzCiaMAmjEnz5lORwDcxOohYGBK eLbOWitv060If2LLga6c =/lLN -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 18, 2015 Share Posted June 18, 2015 ----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3290-1 security@debian.org https://www.debian.org/security/ Ben Hutchings June 18, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2015-1805 CVE-2015-3636 CVE-2015-4167 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, information leaks or data corruption. CVE-2015-1805 Red Hat discovered that the pipe iovec read and write implementations may iterate over the iovec twice but will modify the iovec such that the second iteration accesses the wrong memory. A local user could use this flaw to crash the system or possibly for privilege escalation. This may also result in data corruption and information leaks in pipes between non-malicious processes. CVE-2015-3636 Wen Xu and wushi of KeenTeam discovered that users allowed to create ping sockets can use them to crash the system and, on 32-bit architectures, for privilege escalation. However, by default, no users on a Debian system have access to ping sockets. CVE-2015-4167 Carl Henrik Lunde discovered that the UDF implementation is missing a necessary length checks. A local user that can mount devices could use this flaw to crash the system. For the oldstable distribution (wheezy), these problems have been fixed in version 3.2.68-1+deb7u2. For the stable distribution (jessie), these problems were fixed in version 3.16.7-ckt11-1 or earlier, except for CVE-2015-4167 which will be fixed later. We recommend that you upgrade your linux packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVgl5uAAoJEAVMuPMTQ89E0w4P/iN3c8IcJfvQJry+CKyC4suV XnNlo3rtYuTRiF1JLyA/XzwAgvO5NXQbkeqkM/bGtO2pGnUT58ABP81n0rZsWzUR lps5aiAqm0pkKZb+0JhchVBo+8BZr8pUJ/ezlqdfeImMXiXhGjDtwxK+NYxEM77L MXPH18EZtyxkhEqWPWEKKGGT2KhEXrKR/wj3BXL/zbvi+m54Xuhn0Nx0Y5D3tvO3 FMR4CMnYdLXyk40mFbUdvONSz3Krl3jY7si9Tv3rxLZvwTwU14Fj9uPlRjAufWv2 uMm7wVuDzUTaDXX8pg+I7NrseTP8U+0cvHFLMWhCTn2Wza5ZL/iDKzECkJUi6mGS pVBMd8j38zQa/t/WoIl8PKxL/tT0YbAnPapkOvpA37Ck8pLxggDDkks4S6WJndH7 RSK+zkJQNsnu2/w61kJpefy2RISpzvjKQoxDvgObZ9xW2Uw2MgYH7X7JssUZvw/b gxcMH9YDigCg7YWazY9gMx1AfK1gEPjX7//6ViaTna5Q+yQQjnBdiHOaebxTkFaB RCL+kalPbqbHKmjsY93woDJBnDfnqHym3CbGXa5eekmeV1lbEyokupJcgmqExCgO doaB12Gpk7tSgDDT5I2Nd/OacG1tGrPAnLyc6SdMbzL5WUUZBE54XrNvuy5swmWZ FDtQUDHyLAUzj4e84goJ =Py9L -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 18, 2015 Share Posted June 18, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3291-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond June 18, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : drupal7 CVE ID : CVE-2015-3231 CVE-2015-3232 CVE-2015-3233 CVE-2015-3234 Several vulnerabilities were found in drupal7, a content management platform used to power websites. CVE-2015-3231 Incorrect cache handling made private content viewed by "user 1" exposed to other, non-privileged users. CVE-2015-3232 A flaw in the Field UI module made it possible for attackers to redirect users to malicious sites. CVE-2015-3233 Due to insufficient URL validation, the Overlay module could be used to redirect users to malicious sites. CVE-2015-3234 The OpenID module allowed an attacker to log in as other users, including administrators. For the oldstable distribution (wheezy), these problems have been fixed in version 7.14-2+deb7u10. For the stable distribution (jessie), these problems have been fixed in version 7.32-1+deb8u4. For the unstable distribution (sid), these problems have been fixed in version 7.38.1. We recommend that you upgrade your drupal7 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJVgwLfAAoJEBC+iYPz1Z1kWA8H/0Vz1+4+01DmM/MO3R84Be9M slFYMUkEUcw62w9b/pog5ddHI4BzdFZWMjqHy9u7rtpLTZCfm1gkGp5F24PsSc1S Gm1UBzO3zXMsi20ZRAS/ejGwSm3j6pw9CrOG+RY0GkwRt+tcoBk8cuXz4n0eXySA 6oRfvNLm1NsFCpZzbTcTKK04kGqs2H87W7mHzTYrtUwEAuR0/911e4PZy+5nwate qBPidZP2IuIbhXOFvAt1+1/U9IgETrKi4HK6CeqSb00tF19MUF0fkoMoL9Qz/R37 e84feluJIJdqgBD80eFC4ZVjBApSFhYG5d4t9RbgtZHmnF204ZHEln1gcSBnl4g= =9R+q -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 19, 2015 Share Posted June 19, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3292-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond June 19, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : cinder CVE ID : CVE-2015-1851 Debian Bug : 788996 Bastian Blank from credativ discovered that cinder, a storage-as-a-service system for the OpenStack cloud computing suite, contained a bug that would allow an authenticated user to read any file from the cinder server. For the stable distribution (jessie), this problem has been fixed in version 2014.1.3-11+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 2015.1.0+2015.06.16.git26.9634b76ba5-1. We recommend that you upgrade your cinder packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJVg/79AAoJEBC+iYPz1Z1kodkH/2zADe1fUmy9nbDI3YBPdHYH W/hjoU19ivJgaCNYAmkI1GrzzW/I11fPHxQV1A5q+IBAdhNoXur4HsVCPwfigBIq Nj5f6Wi5srPGyNe8LJ8+XQO+C5prQkP+dnNOJxIfHZVh/J5ZFjBDOoiKA5nQ4MDj Mdt66RA8afVH+6SmtIhpsD43FUG+lA/6T6Ua+QyA+gXr+5zBr8ZMgMdbYnKqtvXZ RyzBx1kAJoN9LT+euDGXpDpgteEOeqZfr3UCiUDtsJR/PdsptNpMmJNHI9mOQy4l 0JwHR5a140+zoI6Qi2sv29r1aWiEJgatRH0b3nDykNIvfXhcF75fays9qy0OcVU= =F1xY -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 20, 2015 Share Posted June 20, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3293-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini June 20, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : pyjwt Debian Bug : 781640 Tim McLean discovered that pyjwt, a Python implementation of JSON Web Token, would try to verify an HMAC signature using an RSA or ECDSA public key as secret. This could allow remote attackers to trick applications expecting tokens signed with asymmetric keys, into accepting arbitrary tokens. For more information see: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ For the stable distribution (jessie), this problem has been fixed in version 0.2.1-1+deb8u1. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your pyjwt packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVhWykAAoJEK+lG9bN5XPLpg8P/0GeeATVVK2WAj4w2b73H96q R/sdb7tJ/7c059UVdDK7vONadXCtXooHcjzgB1ovoPeEc6TMTkNKg8+i4OqoVFta evPOFzYIyv1VFLp3hLjHW/wBMrehlePs75nu/RmAjo5i+cOmxdR/cRlG8fB5gjxu 9dsSH04fwzOAgOtNvaOSTVypRlZtgmKfydPp6an30WyqzhNK0+TzRnD2ZimkUPqK LJe8aL2cBf4oiSlgUJYL1QF4/KSF9DRFU0TIfju7N9Z+XnSfMrBb4dPF+361Bswa hBn8+ZaCKZdFTDrlGc9zGC16x7IDAtjh33gNdogJODkBK+zhctyVI5jkWILXcvOW pw+eCojBvPdHTP2vZzfkQX8CeMC/GJmqKuO6RZrNAXaL4c8ra1pZ07ZY/g8hyXnH nEPm3O2DyARatJqkrfuCq2eJ8z+9twZbQDc7iYmXYAEA2bV9p1B58Pys6XuUyNoZ FoJ4cBunuQzSHUgBk6cw+OQvYR74Y95QKUUH4XEsaoLQwGrK4ZKvgYQs4WSYTNEP 0+Q8nSadOazkxyNCjfkuPPhBMHA/eNGtD8b95toFfbpxhYOF+Er613FzXXCH+n7u Hkf6Wthm+7nxDiJ9Wcas+Kdas/mR49DrKx8tV5KWW626ZTWShwATU4TSlY0jGkrq VaL+u11Sk3pYImakNCLr =U6Rt -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 24, 2015 Share Posted June 24, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3294-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 23, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : wireshark CVE ID : CVE-2015-4651 CVE-2015-4652 Multiple vulnerabilities were discovered in the dissectors for WCCP and GSM DTAP, which could result in denial of service. The oldstable distribution (wheezy) is not affected. For the stable distribution (jessie), these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u2. For the testing distribution (stretch), these problems have been fixed in version 1.12.6+gee1fce6-1. For the unstable distribution (sid), these problems have been fixed in version 1.12.6+gee1fce6-1. We recommend that you upgrade your wireshark packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVib/kAAoJEBDCk7bDfE42iZ0P/101nUT2U0EE0NVjzshto+OF 0RXqIacu+9GURRRvYZbcB/vjdY/1qtfRA1go/PGxX7V9YqQ5t7j+iDgak2/w1TIg ZyVGEZZSFrp48cZRoQbTEkZ9aHwClNTOdZrcH++FtHlNP8Xc8G4W3ssIbwc9PrBL ZNlAMQbEyzIbqIIWiw4VUpuNoN3kglt6iMDkfzLdLSG+hRkSX03srFGrD0WtVa0J U+EAZbOeAEeAHNTMwR2Rj4OOzBZAd6ac1UKZcasf/URwYQFBQStPTFLnlbLbI10g KHDUo7S4Nzxo9oJq/g9J/ud7vg2eLP3DrgYRagub9wsVvTwUjujxudbOmGqQIc37 rR9U8f26YCjXagQ+SMMuLyv4kuWaP+y4oMobgUbEB2NsNECEi2TXLi/RysDAoEOP Vh1E+yHyPVkqxd+jfzB+Wc3bqWxiNmzC/PynOH3diGEUl51fl4fjYs/73rn6OPsv H9Kj4sfYua8rEOnvFIVM1tyeQBum1JJNzd1Sb01Dp7/Ps6XQhTuu+TJu7tMMGPfw ZkIjm6EOTOaBnqSGu93Sw/NU9UQnoB/nRYOSNKuawV3Dom3zKHoKh+GEd66cFtqd ybd15z3hTyacvTRirr7jSnXxB+VlwspjFhiY5X6bEu+VJCQJeSYoLQYtcURb+45S yF9XEYjusfHQX6TeA++h =0wI6 -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 25, 2015 Share Posted June 25, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3295-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 24, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : cacti CVE ID : CVE-2015-2665 CVE-2015-4342 CVE-2015-4454 Several vulnerabilities (cross-site scripting and SQL injection) have been discovered in Cacti, a web interface for graphing of monitoring systems. For the oldstable distribution (wheezy), these problems have been fixed in version 0.8.8a+dfsg-5+deb7u5. For the stable distribution (jessie), these problems have been fixed in version 0.8.8b+dfsg-8+deb8u1. For the unstable distribution (sid), these problems have been fixed in version 0.8.8d+ds1-1. We recommend that you upgrade your cacti packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVivszAAoJEAVMuPMTQ89Eq+sP/2jqe/IKVQwUxnJEY1w6hCRY S5kVRgGIW+e6WZnuIqTXWcELC+XhmOWv1F2McC7SJXclV7eMIlae/JwKb47XFVAX 1Nw1NlK+LZlbm23pqTv0ao8a0REhqkhMMENs/Ss1P2QFHxSCAqcoyXQ2wvTLwfXR 8Bm1qV12pHDd0TZG5gInNVncWL13sFIs8Fx0+psLyFa3yh2u5nbylVM2XNa3XTOn YtG4OnWkBrinpXtJ9S3XfF3JTUgMv0WLoK0ZD105GKJnxDWwsalDgFqkInGoYX6R oA/USy1LgX98s19tRKYhgadyl4FcUF62SR6arhPkLQdH3RX8uuZEs8/ozY6u4WSp 24Fsq4x+4M+9tUwNVwOgZ6+pCPkul3tSTfnxE7uao09JCQmD6QuEqbuJObEexnqz xm4JU3d0nXhLl7CGXdgMr4Cs4B+zRW/yCXyBQkbq72BhBPQE/70c1ze+sIdpCJI8 a3seNpa40kvEUQfxin7+itkfJhz2g1beRUsHclSTz8YrBD3iz79hnhlzJPte5H4z WDBXrNkxKnBQMTkhaTufT+NdnlkcxFPbr6HEW70Px/WNPsSca469NGyHy+u9QZM/ oM78VdKjP4AGKzBBY4HYplkbhRAgfF67Wdg0M5GZ8VRuh0knbogeau+srUTj16BO ZUkO3AskyvyalG1tCSsy =OST/ -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 29, 2015 Share Posted June 29, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3296-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini June 29, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libcrypto++ CVE ID : CVE-2015-2141 Evgeny Sidorov discovered that libcrypto++, a general purpose C++ cryptographic library, did not properly implement blinding to mask private key operations for the Rabin-Williams digital signature algorithm. This could allow remote attackers to mount a timing attack and retrieve the user's private key. For the oldstable distribution (wheezy), this problem has been fixed in version 5.6.1-6+deb7u1. For the stable distribution (jessie), this problem has been fixed in version 5.6.1-6+deb8u1. For the testing distribution (stretch), this problem will be fixed in version 5.6.1-7. For the unstable distribution (sid), this problem has been fixed in version 5.6.1-7. We recommend that you upgrade your libcrypto++ packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVkQXjAAoJEK+lG9bN5XPLGCoP/jlLKGCEKcVIyNFSzNQ3r/K2 j9pYi/aRG8XtKXawti8cG33nhXbjlqKf96kGPHx7Deu9CBiDm5prscfGqUGfc6ru vQhdkamghhI8OsLKeitqHXPFNDleFXa3UlwomBNIqUXzQyREDidQJKZhhg1RS5dY sovbJtUwm0H7F98+u1tEE3tyQQC8VcX3xXncXgVMV4HcVcOj+4tEl64PljUSeGzW Hz2FqQLqk4t7ckT31vlKtVQivAvPiDVu0EazTAnnQkm0FEQCScVCdQz744Ox5RzO P/nuYuK2n5QuI9/0LbnCniEY1wqIKvkXh00lrG00QKbtWpdw891nc7FoMeO6qfLe jVYiJjfV5/tJwFYGr5Dd9ShPXQUR7UnIPh3rgAIYWhYkYE0KHhUBZXcVElSOwCOR ZXuZ9F6I9cXX8NLRBULfXXasPNLi+gYMYcGbF9y1dDaYXH+sskuRXWh1tat2PvuO 6e4u49UyiVvd5GnUWv5IIJJcrCoCayewRsHBsddeagtgtXCA+LRLg9uylm1HELNL rjG+yZcoMRmojyCiEHN5xJekjkK0P82moURBTKq1cnL6eb3GhGB95VJ4UKqg/RNS iGnxrfijoK5ZN7m8qylvoVQExQ8q1nOKSJT1lcpvFAVyFh4RVcjuMALsVIOgVURC Xg0YheXBZs4lRtCcKLtl =NhFp -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
securitybreach Posted June 29, 2015 Share Posted June 29, 2015 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3297-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini June 29, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : unattended-upgrades CVE ID : CVE-2015-1330 It was discovered that unattended-upgrades, a script for automatic installation of security upgrades, did not properly authenticate downloaded packages when the force-confold or force-confnew dpkg options were enabled via the DPkg::Options::* apt configuration. For the oldstable distribution (wheezy), this problem has been fixed in version 0.79.5+wheezy2. For the stable distribution (jessie), this problem has been fixed in version 0.83.3.2+deb8u1. For the unstable distribution (sid), this problem will be fixed shortly. We recommend that you upgrade your unattended-upgrades packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVkXzQAAoJEK+lG9bN5XPL7YQQAIhydn8pwEFGRiW1SrVaODJx XAWCacPo+3aP+qO0C4XDkotLUv1NGy8qbsreUmu/5ED+hzMjCcfk3+yXFkD7/paB xvUQuhKgjAoxTMZWUNjHqik2LFfbd+o5L6q6j+AF/C1SeR36C1lapy25pdD/SIGN Y0dA9Cy2DWUV8IWNJuTwKP2FeGaDdTtZNH0TbA4F2ApC2H2Cx0jJg/pjiV61nk6W OrJyEkqZ+rlr/luucOE52IEto9Ojh1sWzJ2WBCZkvA/AWLL8JTFUR6REQuH5AYSy pbxla8C5mOLoIe1wOAJDsV5Fob9J6vDBe8Id2dOowQD8XtoFzUUzGqxbuteL//9Q nFnKcxEommS2bRIvjWf3s2FBYKcXExonqe1ZNnYzt2AKEKvWiCz5/il1eEXX7ZpO Ryk4Qepox4yIEShu6auR234TUaFBVezmOAD6BWXdUOZ5DtJ739SSNgKoZo8vcz4A LPtWLF30Eb+00fXExy+NoPIwRwjRHFUhii0mEbKHG2P3jvsWZs1ozX3l4Lh4/k6F +ObZPinGbjVCYRcaV+f0Twsb7PvlOchw1iF02UF6YVxjIiUNZUW6+n7m251kffFa 7QmyjKKdNd8t+3Hxf9oAZCAAKswzOopBhGw9f3irHXSOBdhUpPDo6wrG9Un7AJDb vL3fNxm/g7OC6j4MFgUe =Y41R -----END PGP SIGNATURE----- Link to comment Share on other sites More sharing options...
Recommended Posts