securitybreach Posted August 20, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3342-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
August 20, 2015                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2015-5949

Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a
multimedia player and streamer, could dereference an arbitrary pointer due
to insufficient restrictions on a writable buffer. This could allow remote
attackers to execute arbitrary code via crafted 3GP files.

For the stable distribution (jessie), this problem has been fixed in
version 2.2.0~rc2-2+deb8u1.

For the unstable distribution (sid), this problem will be fixed shortly.

We recommend that you upgrade your vlc packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV1fJdAAoJEK+lG9bN5XPLK9oQAJrHDlaC/qYA842zrby5b2jk
ZhKkyU8x9hF80TV6l3XuIk66scm6PZVTaX1xTslvOLZQP/oALFdL8CWyZhB1YkG8
G2R3VKotoW20YR2ww6WY/eAgH+a56g0rjBNYAub3pyTOA7nmH0RkDtkgJNpwlmd0
Nqg0mXVeW1gdP+WXD44DU2j/3O6sqIjp/YWB00p2IIgOaMKV7IU8eCvjLNI3fi8E
A1PTXoJo8LHsN1mXzuAG5Yan7P1mK3u/BgwJqW0rQDy6HaDdvG7zoBZyMcwOaqNX
4hhMVfrdNJFwXXIYPk9eIUyyKEk7Wz74y6EJ1cxJXYmreYzW7GWrKmofdnWNHK5q
nwK6Csuqm1Z8nGclJVRd/+qtwIXX1s4ECwaK9pTE2+ScWNrFSGyqZ2MKcWkx3p3I
xX/aDIWaWlJ2SH3hikK4amMFBLVEXCS+khQPFAdWwsQvjJ2QbJL4nJQ87quNrv/K
2MkoSPBoXnF+2e5DuN5YlieJ6SOSjjOE+qfS+Qg6k01ac0lxijEEjAJ1zfM+AfA+
I02kMDoUdhKxlgdcFxZX9HotZzjThMrdivuonKhtD0xICcRqxXHe2pD3QdPM6FhZ
mVH3r1XSQGl+I4RHWUuflZiCj1uFfe6gbkzvNddPjZtXbHTSAYqpD8SOr8pr7rtU
uviKCGQVXZxhc3LZIYwE
=kepn
-----END PGP SIGNATURE-----
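Every advisory in this thread ends in a "fixed in version" line, and deciding whether a host is covered is a dpkg version comparison, which has traps: the "~" in 2.2.0~rc2 sorts before anything (so 2.2.0~rc2 is older than 2.2.0), an epoch such as the "1:" in the qemu version overrides everything after it, and revision components compare numerically, not lexically. The following is an added example, not part of the advisories or of Debian's own tooling: a Python reimplementation of dpkg's version ordering that checks a dpkg-query dump against the jessie fixed versions quoted in this thread, which is useful when the dump was collected from other hosts and `dpkg --compare-versions` is not available where the check runs. The dpkg-query sample is constructed, the fixed-version table is copied from the DSAs, and the script assumes each DSA source package has an installed binary package of the same name, which holds for these packages but not in general.

```python
"""Check installed Debian package versions against DSA 'fixed in version'
lines using dpkg's version ordering (epoch:upstream-revision).

Added example, not part of the advisories or of Debian's tooling. Assumes
`dpkg-query -W -f '${Package} ${Version}\n'` output and a one-to-one
source-to-binary package name mapping (hypothetical for this demo).
"""
import re


def _char_order(c: str) -> int:
    """dpkg ordering of one non-digit character: '~' sorts before the end of
    the string (0), letters sort before every other symbol."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one fragment (upstream or revision) the dpkg way: alternate
    non-digit runs (compared per character) and digit runs (compared
    numerically) until both strings are exhausted."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca = na[i] if i < len(na) else ""   # "" pads the shorter run
            cb = nb[i] if i < len(nb) else ""
            if _char_order(ca) != _char_order(cb):
                return -1 if _char_order(ca) < _char_order(cb) else 1
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0


def split_version(version: str):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''.
    The epoch ends at the first ':', the revision starts at the last '-'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as dpkg would order version a against version b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Jessie "fixed in version" values quoted from the DSAs in this thread.
FIXED_IN_JESSIE = {
    "vlc": "2.2.0~rc2-2+deb8u1",        # DSA-3342
    "twig": "1.16.2-1+deb8u1",          # DSA-3343
    "php5": "5.6.12+dfsg-0+deb8u1",     # DSA-3344
    "iceweasel": "38.2.1esr-1~deb8u1",  # DSA-3345
    "drupal7": "7.32-1+deb8u5",         # DSA-3346
    "pdns": "3.4.1-4+deb8u3",           # DSA-3347
    "qemu": "1:2.1+dfsg-12+deb8u2",     # DSA-3348
    "bind9": "9.9.5.dfsg-9+deb8u3",     # DSA-3350
    "screen": "4.2.1-3+deb8u1",         # DSA-3352
}

# Constructed sample of dpkg-query output from a hypothetical jessie host.
SAMPLE_DPKG_OUTPUT = """\
vlc 2.2.0~rc2-2
twig 1.16.2-1+deb8u1
qemu 1:2.1+dfsg-12+deb8u1
bind9 9.9.5.dfsg-9+deb8u3
iceweasel 38.2.1esr-1~deb8u1
screen 4.2.1-3+deb8u1
"""


def unpatched_packages(dpkg_output: str, fixed_versions: dict):
    """Return (package, installed, fixed) for each listed package whose
    installed version sorts below the advisory's fixed version."""
    findings = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, installed = line.split(None, 1)
        fixed = fixed_versions.get(name)
        if fixed is not None and compare_versions(installed, fixed) < 0:
            findings.append((name, installed, fixed))
    return findings


if __name__ == "__main__":
    for name, installed, fixed in unpatched_packages(SAMPLE_DPKG_OUTPUT, FIXED_IN_JESSIE):
        print(f"{name}: installed {installed} is older than fixed {fixed}")
```

Run against the constructed sample it reports vlc (missing the +deb8u1 revision) and qemu (one revision behind), while the tilde-suffixed iceweasel version is correctly treated as up to date because it equals the fixed version exactly; the same 38.2.1esr-1~deb8u1 also sorts below sid's 38.2.1esr-1, which is why Debian uses "~deb8u1" for stable backports.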
securitybreach Posted August 26, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3343-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 26, 2015                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : twig

James Kettle, Alain Tiemblo, Christophe Coevoet and Fabien Potencier
discovered that twig, a templating engine for PHP, did not correctly
process its input. End users allowed to submit twig templates could use
specially crafted code to trigger remote code execution, even in sandboxed
templates.

For the stable distribution (jessie), this problem has been fixed in
version 1.16.2-1+deb8u1.

For the testing (stretch) and unstable (sid) distributions, this problem
has been fixed in version 1.20.0-1.

We recommend that you upgrade your twig packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJV3ZhyAAoJEBC+iYPz1Z1kfZAH/j4xWjGxAVvIIoIkyBOzdXZ4
xQgiHtPjJmrDqsAiW1kEFgpBRNA29WWDM8a0YNP0sI1KfhAwypAoaGhkWdeVoAgv
yOTUcphI5eWc4PXnExf4xVqoWIMtY4eSs5CQ3Iy1wwMOLgoQGPfwMCuvQHx22Kyg
tkqOgnfqwR1zEzZ4yQqOWVING4k6juIH3vjf1IvDeijfVnvKzCVT02CIX2sxLK4B
OnYVXMnXPUHBqWFNrdycKmA1+dP4Pv0f5XuD69vRueXxVWwddnHyrxN9sStlPkP1
k0E6VLTxlwjlYxt9vigsx2q5lt3u+/FtpLmVVrmdU6yahOh+nC05rUzFoZUoa9k=
=FPDb
-----END PGP SIGNATURE-----
securitybreach Posted August 27, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3344-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 27, 2015                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php5
CVE ID         : CVE-2015-4598 CVE-2015-4643 CVE-2015-4644 CVE-2015-5589
                 CVE-2015-5590

Multiple vulnerabilities have been discovered in the PHP language:

CVE-2015-4598

    thoger at redhat dot com discovered that paths containing a NUL
    character were improperly handled, thus allowing an attacker to
    manipulate unexpected files on the server.

CVE-2015-4643

    Max Spelsberg discovered an integer overflow flaw leading to a
    heap-based buffer overflow in PHP's FTP extension, when parsing
    listings in FTP server responses. This could lead to a crash or
    execution of arbitrary code.

CVE-2015-4644

    A denial of service through a crash could be caused by a segfault in
    the php_pgsql_meta_data function.

CVE-2015-5589

    kwrnel at hotmail dot com discovered that PHP could crash when
    processing an invalid phar file, thus leading to a denial of service.

CVE-2015-5590

    jared at enhancesoft dot com discovered a buffer overflow in the
    phar_fix_filepath function, that could cause a crash or execution of
    arbitrary code.

Additionally, several other vulnerabilities were fixed:

    sean dot heelan at gmail dot com discovered a problem in the
    unserialization of some items, that could lead to arbitrary code
    execution.

    stewie at mail dot ru discovered that the phar extension improperly
    handled zip archives with relative paths, which would allow an
    attacker to overwrite files outside of the destination directory.

    taoguangchen at icloud dot com discovered several use-after-free
    vulnerabilities that could lead to arbitrary code execution.

For the oldstable distribution (wheezy), these problems have been fixed
in version 5.4.44-0+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 5.6.12+dfsg-0+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 5.6.12+dfsg-1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJV3t20AAoJEBC+iYPz1Z1kPWgIAKa4oEs0lHk2z/kWhdbPodRR
i5QpFWjxD0MMC7ey8MZ2zyQFmC/YMnWtlxG98L4EBrMM9hgoWt/ZP1+WNANKX/4n
nhtb587OxTNjjIDZ/tu81419HubGzsy5eqKA880KZqIGLBRNC0KBTe2SuEZxA/oG
lJqWHFktUQfC6Z2JJwUe8Yy1nrxUsd/P/5y5igGoRrFNiskUoE0KsPLcqAXmxSp4
h4qJ+9MjlvnHJocYTBOdJOn9Sob3kviORO+5zXcE+UOTtdkSlWLykXkzSykM9g9d
a2nu6CPYZN9UO3BsLT2SBJ/LOdTZXSoPjXsUK5SyxqXpgAp/XVJrJZJBH77xBv8=
=QjTz
-----END PGP SIGNATURE-----
securitybreach Posted August 29, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3345-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
August 29, 2015                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iceweasel
CVE ID         : CVE-2015-4497 CVE-2015-4498

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2015-4497

    Jean-Max Reymond and Ucha Gobejishvili discovered a use-after-free
    vulnerability which occurs when resizing of a canvas element is
    triggered in concert with style changes. A web page containing
    malicious content can cause Iceweasel to crash, or potentially,
    execute arbitrary code with the privileges of the user running
    Iceweasel.

CVE-2015-4498

    Bas Venis reported a flaw in the handling of add-ons installation. A
    remote attacker can take advantage of this flaw to bypass the add-on
    installation prompt and trick a user into installing an add-on from
    a malicious source.

For the oldstable distribution (wheezy), these problems have been fixed
in version 38.2.1esr-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 38.2.1esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 38.2.1esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV4Ti2AAoJEAVMuPMTQ89EuxQP/3bWxIX2aDy1urpbNZhrIvSC
8QvGSKIhtz9XcCO53oMcah+XTjZEthjKc4wd+wNGEybw9fR6YojFbf/RjLetUMMF
1sDYvt34jRzcz2tLnGqYfY/hLkbxr5L52kcYn1YVZZJ3ol+XFGqm2sf/OTRpiQgl
mvh7NtNjpBGhkL3x85B+wlKvKd0Nz+p83XgQ6qq+PQcm4iusrCyjnc0DwXCngc+1
kSNho0+/aOUnCxpX1QOmyRGqcxUWDmj88YIpg7xBjfcKhTslFiTpYC3yF2dz73+X
MyySK1I7nu9U5alH/eoOd4SaYVdpkufR/MhhCWOxDzTjRtiP+tGAc3/a5/7i6/Kl
B8wPDhgkui2DHLaxz4dsjsuJ1YPfBMDa68+ilCYuNWjTnIid/Yho1vr5a0fQFNqF
vTUaLVH9xnqTUM/SShp79Sta4n7f+NM8DrIJKQQH03D3XwA9NcJWPUoUm6nftdp9
qcvO3du4Zqn8vwxSVb+xNQlQgrrvJ37nvJtVXavSqfAZWKVYeMpNjyqlOcMKvhR0
tbT0x4YhtHs6c1q+BoldnjISe2wHNNWwQNRW8SrM5K+nzReQLjbm28uSWFVWf3Lq
567zgxCsbjlI2oXh3tftG9BY3ylh4mEna1cRhnnrnQU2Nl873sL3YOyuHyheAdTp
g71rt6+1YTi8VmDxycAZ
=tzb9
-----END PGP SIGNATURE-----
securitybreach Posted August 31, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3346-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
August 31, 2015                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : CVE-2015-6658 CVE-2015-6659 CVE-2015-6660 CVE-2015-6661
                 CVE-2015-6665

Several vulnerabilities were discovered in Drupal, a content management
framework:

CVE-2015-6658

    The form autocomplete functionality did not properly sanitize the
    requested URL, allowing remote attackers to perform a cross-site
    scripting attack.

CVE-2015-6659

    The SQL comment filtering system could allow a user with elevated
    permissions to inject malicious code in SQL comments.

CVE-2015-6660

    The form API did not perform form token validation early enough,
    allowing the file upload callbacks to be run with untrusted input.
    This could allow remote attackers to upload files to the site under
    another user's account.

CVE-2015-6661

    Users without the "access content" permission could see the titles
    of nodes that they do not have access to, if the nodes were added to
    a menu on the site that the users have access to.

CVE-2015-6665

    Remote attackers could perform a cross-site scripting attack by
    invoking Drupal.ajax() on a whitelisted HTML element.

For the oldstable distribution (wheezy), these problems have been fixed
in version 7.14-2+deb7u11.

For the stable distribution (jessie), these problems have been fixed in
version 7.32-1+deb8u5.

For the testing distribution (stretch), these problems have been fixed
in version 7.39-1.

For the unstable distribution (sid), these problems have been fixed in
version 7.39-1.

We recommend that you upgrade your drupal7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV5C47AAoJEK+lG9bN5XPLHMcP/RF8sFLD2wP/V7v4nsuss5De
yw2RpA3LrRTpAJCiQnfZDarw4o/THJYMHr/u/6zCIsvHphgdimZoe4CPnYugBMaN
FmaSNbqDYpvZ7+YiUFm+ipPaHHOX7LzHbrR/c45GKq/dtUE/AemlMzm5BmVkD3Qa
auxL7MRm4urv2iNX+wXwNvGSsBDLPArqjrj6MkkrEpaX6H9U/PdhciOeyTU6Mjop
LwwDPDWSwFP9zJx6j//b77wS9zEFz56msCVuDTJpWYITtNxghLNAxWmfnzTEIlec
llYtBmvrvBsbym8tvlIXM0M5dNQ7bQ8fbbNV3xVF1j6YHEZD2flfgAPbFJCJ5IFf
ECe17HsvOICY3PHGBIs1xLguWflSgUpYBCgn978J3KA+xOXv/d+n2bXvE1T1xbDA
TlX+IxWGBTU0ut/FQR8p7T7Dwai7RrhGGb50KkRYfO5oM1phUPknRMLnFpKq2uFG
EIpe24FPOd21SYlLBkucegMC1+F7tXfMZQ+qj1QpKTBmGIpS1Tc92YVN1v5zKZh+
NjIMspkdgW2xsq/VD/xXMNyy2f6swh7tsFMvjh4Lgrxet6c6sAD6NvbBI9OMaJeb
CEIh2K7SDBbCfFEjgpbBC5sEn3t7zYkNbWgHwj1gpGqVVMbyyy+shzupHb77Jcbe
5KiA8q3ZlDVcDhXfwGFP
=/qJI
-----END PGP SIGNATURE-----
securitybreach Posted September 2, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3347-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
September 02, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pdns
CVE ID         : CVE-2015-5230

Pyry Hakulinen and Ashish Shakla at Automattic discovered that pdns, an
authoritative DNS server, was incorrectly processing some DNS packets;
this would enable a remote attacker to trigger a DoS by sending specially
crafted packets causing the server to crash.

For the stable distribution (jessie), this problem has been fixed in
version 3.4.1-4+deb8u3.

For the testing distribution (stretch) and unstable distribution (sid),
this problem has been fixed in version 3.4.6-1.

We recommend that you upgrade your pdns packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJV5wINAAoJEBC+iYPz1Z1kT9AIAJP2pMIbvung1B0EYDD/+YgT
nCqMFEhT+3miAmBMoDiOYE9K4dhLQAHQD+9YEVFfwcF9IV87mkkBhcCK5lLgQqfj
xtNVcrRxCZlI/jdoVAzP6IhMlhkbAgTIFFGxegbIVx9bgsAs1wR2LpiCPZb3SZim
ZaabfmyUMQfN9xlNbptVSNf08iGGvRTm3wAAGRbeM/DqRPjM5Gk/X7O7qlH8Z9mB
04//RtPzyohQOGMWkEF3oqCicVQRHKFIdB6FvJH9r9cnGghjLxgFfeLT1tqrRnDg
csR4renxQZU/3ztReyibd/amTCpqKfe0ixsYR/PE71czqGmgatcptj2E03+UKa4=
=gxuU
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3349-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
September 02, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu-kvm
CVE ID         : CVE-2015-5165 CVE-2015-5745

Several vulnerabilities were discovered in qemu-kvm, a full
virtualization solution on x86 hardware.

CVE-2015-5165

    Donghai Zhu discovered that the QEMU model of the RTL8139 network
    card did not sufficiently validate inputs in the C+ mode offload
    emulation, allowing a malicious guest to read uninitialized memory
    from the QEMU process's heap.

CVE-2015-5745

    A buffer overflow vulnerability was discovered in the way QEMU
    handles the virtio-serial device. A malicious guest could use this
    flaw to mount a denial of service (QEMU process crash).

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.1.2+dfsg-6+deb7u9.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV5yHRAAoJEAVMuPMTQ89EB2kP/AtJsGcAf37Nthx8tbD6/LUM
6Ou6bDZBoxgFGgtlM9ijK9W1lN9m7UoJBNgOLMGSDha6xCDhUlNk6r/yyR/3bRnh
Ij2xbQwFMvbB8IG88I7H62YpZihY7O/9vqSYW/ZIu7tL4DAQNHctGZ1XocUiHh8i
Ar/gE8bQSDKpx3XG/ZmlniBjozXEcHPc7WDM5eHU1bekwJ5MlO9S+l7ikAptVWMt
fDT7pS1YcGmYftIYtt7MySTHl9F3ThcWBMuY+GeZnF9zQh0N8ltNtvaO87uJ1Oke
qSDzPKoIy6Q1Cw6SEVloBASzsB7BFu7q8S7Zx6DKVDrS43JZNnXj7xX3DXtIGvtC
yXr+xx15tk8oBVYQpg0kBgZjcU5IXC/zjL8KCzj2Nt8+e1w7ufcdgisp9X91hN5c
t/kJmTI8wj0xT0UYCjCfdPLQr1U8ph5fk5coZkt6YVWkWCp1L1fSLDAhkcqM60ql
ORZwyM7m3ZtoMRfAKNdJgjTHTyijE8CAsQDGcINEkhqz26gFuaU5TnkD/Ls5z0cc
ZwTjXpd1VrCYUB0wkdbXWDtsAIZR4nmxl43Z9lOOXRgCMysakmTGYluFW2ypEhrB
fqvXfYzV8assVcLyXnWyq8Ewh7OjX26Y5OlczgxHyBCDp2HK2ragzf93cYJL1v8t
6AheWSuueDqSs2b11Z8J
=9NK7
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3348-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
September 02, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2015-3214 CVE-2015-5154 CVE-2015-5165 CVE-2015-5225
                 CVE-2015-5745
Debian Bug     : 793811 794610 795087 795461 796465

Several vulnerabilities were discovered in qemu, a fast processor
emulator.

CVE-2015-3214

    Matt Tait of Google's Project Zero security team discovered a flaw
    in the QEMU i8254 PIT emulation. A privileged guest user in a guest
    with QEMU PIT emulation enabled could potentially use this flaw to
    execute arbitrary code on the host with the privileges of the
    hosting QEMU process.

CVE-2015-5154

    Kevin Wolf of Red Hat discovered a heap buffer overflow flaw in the
    IDE subsystem in QEMU while processing certain ATAPI commands. A
    privileged guest user in a guest with the CDROM drive enabled could
    potentially use this flaw to execute arbitrary code on the host with
    the privileges of the hosting QEMU process.

CVE-2015-5165

    Donghai Zhu discovered that the QEMU model of the RTL8139 network
    card did not sufficiently validate inputs in the C+ mode offload
    emulation, allowing a malicious guest to read uninitialized memory
    from the QEMU process's heap.

CVE-2015-5225

    Mr Qinghao Tang from QIHU 360 Inc. and Mr Zuozhi from Alibaba Inc
    discovered a buffer overflow flaw in the VNC display driver leading
    to heap memory corruption. A privileged guest user could use this
    flaw to mount a denial of service (QEMU process crash), or
    potentially to execute arbitrary code on the host with the
    privileges of the hosting QEMU process.

CVE-2015-5745

    A buffer overflow vulnerability was discovered in the way QEMU
    handles the virtio-serial device. A malicious guest could use this
    flaw to mount a denial of service (QEMU process crash).

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.1.2+dfsg-6a+deb7u9. The oldstable distribution is only
affected by CVE-2015-5165 and CVE-2015-5745.

For the stable distribution (jessie), these problems have been fixed in
version 1:2.1+dfsg-12+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 1:2.4+dfsg-1a.

We recommend that you upgrade your qemu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV5yHbAAoJEAVMuPMTQ89EL2EQAJRkjczhzMQFzfjym14afASB
pr7b2Hu/M5i+hyuSr8Pv8G2zuEw2o60ezqcseuG2153hZs/yX0yk8qltwuTdLdMk
At2FMs98XiD8xKY4mpCKHSdXcY+Cl7cjmogkcUe84dG4xfT5HUTOpZ7b2Ei22gOr
lUmFf5SdG7yhsEk12sne06ArJh7AuDEUa9ltc+cH2+2091itC9DwflRf2y7NmYaf
kM47ZBcMfmUxGbMPPxBV19T2L6ts1zTcPKMkE4FynDDsTzqDg5ndz8clBHKRF70x
ltEXjTD1gLoJkNFGo2UrnfTHlu8UO5OAx1C1si+rtt8/93ran8IXaOO+u/AssqPU
Jzwo2j4zOSLnSMlo722NuneqkneaTQabLM1tROpTOgRTXHmIvG1Uls6Rx5tQOUbZ
wMszAC9aRQZiZ32yjUu0cVu7bsSIRzadNPjW3WzljtRGSEPYUg/pLicnAC+Bq6mu
MOYllYs3nhybZoQ6NjFrJfA+sCjZuNmDhh5a3QUb/cjckygf2QMN8YBSoPy2khqX
y8hTUcrYfmsJo5/rvAkki6kxOJiqK+8+fiw0ARcAOkOIOuP4tcExTwjfNBXtWgR6
ZHZOTA68XdkptRhYnlSfAUkhR06vP6q63k/hjR+7syWu6e9n+4cq/moEdUh+77Xo
ULvsd7J2ar7JOVZ9HpWS
=QpIk
-----END PGP SIGNATURE-----
securitybreach Posted September 2, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3350-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
September 02, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2015-5722

Hanno Boeck discovered that incorrect validation of DNSSEC-signed records
in the Bind DNS server could result in denial of service.

Updates for the oldstable distribution (wheezy) will be released shortly.

For the stable distribution (jessie), this problem has been fixed in
version 9.9.5.dfsg-9+deb8u3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJV524EAAoJEBDCk7bDfE42M7IP/RoNIA3BNrMHnjKWlbqRYVua
H8M8yTAf7RRBkqpV50+wLT1xhTSIzcbHb1atn5FNEYFAGikGyRKYVFTO8Xd7lnPE
PT3ZKjdJUQOZLoNqahEwqUENroCO2yVFXAWW6/tyf7sf3IaF0An+7vS9HfRejHSZ
kwvFqQpUr7nk4LSr6uzKXShZm31X9v2+ZDvATX/HM9/ioYVyTIR/XT22tMt7wqUT
ZANmQ+HkEiTXM88HgIgvN8H4/1EXO44Qot/O6ZB9RUopubnFlGCIA3ee2DAa4LNA
qJPvn+5chr0vvgdx9LcyuJzVbFtIk5mLGGR4hUEPcDui/7xMJ+fT6veNfxMzSLpO
5c6vlFTVN9pWycYFN5Af//HfzOMe8y3o4to6cop49YZR0SfdIL7vuqo/jeaRqN8f
hIlN/6HUMNRO9LSupUjkdivwiw1QzKUEHT6+k6X33PTT8zIJ28Nf4ui8AWlauikZ
UQGAVjJEVDX+sdVurYpYel35LS3LFqgVUADzRjtxIszBS0M5UhO/E8JT0Pl4kX1c
HvXe9mAqBPCUcoQ7Jkhjym8AQ2RTtNcNRNkl1rTHjfWtZ1pukfUu12VtXtBXcliH
rJ24PSPSIMl0yGOGenT+Lwr/y5jWpfCp8w2rjMH2pXdz+bKjTfXmRWLe8DvRk5HV
wj1XSuQQOXrR1zXR5zpd
=ae/2
-----END PGP SIGNATURE-----
securitybreach Posted September 5, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3352-1                   security@debian.org
https://www.debian.org/security/               Laszlo Boszormenyi (GCS)
September 04, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : screen
CVE ID         : CVE-2015-6806
Debian Bug     : 797624

A vulnerability was found in screen causing a stack overflow which
results in crashing the screen server process, resulting in denial of
service.

For the oldstable distribution (wheezy), this problem has been fixed in
version 4.1.0~20120320gitdb59704-7+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 4.2.1-3+deb8u1.

For the testing (stretch) and unstable (sid) distributions, this problem
has been fixed in version 4.3.1-2.

We recommend that you upgrade your screen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJV6VmiAAoJEBDCk7bDfE428D8P/RXE9Wg7j11Vt9iHdV5jro8p
XNDvZyxRTyJw1xNLV/VWCV7MOS/9h3XCz8DUJwa6i8TJleaeESEklTL03NNsH0sI
u72HavbLNnhamTREPGia15BByh/ra6U23RRrKgyK+Gxa0SrMRB+FraL06Ic5R5cE
aeVFqTWaEvVem6DbP9P8MTeP5IT1TsNu5GGujzLVLu9QIrZW1sse1t6ccEqe6Mrw
Sb9XevPXMSntskO0kqZVxe1LlmZZuRPMu3IRqOxbw8ycXrNnQzYitWTFpGW2K+BD
KArd8zSKByuEPfnIbNzN6vl3Lly097qmQA4iWRKRVDy1+/alPWsTbrI6bv1hL/O1
fIPkrX8SZpdk6KflWNIS5HtL2u5THPApKh5l8cOkISUvaUWrzomMCbTEcWHEOg+W
WckyAzbGvNQrVQaXJ5fe9RO05NDZ7grII4f7itK2j6pMJvxzE/ZYQObF8MELODxQ
Ufg4n4rKH7lHBQJKWZnYPCNC/B/V/6RPXJlq/QBbZwVqAD7OwUfCrgdLeo37UrO5
u+TIplsAnyTI67VWKnZQB9xDss99ag0HTK+IweVGlV21cngJSr8MTCAjsVSVuG0D
CoyjWU8yGww5wdWOnZK1WOIZ2TO63XfMkcnWaqgbENPnJRIdSdP+AiXSUHmi2/2/
krONwiiLVri4TxlrjyhX
=52Mr
-----END PGP SIGNATURE-----
securitybreach Posted September 5, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3353-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
September 05, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openslp-dfsg
CVE ID         : CVE-2015-5177
Debian Bug     : 795429

Qinghao Tang of QIHU 360 discovered a double free flaw in OpenSLP, an
implementation of the IETF Service Location Protocol. This could allow
remote attackers to cause a denial of service (crash).

For the oldstable distribution (wheezy), this problem has been fixed in
version 1.2.1-9+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 1.2.1-10+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.2.1-11.

We recommend that you upgrade your openslp-dfsg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV6v81AAoJEK+lG9bN5XPLCZEQAIqcadDeke6OIXqgMglx9j/V
F4f1+kuaETjjNJDZ0/+1Hz7X7PA6CsWzyLeOuXd6UKQAiyeSg9IedFahlt8gQvCw
zSVxXo12c//OG4bVG2q8bKRpPLp7/BtT6FUTmKKdSY5+zxJNPjZxa8KqF3cq5qZu
HhrpJObetJZbzZp5TxWHJnv1cSS0zazv6eADDkutOcWV8H/+ifBBKyxdYIkFt5//
Q1pooWwTJSzsN9yUp+r7jCI5vO9QeboH2nIt/LKRmZ3f24jkT7Q9oIkty0BPXY+j
VoI2bDNofQPXXee+hVwVAMbL3BfrugZd2aR9QDPgwWGNBVJ/Dxu4+ohwVyZQcNE3
fxYGDdh5piixfter916zorgveTNhKsz4FASbO7XOu1vhTIsawmAYESN90fhdpG1O
MgrtYD3F7rOwdjF/CNjSJCW7IVqcxqGzZBA4luecZIB71GY4QXUxQjMNjawsnLV/
VTgN47/KiSPSFUItLmBamds7kMt+vFW2ytj0iyBS+jYq9aLLKKCf50+mxs+hs6j0
1yg//tv7ln5aW9573Z3i94jaaZqGBnwYyp+tSgMVtHfMXpT8V74G7WN9FNkWfy9a
Fg6zfakSRA6zYAHPRJ58Ndp5OKonUvwjVIY5ma1Q87C8CRXt8pEOW7zlLfBRbnwH
nPXHGVSY8QG4Bg+w3Ljj
=FB78
-----END PGP SIGNATURE-----
sunrat Posted September 6, 2015

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 8: 8.2 released                          press@debian.org
September 5th, 2015                      https://www.debian.o...s/2015/20150905
------------------------------------------------------------------------

The Debian project is pleased to announce the second update of its
stable distribution Debian 8 (codename "jessie"). This update mainly
adds corrections for security problems to the stable release, along with
a few adjustments for serious problems. Security advisories were
published separately and are referenced where applicable.

Please note that this update does not constitute a new version of Debian
8 but only updates some of the packages included. There is no need to
throw away old "jessie" CDs or DVDs but only to update via an up-to-date
Debian mirror after an installation, to cause any out of date packages
to be updated.

Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.

New installation media and CD and DVD images containing updated packages
will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:

  https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+-------------------------------------+-------------------------------------------------------------------------+
| Package                             | Reason                                                                  |
+-------------------------------------+-------------------------------------------------------------------------+
| akonadi [1]                         | Fix a bug that caused old files to be kept when they should be removed |
| apache2 [2]                         | Fix conffile logic for wheezy to jessie upgrades; fix -D[efined] or <Define>[d] variables lifetime across restarts; mpm_event: Fix process deadlock when shutting down a worker; mpm_event: Fix crashes due to various race conditions |
| apt [3]                             | Parse specific-arch dependencies correctly on single-arch systems; remove "first package seen is native package" assumption; fix endless loop in apt-get update that can cause all disk space to be used |
| bareos [4]                          | Fix backup corruption on multi-volume jobs; add autopkgtests |
| base-files [5]                      | Update for the point release |
| binutils-mingw-w64 [6]              | Apply upstream fix to handle Visual Studio DLLs |
| bird [7]                            | Correctly migrate bird6.conf from bird6 package |
| cron [8]                            | Cron.service: Use KillMode=process to kill only the daemon, not running jobs |
| cross-gcc [9]                       | Require bash in rules.template makefile |
| dbus [10]                           | Fix a memory leak when GetConnectionCredentials is called; stop dbus-monitor replying to org.freedesktop.DBus.Peer messages, including those that another process should have replied to |
| debian-installer [11]               | Add image for Seagate DockStar; add symlinks for OpenRD variants; append DTB for LaCie NAS devices that require it |
| debian-installer-launcher [12]      | Set the menu icon text in the source package to read "Install Debian jessie" |
| debian-installer-netboot-images [13]| Rebuild against new debian-installer |
| designate [14]                      | Fix mDNS DoS through incorrect handling of large RecordSets [CVE-2015-5695] |
| dovecot [15]                        | Fix SSL/TLS handshake failures leading to a crash of the login process with newer versions of OpenSSL [CVE-2015-3420]; fix mbox corruption issue |
| ejabberd [16]                       | Fix logging of nicknames in muc logs and parsing of "ldap_dn_filter" option; postinst: restart on upgrade; logrotate: don't signal a non-running daemon |
| flash-kernel [17]                   | Combine i.MX53 QSB and LOCO board entries, they are the same thing and the LOCO variant was missing DTB information, possibly causing issues during wheezy to jessie upgrades |
| fusiondirectory [18]                | Access javascript libraries via a path relative to FusionDirectory's base path |
| glibc [19]                          | Fix pthread_mutex_trylock with lock elision; fix gprof entry point on ppc64el; fix a buffer overflow in getanswer_r [CVE-2015-1781] |
| glusterfs [20]                      | Stop creating UNIX domain sockets as FIFOs on NFS |
| gnome-terminal [21]                 | Open new tabs in working directory, rather than home directory |
| gnutls28 [22]                       | Fix a crash in VIA PadLock asm; fix GNUTLS-SA-2015-2, which allowed MD5 signatures (which are disabled by default) in the ServerKeyExchange message |
| gosa [23]                           | Fix idGenerator for patterns like {%sn[3-6}-{%givenName[3-6]}; enable CSV / LDIF import on (non-Debian-Edu) clean installations by default |
| groovy2 [24]                        | Fix remote execution of untrusted code and possible DoS vulnerability [CVE-2015-3253] |
| grub-installer [25]                 | Correctly propagate grub-installer/force-efi-extra-removable to installed system |
| gtk+3.0 [26]                        | Fix several crashes |
| haproxy [27]                        | Fix a segfault when parsing a configuration file containing disabled proxy sections |
| how-can-i-help [28]                 | Use HTTPS to connect to UDD |
| kic [29]                            | configure: Do not add -L without argument to $LIBS |
| lame [30]                           | Enable functions with SSE instructions to maintain their own properly aligned stack. Fixes crashes when called from the ocaml bindings |
| libdatetime-timezone-perl [31]      | New upstream release |
| libgee-0.8 [32]                     | Fix default value of --enable-consistency-check, otherwise a very expensive debug option is turned on by default and would make a lot of applications unusably slow |
| libio-socket-ssl-perl [33]          | Make PublicSuffix::_default_data thread safe |
| libisocodes [34]                    | Fix GLib critical warning if the environment variable LANGUAGE is not set |
| libvirt [35]                        | Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm or kqemu; fix crash on live migration; allow access to libnl-3 configuration; report original error when QMP probing fails with new QEMU |
| linux-ftpd-ssl [36]                 | Fix "NLST of empty directory results in segfault" |
| lynx-cur [37]                       | Use gnutls_set_default_priority() instead of a custom priority string, so fixing GNUTLS-SA-2015-2 in GnuTLS does not break SSL support in lynx |
| mesa [38]                           | Disable asynchronous DMA on radeonsi which can cause lockups |
| motif [39]                          | Disable fix for upstream bug #1565 which caused segfaults in ddd and xpdf |
| mozilla-gnome-keyring [40]          | Restore compatibility with newer Iceweasel versions |
| nbd [41]                            | Fix authfile parsing |
| nss [42]                            | Fix certificate chain generation to prefer stronger/newer certificates over weaker/older certs |
| ocl-icd [43]                        | Fix "clSVMFree never called in OpenCL ICD" |
| pdf.js [44]                         | Drop xul-ext-pdf.js package since it's not compatible with iceweasel 38 |
| postgresql-9.1 [45]                 | New upstream release |
| postgresql-9.4 [46]                 | New upstream release |
| prosody [47]                        | Fix CNAME resolution |
| python-apt [48]                     | Work around a cyclic reference from Cache to its methods; LFS fixes; fix splitting of multi-lines Binary fields in dsc files; arch-qualify in compare_to_version_in_cache(); fix apt.Package.installed_files for multi-arch packages |
| python-keystoneclient [49]          | Fix S3token incorrect condition expression for ssl_insecure [CVE-2015-1852] |
| python-keystonemiddleware [50]      | Fix S3Token TLS cert verification option not honored [CVE-2015-1852] |
| python-reportlab [51]               | Correctly handle PNGs containing transparency |
| python-swiftclient [52]             | Add missing dependency on python-pkg-resources |
| r-cran-rcurl [53]                   | Build-Depend on libcurl4-openssl-dev, fixing issues with PEM certificate bundles |
| rawtherapee [54]                    | Fix dcraw input sanitization errors [CVE-2015-3885] |
| requestpolicy [55]                  | Restore compatibility with newer Iceweasel versions |
| rsyslog [56]                        | Disable transactions in ompgsql as they were not working properly |
| ruby2.1 [57]                        | Fix Request hijacking vulnerability in Rubygems [CVE-2015-3900] |
| syslinux [58]                       | Fix booting on some Chromebooks |
| systemd [59]                        | Disable default DNS servers in systemd-resolve; use strictly versioned dependency on libsystemd-dev for the transitional dev packages; udev: Increase udev event timeout to 180s |
| tabmixplus [60]                     | Restore compatibility with newer Iceweasel versions |
| tcpdump [61]                        | Fix -Z confirmation log being sent to stdout, where it can get mixed with pcap stream data if '-w -' is used |
| torrus [62]                         | Revert broken patch refresh, thereby fixing rrdup_notify |
| tzdata [63]                         | New upstream release |
| ufraw [64]                          | Fix buffer overflow in ljpeg_start [CVE-2015-3885] |
| unattended-upgrades [65]            | Make optional automatic-reboot work again; really fix adding of jessie-security |
| wesnoth-1.10 [66]                   | Disallow inclusion of .pbl files from WML [CVE-2015-5069, CVE-2015-5070] |
| xemacs21 [67]                       | Conflict against old transitional packages to make absolutely sure that they are removed before we try to upgrade; remove dependency from support to binary package since the binary package already has the equivalent dependency |
| xserver-xorg-video-modesetting [68] | Don't pretend to support rotation |
+-------------------------------------+-------------------------------------------------------------------------+

 1: https://packages.deb...org/src:akonadi
 2: https://packages.deb...org/src:apache2
 3: https://packages.debian.org/src:apt
 4: https://packages.debian.org/src:bareos
 5: https://packages.deb.../src:base-files
 6: https://packages.deb...utils-mingw-w64
 7: https://packages.debian.org/src:bird
 8: https://packages.debian.org/src:cron
 9: https://packages.deb...g/src:cross-gcc
10: https://packages.debian.org/src:dbus
11: https://packages.deb...ebian-installer
12: https://packages.deb...taller-launcher
13: https://packages.deb...-netboot-images
14: https://packages.deb...g/src:designate
15: https://packages.deb...org/src:dovecot
16: https://packages.deb...rg/src:ejabberd
17: https://packages.deb...rc:flash-kernel
18: https://packages.deb...fusiondirectory
19: https://packages.debian.org/src:glibc
20: https://packages.deb...g/src:glusterfs
21: https://packages.deb...:gnome-terminal
22: https://packages.deb...rg/src:gnutls28
23: https://packages.debian.org/src:gosa
24: https://packages.deb...org/src:groovy2
25: https://packages.deb...:grub-installer
26: https://packages.deb...org/src:gtk+3.0
27:
https://packages.deb...org/src:haproxy 28: https://packages.deb...:how-can-i-help 29: https://packages.debian.org/src:kic 30: https://packages.debian.org/src:lame 31: https://packages.deb...e-timezone-perl 32: https://packages.deb.../src:libgee-0.8 33: https://packages.deb...socket-ssl-perl 34: https://packages.deb...src:libisocodes 35: https://packages.deb...org/src:libvirt 36: https://packages.deb...:linux-ftpd-ssl 37: https://packages.deb...rg/src:lynx-cur 38: https://packages.debian.org/src:mesa 39: https://packages.debian.org/src:motif 40: https://packages.deb...a-gnome-keyring 41: https://packages.debian.org/src:nbd 42: https://packages.debian.org/src:nss 43: https://packages.deb...org/src:ocl-icd 44: https://packages.debian.org/src:pdf.js 45: https://packages.deb...:postgresql-9.1 46: https://packages.deb...:postgresql-9.4 47: https://packages.deb...org/src:prosody 48: https://packages.deb.../src:python-apt 49: https://packages.deb...-keystoneclient 50: https://packages.deb...stonemiddleware 51: https://packages.deb...ython-reportlab 52: https://packages.deb...hon-swiftclient 53: https://packages.deb...rc:r-cran-rcurl 54: https://packages.deb...src:rawtherapee 55: https://packages.deb...c:requestpolicy 56: https://packages.deb...org/src:rsyslog 57: https://packages.deb...org/src:ruby2.1 58: https://packages.deb...rg/src:syslinux 59: https://packages.deb...org/src:systemd 60: https://packages.deb.../src:tabmixplus 61: https://packages.deb...org/src:tcpdump 62: https://packages.debian.org/src:torrus 63: https://packages.debian.org/src:tzdata 64: https://packages.debian.org/src:ufraw 65: https://packages.deb...tended-upgrades 66: https://packages.deb...rc:wesnoth-1.10 67: https://packages.deb...rg/src:xemacs21 68: https://packages.deb...deo-modesetting Security Updates ---------------- This revision adds the following security updates to the stable release. 
The Security Team has already released an advisory for each of these
updates:

+----------------+---------------------------+
| Advisory ID    | Package                   |
+----------------+---------------------------+
| DSA-3260 [69]  | iceweasel [70]            |
| DSA-3276 [71]  | symfony [72]              |
| DSA-3277 [73]  | wireshark [74]            |
| DSA-3278 [75]  | libapache-mod-jk [76]     |
| DSA-3279 [77]  | redis [78]                |
| DSA-3282 [79]  | strongswan [80]           |
| DSA-3283 [81]  | cups [82]                 |
| DSA-3284 [83]  | qemu [84]                 |
| DSA-3286 [85]  | xen [86]                  |
| DSA-3287 [87]  | openssl [88]              |
| DSA-3288 [89]  | libav [90]                |
| DSA-3289 [91]  | p7zip [92]                |
| DSA-3291 [93]  | drupal7 [94]              |
| DSA-3292 [95]  | cinder [96]               |
| DSA-3293 [97]  | pyjwt [98]                |
| DSA-3294 [99]  | wireshark [100]           |
| DSA-3295 [101] | cacti [102]               |
| DSA-3296 [103] | libcrypto++ [104]         |
| DSA-3297 [105] | unattended-upgrades [106] |
| DSA-3298 [107] | jackrabbit [108]          |
| DSA-3299 [109] | stunnel4 [110]            |
| DSA-3300 [111] | iceweasel [112]           |
| DSA-3301 [113] | haproxy [114]             |
| DSA-3302 [115] | libwmf [116]              |
| DSA-3303 [117] | cups-filters [118]        |
| DSA-3304 [119] | bind9 [120]               |
| DSA-3305 [121] | python-django [122]       |
| DSA-3306 [123] | pdns [124]                |
| DSA-3307 [125] | pdns-recursor [126]       |
| DSA-3308 [127] | mysql-5.5 [128]           |
| DSA-3309 [129] | tidy [130]                |
| DSA-3310 [131] | freexl [132]              |
| DSA-3312 [133] | cacti [134]               |
| DSA-3313 [135] | linux [136]               |
| DSA-3315 [137] | chromium-browser [138]    |
| DSA-3317 [139] | lxc [140]                 |
| DSA-3318 [141] | expat [142]               |
| DSA-3319 [143] | bind9 [144]               |
| DSA-3320 [145] | openafs [146]             |
| DSA-3321 [147] | opensaml2 [148]           |
| DSA-3321 [149] | xmltooling [150]          |
| DSA-3322 [151] | ruby-rack [152]           |
| DSA-3323 [153] | icu [154]                 |
| DSA-3325 [155] | apache2 [156]             |
| DSA-3326 [157] | ghostscript [158]         |
| DSA-3328 [159] | wordpress [160]           |
| DSA-3329 [161] | linux [162]               |
| DSA-3330 [163] | activemq [164]            |
| DSA-3331 [165] | subversion [166]          |
| DSA-3332 [167] | wordpress [168]           |
| DSA-3333 [169] | iceweasel [170]           |
| DSA-3334 [171] | gnutls28 [172]            |
| DSA-3335 [173] | request-tracker4 [174]    |
| DSA-3336 [175] | nss [176]                 |
| DSA-3337 [177] | gdk-pixbuf [178]          |
| DSA-3338 [179] | python-django [180]       |
| DSA-3340 [181] | zendframework [182]       |
| DSA-3341 [183] | conntrack [184]           |
| DSA-3342 [185] | vlc [186]                 |
| DSA-3343 [187] | twig [188]                |
| DSA-3345 [189] | iceweasel [190]           |
+----------------+---------------------------+

 69: https://www.debian.o...y/2015/dsa-3260
 70: https://packages.deb...g/src:iceweasel
 71: https://www.debian.o...y/2015/dsa-3276
 72: https://packages.deb...org/src:symfony
 73: https://www.debian.o...y/2015/dsa-3277
 74: https://packages.deb...g/src:wireshark
 75: https://www.debian.o...y/2015/dsa-3278
 76: https://packages.deb...ibapache-mod-jk
 77: https://www.debian.o...y/2015/dsa-3279
 78: https://packages.debian.org/src:redis
 79: https://www.debian.o...y/2015/dsa-3282
 80: https://packages.deb.../src:strongswan
 81: https://www.debian.o...y/2015/dsa-3283
 82: https://packages.debian.org/src:cups
 83: https://www.debian.o...y/2015/dsa-3284
 84: https://packages.debian.org/src:qemu
 85: https://www.debian.o...y/2015/dsa-3286
 86: https://packages.debian.org/src:xen
 87: https://www.debian.o...y/2015/dsa-3287
 88: https://packages.deb...org/src:openssl
 89: https://www.debian.o...y/2015/dsa-3288
 90: https://packages.debian.org/src:libav
 91: https://www.debian.o...y/2015/dsa-3289
 92: https://packages.debian.org/src:p7zip
 93: https://www.debian.o...y/2015/dsa-3291
 94: https://packages.deb...org/src:drupal7
 95: https://www.debian.o...y/2015/dsa-3292
 96: https://packages.debian.org/src:cinder
 97: https://www.debian.o...y/2015/dsa-3293
 98: https://packages.debian.org/src:pyjwt
 99: https://www.debian.o...y/2015/dsa-3294
100: https://packages.deb...g/src:wireshark
101: https://www.debian.o...y/2015/dsa-3295
102: https://packages.debian.org/src:cacti
103: https://www.debian.o...y/2015/dsa-3296
104: https://packages.deb...src:libcrypto
105: https://www.debian.o...y/2015/dsa-3297
106: https://packages.deb...tended-upgrades
107: https://www.debian.o...y/2015/dsa-3298
108: https://packages.deb.../src:jackrabbit
109: https://www.debian.o...y/2015/dsa-3299
110: https://packages.deb...rg/src:stunnel4
111: https://www.debian.o...y/2015/dsa-3300
112: https://packages.deb...g/src:iceweasel
113: https://www.debian.o...y/2015/dsa-3301
114: https://packages.deb...org/src:haproxy
115: https://www.debian.o...y/2015/dsa-3302
116: https://packages.debian.org/src:libwmf
117: https://www.debian.o...y/2015/dsa-3303
118: https://packages.deb...rc:cups-filters
119: https://www.debian.o...y/2015/dsa-3304
120: https://packages.debian.org/src:bind9
121: https://www.debian.o...y/2015/dsa-3305
122: https://packages.deb...c:python-django
123: https://www.debian.o...y/2015/dsa-3306
124: https://packages.debian.org/src:pdns
125: https://www.debian.o...y/2015/dsa-3307
126: https://packages.deb...c:pdns-recursor
127: https://www.debian.o...y/2015/dsa-3308
128: https://packages.deb...g/src:mysql-5.5
129: https://www.debian.o...y/2015/dsa-3309
130: https://packages.debian.org/src:tidy
131: https://www.debian.o...y/2015/dsa-3310
132: https://packages.debian.org/src:freexl
133: https://www.debian.o...y/2015/dsa-3312
134: https://packages.debian.org/src:cacti
135: https://www.debian.o...y/2015/dsa-3313
136: https://packages.debian.org/src:linux
137: https://www.debian.o...y/2015/dsa-3315
138: https://packages.deb...hromium-browser
139: https://www.debian.o...y/2015/dsa-3317
140: https://packages.debian.org/src:lxc
141: https://www.debian.o...y/2015/dsa-3318
142: https://packages.debian.org/src:expat
143: https://www.debian.o...y/2015/dsa-3319
144: https://packages.debian.org/src:bind9
145: https://www.debian.o...y/2015/dsa-3320
146: https://packages.deb...org/src:openafs
147: https://www.debian.o...y/2015/dsa-3321
148: https://packages.deb...g/src:opensaml2
149: https://www.debian.o...y/2015/dsa-3321
150: https://packages.deb.../src:xmltooling
151: https://www.debian.o...y/2015/dsa-3322
152: https://packages.deb...g/src:ruby-rack
153: https://www.debian.o...y/2015/dsa-3323
154: https://packages.debian.org/src:icu
155: https://www.debian.o...y/2015/dsa-3325
156: https://packages.deb...org/src:apache2
157: https://www.debian.o...y/2015/dsa-3326
158: https://packages.deb...src:ghostscript
159: https://www.debian.o...y/2015/dsa-3328
160: https://packages.deb...g/src:wordpress
161: https://www.debian.o...y/2015/dsa-3329
162: https://packages.debian.org/src:linux
163: https://www.debian.o...y/2015/dsa-3330
164: https://packages.deb...rg/src:activemq
165: https://www.debian.o...y/2015/dsa-3331
166: https://packages.deb.../src:subversion
167: https://www.debian.o...y/2015/dsa-3332
168: https://packages.deb...g/src:wordpress
169: https://www.debian.o...y/2015/dsa-3333
170: https://packages.deb...g/src:iceweasel
171: https://www.debian.o...y/2015/dsa-3334
172: https://packages.deb...rg/src:gnutls28
173: https://www.debian.o...y/2015/dsa-3335
174: https://packages.deb...equest-tracker4
175: https://www.debian.o...y/2015/dsa-3336
176: https://packages.debian.org/src:nss
177: https://www.debian.o...y/2015/dsa-3337
178: https://packages.deb.../src:gdk-pixbuf
179: https://www.debian.o...y/2015/dsa-3338
180: https://packages.deb...c:python-django
181: https://www.debian.o...y/2015/dsa-3340
182: https://packages.deb...c:zendframework
183: https://www.debian.o...y/2015/dsa-3341
184: https://packages.deb...g/src:conntrack
185: https://www.debian.o...y/2015/dsa-3342
186: https://packages.debian.org/src:vlc
187: https://www.debian.o...y/2015/dsa-3343
188: https://packages.debian.org/src:twig
189: https://www.debian.o...y/2015/dsa-3345
190: https://packages.deb...g/src:iceweasel

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+----------------------------+-----------------------------------------------------+
| Package                    | Reason                                              |
+----------------------------+-----------------------------------------------------+
| criu [191]                 | Fast-moving target, too difficult to keep updated   |
| dactyl [192]               | Incompatible with newer Iceweasel versions          |
| fullscreen-extension [193] | Incompatible with newer Iceweasel versions          |
| netty3.1 [194]             | Dependency for non-present jetty                    |
| php-zend-xml [195]         | Security issues; useless in Debian                  |
| rubyfilter [196]           | Broken (empty) package                              |
+----------------------------+-----------------------------------------------------+

191: https://packages.debian.org/src:criu
192: https://packages.debian.org/src:dactyl
193: https://packages.deb...creen-extension
194: https://packages.deb...rg/src:netty3.1
195: https://packages.deb...rc:php-zend-xml
196: https://packages.deb.../src:rubyfilter

Debian Installer
----------------

URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.or...essie/ChangeLog

The current stable distribution:

  http://ftp.debian.or...n/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.or...roposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.o...eleases/stable/

Security announcements and information:

  https://security.debian.org/ [197]

197: https://www.debian.org/security/

About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.
Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
securitybreach Posted September 10, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3355-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
September 10, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libvdpau
CVE ID         : CVE-2015-5198 CVE-2015-5199 CVE-2015-5200
Debian Bug     : 797895

Florian Weimer of Red Hat Product Security discovered that libvdpau, the
VDPAU wrapper library, did not properly validate environment variables,
allowing local attackers to gain additional privileges.

For the oldstable distribution (wheezy), these problems have been fixed
in version 0.4.1-7+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 0.8-3+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 1.1.1-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.1-1.

We recommend that you upgrade your libvdpau packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV8UE8AAoJEK+lG9bN5XPLd6YP/R1bGtDqgFix0QlePO4zBfNU
uWkPYYlQNihDd+0m2DnOvKD9m934aeArwoj4hDcu8lwxkX+3TGeFbiHM6fo+kz2P
zVZmBt3K11TUzJ9hQcJNpw0E7JpYfBeBFVTMiFwE1An2JG+GDGwlOY9jq69/n++r
+lk2unQ9e4SF2nynSDfuakU95RpcYBaSUgOjttQrOlh5wQJVldRhyltUBfNcinD6
PlIEF9Hr0PVboFfL6q5W+hGPDElGQAYRn6M2ISz/en3/IADe3r7uJlLwLGcahr5J
I3dejzgGif2eSigidkagsUuevwbotznDcBo58xRMc3R/a7QYI6fVEwaK3s3xCC/V
5wv0aABatKaXO8T/95yKXGJ5O12zqlzIhiup3vWENhh1hqwKy6Tv44Zl21YzigdR
qfloo5poqKhK3vXQVgeaANy6sjTVGFzWQX5Tk1TTDB1Oh4iFMqFBBj0qXYnT9nEt
6n5X4FX/oRAnBmhhsp9YLVZwpZ3QofUE1m33vuMKkjLCAXveXrvdapBqDtnXhXsA
ov49RIilPH2xDG4OSWquJG2Ua4nMKPVhZ/St2wQJ5SP2nVZ6fmKv2Mq3IgHjCcMY
a/TALnJgn+l/GKE7hm0PlJ+jwMLobtO4uJotoeMgpsZJT9qyVCg5Y50R+fYKe1+2
uGCGEq0U8v5y7asmernY
=YTzO
-----END PGP SIGNATURE-----
securitybreach Posted September 12, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3356-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 12, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openldap
CVE ID         : CVE-2015-6908
Debian Bug     : 798622

Denis Andzakovic discovered that OpenLDAP, a free implementation of the
Lightweight Directory Access Protocol, does not properly handle BER
data. An unauthenticated remote attacker can use this flaw to cause a
denial of service (slapd daemon crash) via a specially crafted packet.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.4.31-2+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 2.4.40+dfsg-1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.4.42+dfsg-2.

We recommend that you upgrade your openldap packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV87FJAAoJEAVMuPMTQ89EQg0P/3PLqJ6BGTe82TdHFblTXOo5
7Un/Wyn/vlpZmxvvyK2V0aUyaxHMxJF4epkkxYuw1aezkLTL0N4TJD340BKg07yL
shEPGarzr8Uz09vtiXwGkVbdN9Vy3O+EnAsUeWri5msi7gvi16p7lWKRE+sFlJUB
Tc4tMP4DtT60gTh+nhnEPPzqZ1fN8/Q2hjfMo4OypZJiMShRyA+/8a5BO9MtRFt5
MlM8j7N6WWujevvaQruYvZMlRhiX3y1Nj6Qs4tI1K516LwvWKxSB6E/i0DvRlXng
AK3XcG63XpEk5Xvyn0r2IqQ2BPHguKpyZBknP0t6WZuVSDKBnDPWkyn6IFd5mIbi
v7ASefpqdMeoyMbO9geLDnjA4QLwzf+D/FHHFaiS6RvRCecYQpQ+zFKaElAK80Af
fnsc69cwkwP3QGgke0yZNwFAlGNjnYpZA/kbkuajWhvDJ7ORzcUCDeJl/aM8Ewd6
hONkpCBt9ZkEP2NXiO8nh2OUnxob6apFrdRizrXg0z+FWcjFLjWzzZDfQ61Bc9P3
kW0LpedsteYv+ALhLG/vmrXhNQu6vX/alPiIsyaKXvENb3VMxMqpweEhuvLRNpKl
uTeKN+c1p+tT1jFfTe97UspRPnkmUqHuvBAPjifFr5ul7JSXzpo/gm3n1C3xXRuW
JzjOveySpH1hwGsrmXSR
=kj8y
-----END PGP SIGNATURE-----
securitybreach Posted September 13, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3357-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 13, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vzctl
CVE ID         : not yet available

It was discovered that vzctl, a set of control tools for the OpenVZ
server virtualisation solution, determined the storage layout of
containers based on the presence of an XML file inside the container.
An attacker with local root privileges in a simfs-based container could
gain control over ploop-based containers. Further information on the
prerequisites of such an attack can be found at
https://src.openvz.org/projects/OVZL/repos/vzctl/commits/9e98ea630ac0e88b44e3e23c878a5166aeb74e1c

The oldstable distribution (wheezy) is not affected.

For the stable distribution (jessie), this problem has been fixed in
version 4.8-1+deb8u2. During the update existing configurations are
automatically updated.

For the testing distribution (stretch), this problem has been fixed
in version 4.9.4-2.

For the unstable distribution (sid), this problem has been fixed in
version 4.9.4-2.

We recommend that you upgrade your vzctl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJV9XVNAAoJEBDCk7bDfE42wH8QAKu1HMclVr6qaMzXLzdKJnFh
vToZwqzLqcG7wcMMBDEjWDxvJqkUqaJNs1h2RVgy3hwoOo/rZA1tM0+rsubXxXai
b5TN30vexwkMC+DHmJ7UcdP+CZSFfOv6iLXjP7BTVC+th/CrT+wlaaXlawar7oFn
GebJtggNOCLiRRCG16xP+Hg0fPASYe7M7JlgkwugVBJKL0gd5PYdgifsqgplCSIG
FTELm3rl9hhPveO4owBpEfC/o2EURSrzJs/6wgYfr2tKq56udiRD2egGYVMMCsFT
vd8ufZcjXl0yHwH1UdY4rzncCwRNjf/SICFmfAsRiRDSc4GB45x5+bdYosywcjdR
QEiHPwVsoFD6vvo3yVYkANoO9r20qS+lEV8gbYE/sZua6lWvYqG3ezh+FseyJxNK
mLJHy16TA5mhvqFwb4kX1i1pmsxhcC0nzfN+5kPMZM65t5jUSZ/Ctsq+NqiLXQ74
aBMabN6GdlseksaR7jbzQsbkng1PRAfZfRMExsXI1lyK1nln0tQ7P8PGIcjwWHX9
Y9u+Zsa/73sDfIir/kIqHvqIwfLHBObjUQYNThIMO8iRssdPtuj7MvYhPcecy+Dy
uXp3hdqATIEo0tHf9tJT3zL9SJJxAc3c/wRvLuk+eFvFlgC1Gkb5Koc1BJpyn2hB
wRhAME+VvMLR9Tg7c5LS
=MiSK
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3358-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 13, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php5
CVE ID         : CVE-2015-6834 CVE-2015-6835 CVE-2015-6836 CVE-2015-6837
                 CVE-2015-6838

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development. The
vulnerabilities are addressed by upgrading PHP to new upstream versions
(5.4.45 and 5.6.13), which include additional bug fixes. Please refer to
the upstream changelog for more information:

https://php.net/ChangeLog-5.php#5.4.45
https://php.net/ChangeLog-5.php#5.6.13

For the oldstable distribution (wheezy), these problems have been fixed
in version 5.4.45-0+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 5.6.13+dfsg-0+deb8u1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV9Y63AAoJEAVMuPMTQ89EVioP/j9LN6C/27AuDTvbdxOosyv7
Rk1Q2JdoP/O/QCE3phgb45cYAPswUpUeqpCoP0vv7wUqAvDPTeM9PKDM6n2Trkof
8gL0egtUUGk1YM5SyJ6QaSHvnB5p+1DbCgGwglH+PAMtAU3PvNS/jAsddGH+lh3f
WcxTvKVHyifIOm3/3WDJ3t+Suco79wCIqlz7FqBCmF5Cxavbg4Imh1umQYntSBKl
GqncvtBju087sKpIN72MjgBXnbjsUqi4aJpSaULET9FfYxaJQi1Jbd0U7AX5g2n2
FWqccvNT6V5YZ/q4fPMUymP5d9P5fopzCMCmaXf+PRxNRkpvnaph1x5mW/NvFt/N
KW3e7lUeXIHvtJDqd6LTdv3dU8nfeiIaiAiN4ES9mFJ3kv7XCl2zmi8/CZrNFIhR
5oao8+YHMVkcA6pYfLm0EN8xJwF3sNo77cxdYjcmNKi0lEy32dd502jgwVSaEISU
78clABh+SNODCsywutnn7WF0QgbYWPbFL17vfoS7IcWFUSN3xjuAOgSPGUBEYA96
pCGA1wBOg72K1PTaAjrowqa3T7qyCA7tbygk69rR9CVouJeTZXSGYX23CWl16x2Y
MOI6ynhyV2LEfAUyjz/prvABRL9A74hnFVhY5ThLcFH3EyS3KgZZ6qX+u6U3G6iB
2btYznTmaTe0EspBeqTX
=w0ar
-----END PGP SIGNATURE-----
securitybreach Posted September 13, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3359-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 13, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : virtualbox
CVE ID         : CVE-2015-2594

This update fixes an unspecified security issue in VirtualBox related to
guests using bridged networking via WiFi. Oracle no longer provides
information on specific security vulnerabilities in VirtualBox. To still
support users of the already released Debian releases we've decided to
update these to the respective 4.1.40 and 4.3.30 bugfix releases.

For the oldstable distribution (wheezy), this problem has been fixed
in version 4.1.40-dfsg-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 4.3.30-dfsg-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 4.3.30-dfsg-1.

For the unstable distribution (sid), this problem has been fixed in
version 4.3.30-dfsg-1.

We recommend that you upgrade your virtualbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJV9dKWAAoJEBDCk7bDfE42u/YP/0bVVFMRv1BJxedTuwec6HDI
83SdgmFO0UeHRcB0PUHJingoPXR61Odo0EYUWNcBHikXiLlJSs+ENL8pxoi3gHmv
/nI8kCN5Jh3XRURi3x9LHt27t1jj9AREhQ9FxhNmFvIuhPSpb9RdIGBJppcVauJH
0zphwuBp0XHeQ59ogg2weJ5SsCWgwpTKBOreHoCUzYyI37evTLKWHPtNl8CeMU95
8qQ/qdS1vd1B+WxAjM7jFfpnlEp+seWiytms1LE14ttfFSy7eBuLnfaHznRc95RQ
nFp64DS3MFJLE36EnwNf3/OdREhsMJJzSCRJj1QgyH0WM5AnnN3HmipEnb/HPAKy
jvv7382EMJgrTOO6hXLW81yXdeeb1/nA0Ev0wtfmgWfQcufs9Gj1WHZFMkh5rC0s
PmzCm1KtTGQDliLQlnGYowp4azpcVJjmfSFjMT54tjXGBWUHu5jN8SE2q8tBZ3ar
Cd3/2p6KFjg5sgEx0L5fyoe5ST/Dkzv0OQgBYUBo8ftdOqkuNZgwjq/VRjL0dZyg
5I91/4e7lgB5ejzA7SQWhw95EktQsHsg3X1+X8GyN+u0b5vAQFziPdqb7osJWlrC
vSAl/Ny0KelEDJj5G11JHj6CGZFCYkuxDXI31PR7pp8KuCRnERh54AzXNpC/Os10
CYakiKrD1QJwF5/Au2Fh
=UrEY
-----END PGP SIGNATURE-----
securitybreach Posted September 15, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3360-1                   security@debian.org
https://www.debian.org/security/             Laszlo Boszormenyi (GCS)
September 15, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icu
CVE ID         : CVE-2015-1270
Debian Bug     : 798647

It was discovered that the International Components for Unicode (ICU)
library mishandles converter names starting with x-, which allows remote
attackers to cause a denial of service (read of uninitialized memory) or
possibly have unspecified other impact via a crafted file.

For the stable distribution (jessie), this problem has been fixed in
version 52.1-8+deb8u3.

For the testing distribution (stretch), this problem has been fixed
in version 55.1-5.

For the unstable distribution (sid), this problem has been fixed in
version 55.1-5.

We recommend that you upgrade your icu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV+ELBAAoJEK+lG9bN5XPLC24QAIXycfVpH1VzrqIOi7IzkmXf
aCJ9B+m/BWSmnEfVVm42w3u0gGd7wQZSbMi5azEdHYpec6g9Defc4XfVp8ngD9Gk
37Gha8gZZ4Sbxc1tXwMwwwyP2+E+6QDrNzniSwtCNgk4UV9VUSGCNhLJBva5tV1Y
JSeFVHTpl/Urj7CwdRYvlMIbVCTvcnS0FJ34LeylnXTa5k4Z2ZyO5o6a7Gd8YsAD
mGJ2VWA0axNgXXpGhazLfRPQ2PauLfqWN0VpMualqejMPZd2ABRUxrZ7eUuG4AGx
u0HsGnQAQrMn9ZUChTjX8HpDW7OH39B0Z0nVlSITeC4L5gK8SY5lHgmg8zV/Uk1L
jzTwsZty2wfyxsti8XXlY9UHKNcUjB+8bg8WdftzC765HCiNJOXJCGHeklIiHqk7
T5K2H7YuNPMqMuaqgYE7zbgu3JVY9ixNk9DV9aEsgDGjrcs9OXC5U0mkV/++VHlC
ebpcKw02aVEl2Yf7MbX+M0cLiCHo3RM56LQUa02SivwBC5gWULwaSKaRSasoEWEP
knrBzmC5rdyztXipe2undXFyJuACBAuemP8eQSLY7tpFecc52KKnKMN2lru9hzAj
CSXmOvUwwZGmKdwTCMM9RepCoqpNv7Y21ejxCAzUiZ9vjlzVEdRdIeUri/UqGm+E
24PlDUC7o0eS12jqWAVx
=ADH3
-----END PGP SIGNATURE-----
securitybreach Posted September 18, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3362-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 18, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu-kvm
CVE ID         : CVE-2015-5278 CVE-2015-5279 CVE-2015-6815 CVE-2015-6855

Several vulnerabilities were discovered in qemu-kvm, a full
virtualization solution on x86 hardware.

CVE-2015-5278

    Qinghao Tang of QIHU 360 Inc. discovered an infinite loop issue in
    the NE2000 NIC emulation. A privileged guest user could use this
    flaw to mount a denial of service (QEMU process crash).

CVE-2015-5279

    Qinghao Tang of QIHU 360 Inc. discovered a heap buffer overflow flaw
    in the NE2000 NIC emulation. A privileged guest user could use this
    flaw to mount a denial of service (QEMU process crash), or
    potentially to execute arbitrary code on the host with the
    privileges of the hosting QEMU process.

CVE-2015-6815

    Qinghao Tang of QIHU 360 Inc. discovered an infinite loop issue in
    the e1000 NIC emulation. A privileged guest user could use this flaw
    to mount a denial of service (QEMU process crash).

CVE-2015-6855

    Qinghao Tang of QIHU 360 Inc. discovered a flaw in the IDE subsystem
    in QEMU occurring while executing IDE's WIN_READ_NATIVE_MAX command
    to determine the maximum size of a drive. A privileged guest user
    could use this flaw to mount a denial of service (QEMU process
    crash).

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.1.2+dfsg-6+deb7u11.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV/G8LAAoJEAVMuPMTQ89EBW0P/R+Gc/di08JOEyai7DregXfn
NDss2LyL4xI2v5VVEhgCYpY3WA8DOi2bc3UqgmzMAEwAhpUTkhtc2NX1wQU/rba1
Lf44lBPPuUKP/nYcz1CSn0xQHTGla7R0qpgYetdLDwSiN4rnHIDreSpSVWXh4R3H
NrAf5pIRPmnOGRuNkx907ptZ9SD26we1fcpZaKv43kjnmlmrul1OEgYdrbXw+qQc
xT36dZSSxq3bfpiKQFAWwNt/Jp+2CaNysVJyBIGM2PZ1H33IQtwcr0ub06sZOQIU
btOgVmICIMXtZF0/OcxusOkS8t097tBM/v+f+WrwG17Y46QomD0gK0f2tYq5MW8U
PbWmZem0Lkv+EThTDCay1DR060YhUmaKHG6PHgJMRSAzGK9ElMxHNuJUdjwJQjgI
cvfJK0Z6GGhx3x+1BOMNwU877JLlFJhkPVN2CpP8NYNxT0Sk5ripvioUI11p2ZjC
IiOgitLApZmI9IQ9AZWulriNf5sMIZyAgyVfebZ1vIjd8M/XQiTdmGkAFgGDodni
DNdY4x8/efFRTqfaKC0XnE5m8LO1qX1YwyaCBIM9Ky+e6k2HpbEbrqPdx+HXr+WN
WkytBnj7REnQMK0JDC/iU5SvlqVj8OOwKyyEVmtF9rtZIbWWKdE64FKuWhTZPpGB
r7Q3etxkoWtKMowCVOrA
=c8Zw
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3361-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 18, 2015                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2015-5278 CVE-2015-5279 CVE-2015-6815 CVE-2015-6855
Debian Bug     : 798101 799073 799074

Several vulnerabilities were discovered in qemu, a fast processor
emulator.

CVE-2015-5278

    Qinghao Tang of QIHU 360 Inc. discovered an infinite loop issue in
    the NE2000 NIC emulation. A privileged guest user could use this
    flaw to mount a denial of service (QEMU process crash).

CVE-2015-5279

    Qinghao Tang of QIHU 360 Inc. discovered a heap buffer overflow flaw
    in the NE2000 NIC emulation. A privileged guest user could use this
    flaw to mount a denial of service (QEMU process crash), or
    potentially to execute arbitrary code on the host with the
    privileges of the hosting QEMU process.

CVE-2015-6815

    Qinghao Tang of QIHU 360 Inc. discovered an infinite loop issue in
    the e1000 NIC emulation. A privileged guest user could use this flaw
    to mount a denial of service (QEMU process crash).

CVE-2015-6855

    Qinghao Tang of QIHU 360 Inc. discovered a flaw in the IDE subsystem
    in QEMU occurring while executing IDE's WIN_READ_NATIVE_MAX command
    to determine the maximum size of a drive. A privileged guest user
    could use this flaw to mount a denial of service (QEMU process
    crash).

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.1.2+dfsg-6a+deb7u11.

For the stable distribution (jessie), these problems have been fixed in
version 1:2.1+dfsg-12+deb8u4.

For the testing distribution (stretch), these problems have been fixed
in version 1:2.4+dfsg-3 or earlier.

For the unstable distribution (sid), these problems have been fixed in
version 1:2.4+dfsg-3 or earlier.

We recommend that you upgrade your qemu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV/G8AAAoJEAVMuPMTQ89EUy8P+gOnG8kS8F8Ns74XfK5u15p1
TwjsPvTR2tYzhhMrpe2a0JchL56ckjIKpcl3Ei7BDXOhDJ98PP8jBE2fJVYNHjkV
+cAkq2PJSb2kQU+F8Vu7y4UfImqLBgFZy8yNNfBOm4xYrSPON6Qg/FA+3wtUzMZy
FaNt5RbXjhpA/9FTTxu5iLpZ2M47QHfSXhdKRheffmMu0qYqG884i94YpHGiZqMK
vvxj1XJWJngtiU4e+koIF04mmKmx6bt8G+zob3mtzHp3BTBCXWx46W6TasbrdlTL
HDZO+x7Gh1Qmdivd1nhmWhQ+PzlsreJI3vXt27BvhgHvDIARhTk552qMU1pTC1Tc
DEup7AGX+vdMVogHsARuaDELq9qakSLhFv/4WwVkjKce7I6YiCwxDsYQ5LgbSwK7
C8aCt+tBsLRDqyutPj4vUd2yL8ttfyUQiQIQ6Prsy0ipgQ/rFWJVYdF+93qMqdaF
27Zy78YUq9rvja402znoK1YA+VT77c9cZ5nyYt42qXID9o2o+y95KgAunZu/Bu7K
chrbvwjkOvY5d2EiAUTeKj25m/YlounwlBUd2DJ7oDz4vVypAjZ2ivkBvbi6Ul1q
iKKAa36E24BZvvd8WKHZxdt1Ozz6UBDwPjvzOxwRc1R5EA+Xrv+uw1vbL+/A5/pK
WtWJPzBssz1iIXWmMgJg
=SSFZ
-----END PGP SIGNATURE-----
securitybreach Posted September 24, 2015

-------------------------------------------------------------------------
Debian Security Advisory DSA-3365-1              security@debian.org
https://www.debian.o...                          Moritz Muehlenhoff
September 23, 2015                               https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : iceweasel
CVE ID         : CVE-2015-4500 CVE-2015-4506 CVE-2015-4509 CVE-2015-4511
                 CVE-2015-4517 CVE-2015-4519 CVE-2015-4520 CVE-2015-4521
                 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176
                 CVE-2015-7177 CVE-2015-7180

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
integer overflows, buffer overflows, use-after-frees and other
implementation errors may lead to the execution of arbitrary code,
information disclosure or denial of service.

For the oldstable distribution (wheezy), these problems have been fixed
in version 38.3.0esr-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 38.3.0esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 38.3.0esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-3366-1              security@debian.org
https://www.debian.o...                          Salvatore Bonaccorso
September 23, 2015                               https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : rpcbind
CVE ID         : CVE-2015-7236
Debian Bug     : 799307

A remotely triggerable use-after-free vulnerability was found in rpcbind,
a server that converts RPC program numbers into universal addresses. A
remote attacker can take advantage of this flaw to mount a denial of
service (rpcbind crash).

For the oldstable distribution (wheezy), this problem has been fixed in
version 0.2.0-8+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 0.2.1-6+deb8u1.

We recommend that you upgrade your rpcbind packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
securitybreach Posted October 6, 2015

-------------------------------------------------------------------------
Debian Security Advisory DSA-3370-1              security@debian.org
https://www.debian.org/security/                 Alessandro Ghedini
October 06, 2015                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : freetype
CVE ID         : CVE-2014-9745 CVE-2014-9746 CVE-2014-9747
Debian Bug     : 798619 798620

It was discovered that FreeType did not properly handle some malformed
inputs. This could allow remote attackers to cause a denial of service
(crash) via crafted font files.

For the oldstable distribution (wheezy), these problems have been fixed
in version 2.4.9-1.1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in
version 2.5.2-3+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 2.6-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.6-1.

We recommend that you upgrade your freetype packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-3369-1              security@debian.org
https://www.debian.org/security/                 Alessandro Ghedini
October 06, 2015                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : zendframework
CVE ID         : CVE-2015-5723

Multiple vulnerabilities were discovered in Zend Framework, a PHP
framework:

CVE-2015-5723

    It was discovered that due to incorrect permissions masks when
    creating directories, local attackers could potentially execute
    arbitrary code or escalate privileges.

ZF2015-08 (no CVE assigned)

    Chris Kings-Lynne discovered an SQL injection vector caused by missing
    null byte filtering in the MS SQL PDO backend, and a similar issue was
    also found in the SQLite backend.

For the oldstable distribution (wheezy), this problem has been fixed in
version 1.11.13-1.1+deb7u4.

For the stable distribution (jessie), this problem has been fixed in
version 1.12.9+dfsg-2+deb8u4.

For the testing distribution (stretch), this problem has been fixed in
version 1.12.16+dfsg-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.12.16+dfsg-1.

We recommend that you upgrade your zendframework packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
securitybreach Posted October 9, 2015

-------------------------------------------------------------------------
Debian Security Advisory DSA-3371-1              security@debian.org
https://www.debian.org/security/                 Salvatore Bonaccorso
October 09, 2015                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : spice
CVE ID         : CVE-2015-5260 CVE-2015-5261
Debian Bug     : 801089 801091

Frediano Ziglio of Red Hat discovered several vulnerabilities in spice, a
SPICE protocol client and server library. A malicious guest can exploit
these flaws to cause a denial of service (QEMU process crash), execute
arbitrary code on the host with the privileges of the hosting QEMU process
or read and write arbitrary memory locations on the host.

For the oldstable distribution (wheezy), these problems have been fixed
in version 0.11.0-1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in
version 0.12.5-1+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 0.12.5-1.3.

We recommend that you upgrade your spice packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
securitybreach Posted October 13, 2015

-------------------------------------------------------------------------
Debian Security Advisory DSA-3372-1              security@debian.org
https://www.debian.org/security/                 Ben Hutchings
October 13, 2015                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2015-2925 CVE-2015-5257 CVE-2015-5283 CVE-2015-7613

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, unauthorised
information disclosure or unauthorised information modification.

CVE-2015-2925

    Jann Horn discovered that when a subdirectory of a filesystem was
    bind-mounted into a chroot or mount namespace, a user that should be
    confined to that chroot or namespace could access the whole of that
    filesystem if they had write permission on an ancestor of the
    subdirectory. This is not a common configuration for wheezy, and the
    issue has previously been fixed for jessie.

CVE-2015-5257

    Moein Ghasemzadeh of Istuary Innovation Labs reported that a USB
    device could cause a denial of service (crash) by imitating a
    Whiteheat USB serial device but presenting a smaller number of
    endpoints.

CVE-2015-5283

    Marcelo Ricardo Leitner discovered that creating multiple SCTP
    sockets at the same time could cause a denial of service (crash) if
    the sctp module had not previously been loaded. This issue only
    affects jessie.

CVE-2015-7613

    Dmitry Vyukov discovered that System V IPC objects (message queues
    and shared memory segments) were made accessible before their
    ownership and other attributes were fully initialised. If a local
    user can race against another user or service creating a new IPC
    object, this may result in unauthorised information disclosure,
    unauthorised information modification, denial of service and/or
    privilege escalation.

    A similar issue existed with System V semaphore arrays, but was less
    severe because they were always cleared before being fully
    initialised.

For the oldstable distribution (wheezy), these problems have been fixed
in version 3.2.68-1+deb7u5.

For the stable distribution (jessie), these problems have been fixed in
version 3.16.7-ckt11-1+deb8u5.

For the unstable distribution (sid), these problems have been fixed in
version 4.2.3-1 or earlier versions.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
securitybreach Posted October 18, 2015

-------------------------------------------------------------------------
Debian Security Advisory DSA-3373-1              security@debian.org
https://www.debian.org/security/                 Salvatore Bonaccorso
October 18, 2015                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : owncloud
CVE ID         : CVE-2015-4716 CVE-2015-4717 CVE-2015-4718 CVE-2015-5953
                 CVE-2015-5954 CVE-2015-6500 CVE-2015-6670 CVE-2015-7699
Debian Bug     : 800126

Multiple vulnerabilities were discovered in ownCloud, a cloud storage web
service for files, music, contacts, calendars and many more. These flaws
may lead to the execution of arbitrary code, authorization bypass,
information disclosure, cross-site scripting or denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 7.0.4+dfsg-4~deb8u3.

For the testing distribution (stretch), these problems have been fixed
in version 7.0.10~dfsg-2 or earlier versions.

For the unstable distribution (sid), these problems have been fixed in
version 7.0.10~dfsg-2 or earlier versions.

We recommend that you upgrade your owncloud packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
securitybreach Posted October 19, 2015

-------------------------------------------------------------------------
Debian Security Advisory DSA-3375-1              security@debian.org
https://www.debian.org/security/                 Yves-Alexis Perez
October 19, 2015                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2015-5714 CVE-2015-5715
Debian Bug     : 799140

Several vulnerabilities have been fixed in Wordpress, the popular
blogging engine.

CVE-2015-5714

    A cross-site scripting vulnerability when processing shortcode tags
    has been discovered. The issue has been fixed by not allowing
    unclosed HTML elements in attributes.

CVE-2015-5715

    A vulnerability has been discovered, allowing users without proper
    permissions to publish private posts and make them sticky. The issue
    has been fixed in the XMLRPC code of Wordpress by not allowing
    private posts to be sticky.

Other issue(s)

    A cross-site scripting vulnerability in user list tables has been
    discovered. The issue has been fixed by URL-escaping email addresses
    in those user lists.

For the oldstable distribution (wheezy), these problems will be fixed in
a later update.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u5.

For the testing distribution (stretch), these problems have been fixed
in version 4.3.1+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.3.1+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-3374-1              security@debian.org
https://www.debian.org/security/                 Salvatore Bonaccorso
October 19, 2015                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : postgresql-9.4
CVE ID         : CVE-2015-5288 CVE-2015-5289

Several vulnerabilities have been found in PostgreSQL-9.4, a SQL database
system.

CVE-2015-5288

    Josh Kupershmidt discovered a vulnerability in the crypt() function
    in the pgCrypto extension. Certain invalid salt arguments can cause
    the server to crash or to disclose a few bytes of server memory.

CVE-2015-5289

    Oskari Saarenmaa discovered that json or jsonb input values
    constructed from arbitrary user input can crash the PostgreSQL server
    and cause a denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 9.4.5-0+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 9.4.5-1.

For the unstable distribution (sid), these problems have been fixed in
version 9.4.5-1.

We recommend that you upgrade your postgresql-9.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
securitybreach Posted October 25, 2015

-------------------------------------------------------------------------
Debian Security Advisory DSA-3376-1              security@debian.org
https://www.debian.org/security/                 Michael Gilbert
October 20, 2015                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2015-1303 CVE-2015-1304 CVE-2015-6755 CVE-2015-6756
                 CVE-2015-6757 CVE-2015-6758 CVE-2015-6759 CVE-2015-6760
                 CVE-2015-6761 CVE-2015-6762 CVE-2015-6763

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2015-1303

    Mariusz Mlynski discovered a way to bypass the Same Origin Policy in
    the DOM implementation.

CVE-2015-1304

    Mariusz Mlynski discovered a way to bypass the Same Origin Policy in
    the v8 javascript library.

CVE-2015-6755

    Mariusz Mlynski discovered a way to bypass the Same Origin Policy in
    blink/webkit.

CVE-2015-6756

    A use-after-free issue was found in the pdfium library.

CVE-2015-6757

    Collin Payne found a use-after-free issue in the ServiceWorker
    implementation.

CVE-2015-6758

    Atte Kettunen found an issue in the pdfium library.

CVE-2015-6759

    Muneaki Nishimura discovered an information leak.

CVE-2015-6760

    Ronald Crane discovered a logic error in the ANGLE library involving
    lost device events.

CVE-2015-6761

    Aki Helin and Khalil Zhani discovered a memory corruption issue in
    the ffmpeg library.

CVE-2015-6762

    Muneaki Nishimura discovered a way to bypass the Same Origin Policy
    in the CSS implementation.

CVE-2015-6763

    The chrome 46 development team found and fixed various issues during
    internal auditing. Also multiple issues were fixed in the v8
    javascript library, version 4.6.85.23.

For the stable distribution (jessie), these problems have been fixed in
version 46.0.2490.71-1~deb8u1.

For the testing (stretch) and unstable (sid) distributions, these
problems have been fixed in version 46.0.2490.71-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-3378-1              security@debian.org
https://www.debian.org/security/                 Salvatore Bonaccorso
October 24, 2015                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gdk-pixbuf
CVE ID         : CVE-2015-7673 CVE-2015-7674

Several vulnerabilities have been discovered in gdk-pixbuf, a toolkit for
image loading and pixel buffer manipulation. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2015-7673

    Gustavo Grieco discovered a heap overflow in the processing of TGA
    images which may result in the execution of arbitrary code or denial
    of service (process crash) if a malformed image is opened.

CVE-2015-7674

    Gustavo Grieco discovered an integer overflow flaw in the processing
    of GIF images which may result in the execution of arbitrary code or
    denial of service (process crash) if a malformed image is opened.

For the oldstable distribution (wheezy), these problems have been fixed
in version 2.26.1-1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in
version 2.31.1-2+deb8u3.

For the testing distribution (stretch), these problems have been fixed
in version 2.32.1-1 or earlier.

For the unstable distribution (sid), these problems have been fixed in
version 2.32.1-1 or earlier.

We recommend that you upgrade your gdk-pixbuf packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
securitybreach Posted October 28, 2015

-------------------------------------------------------------------------
Debian Security Advisory DSA-3381-1              security@debian.org
https://www.debian.org/security/                 Moritz Muehlenhoff
October 27, 2015                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjdk-7
CVE ID         : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806
                 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843
                 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872
                 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893
                 CVE-2015-4903 CVE-2015-4911

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure,
or denial of service.

For the oldstable distribution (wheezy), these problems have been fixed
in version 7u85-2.6.1-6~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 7u85-2.6.1-5~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 7u85-2.6.1-5.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
securitybreach Posted October 28, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3382-1                   security@debian.org
https://www.debian.org/security/                          Thijs Kinkhorst
October 28, 2015                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : phpmyadmin
CVE ID         : CVE-2014-8958 CVE-2014-9218 CVE-2015-2206 CVE-2015-3902
                 CVE-2015-3903 CVE-2015-6830 CVE-2015-7873
Debian Bug     : 774194

Several issues have been fixed in phpMyAdmin, the web administration
tool for MySQL.

CVE-2014-8958 (Wheezy only)

    Multiple cross-site scripting (XSS) vulnerabilities.

CVE-2014-9218 (Wheezy only)

    Denial of service (resource consumption) via a long password.

CVE-2015-2206

    Risk of BREACH attack due to reflected parameter.

CVE-2015-3902

    XSRF/CSRF vulnerability in phpMyAdmin setup.

CVE-2015-3903 (Jessie only)

    Vulnerability allowing man-in-the-middle attack on API call to GitHub.

CVE-2015-6830 (Jessie only)

    Vulnerability that allows bypassing the reCaptcha test.

CVE-2015-7873 (Jessie only)

    Content spoofing vulnerability when redirecting user to an external site.

For the oldstable distribution (wheezy), these problems have been fixed
in version 4:3.4.11.1-2+deb7u2.

For the stable distribution (jessie), these problems have been fixed in
version 4:4.2.12-2+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 4:4.5.1-1.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJWMSaoAAoJEFb2GnlAHawE38gH/17ApZkCRkPGlgcsT0k53STP
tOF0BHzUMd9W5QzRYySm0lrBuN7/b5VWBJ4xhOpMupJnaOWseSXNg3AJbD+H9Uof
lGRimzWxF+8JF+G1VhZn+uk2+iXJd3sLmlAmK73Q4b+7WVHlByHtnzxvmjvu1JnX
M8ODorRzRxVZTvNI9vaZpq3S/YIHAi8ddHrEFnJQJ3QHt039g3QZFyNvcgdm/3L+
h+F2GpjLjTOjxaLDHXVMxxeTW25q1j4Afp09MKm8Jo5j43aMLTplUNQy5Rn5ngHn
CLXJdgiBG8VT1BeBTvWw3lmUc3DlzjvhtWubxidXxmK1cZij2k9GBEqfjxYdFIQ=
=nqkO
-----END PGP SIGNATURE-----
securitybreach Posted October 29, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3332-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 29, 2015                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
Debian Bug     : 803100

The patch applied for CVE-2015-5622 in DSA-3332-1 contained a faulty
hunk. This update corrects that problem. For reference, the relevant
part of the original advisory text follows.

Several vulnerabilities have been fixed in Wordpress, the popular
blogging engine.

CVE-2015-5622

    The robustness of the shortcodes HTML tags filter has been improved.
    The parsing is a bit more strict, which may affect your installation.
    This is the corrected version of the patch that needed to be reverted
    in DSA 3328-2.

For the stable distribution (jessie), this problem has been fixed in
version 4.1+dfsg-1+deb8u6.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWMmrSAAoJEAVMuPMTQ89Eh5oQAJtVcUyWIvpuBMFUtU98C7wR
ByLLS/ZmRobusmK1p6MJHpT/ZKC03VIFR4Rcoz1pYhynnIRJfi29xrZDZMjMox5B
fLRhSQgFi9TVAF1CeZfYEJCs3ryMpDurUEdNeRzYZUzCIuhRDh6GJ1l6fuxgMdsG
lDLOGzBVX6d/OGmnUhqaHzjaF0TgGoJwXvz1dwShJUNkF0k72mp6Aam/WY5/2Xl7
TJTFwCU1S0Egfnwv7Ry7r2cAOl1RG7cWu6aYxEZb/5HKbvXjSaz2FKZ4r5ISXt9x
mtDXqooc8YzG7grOEROP0wU1fvOkV6+fwex6pdf4HImocu6onFH8QUTKG0B3knGQ
MbY4JX271Kug5mmH2+qGjVuduj4sAgqjgjsEJo3QBvYpmFkYyWZK7tfH/Vr4tbJc
/B+bwOsAquGaMQyYS0oN9vYfGdMXKKRWdNrWw2zjwiiRu+CTq1WUF/s64Y2wemYW
DFkbAbeqPsB1s6whZ9f6e7YP9irTF1G+ZPT04Tao68DeMcAIVSMUQQfWbiPBbfNT
oF4RaEo5WPAM2MmKVHBFvftf5sJ6EDh2oP9Sj9Jsm3/EZMiAW+Wxh/LImbl150ix
uA5X8PmET+cQeTANhi95stSV8dqtD6Toctbb7gqFffU+Efutu7ATmITbatLWMxbc
qjarCb4+JW+9n/UNHR45
=SvqH
-----END PGP SIGNATURE-----
securitybreach Posted October 29, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3383-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 29, 2015                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2015-2213 CVE-2015-5622 CVE-2015-5714 CVE-2015-5715
                 CVE-2015-5731 CVE-2015-5732 CVE-2015-5734 CVE-2015-7989
Debian Bug     : 794560 799140

Several vulnerabilities were discovered in Wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2015-2213

    SQL Injection allowed a remote attacker to compromise the site.

CVE-2015-5622

    The robustness of the shortcodes HTML tags filter has been improved.
    The parsing is a bit more strict, which may affect your installation.

CVE-2015-5714

    A cross-site scripting vulnerability when processing shortcode tags.

CVE-2015-5715

    A vulnerability has been discovered, allowing users without proper
    permissions to publish private posts and make them sticky.

CVE-2015-5731

    An attacker could lock a post that was being edited.

CVE-2015-5732

    Cross-site scripting in a widget title allows an attacker to steal
    sensitive information.

CVE-2015-5734

    Fix some broken links in the legacy theme preview.

CVE-2015-7989

    A cross-site scripting vulnerability in user list tables.

For the oldstable distribution (wheezy), these problems have been fixed
in version 3.6.1+dfsg-1~deb7u8.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u5 or earlier in DSA-3332-1 and DSA-3375-1.

For the testing distribution (stretch), these problems have been fixed
in version 4.3.1+dfsg-1 or earlier versions.

For the unstable distribution (sid), these problems have been fixed in
version 4.3.1+dfsg-1 or earlier versions.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWMnsdAAoJEAVMuPMTQ89EFPcP/A3VbZDqEascbeqz9697903V
P1HIPO1T6hMjsugFKomcPnw4OH3Tmwz/bCLmDQt/3jDoAZ69SA9Oo2z7ABVd8191
4sNp1Vl05vG+NzS3Mqtpi4SEnxxgHYYfOL9Mw6ROeYls/M5XIPZHU4iKg6c0JdbG
4l3dVPpfFRphh+fzxPyTkJkGvSDhewgpscxi/fPBmIA+FqTqC2XF2x214EAU+xbM
U9NwsMh+TZy/AsZeSnpZU60Hx5z8LiALDZnK4EYBHTOTbsw2zA3J3dAhIIbYysR2
CUgzbMvXQllo4oXcP+goyNrIih+Lxn+XHQHJ/F35KbN04hf1K+zYtdsazVHColJI
egyKRMftC+N50nxE5jr1VdiAo3oMTHvxgwBTWcLqEC5ToNTRnzbDk3bEZ6ckCKFD
sawkuwEiZU/4PUhvwRIjGh7+MqkEuh3RgqKJrxZkfY1usVebSR722ypWfV4bWnau
ggQB72P8UyFbpR0gtHsXssr5hXykk8S8WOGw1pYsQWCRVuDxXuKwbSX5iv6g8L0b
yI1IDpHORtwguU7C2x+FHxyx7m+x5n+MJz0eB8S0ofFmKlgtVzz0laa2nsTVebfW
WMrX0P9PNhiKWlEiTYNXCBwyww/BpzY1dubWcwGIaVF39YqSCyHxkFU0iXarMpGR
UKMbiI7nLcXS45yBw/nj
=4z0J
-----END PGP SIGNATURE-----
securitybreach Posted October 29, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3384-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 29, 2015                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : virtualbox
CVE ID         : CVE-2015-4813 CVE-2015-4896

Two vulnerabilities have been discovered in VirtualBox, an x86
virtualisation solution.

For the oldstable distribution (wheezy), these problems have been fixed
in version 4.1.42-dfsg-1+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 4.3.32-dfsg-1+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 5.0.8-dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 5.0.8-dfsg-1.

We recommend that you upgrade your virtualbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWMpn0AAoJEBDCk7bDfE42m6EQALJRXlvIFuegT32tnscGz72s
SoTDlkKR2mjEuPF2LRRg8j4QkObYXLwLZFp4/xd0ptrimtxggXIZ/dyHY06ApcKc
jix6OOcvmxmJm5eqJMI+MeDoqo6/VbTWiX3AVaLSzXRD230ygo/G+o+mug8ethLa
HISPqu4CQgoNwANwxZcbEXg16ZenFwZYhK4Jaj4Mcqv21bWK+7HWdfoxSU4B1RRh
djRrTEe5pl+HqZ2Ap0dglgu9G8idJWtKblkg1o633zNDApUZ2jK4LilxKwNGb1sM
PJL614xXvIXQQSj9hscncbbidtjj44FalvPed4AwpKIS6+Fanh9UL4liyL7uX8KH
/XC84xD61OegLuUkJjYHx4RuEZpACiOIiEZp+zHzZyBLgiWKfVlMGOxAPNit6z+3
y0GZNVU0mfy+VtDIEZVw1SveWURuLGPXAG5AUmveCtN9BA3QoxZFv9xc006q93GW
I+izCGOTAEbnHEZd010ijerpZUJPT49PfWehxRQiVdhCXR3N2ZfKaNq5e2qQjNrh
kjxn1ntyQbivjCNuXox+iQm9G3xoujhfVG7ZzJMfgeVAEtwmtH7lJfD2fhzqfBBR
32R7RTvud6vc1WFEjo4FiyIhx7qifWiwBCdNzF+Iw558wu3vUVPTBdEXqbJOg7Ix
a7OZOtGG/7UaOAdTHbET
=tfQY
-----END PGP SIGNATURE-----
securitybreach Posted October 31, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3385-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 31, 2015                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mariadb-10.0
CVE ID         : CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816
                 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836
                 CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879
                 CVE-2015-4895 CVE-2015-4913
Debian Bug     : 802874

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.22. Please see the MariaDB 10.0 Release Notes for further
details:

https://mariadb.com/kb/en/mariadb/mariadb-10021-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10022-release-notes/

For the stable distribution (jessie), these problems have been fixed in
version 10.0.22-0+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.22-1 or earlier.

We recommend that you upgrade your mariadb-10.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWNHiiAAoJEAVMuPMTQ89EZPYP/RXpOeexYDO8fVmrsaHrfGr/
AlJow4CASc7pRIAlpzyCJYwtNx/EWZ+B7LjCDSywoMTcb71JAYs3/ZkRf0zFQect
zTu+tGU346+OFQ4oVrC7nD7YBr2ufqbIfwH+r0aWhwunVtFz8QRka6b8qkjF7zdp
nkIIjJCuexvMeEfAtnoipsaIC8J2PHqXUVDJJuRlOLdZHfDdNcX6LHE5NBj6vdlN
yOiYuSoB5RIM3NWeQSr817hUjIQ5maHE914dqyTzJ/H6hUcDM29hh6QRiOHw2I84
KNV7lECnsBlMJiv2AQcvdBTLdxfb8wSyaNrdzM4MZbbUBX/CbGwo14YI74yllLfm
KLmvrlHVgF7UEjECTbG+vz0FL7I1Jx4tz+xAT/1v8STUONjyBpzkwfTuyQiDasBg
C0ZfnPIWphpSHzaahpAWrn8lWvE3/zKD9Yp8ayw2iTOtCHsmGrszMmLORKdyM04g
RsVY+ppVIz2buN8qd9zPk2j1yE9C0GITPj8+gS0YdzFLgWIAbQ9Vx8adzl3PfnTH
MgWaaNBbIYYrnH9n8c/BRzN6OL8iXu+IjZpvBoAP/sBhzOGSISGkdGgfUAP8s5Df
1GM+m5+5QR14cFqBEaZvA2JDhYmMQGtMSnpKy9DpNMhbIHC7ZLa8GexiOYjXGQQH
MxamLc9qvdnNQXd2usnu
=BdYx
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3386-1                   security@debian.org
https://www.debian.org/security/              Laszlo Boszormenyi (GCS)
October 31, 2015                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : unzip
CVE ID         : CVE-2015-7696 CVE-2015-7697
Debian Bug     : 802160 802162

Two vulnerabilities have been found in unzip, a de-archiver for .zip
files. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2015-7696

    Gustavo Grieco discovered that unzip incorrectly handled certain
    password protected archives. If a user or automated system were
    tricked into processing a specially crafted zip archive, an attacker
    could possibly execute arbitrary code.

CVE-2015-7697

    Gustavo Grieco discovered that unzip incorrectly handled certain
    malformed archives. If a user or automated system were tricked into
    processing a specially crafted zip archive, an attacker could
    possibly cause unzip to hang, resulting in a denial of service.

For the oldstable distribution (wheezy), these problems have been fixed
in version 6.0-8+deb7u4.

For the stable distribution (jessie), these problems have been fixed in
version 6.0-16+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 6.0-19.

For the unstable distribution (sid), these problems have been fixed in
version 6.0-19.

We recommend that you upgrade your unzip packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWNNHRAAoJEAVMuPMTQ89EvjgP/A6mLOMG2pXEfa/3WvpgmMe+
7jA86FckGWadkhei42rPXdDsfvnDL/zZuKmgLmmRendL6kWJF2qjrqTnLoQdlVA/
oQhWqUGKMkCtdWNYEhdohU7JAjbfO9kd3/NohRX0gts4YMskGJzuFVpktUqHDrEZ
pI8LJiHfLrO1QdkC91NC4ikB2shuppQVzUpbaJQPJI7/LWLX1k3AIc7DOd3YEAg9
MTuLChTahz/0hgb1cJnTyXwsSlOVWuuHiBsqUu5nx//NIAXRPnM3gwGTlfu8qviJ
PrhQ6SSYP5jlyI05DrVUMEOjHXncs421W81HFjimQ1vvX53NmCLcOqJyTKbm5Ivc
wr6MNlXrMIXICfKvZFJblqDGqoQ5dbtWGCoxciz+eIIJZ5XHXND3EA+k7e126MO2
Cbo4M51bqz8UWez/aNlCsRM/y+eXASyun4G/rk5lw7NCV84HPlVNRbetgRk8AD/P
kDxmcjWGiQ8coLNnTQCAp76NC/uHhYmAnIPlaRx/r5v3252K1UwMRVqVBWh0TJhL
IgJr/W1QvUlcfoudykcl+EXGBV2bypEagoYW1qCEu5PepyfOgC3TcWhf5IZrg82h
X734kq2p0Xd8Rg0a3WYLig3sG4mnpgiPzqwsYDLk1wIxQfC53SwOHXHl/VusXMwT
PI2zEAEef3Fqx15wRZcX
=K/48
-----END PGP SIGNATURE-----
securitybreach Posted November 1, 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3387-1                   security@debian.org
https://www.debian.org/security/                           Florian Weimer
November 01, 2015                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openafs
CVE ID         : CVE-2015-7762 CVE-2015-7763

John Stumpo discovered that OpenAFS, a distributed file system, does
not fully initialize certain network packets before transmitting them.
This can lead to a disclosure of the plaintext of previously processed
packets.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.6.1-3+deb7u5.

For the stable distribution (jessie), these problems have been fixed in
version 1.6.9-2+deb8u4.

For the testing distribution (stretch) and the unstable distribution
(sid), these problems have been fixed in version 1.6.15-1.

We recommend that you upgrade your openafs packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJWNommAAoJEL97/wQC1SS+srQH/RvDXYvuCj/ud7W8r+TRAO/m
kPW/p4JTbglFIEaMjJzp4vyiCZhnI3GtHWpcUxuhT9Hi7KT6qZ9jaMxXC6LqwJap
O/DGPX3hYSjxHessxbHbBvH042LHkhtrf1ynhVDyQFuD72bALsluX1EbdvyedoM8
rhR4di3Jxbb/jWcutUfEBeHTgEoF8HP5NKbR4IPt7YFES6XODzUyJ5yw8MqCI30P
LiCFf9JcMD+7z8J78T1xxrvjNxulge/PNZmeSDuKJU4/EpmJU9++9mk9TFpqlKF+
2F3NpxaXYA6dOU92k1/SVglRN7rjsd5/IxnIXVdhq/DMOTkoniIxtaVShIxgVVU=
=DtUn
-----END PGP SIGNATURE-----
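Every advisory in this thread ends with "we recommend that you upgrade your ... packages" and names the fixed version per suite. The practical question on a fleet is which hosts are still below that version, and a plain string comparison gets Debian versions wrong (epochs like `4:`, `~deb8u1` sorting before the sid build, `+dfsg`). The following is an added example, not Debian's own tooling or code from these advisories: it re-implements the dpkg version ordering from deb-version(5) and compares a package listing against the fixed versions transcribed from the advisories above. The fixed-version table is taken from the posts in this thread (for wordpress on jessie it uses the 4.1+dfsg-1+deb8u6 from DSA-3332-2, which supersedes the deb8u5 named in DSA-3383-1); the package listing embedded in the block is constructed sample data standing in for real `dpkg-query` output.

```python
"""Check installed Debian package versions against the fixed versions
named in the advisories quoted above (added example, not Debian code)."""
import sys

# Fixed versions copied from the advisories in this thread, keyed by
# source package name.  Binary packages (e.g. openjdk-7-jre) carry the
# source version, which is why the listing uses ${source:Package}.
FIXED_VERSIONS = {
    "jessie": {
        "openjdk-7": "7u85-2.6.1-5~deb8u1",      # DSA-3381-1
        "phpmyadmin": "4:4.2.12-2+deb8u1",       # DSA-3382-1
        "wordpress": "4.1+dfsg-1+deb8u6",        # DSA-3332-2 (supersedes deb8u5)
        "virtualbox": "4.3.32-dfsg-1+deb8u2",    # DSA-3384-1
        "mariadb-10.0": "10.0.22-0+deb8u1",      # DSA-3385-1
        "unzip": "6.0-16+deb8u1",                # DSA-3386-1
        "openafs": "1.6.9-2+deb8u4",             # DSA-3387-1
    },
    "wheezy": {
        "openjdk-7": "7u85-2.6.1-6~deb7u1",      # DSA-3381-1
        "phpmyadmin": "4:3.4.11.1-2+deb7u2",     # DSA-3382-1
        "wordpress": "3.6.1+dfsg-1~deb7u8",      # DSA-3383-1
        "virtualbox": "4.1.42-dfsg-1+deb7u1",    # DSA-3384-1
        "unzip": "6.0-8+deb7u4",                 # DSA-3386-1
        "openafs": "1.6.1-3+deb7u5",             # DSA-3387-1
    },
}


def _order(c):
    """Character weight dpkg uses for the non-digit parts of a version:
    '~' sorts before everything (even end of string), letters before
    other punctuation."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments as dpkg's verrevcmp() does: alternate
    between a non-digit run (weighted character compare) and a digit run
    (numeric compare, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0   # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():   # a has more digits: larger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision);
    only the last '-' separates the Debian revision."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    result = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (result > 0) - (result < 0)


def find_unpatched(listing, suite):
    r"""Return (package, installed, fixed) for each listed package older than
    the advisory's fixed version.  `listing` is the output of
    dpkg-query -W -f='${source:Package} ${Version}\n'"""
    fixed = FIXED_VERSIONS[suite]
    unpatched = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        package, installed = line.split(None, 1)
        installed = installed.strip()
        if package in fixed and compare_versions(installed, fixed[package]) < 0:
            unpatched.append((package, installed, fixed[package]))
    return unpatched


# Constructed sample listing (not real host data) in dpkg-query format.
SAMPLE_LISTING = """\
openjdk-7 7u79-2.5.6-1~deb8u1
phpmyadmin 4:4.2.12-2+deb8u1
wordpress 4.1+dfsg-1+deb8u5
unzip 6.0-16+deb8u1
mariadb-10.0 10.0.21-0+deb8u1
openafs 1.6.9-2+deb8u4
"""

if __name__ == "__main__":
    # `python check_dsa.py -` reads a real listing from stdin; otherwise the sample runs.
    listing = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LISTING
    for package, installed, fixed_in in find_unpatched(listing, "jessie"):
        print(f"{package}: installed {installed}, fixed in {fixed_in}")
```

On a real host, pipe the listing in (`dpkg-query -W -f='${source:Package} ${Version}\n' | python check_dsa.py -`) and choose the suite key that matches the host. The comparison function can be cross-checked against `dpkg --compare-versions A lt B` on any Debian system; the two should always agree, and the `~deb8u1` case is the one most ad-hoc scripts get wrong, since jessie's `7u85-2.6.1-5~deb8u1` is correctly ordered below sid's `7u85-2.6.1-5` even though the string is longer.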