
Bruno


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3473-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 11, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : nginx

CVE ID : CVE-2016-0742 CVE-2016-0746 CVE-2016-0747

Debian Bug : 812806

 

Several vulnerabilities were discovered in the resolver in nginx, a

small, powerful, scalable web/proxy server, leading to denial of service

or, potentially, to arbitrary code execution. These only affect nginx if

the "resolver" directive is used in a configuration file.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.2.1-2.2+wheezy4.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.6.2-5+deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 1.9.10-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.9.10-1.


------------------------------------------------------------------------

The Debian Project https://www.debian.org/

Debian 6.0 Long Term Support reaching end-of-life press@debian.org

February 12th, 2016 https://www.debian.org/News/2016/20160212

------------------------------------------------------------------------

 

 

The Debian Long Term Support (LTS) [1] Team hereby announces that Debian

6.0 ("squeeze") support will reach its end-of-life on February 29, 2016,

five years after its initial release on February 6, 2011.

 

1: https://wiki.debian.org/LTS/

 

There will be no further security support for Debian 6.0.

 

The LTS Team will prepare the transition to Debian 7 ("wheezy"), which

is the current oldstable release. The LTS team will take over support

from the Security Team on April 26, 2016.

 

Debian 7 will also receive Long Term Support for five years after its

initial release with support ending in May 2018.

 

Debian and its LTS Team would like to thank all contributing users,

developers and sponsors who are making it possible to extend the life of

previous stable releases, and who have made this LTS a success.

 

If you rely on Debian LTS, please consider joining the team [2],

providing patches, testing or funding the efforts [3].

 

2: https://wiki.debian.org/LTS/Development

3: https://wiki.debian.org/LTS/Funding


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3474-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 12, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libgcrypt20

CVE ID : CVE-2015-7511

 

Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered

that the ECDH secret decryption keys in applications using the

libgcrypt20 library could be leaked via a side-channel attack.

 

See https://www.cs.tau.ac.IL/~tromer/ecdh/ for details.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.6.3-2+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.6.5-2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3475-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 13, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : postgresql-9.1

CVE ID : CVE-2015-5288 CVE-2016-0766 CVE-2016-0773

 

Several vulnerabilities have been found in PostgreSQL-9.1, a SQL

database system.

 

CVE-2015-5288

 

Josh Kupershmidt discovered a vulnerability in the crypt() function

in the pgCrypto extension. Certain invalid salt arguments can cause

the server to crash or to disclose a few bytes of server memory.

 

CVE-2016-0766

 

A privilege escalation vulnerability for users of PL/Java was

discovered. Certain custom configuration settings (GUCs) for PL/Java

will now be modifiable only by the database superuser to mitigate

this issue.

 

CVE-2016-0773

 

Tom Lane and Greg Stark discovered a flaw in the way PostgreSQL

processes specially crafted regular expressions. Very large

character ranges in bracket expressions could cause infinite

loops or memory overwrites. A remote attacker can exploit this

flaw to cause a denial of service or, potentially, to execute

arbitrary code.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 9.1.20-0+deb7u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3476-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 13, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : postgresql-9.4

CVE ID : CVE-2016-0766 CVE-2016-0773

 

Several vulnerabilities have been found in PostgreSQL-9.4, a SQL

database system.

 

CVE-2016-0766

 

A privilege escalation vulnerability for users of PL/Java was

discovered. Certain custom configuration settings (GUCs) for PL/Java

will now be modifiable only by the database superuser to mitigate

this issue.

 

CVE-2016-0773

 

Tom Lane and Greg Stark discovered a flaw in the way PostgreSQL

processes specially crafted regular expressions. Very large

character ranges in bracket expressions could cause infinite

loops or memory overwrites. A remote attacker can exploit this

flaw to cause a denial of service or, potentially, to execute

arbitrary code.

 

For the stable distribution (jessie), these problems have been fixed in

version 9.4.6-0+deb8u1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3477-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 14, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : iceweasel

CVE ID : CVE-2016-1523

 

Holger Fuhrmannek discovered that missing input sanitising in the

Graphite font rendering engine could result in the execution of arbitrary

code.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 38.6.1esr-1~deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 38.6.1esr-1~deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 44.0-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3478-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 15, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libgcrypt11

CVE ID : CVE-2015-7511

 

Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered

that the ECDH secret decryption keys in applications using the

libgcrypt11 library could be leaked via a side-channel attack.

 

See https://www.cs.tau.ac.IL/~tromer/ecdh/ for details.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.5.0-5+deb7u4.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3479-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 15, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : graphite2

CVE ID : CVE-2016-1521 CVE-2016-1522 CVE-2016-1523

 

Multiple vulnerabilities have been found in the Graphite font rendering

engine which might result in denial of service or the execution of

arbitrary code if a malformed font file is processed.

 

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.3.5-1~deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.3.5-1~deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 1.3.5-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.3.5-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3480-1 security@debian.org

https://www.debian.org/security/ Florian Weimer

February 16, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : eglibc

CVE ID : CVE-2014-8121 CVE-2015-1781 CVE-2015-7547 CVE-2015-8776

CVE-2015-8777 CVE-2015-8778 CVE-2015-8779

Debian Bug : 779587 796105 798316 801691 803927 812441 812445 812455

 

Several vulnerabilities have been fixed in the GNU C Library, eglibc.

 

The CVE-2015-7547 vulnerability listed below is considered to have

critical impact.

 

CVE-2014-8121

 

Robin Hack discovered that the nss_files database did not

correctly implement enumeration interleaved with name-based or

ID-based lookups. This could cause the enumeration to enter an

endless loop, leading to a denial of service.

 

CVE-2015-1781

 

Arjun Shankar discovered that the _r variants of host name

resolution functions (like gethostbyname_r), when performing DNS

name resolution, suffered from a buffer overflow if a misaligned

buffer was supplied by the applications, leading to a crash or,

potentially, arbitrary code execution. Most applications are not

affected by this vulnerability because they use aligned buffers.

 

CVE-2015-7547

 

The Google Security Team and Red Hat discovered that the eglibc

host name resolver function, getaddrinfo, when processing

AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its

internal buffers, leading to a stack-based buffer overflow and

arbitrary code execution. This vulnerability affects most

applications which perform host name resolution using getaddrinfo,

including system services.

 

CVE-2015-8776

 

Adam Nielsen discovered that if an invalid separated time value

is passed to strftime, the strftime function could crash or leak

information. Applications normally pass only valid time

information to strftime; no affected applications are known.

 

CVE-2015-8777

 

Hector Marco-Gisbert reported that LD_POINTER_GUARD was not

ignored for SUID programs, enabling an unintended bypass of a

security feature. This update causes eglibc to always ignore the

LD_POINTER_GUARD environment variable.

 

CVE-2015-8778

 

Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r

functions did not check the size argument properly, leading to a

crash (denial of service) for certain arguments. No impacted

applications are known at this time.

 

CVE-2015-8779

 

The catopen function contains several unbound stack allocations

(stack overflows), causing it to crash the process (denial of

service). No applications where this issue has a security impact

are currently known.

 

The following fixed vulnerabilities currently lack CVE assignment:

 

Joseph Myers reported that an integer overflow in

strxfrm can lead to heap-based buffer overflow, possibly allowing

arbitrary code execution. In addition, a fallback path in strxfrm

uses an unbounded stack allocation (stack overflow), leading to a

crash or erroneous application behavior.

 

Kostya Serebryany reported that the fnmatch function could skip

over the terminating NUL character of a malformed pattern, causing

an application calling fnmatch to crash (denial of service).

 

Joseph Myers reported that the IO_wstr_overflow function,

internally used by wide-oriented character streams, suffered from

an integer overflow, leading to a heap-based buffer overflow. On

GNU/Linux systems, wide-oriented character streams are rarely

used, and no affected applications are known.

 

Andreas Schwab reported a memory leak (memory allocation without a

matching deallocation) while processing certain DNS answers in

getaddrinfo, related to the _nss_dns_gethostbyname4_r function.

This vulnerability could lead to a denial of service.

 

While it is only necessary to ensure that all processes are not using

the old eglibc anymore, it is recommended to reboot the machines after

applying the security upgrade.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 2.13-38+deb7u10.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3481-1 security@debian.org

https://www.debian.org/security/ Florian Weimer

February 16, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : glibc

CVE ID : CVE-2015-7547 CVE-2015-8776 CVE-2015-8778 CVE-2015-8779

Debian Bug : 812441 812445 812455

 

Several vulnerabilities have been fixed in the GNU C Library, glibc.

 

The first vulnerability listed below is considered to have critical

impact.

 

CVE-2015-7547

 

The Google Security Team and Red Hat discovered that the glibc

host name resolver function, getaddrinfo, when processing

AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its

internal buffers, leading to a stack-based buffer overflow and

arbitrary code execution. This vulnerability affects most

applications which perform host name resolution using getaddrinfo,

including system services.

 

CVE-2015-8776

 

Adam Nielsen discovered that if an invalid separated time value

is passed to strftime, the strftime function could crash or leak

information. Applications normally pass only valid time

information to strftime; no affected applications are known.

 

CVE-2015-8778

 

Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r

functions did not check the size argument properly, leading to a

crash (denial of service) for certain arguments. No impacted

applications are known at this time.

 

CVE-2015-8779

 

The catopen function contains several unbound stack allocations

(stack overflows), causing it to crash the process (denial of

service). No applications where this issue has a security impact

are currently known.

 

While it is only necessary to ensure that all processes are not using

the old glibc anymore, it is recommended to reboot the machines after

applying the security upgrade.

 

For the stable distribution (jessie), these problems have been fixed in

version 2.19-18+deb8u3.

 

For the unstable distribution (sid), these problems will be fixed in

version 2.21-8.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3482-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

February 17, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libreoffice

CVE ID : CVE-2016-0794 CVE-2016-0795

 

An anonymous contributor working with VeriSign iDefense Labs

discovered that libreoffice, a full-featured office productivity

suite, did not correctly handle Lotus WordPro files. This would enable

an attacker to crash the program, or execute arbitrary code, by

supplying a specially crafted LWP file.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 3.5.4+dfsg2-0+deb7u6.

 

For the stable distribution (jessie), these problems have been fixed in

version 4.3.3-2+deb8u3.

 

For the testing (stretch) and unstable (sid) distributions, these

problems have been fixed in version 1:5.1.1~rc1-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3483-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 19, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : cpio

CVE ID : CVE-2016-2037

Debian Bug : 812401

 

Gustavo Grieco discovered an out-of-bounds write vulnerability in cpio,

a tool for creating and extracting cpio archive files, leading to a

denial of service (application crash).

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 2.11+dfsg-0.1+deb7u2.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.11+dfsg-4.1+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 2.11+dfsg-5.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3484-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 19, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xdelta3

CVE ID : CVE-2014-9765

Debian Bug : 814067

 

Stepan Golosunov discovered that xdelta3, a diff utility which works

with binary files, is affected by a buffer overflow vulnerability within

the main_get_appheader function, which may lead to the execution of

arbitrary code.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 3.0.0.dfsg-1+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 3.0.8-dfsg-1+deb8u1.

 

For the testing distribution (stretch), this problem has been fixed

in version 3.0.8-dfsg-1.1.

 

For the unstable distribution (sid), this problem has been fixed in

version 3.0.8-dfsg-1.1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3485-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

February 20, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : didiwiki

CVE ID : CVE-2013-7448

Debian Bug : 815111

 

Alexander Izmailov discovered that didiwiki, a wiki implementation,

failed to correctly validate user-supplied input, thus allowing a

malicious user to access any part of the filesystem.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 0.5-11+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 0.5-11+deb8u1.

 

For the testing (stretch) and unstable (sid) distributions, this

problem has been fixed in version 0.5-12.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3486-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

February 21, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium-browser

CVE ID : CVE-2016-1622 CVE-2016-1623 CVE-2016-1624 CVE-2016-1625

CVE-2016-1626 CVE-2016-1627 CVE-2016-1628 CVE-2016-1629

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2016-1622

 

It was discovered that a maliciously crafted extension could bypass

the Same Origin Policy.

 

CVE-2016-1623

 

Mariusz Mlynski discovered a way to bypass the Same Origin Policy.

 

CVE-2016-1624

 

lukezli discovered a buffer overflow issue in the Brotli library.

 

CVE-2016-1625

 

Jann Horn discovered a way to cause the Chrome Instant feature to

navigate to unintended destinations.

 

CVE-2016-1626

 

An out-of-bounds read issue was discovered in the openjpeg library.

 

CVE-2016-1627

 

It was discovered that the Developer Tools did not validate URLs.

 

CVE-2016-1628

 

An out-of-bounds read issue was discovered in the pdfium library.

 

CVE-2016-1629

 

A way to bypass the Same Origin Policy was discovered in Blink/WebKit,

along with a way to escape the chromium sandbox.

 

For the stable distribution (jessie), these problems have been fixed in

version 48.0.2564.116-1~deb8u1.

 

For the testing distribution (stretch), these problems will be fixed soon.

 

For the unstable distribution (sid), these problems have been fixed in

version 48.0.2564.116-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3487-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 23, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libssh2

CVE ID : CVE-2016-0787

Debian Bug : 815662

 

Andreas Schneider reported that libssh2, a SSH2 client-side library,

passes the number of bytes to a function that expects number of bits

during the SSHv2 handshake when libssh2 is to get a suitable value for

'group order' in the Diffie-Hellman negotiation. This weakens

significantly the handshake security, potentially allowing an

eavesdropper with enough resources to decrypt or intercept SSH sessions.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.4.2-1.1+deb7u2.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.4.3-4.1+deb8u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3488-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 23, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libssh

CVE ID : CVE-2016-0739

Debian Bug : 815663

 

Aris Adamantiadis discovered that libssh, a tiny C SSH library,

incorrectly generated a short ephemeral secret for the

diffie-hellman-group1 and diffie-hellman-group14 key exchange methods.

The resulting secret is 128 bits long, instead of the recommended sizes

of 1024 and 2048 bits respectively. This flaw could allow an

eavesdropper with enough resources to decrypt or intercept SSH sessions.

 

For the oldstable distribution (wheezy), this problem has been fixed in

version 0.5.4-1+deb7u3. This update also includes fixes for

CVE-2014-8132 and CVE-2015-3146, which were previously scheduled for the

next wheezy point release.

 

For the stable distribution (jessie), this problem has been fixed in

version 0.6.3-4+deb8u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3489-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

February 23, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : lighttpd

CVE ID : CVE-2014-3566

Debian Bug : 765702

 

lighttpd, a small webserver, is vulnerable to the POODLE attack via

the use of SSLv3. This protocol is now disabled by default.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.4.31-4+deb7u4.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3490-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

February 23, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : websvn

CVE ID : CVE-2016-2511

 

Jakub Palaczynski discovered that websvn, a web viewer for Subversion

repositories, does not correctly sanitize user-supplied input, which

allows a remote user to run reflected cross-site scripting attacks.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 2.3.3-1.1+deb7u2.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.3.3-1.2+deb8u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3491-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 24, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : icedove

CVE ID : CVE-2015-7575 CVE-2016-1523 CVE-2016-1930 CVE-2016-1935

 

Multiple security issues have been found in Icedove, Debian's version of

the Mozilla Thunderbird mail client: Multiple memory safety errors,

integer overflows, buffer overflows and other implementation errors may

lead to the execution of arbitrary code or denial of service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 38.6.0-1~deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 38.6.0-1~deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 38.6.0-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 38.6.0-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3493-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 25, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xerces-c

CVE ID : CVE-2016-0729

Debian Bug : 815907

 

Gustavo Grieco discovered that xerces-c, a validating XML parser library

for C++, mishandles certain kinds of malformed input documents,

resulting in buffer overflows during processing and error reporting.

These flaws could lead to a denial of service in applications using the

xerces-c library, or potentially, to the execution of arbitrary code.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 3.1.1-3+deb7u2.

 

For the stable distribution (jessie), this problem has been fixed in

version 3.1.1-5.1+deb8u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3492-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

February 25, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gajim

CVE ID : CVE-2015-8688

Debian Bug : 809900

 

Daniel Gultsch discovered a vulnerability in Gajim, an XMPP/jabber client. Gajim didn't

verify the origin of roster update, allowing an attacker to spoof them

and potentially allowing her to intercept messages.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 0.15.1-4.1+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 0.16-1+deb8u1.

 

For the testing distribution (stretch), this problem has been fixed

in version 0.16.5-0.1.

 

For the unstable distribution (sid), this problem has been fixed in

version 0.16.5-0.1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3494-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 27, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : cacti

CVE ID : CVE-2015-8377 CVE-2015-8604

 

Two SQL injection vulnerabilities were discovered in cacti, a web

interface for graphing of monitoring systems. Specially crafted input

can be used by an attacker in parameters of the graphs_new.php script to

execute arbitrary SQL commands on the database.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 0.8.8a+dfsg-5+deb7u8.

 

For the stable distribution (jessie), these problems have been fixed in

version 0.8.8b+dfsg-8+deb8u4.

 

For the testing distribution (stretch), these problems have been fixed

in version 0.8.8f+ds1-4.

 

For the unstable distribution (sid), these problems have been fixed in

version 0.8.8f+ds1-4.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3492-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 28, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gajim

Debian Bug : 816158

 

The wheezy part of the previous gajim update, DSA-3492-1, was

incorrectly built resulting in an unsatisfiable dependency. This update

corrects that problem. For reference, the original advisory text

follows.

 

Daniel Gultsch discovered a vulnerability in Gajim, an XMPP/jabber

client. Gajim didn't verify the origin of roster update, allowing an

attacker to spoof them and potentially allowing her to intercept

messages.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 0.15.1-4.1+deb7u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3496-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 28, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php-horde-core

CVE ID : CVE-2015-8807

Debian Bug : 813590

 

It was discovered that php-horde-core, a set of classes providing the

core functionality of the Horde Application Framework, is prone to a

cross-site scripting vulnerability.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.15.0+debian0-1+deb8u1.

 

For the testing distribution (stretch), this problem has been fixed

in version 2.22.4+debian0-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 2.22.4+debian0-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3497-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 28, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php-horde

CVE ID : CVE-2016-2228

Debian Bug : 813573

 

It was discovered that php-horde, a flexible, modular, general-purpose

web application framework written in PHP, is prone to a cross-site

scripting vulnerability.

 

For the stable distribution (jessie), this problem has been fixed in

version 5.2.1+debian0-2+deb8u3.

 

For the testing distribution (stretch), this problem has been fixed

in version 5.2.9+debian0-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 5.2.9+debian0-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3498-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 28, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : drupal7

CVE ID : not yet available

 

Multiple security vulnerabilities have been found in the Drupal content

management framework. For additional information, please refer to the

upstream advisory at https://www.drupal.org/SA-CORE-2016-001

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 7.14-2+deb7u12.

 

For the stable distribution (jessie), this problem has been fixed in

version 7.32-1+deb8u6.

 

For the unstable distribution (sid), this problem has been fixed in

version 7.43-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3499-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 28, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : pillow

CVE ID : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533

 

Multiple security vulnerabilities have been found in Pillow, a Python

imaging library, which may result in denial of service or the execution

of arbitrary code if a malformed FLI, PCD or Tiff file is processed.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.1.7-4+deb7u2 of the python-imaging source package.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.6.1-2+deb8u2.

 

For the testing distribution (stretch), this problem has been fixed

in version 3.1.1-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 3.1.1-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3495-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

February 29, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xymon

CVE ID : CVE-2016-2054 CVE-2016-2055 CVE-2016-2056 CVE-2016-2057

CVE-2016-2058

 

Markus Krell discovered that xymon, a network- and

applications-monitoring system, was vulnerable to the following

security issues:

 

CVE-2016-2054

 

The incorrect handling of user-supplied input in the "config"

command can trigger a stack-based buffer overflow, resulting in

denial of service (via application crash) or remote code execution.

 

CVE-2016-2055

 

The incorrect handling of user-supplied input in the "config"

command can lead to an information leak by serving sensitive

configuration files to a remote user.

 

CVE-2016-2056

 

The commands handling password management do not properly validate

user-supplied input, and are thus vulnerable to shell command

injection by a remote user.

 

CVE-2016-2057

 

Incorrect permissions on an internal queuing system allow a user

with a local account on the xymon master server to bypass all

network-based access control lists, and thus inject messages

directly into xymon.

 

CVE-2016-2058

 

Incorrect escaping of user-supplied input in status webpages can

be used to trigger reflected cross-site scripting attacks.

 

For the stable distribution (jessie), these problems have been fixed in

version 4.3.17-6+deb8u1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3500-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

March 01, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openssl

CVE ID : CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798

CVE-2016-0799

 

Several vulnerabilities were discovered in OpenSSL, a Secure Socket Layer

toolkit.

 

CVE-2016-0702

 

Yuval Yarom from the University of Adelaide and NICTA, Daniel Genkin

from Technion and Tel Aviv University, and Nadia Heninger from the

University of Pennsylvania discovered a side-channel attack which

makes use of cache-bank conflicts on the Intel Sandy-Bridge

microarchitecture. This could allow local attackers to recover RSA

private keys.

 

CVE-2016-0705

 

Adam Langley from Google discovered a double free bug when parsing

malformed DSA private keys. This could allow remote attackers to

cause a denial of service or memory corruption in applications

parsing DSA private keys received from untrusted sources.

 

CVE-2016-0797

 

Guido Vranken discovered an integer overflow in the BN_hex2bn and

BN_dec2bn functions that can lead to a NULL pointer dereference and

heap corruption. This could allow remote attackers to cause a denial

of service or memory corruption in applications processing hex or

dec data received from untrusted sources.

 

CVE-2016-0798

 

Emilia Käsper of the OpenSSL development team discovered a memory

leak in the SRP database lookup code. To mitigate the memory leak,

the seed handling in SRP_VBASE_get_by_user is now disabled even if

the user has configured a seed. Applications are advised to migrate

to the SRP_VBASE_get1_by_user function.

 

CVE-2016-0799

 

Guido Vranken discovered an integer overflow in the BIO_*printf

functions that could lead to an OOB read when printing very long

strings. Additionally the internal doapr_outch function can attempt

to write to an arbitrary memory location in the event of a memory

allocation failure. These issues will only occur on platforms where

sizeof(size_t) > sizeof(int) like many 64 bit systems. This could

allow remote attackers to cause a denial of service or memory

corruption in applications that pass large amounts of untrusted data

to the BIO_*printf functions.

 

Additionally the EXPORT and LOW ciphers were disabled since they could

be used as part of the DROWN (CVE-2016-0800) and SLOTH (CVE-2015-7575)

attacks, but note that the oldstable (wheezy) and stable (jessie)

distributions are not affected by those attacks since the SSLv2 protocol

has already been dropped in the openssl package version 1.0.0c-2.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.0.1e-2+deb7u20.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.0.1k-3+deb8u4.

 

For the unstable distribution (sid), these problems will be fixed shortly.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3501-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 01, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : perl

CVE ID : CVE-2016-2381

 

Stephane Chazelas discovered a bug in the environment handling in Perl.

Perl provides a Perl-space hash variable, %ENV, in which environment

variables can be looked up. If a variable appears twice in envp, only

the last value would appear in %ENV, but getenv would return the first.

Perl's taint security mechanism would be applied to the value in %ENV,

but not to the rest of the environment. This could result in an

ambiguous environment causing environment variables to be propagated to

subprocesses, despite the protections supposedly offered by taint

checking.

 

With this update Perl changes the behavior to match the following:

 

a) %ENV is populated with the first environment variable, as getenv

would return.

b) Duplicate environment entries are removed.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 5.14.2-21+deb7u3.

 

For the stable distribution (jessie), this problem has been fixed in

version 5.20.2-3+deb8u4.

 

For the unstable distribution (sid), this problem will be fixed in

version 5.22.1-8.
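
The duplicate-entry ambiguity described in DSA-3501-1 above, as an added example that is not part of the advisory or of Perl's own code: it parses a NUL-separated environment block (the layout of /proc/<pid>/environ on Linux), reports names whose first and last entries disagree, and applies the "keep the first, drop duplicates" behaviour the update describes. All function names and the sample block are constructed for this illustration.

```python
"""Audit an envp-style block for duplicate names (the ambiguity behind CVE-2016-2381).

Added illustration: function names and sample data are assumptions of this example.
"""

from collections import OrderedDict


def parse_env_block(block: bytes):
    """Split a NUL-separated environment block into ordered (name, value) pairs.

    Entries without '=' or with an empty name are skipped. Undecodable bytes
    are preserved with surrogateescape so the block can be rebuilt losslessly.
    """
    pairs = []
    for entry in block.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if not sep or not name:
            continue
        pairs.append((name.decode("utf-8", "surrogateescape"),
                      value.decode("utf-8", "surrogateescape")))
    return pairs


def first_wins(pairs):
    """The view getenv() gives: the first entry for a name is the one returned."""
    view = OrderedDict()
    for name, value in pairs:
        view.setdefault(name, value)
    return view


def last_wins(pairs):
    """The view the advisory describes for the unpatched %ENV: the last entry wins."""
    view = OrderedDict()
    for name, value in pairs:
        view[name] = value
    return view


def find_duplicates(pairs):
    """Return {name: [values in order]} for every name that occurs more than once."""
    seen = OrderedDict()
    for name, value in pairs:
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def divergent_names(pairs):
    """Names for which the two views disagree, i.e. where a check applied to one
    view says nothing about the value a getenv()-based consumer will read."""
    first, last = first_wins(pairs), last_wins(pairs)
    return [name for name in first if first[name] != last[name]]


def sanitize(pairs):
    """Behaviour described for the update: keep the first entry, remove duplicates."""
    return list(first_wins(pairs).items())


def build_block(pairs):
    """Serialize (name, value) pairs back into a NUL-separated block."""
    return b"".join(
        f"{name}={value}".encode("utf-8", "surrogateescape") + b"\0"
        for name, value in pairs
    )


# Constructed sample: PATH appears twice with different values.
SAMPLE_BLOCK = b"PATH=/tmp/untrusted\0HOME=/home/user\0PATH=/usr/bin:/bin\0"

if __name__ == "__main__":
    sample = parse_env_block(SAMPLE_BLOCK)
    for name in divergent_names(sample):
        print(f"{name}: first={first_wins(sample)[name]!r} "
              f"last={last_wins(sample)[name]!r}")
    print(build_block(sanitize(sample)))
```

The same functions can be pointed at the bytes read from /proc/<pid>/environ to audit the environment a process was started with.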


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3502-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

March 03, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : roundup

CVE ID : CVE-2014-6276

 

Ralf Schlatterbeck discovered an information leak in roundup, a

web-based issue tracking system. An authenticated attacker could use it

to see sensitive details about other users, including their hashed

password.

 

After applying the update, which will fix the shipped templates, the

site administrator should ensure the instanced versions (in

/var/lib/roundup usually) are also updated, either by patching them

manually or by recreating them.

 

More info can be found in the upstream documentation at

http://www.roundup-tracker.org/docs/upgrading.html#user-data-visibility

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.4.20-1.1+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.4.20-1.1+deb8u1.

 

For the testing (stretch) and unstable (sid) distributions, this problem has not

yet been fixed.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3426-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 03, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ctdb

Debian Bug : 813406

 

The update for linux issued as DSA-3426-1 and DSA-3434-1 to address

CVE-2015-8543 uncovered a bug in ctdb, a clustered database to store

temporary data, leading to broken clusters. Updated packages are now

available to address this problem.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.12+git20120201-5.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.5.4+debian0-4+deb8u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3503-1 security@debian.org

https://www.debian.org/security/ Ben Hutchings

March 03, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : linux

CVE ID : CVE-2013-4312 CVE-2015-7566 CVE-2015-8767 CVE-2015-8785

CVE-2015-8812 CVE-2015-8816 CVE-2015-8830 CVE-2016-0723

CVE-2016-0774 CVE-2016-2069 CVE-2016-2384 CVE-2016-2543

CVE-2016-2544 CVE-2016-2545 CVE-2016-2546 CVE-2016-2547

CVE-2016-2548 CVE-2016-2549 CVE-2016-2550

 

Several vulnerabilities have been discovered in the Linux kernel that

may lead to a privilege escalation, denial of service, information

leak or data loss.

 

CVE-2013-4312

 

Tetsuo Handa discovered that users can use pipes queued on local

(Unix) sockets to allocate an unfair share of kernel memory, leading

to denial-of-service (resource exhaustion).

 

This issue was previously mitigated for the stable suite by limiting

the total number of files queued by each user on local sockets. The

new kernel version in both suites includes that mitigation plus

limits on the total size of pipe buffers allocated for each user.

 

CVE-2015-7566

 

Ralf Spenneberg of OpenSource Security reported that the visor

driver crashes when a specially crafted USB device without bulk-out

endpoint is detected.

 

CVE-2015-8767

 

An SCTP denial-of-service was discovered which can be triggered by a

local attacker during a heartbeat timeout event after the 4-way

handshake.

 

CVE-2015-8785

 

It was discovered that local users permitted to write to a file on a

FUSE filesystem could cause a denial of service (unkillable loop in

the kernel).

 

CVE-2015-8812

 

A flaw was found in the iw_cxgb3 Infiniband driver. Whenever it

could not send a packet because the network was congested, it would

free the packet buffer but later attempt to send the packet again.

This use-after-free could result in a denial of service (crash or

hang), data loss or privilege escalation.

 

CVE-2015-8816

 

A use-after-free vulnerability was discovered in the USB hub driver.

This may be used by a physically present user for privilege

escalation.

 

CVE-2015-8830

 

Ben Hawkes of Google Project Zero reported that the AIO interface

permitted reading or writing 2 GiB of data or more in a single

chunk, which could lead to an integer overflow when applied to

certain filesystems, socket or device types. The full security

impact has not been evaluated.

 

CVE-2016-0723

 

A use-after-free vulnerability was discovered in the TIOCGETD ioctl.

A local attacker could use this flaw for denial-of-service.

 

CVE-2016-0774

 

It was found that the fix for CVE-2015-1805 in kernel versions older

than Linux 3.16 did not correctly handle the case of a partially

failed atomic read. A local, unprivileged user could use this flaw

to crash the system or leak kernel memory to user space.

 

CVE-2016-2069

 

Andy Lutomirski discovered a race condition in flushing of the TLB

when switching tasks on an x86 system. On an SMP system this could

possibly lead to a crash, information leak or privilege escalation.

 

CVE-2016-2384

 

Andrey Konovalov found that a crafted USB MIDI device with an

invalid USB descriptor could trigger a double-free. This may be used

by a physically present user for privilege escalation.

 

CVE-2016-2543

 

Dmitry Vyukov found that the core sound sequencer driver (snd-seq)

lacked a necessary check for a null pointer, allowing a user

with access to a sound sequencer device to cause a denial-of-

service (crash).

 

CVE-2016-2544, CVE-2016-2546, CVE-2016-2547, CVE-2016-2548

 

Dmitry Vyukov found various race conditions in the sound subsystem

(ALSA)'s management of timers. A user with access to sound devices

could use these to cause a denial-of-service (crash or hang) or

possibly for privilege escalation.

 

CVE-2016-2545

 

Dmitry Vyukov found a flaw in list manipulation in the sound

subsystem (ALSA)'s management of timers. A user with access to sound

devices could use this to cause a denial-of-service (crash or hang)

or possibly for privilege escalation.

 

CVE-2016-2549

 

Dmitry Vyukov found a potential deadlock in the sound subsystem

(ALSA)'s use of high resolution timers. A user with access to sound

devices could use this to cause a denial-of-service (hang).

 

CVE-2016-2550

 

The original mitigation of CVE-2013-4312, limiting the total number

of files a user could queue on local sockets, was flawed. A user

given a local socket opened by another user, for example through the

systemd socket activation mechanism, could make use of the other

user's quota, again leading to a denial-of-service (resource

exhaustion). This is fixed by accounting queued files to the sender

rather than the socket opener.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 3.2.73-2+deb7u3. The oldstable distribution (wheezy) is not

affected by CVE-2015-8830.

 

For the stable distribution (jessie), these problems have been fixed in

version 3.16.7-ckt20-1+deb8u4. CVE-2015-7566, CVE-2015-8767 and

CVE-2016-0723 were already fixed in DSA-3448-1. CVE-2016-0774 does not

affect the stable distribution.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3504-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

March 04, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : bsh

CVE ID : CVE-2016-2510

 

Alvaro Muñoz and Christian Schneider discovered that BeanShell, an

embeddable Java source interpreter, could be leveraged to execute

arbitrary commands: applications including BeanShell in their

classpath are vulnerable to this flaw if they deserialize data from an

untrusted source.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 2.0b4-12+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.0b4-15+deb8u1.

 

For the testing distribution (stretch) and unstable distribution

(sid), this problem has been fixed in version 2.0b4-16.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3505-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 04, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wireshark

CVE ID : CVE-2015-7830 CVE-2015-8711 CVE-2015-8712 CVE-2015-8713

CVE-2015-8714 CVE-2015-8715 CVE-2015-8716 CVE-2015-8717

CVE-2015-8718 CVE-2015-8719 CVE-2015-8720 CVE-2015-8721

CVE-2015-8722 CVE-2015-8723 CVE-2015-8724 CVE-2015-8725

CVE-2015-8726 CVE-2015-8727 CVE-2015-8728 CVE-2015-8729

CVE-2015-8730 CVE-2015-8732 CVE-2015-8733

 

Multiple vulnerabilities were discovered in the dissectors/parsers for

Pcapng, NBAP, UMTS FP, DCOM, AllJoyn, T.38, SDP, NLM, DNS, BED, SCTP,

802.11, DIAMETER, VeriWave, RVSP, ANSi A, GSM A, Ascend, NBAP, ZigBee ZCL

and Sniffer which could result in denial of service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.8.2-5wheezy17.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.12.1+g01b65bf-4+deb8u4.

 

For the testing distribution (stretch), these problems have been fixed

in version 2.0.2+ga16e22e-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 2.0.2+ga16e22e-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3506-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 04, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libav

CVE ID : CVE-2016-1897 CVE-2016-1898 CVE-2016-2326

 

Several security issues have been corrected in multiple demuxers and

decoders of the libav multimedia library.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 6:0.8.17-2.

 

For the stable distribution (jessie), libav has been updated to

11.6-1~deb8u1 which brings several further bugfixes as detailed in

the upstream changelog:

https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.6


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3507-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

March 05, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium-browser

CVE ID : CVE-2015-8126 CVE-2016-1630 CVE-2016-1631 CVE-2016-1632

CVE-2016-1633 CVE-2016-1634 CVE-2016-1635 CVE-2016-1636

CVE-2016-1637 CVE-2016-1638 CVE-2016-1639 CVE-2016-1640

CVE-2016-1641 CVE-2016-1642

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2015-8126

 

Joerg Bornemann discovered multiple buffer overflow issues in the

libpng library.

 

CVE-2016-1630

 

Mariusz Mlynski discovered a way to bypass the Same Origin Policy

in Blink/Webkit.

 

CVE-2016-1631

 

Mariusz Mlynski discovered a way to bypass the Same Origin Policy

in the Pepper Plugin API.

 

CVE-2016-1632

 

A bad cast was discovered.

 

CVE-2016-1633

 

cloudfuzzer discovered a use-after-free issue in Blink/Webkit.

 

CVE-2016-1634

 

cloudfuzzer discovered a use-after-free issue in Blink/Webkit.

 

CVE-2016-1635

 

Rob Wu discovered a use-after-free issue in Blink/Webkit.

 

CVE-2016-1636

 

A way to bypass SubResource Integrity validation was discovered.

 

CVE-2016-1637

 

Keve Nagy discovered an information leak in the skia library.

 

CVE-2016-1638

 

Rob Wu discovered a WebAPI bypass issue.

 

CVE-2016-1639

 

Khalil Zhani discovered a use-after-free issue in the WebRTC

implementation.

 

CVE-2016-1640

 

Luan Herrera discovered an issue with the Extensions user interface.

 

CVE-2016-1641

 

Atte Kettunen discovered a use-after-free issue in the handling of

favorite icons.

 

CVE-2016-1642

 

The chrome 49 development team found and fixed various issues

during internal auditing. Also multiple issues were fixed in

the v8 javascript library, version 4.9.385.26.

 

For the stable distribution (jessie), these problems have been fixed in

version 49.0.2623.75-1~deb8u1.

 

For the testing distribution (stretch), these problems will be fixed soon.

 

For the unstable distribution (sid), these problems have been fixed in

version 49.0.2623.75-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3508-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 06, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : jasper

CVE ID : CVE-2016-1577 CVE-2016-2089 CVE-2016-2116

Debian Bug : 812978 816625 816626

 

Several vulnerabilities were discovered in JasPer, a library for

manipulating JPEG-2000 files. The Common Vulnerabilities and Exposures

project identifies the following problems:

 

CVE-2016-1577

 

Jacob Baines discovered a double-free flaw in the

jas_iccattrval_destroy function. A remote attacker could exploit

this flaw to cause an application using the JasPer library to crash,

or potentially, to execute arbitrary code with the privileges of the

user running the application.

 

CVE-2016-2089

 

The Qihoo 360 Codesafe Team discovered a NULL pointer dereference

flaw within the jas_matrix_clip function. A remote attacker could

exploit this flaw to cause an application using the JasPer library

to crash, resulting in a denial-of-service.

 

CVE-2016-2116

 

Tyler Hicks discovered a memory leak flaw in the

jas_iccprof_createfrombuf function. A remote attacker could exploit

this flaw to cause the JasPer library to consume memory, resulting

in a denial-of-service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.900.1-13+deb7u4.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.900.1-debian1-2.4+deb8u1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3509-1 security@debian.org

https://www.debian.org/security/ Luciano Bello

March 09, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : rails

CVE ID : CVE-2016-2097 CVE-2016-2098

 

Two vulnerabilities have been discovered in Rails, a web application

framework written in Ruby. Both vulnerabilities affect Action Pack, which

handles the web requests for Rails.

 

CVE-2016-2097

 

Crafted requests to Action View, one of the components of Action Pack,

might result in rendering files from arbitrary locations, including

files beyond the application's view directory. This vulnerability is

the result of an incomplete fix of CVE-2016-0752.

This bug was found by Jyoti Singh and Tobias Kraze from Makandra.

 

CVE-2016-2098

 

If a web application does not properly sanitize user inputs, an

attacker might control the arguments of the render method in a

controller or a view, resulting in the possibility of executing

arbitrary ruby code.

This bug was found by Tobias Kraze from Makandra and joernchen of

Phenoelit.

 

For the stable distribution (jessie), these problems have been fixed in

version 2:4.1.8-1+deb8u2.

 

For the testing distribution (stretch), these problems have been fixed

in version 2:4.2.5.2-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 2:4.2.5.2-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3510-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 09, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : iceweasel

CVE ID : CVE-2016-1950 CVE-2016-1952 CVE-2016-1954 CVE-2016-1957

CVE-2016-1958 CVE-2016-1960 CVE-2016-1961 CVE-2016-1962

CVE-2016-1964 CVE-2016-1965 CVE-2016-1966 CVE-2016-1974

CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792

CVE-2016-2793 CVE-2016-2794 CVE-2016-2795 CVE-2016-2796

CVE-2016-2797 CVE-2016-2798 CVE-2016-2799 CVE-2016-2800

CVE-2016-2801 CVE-2016-2802

 

Multiple security issues have been found in Iceweasel, Debian's version

of the Mozilla Firefox web browser: Multiple memory safety errors,

buffer overflows, use-after-frees and other implementation errors may

lead to the execution of arbitrary code, denial of service, address bar

spoofing and overwriting local files.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 38.7.0esr-1~deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 38.7.0esr-1~deb8u1.

 

For the unstable distribution (sid), Debian is in the process of moving

back towards using the Firefox name. These problems will soon be fixed

in the firefox-esr source package.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3511-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

March 09, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : bind9

CVE ID : CVE-2016-1285 CVE-2016-1286

 

Two vulnerabilities have been discovered in ISC's BIND DNS server.

 

CVE-2016-1285

 

A maliciously crafted rndc, a way to remotely administer a BIND server,

operation can cause named to crash, resulting in denial of service.

 

CVE-2016-1286

 

An error parsing DNAME resource records can cause named to crash,

resulting in denial of service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 9.8.4.dfsg.P1-6+nmu2+deb7u10.

 

For the stable distribution (jessie), these problems have been fixed in

version 9.9.5.dfsg-9+deb8u6.

 

For the testing (stretch) and unstable (sid) distributions, these

problems will be fixed soon.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3512-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 09, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libotr

CVE ID : CVE-2016-2851

 

Markus Vervier of X41 D-Sec GmbH discovered an integer overflow

vulnerability in libotr, an off-the-record (OTR) messaging library, in

the way the sizes of portions of incoming messages were stored. A

remote attacker can exploit this flaw by sending crafted messages to an

application that is using libotr to perform denial of service attacks

(application crash), or potentially, execute arbitrary code with the

privileges of the user running the application.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 3.2.1-1+deb7u2.

 

For the stable distribution (jessie), this problem has been fixed in

version 4.1.0-2+deb8u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3513-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

March 10, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium-browser

CVE ID : CVE-2016-1643 CVE-2016-1644 CVE-2016-1645

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2016-1643

 

cloudfuzzer discovered a type confusion issue in Blink/Webkit.

 

CVE-2016-1644

 

Atte Kettunen discovered a use-after-free issue in Blink/Webkit.

 

CVE-2016-1645

 

An out-of-bounds write issue was discovered in the pdfium library.

 

For the stable distribution (jessie), these problems have been fixed in

version 49.0.2623.87-1~deb8u1.

 

For the testing distribution (stretch), these problems will be fixed soon.

 

For the unstable distribution (sid), these problems have been fixed in

version 49.0.2623.87-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3514-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 12, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : samba

CVE ID : CVE-2015-7560 CVE-2016-0771

Debian Bug : 812429

 

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,

print, and login server for Unix. The Common Vulnerabilities and

Exposures project identifies the following issues:

 

CVE-2015-7560

 

Jeremy Allison of Google, Inc. and the Samba Team discovered that

Samba incorrectly handles getting and setting ACLs on a symlink

path. An authenticated malicious client can use SMB1 UNIX extensions

to create a symlink to a file or directory, and then use non-UNIX

SMB1 calls to overwrite the contents of the ACL on the file or

directory linked to.

 

CVE-2016-0771

 

Garming Sam and Douglas Bagnall of Catalyst IT discovered that Samba

is vulnerable to an out-of-bounds read issue during DNS TXT record

handling, if Samba is deployed as an AD DC and chosen to run the

internal DNS server. A remote attacker can exploit this flaw to

cause a denial of service (Samba crash), or potentially, to allow

leakage of memory from the server in the form of a DNS TXT reply.

 

Additionally this update includes a fix for a regression introduced due

to the upstream fix for CVE-2015-5252 in DSA-3433-1 in setups where the

share path is '/'.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 2:3.6.6-6+deb7u7. The oldstable distribution (wheezy) is not

affected by CVE-2016-0771.

 

For the stable distribution (jessie), these problems have been fixed in

version 2:4.1.17+dfsg-2+deb8u2.

 

For the unstable distribution (sid), these problems have been fixed in

version 2:4.3.6+dfsg-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3515-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 13, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : graphite2

CVE ID : CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792

CVE-2016-2793 CVE-2016-2794 CVE-2016-2795 CVE-2016-2796

CVE-2016-2797 CVE-2016-2798 CVE-2016-2799 CVE-2016-2800

CVE-2016-2801 CVE-2016-2802

 

Multiple vulnerabilities have been found in the Graphite font rendering

engine which might result in denial of service or the execution of

arbitrary code if a malformed font file is processed.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.3.6-1~deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.3.6-1~deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 1.3.6-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.3.6-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3516-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 13, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wireshark

CVE ID : CVE-2015-8731 CVE-2016-2523 CVE-2016-2530 CVE-2016-2531

CVE-2016-2532

 

Multiple vulnerabilities were discovered in the dissectors/parsers for

DNP, RSL, LLRP, GSM A-bis OML, ASN 1 BER which could result in denial

of service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.8.2-5wheezy18.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.12.1+g01b65bf-4+deb8u5.

 

For the testing distribution (stretch), these problems have been fixed

in version 2.0.2+ga16e22e-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 2.0.2+ga16e22e-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3517-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 14, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : exim4

CVE ID : CVE-2016-1531

 

A local root privilege escalation vulnerability was found in Exim,

Debian's default mail transfer agent, in configurations using the

'perl_startup' option (Only Exim via exim4-daemon-heavy enables Perl

support).

 

To address the vulnerability, updated Exim versions clean the complete

execution environment by default, affecting Exim and subprocesses such

as transports calling other programs, and thus may break existing

installations. New configuration options (keep_environment,

add_environment) were introduced to adjust this behavior.

 

More information can be found in the upstream advisory at

https://www.exim.org/static/doc/CVE-2016-1531.txt

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 4.80-7+deb7u2.

 

For the stable distribution (jessie), this problem has been fixed in

version 4.84.2-1.

 

For the testing distribution (stretch), this problem has been fixed

in version 4.86.2-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 4.86.2-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3518-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

March 16, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : spip

CVE ID : CVE-2016-3153 CVE-2016-3154

 

Several vulnerabilities were found in SPIP, a website engine for

publishing, resulting in code injection.

 

CVE-2016-3153

 

g0uZ et sambecks, from team root-me, discovered that arbitrary PHP

code could be injected when adding content.

 

CVE-2016-3154

 

Gilles Vincent discovered that deserializing untrusted content

could result in arbitrary objects injection.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 2.1.17-1+deb7u5.

 

For the stable distribution (jessie), these problems have been fixed in

version 3.0.17-2+deb8u2.

 

For the testing (stretch) and unstable (sid) distributions, these

problems have been fixed in version 3.0.22-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3519-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 17, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xen

CVE ID : CVE-2015-8339 CVE-2015-8340 CVE-2015-8341 CVE-2015-8550

CVE-2015-8555 CVE-2016-1570 CVE-2016-1571 CVE-2016-2270

CVE-2016-2271

 

Multiple security issues have been found in the Xen virtualisation

solution, which may result in denial of service or information disclosure.

 

The oldstable distribution (wheezy) will be updated in a separate DSA.

 

For the stable distribution (jessie), these problems have been fixed in

version 4.4.1-9+deb8u4.

 

For the unstable distribution (sid), these problems will be fixed soon.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3520-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 18, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : icedove

CVE ID : CVE-2016-1950 CVE-2016-1954 CVE-2016-1957 CVE-2016-1960

CVE-2016-1961 CVE-2016-1962 CVE-2016-1964 CVE-2016-1966

CVE-2016-1974 CVE-2016-1977 CVE-2016-2790 CVE-2016-2791

CVE-2016-2792 CVE-2016-2793 CVE-2016-2794 CVE-2016-2795

CVE-2016-2796 CVE-2016-2797 CVE-2016-2798 CVE-2016-2799

CVE-2016-2800 CVE-2016-2801 CVE-2016-2802

 

Multiple security issues have been found in Icedove, Debian's version of

the Mozilla Thunderbird mail client: Multiple memory safety errors,

integer overflows, buffer overflows and other implementation errors may

lead to the execution of arbitrary code or denial of service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 38.7.0-1~deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 38.7.0-1~deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 38.7.0-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3521-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 19, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : git

CVE ID : CVE-2016-2315 CVE-2016-2324

Debian Bug : 818318

 

Lael Cellier discovered two buffer overflow vulnerabilities in git, a

fast, scalable, distributed revision control system, which could be

exploited for remote execution of arbitrary code.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1:1.7.10.4-1+wheezy3.

 

For the stable distribution (jessie), these problems have been fixed in

version 1:2.1.4-2.1+deb8u2.

 

For the unstable distribution (sid), these problems have been fixed in

version 1:2.8.0~rc3-1. CVE-2016-2315 was already fixed in version

1:2.7.0-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3522-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 20, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : squid3

CVE ID : CVE-2016-2571

 

Alex Rousskov from The Measurement Factory discovered that Squid3, a

fully featured web proxy cache, does not properly handle errors for

certain malformed HTTP responses. A remote HTTP server can exploit this

flaw to cause a denial of service (assertion failure and daemon exit).

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 3.1.20-2.2+deb7u4.

 

For the stable distribution (jessie), this problem has been fixed in

version 3.4.8-6+deb8u2.

 

For the testing distribution (stretch), this problem has been fixed

in version 3.5.15-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 3.5.15-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3523-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 20, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : iceweasel

CVE ID : not available

 

This update disables the Graphite font shaping library in Iceweasel,

Debian's version of the Mozilla Firefox web browser.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 38.7.1esr-1~deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 38.7.1esr-1~deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 45.0.1esr-1 of the firefox-esr source package.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3524-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 20, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : activemq

CVE ID : CVE-2015-5254

 

It was discovered that the ActiveMQ Java message broker performs unsafe

deserialisation. For additional information, please refer to the

upstream advisory at

http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 5.6.0+dfsg-1+deb7u2.

 

For the stable distribution (jessie), this problem has been fixed in

version 5.6.0+dfsg1-4+deb8u2.

 

For the testing distribution (stretch), this problem has been fixed

in version 5.13.2+dfsg-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 5.13.2+dfsg-1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-3525-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 22, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : pixman

CVE ID : CVE-2014-9766

 

Vincent LE GARREC discovered an integer overflow in pixman, a

pixel-manipulation library for X and cairo. A remote attacker can

exploit this flaw to cause an application using the pixman library to

crash, or potentially, to execute arbitrary code with the privileges of

the user running the application.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 0.26.0-4+deb7u2.

 

For the stable distribution (jessie), the testing distribution (stretch)

and the unstable distribution (sid), this problem was already fixed in

version 0.32.6-1.
