Bruno

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3572-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 09, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : websvn
CVE ID : CVE-2016-1236

Nitin Venkatesh discovered that websvn, a web viewer for Subversion
repositories, is susceptible to cross-site scripting attacks via
specially crafted file and directory names in repositories.

For the stable distribution (jessie), this problem has been fixed in
version 2.3.3-1.2+deb8u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3573-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 09, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : qemu
CVE ID : CVE-2016-3710 CVE-2016-3712
Debian Bug : 823830

Several vulnerabilities were discovered in qemu, a fast processor
emulator.

CVE-2016-3710

    Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds
    read and write flaw in the QEMU VGA module. A privileged guest user
    could use this flaw to execute arbitrary code on the host with the
    privileges of the hosting QEMU process.

CVE-2016-3712

    Zuozhi Fzz of Alibaba Inc discovered potential integer overflow
    or out-of-bounds read access issues in the QEMU VGA module. A
    privileged guest user could use this flaw to mount a denial of
    service (QEMU process crash).

For the stable distribution (jessie), these problems have been fixed in
version 1:2.1+dfsg-12+deb8u6.

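Each advisory in this thread ends with the version in which the issue is fixed; deciding whether an installed package carries the fix means comparing strings like 1:2.1+dfsg-12+deb8u6 under Debian's version ordering (epoch, then upstream version, then Debian revision, with '~' sorting before anything). The following Python is an added example rather than code from the advisories or from dpkg: it implements that ordering the way dpkg's comparison does and checks a constructed set of installed versions against fixed versions quoted on this page.

```python
"""Check installed Debian package versions against the fixed versions named in DSAs.

Mirrors dpkg's ordering: epoch, then upstream version, then Debian revision,
each compared as alternating non-digit and digit runs, with '~' sorting before
anything (so 38.8.0-1~deb8u1 is older than 38.8.0-1).
"""


def _order(c):
    """Sort weight of one character, as in dpkg's verrevcmp()."""
    if c == "~":
        return -1            # '~' sorts before even the end of the string
    if c.isdigit():
        return 0             # digits are handled by the numeric comparison
    if c.isalpha():
        return ord(c)        # letters sort by ASCII value
    return ord(c) + 256      # other punctuation sorts after all letters


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or Debian revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compare numerically, so 12 > 9 and leading zeros are ignored.
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or "0"), int(b[sj:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Negative, zero or positive as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_patched(installed, fixed):
    """True when the installed version is at least the version the DSA names as fixed."""
    return compare_versions(installed, fixed) >= 0


# Fixed jessie versions quoted in the advisories in this thread.
FIXED_IN_JESSIE = {
    "websvn": "2.3.3-1.2+deb8u2",
    "qemu": "1:2.1+dfsg-12+deb8u6",
    "icedove": "38.8.0-1~deb8u1",
    "expat": "2.1.0-6+deb8u2",
    "nginx": "1.6.2-5+deb8u2",
}

# Constructed sample of what a host's package database might report.
SAMPLE_INSTALLED = {
    "websvn": "2.3.3-1.2+deb8u2",    # exactly the fixed version
    "qemu": "1:2.1+dfsg-12+deb8u5",  # one security revision behind
    "icedove": "38.7.2-1~deb8u1",    # older upstream release
    "expat": "2.1.0-6+deb8u2",
    "nginx": "1.6.2-5+deb8u1",
}


def unpatched(installed, fixed=FIXED_IN_JESSIE):
    """Sorted names of packages whose installed version predates the fixed version."""
    return sorted(p for p, v in installed.items() if p in fixed and not is_patched(v, fixed[p]))


if __name__ == "__main__":
    for pkg in unpatched(SAMPLE_INSTALLED):
        print(f"{pkg}: installed {SAMPLE_INSTALLED[pkg]} < fixed {FIXED_IN_JESSIE[pkg]}")
```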

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3574-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 10, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libarchive
CVE ID : CVE-2016-1541
Debian Bug : 823893

Rock Stevens, Andrew Ruef and Marcin 'Icewall' Noga discovered a
heap-based buffer overflow vulnerability in the zip_read_mac_metadata
function in libarchive, a multi-format archive and compression library,
which may lead to the execution of arbitrary code if a user or automated
system is tricked into processing a specially crafted ZIP file.

For the stable distribution (jessie), this problem has been fixed in
version 3.1.2-11+deb8u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3565-2 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
May 11, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : monotone ovito pdns qtcreator softhsm
Debian Bug : 823823

This update fixes a regression introduced in botan1.10 by DSA-3565-1:
packages depending on libbotan1.10 needed to be rebuilt against the
latest version to function properly.

For the stable distribution (jessie), this problem has been fixed in
the following versions:

  monotone : 1.1-4+deb8u1
  ovito : 2.3.3-3+deb8u1
  pdns : 3.4.1-4+deb8u5
  qtcreator : 3.2.1+dfsg-7+deb8u1
  softhsm : 1.3.7-2+deb8u1


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3575-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 12, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libxstream-java
CVE ID : CVE-2016-3674

It was discovered that XStream, a Java library to serialize objects to
XML and back again, was susceptible to XML External Entity attacks.

For the stable distribution (jessie), this problem has been fixed in
version 1.4.7-2+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 1.4.9-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.9-1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3576-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 13, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : icedove
CVE ID : CVE-2016-1979 CVE-2016-2805 CVE-2016-2807

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail client: Multiple memory safety errors may
lead to the execution of arbitrary code or denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 38.8.0-1~deb8u1.

For the unstable distribution (sid), these problems will be fixed soon.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3577-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
May 14, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jansson
CVE ID : CVE-2016-4425
Debian Bug : 823238

Gustavo Grieco discovered that jansson, a C library for encoding,
decoding and manipulating JSON data, did not limit the recursion depth
when parsing JSON arrays and objects. This could allow remote attackers
to cause a denial of service (crash) via stack exhaustion, using crafted
JSON data.

For the stable distribution (jessie), this problem has been fixed in
version 2.7-1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.7-5.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3578-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
May 14, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libidn
CVE ID : CVE-2015-2059

It was discovered that libidn, the GNU library for Internationalized
Domain Names (IDNs), did not correctly handle invalid UTF-8 input,
causing an out-of-bounds read. This could allow attackers to disclose
sensitive information from an application using the libidn library.

For the stable distribution (jessie), this problem has been fixed in
version 1.29-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 1.31-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.31-1.

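The jansson advisory above (CVE-2016-4425) is a missing bound on parser recursion. As an added example that is not jansson's code, the following Python pre-screens a JSON document for nesting depth before it reaches a recursive parser, skipping string contents so that brackets inside strings are not counted; the depth limit and the sample documents are constructed.

```python
"""Bound JSON nesting depth before input reaches a recursive parser.

A recursive-descent parser with no depth limit (the jansson issue,
CVE-2016-4425) turns '[[[[...' into unbounded stack use. This linear
scan counts bracket nesting while skipping string contents, so that
'"[[["' inside a string does not inflate the count, and rejects the
document once MAX_DEPTH is exceeded, before any recursive code runs.
"""
import json

MAX_DEPTH = 64  # constructed limit; real data rarely nests more than a dozen levels


class NestingTooDeep(ValueError):
    """Raised when a document nests deeper than the configured limit."""


def json_nesting_depth(text, limit=MAX_DEPTH):
    """Return the maximum array/object nesting depth of `text`.

    Raises NestingTooDeep as soon as `limit` is exceeded, so a hostile
    document costs at most `limit` opening brackets of work. Bracket
    balance is not checked here; that remains the real parser's job.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False      # the character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting depth exceeds {limit}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def within_depth_limit(text, limit=MAX_DEPTH):
    """True if the document may be handed to the parser, False if it is rejected."""
    try:
        json_nesting_depth(text, limit)
        return True
    except NestingTooDeep:
        return False


def safe_loads(text, limit=MAX_DEPTH):
    """Parse JSON only after the depth pre-check passes."""
    json_nesting_depth(text, limit)
    return json.loads(text)


# Constructed inputs: an ordinary document, brackets hidden inside strings,
# an escaped quote, and the stack-exhaustion pattern from the advisory.
NORMAL = '{"user": "alice", "roles": ["admin", {"scope": "*"}]}'
BRACKETS_IN_STRING = '["[[[[[[", "{{{{"]'
ESCAPED_QUOTE = r'["a\"[", [1]]'
HOSTILE = "[" * 100_000 + "]" * 100_000

if __name__ == "__main__":
    print(json_nesting_depth(NORMAL), json_nesting_depth(BRACKETS_IN_STRING))
    print("hostile accepted:", within_depth_limit(HOSTILE))
```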

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3579-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 16, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xerces-c
CVE ID : CVE-2016-2099
Debian Bug : 823863

Gustavo Grieco discovered a use-after-free vulnerability in xerces-c, a
validating XML parser library for C++, due to not properly handling
invalid characters in XML input documents in the DTDScanner.

For the stable distribution (jessie), this problem has been fixed in
version 3.1.1-5.1+deb8u2.

For the testing distribution (stretch), this problem has been fixed
in version 3.1.3+debian-2.

For the unstable distribution (sid), this problem has been fixed in
version 3.1.3+debian-2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3580-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
May 16, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717
         CVE-2016-3718
Debian Bug : 823542

Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered
several vulnerabilities in ImageMagick, a program suite for image
manipulation. These vulnerabilities, collectively known as ImageTragick,
are the consequence of a lack of sanitization of untrusted input. An
attacker with control over the image input could, with the privileges of
the user running the application, execute code (CVE-2016-3714), make HTTP
GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move
(CVE-2016-3716), or read (CVE-2016-3717) local files.

These vulnerabilities are particularly critical if ImageMagick processes
images coming from remote parties, for example as part of a web service.

The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and
PLT) and indirect reads via the /etc/ImageMagick-6/policy.xml file. In
addition, we introduce extra preventions, including some sanitization of
input filenames in http/https delegates, the full removal of the
PLT/Gnuplot decoder, and the need for an explicit reference in the
filename for the insecure coders.

For the stable distribution (jessie), these problems have been fixed in
version 8:6.8.9.9-5+deb8u2.

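The DSA-3580 fix above relies on /etc/ImageMagick-6/policy.xml to deny the EPHEMERAL, URL, MVG, MSL and PLT coders and indirect reads. As an added example, not Debian's or ImageMagick's own code, this Python audits a policy.xml for those entries using the policy element syntax ImageMagick reads; both policy documents are constructed, the first matching the hardening the advisory describes and the second lacking it.

```python
"""Audit an ImageMagick policy.xml for the ImageTragick mitigations.

DSA-3580 closes the ImageTragick issues by denying the EPHEMERAL, URL,
MVG, MSL and PLT coders and indirect '@file' reads in policy.xml. This
script parses such a file and reports which of those entries are missing,
so a deployment shipping its own policy.xml can be checked before it
processes images from untrusted parties.
"""
import xml.etree.ElementTree as ET

# Coders the advisory's update disables.
IMAGETRAGICK_CODERS = ("EPHEMERAL", "URL", "MVG", "MSL", "PLT")
# The 'path' domain pattern that denies '@filename' indirect reads.
INDIRECT_READ_PATTERN = "@*"


def denied_patterns(policy_xml, domain):
    """Patterns whose rights are 'none' in the given policy domain (upper-cased)."""
    root = ET.fromstring(policy_xml)
    return {
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain") == domain and p.get("rights", "").strip().lower() == "none"
    }


def audit_policy(policy_xml):
    """Sorted findings for mitigations the policy lacks; empty means all are present."""
    findings = []
    coders = denied_patterns(policy_xml, "coder")
    for coder in IMAGETRAGICK_CODERS:
        if coder not in coders:
            findings.append(f"coder {coder} is not denied")
    if INDIRECT_READ_PATTERN not in denied_patterns(policy_xml, "path"):
        findings.append("indirect '@file' reads are not denied")
    return sorted(findings)


# Constructed policy matching the mitigations the advisory describes.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
"""

# Constructed policy with only a resource limit and MVG still readable.
UNHARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="read" pattern="MVG" />
</policymap>
"""

if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED_POLICY), ("unhardened", UNHARDENED_POLICY)):
        print(name, audit_policy(policy) or ["ok"])
```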

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3581-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 17, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libndp
CVE ID : CVE-2016-3698
Debian Bug : 824545

Julien Bernard discovered that libndp, a library for the IPv6 Neighbor
Discovery Protocol, does not properly perform input and origin checks
during the reception of an NDP message. An attacker in a non-local
network could use this flaw to advertise a node as a router, and cause a
denial of service attack, or act as a man-in-the-middle.

For the stable distribution (jessie), this problem has been fixed in
version 1.4-2+deb8u1.

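The libndp advisory above is a missing origin check: Neighbor Discovery messages are only valid from on-link senders. As an added example that is not libndp's code, the following Python applies the RFC 4861 section 6.1.2 receive-side checks for Router Advertisements (hop limit 255, link-local source, code 0, minimum length, non-zero option lengths) to raw IPv6 packets; the packets are constructed and checksum verification is assumed to be done by the socket layer.

```python
"""Receive-side validation of IPv6 Router Advertisements (RFC 4861 6.1.2).

NDP runs only between on-link neighbours: a Router Advertisement must come
from a link-local source and arrive with hop limit 255, which no router
would forward. Skipping these origin checks (the libndp issue, CVE-2016-3698)
lets an off-link sender advertise itself as a router. Checksum verification
is left to the kernel's ICMPv6 socket handling and is not repeated here.
"""
import struct
import ipaddress

IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134
IPV6_HDR_LEN = 40
RA_MIN_LEN = 16


def validate_router_advert(packet):
    """Return (accepted, reason) for a raw IPv6 packet that should carry an RA."""
    if len(packet) < IPV6_HDR_LEN:
        return False, "truncated IPv6 header"
    payload_len, next_hdr, hop_limit = struct.unpack_from("!HBB", packet, 4)
    src = ipaddress.IPv6Address(packet[8:24])
    if next_hdr != IPPROTO_ICMPV6:
        return False, "not ICMPv6"
    icmp = packet[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]
    if len(icmp) != payload_len:
        return False, "payload shorter than declared length"
    if len(icmp) < RA_MIN_LEN:
        return False, "ICMPv6 message shorter than 16 octets"
    if icmp[0] != ND_ROUTER_ADVERT:
        return False, "not a Router Advertisement"
    # Origin checks: these separate an on-link router from a remote forger.
    if hop_limit != 255:
        return False, f"hop limit {hop_limit} != 255, packet was forwarded"
    if not src.is_link_local:
        return False, f"source {src} is not link-local"
    if icmp[1] != 0:
        return False, "ICMP code must be 0"
    # Input checks on the option TLVs: length is in units of 8 octets and must be non-zero.
    off = RA_MIN_LEN
    while off < len(icmp):
        if off + 2 > len(icmp):
            return False, "truncated option header"
        opt_len = icmp[off + 1] * 8
        if opt_len == 0:
            return False, "option with zero length"
        if off + opt_len > len(icmp):
            return False, "option overruns message"
        off += opt_len
    return True, "ok"


def build_ra(src, hop_limit=255, options=b""):
    """Construct a raw IPv6 + ICMPv6 RA packet (test input, checksum left zero)."""
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0) + options
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit)
    ip += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return ip + icmp


# Constructed packets: a legitimate on-link RA carrying a source link-layer
# address option, then the off-link and malformed cases the checks must reject.
SLLA_OPTION = bytes([1, 1]) + bytes.fromhex("02005e1001aa")
GOOD_RA = build_ra("fe80::1", options=SLLA_OPTION)
OFF_LINK_RA = build_ra("2001:db8::1", options=SLLA_OPTION)
FORWARDED_RA = build_ra("fe80::1", hop_limit=64)
ZERO_LEN_OPTION_RA = build_ra("fe80::1", options=bytes([1, 0]) + b"\x00" * 6)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_RA), ("off-link", OFF_LINK_RA),
                      ("forwarded", FORWARDED_RA), ("zero-length option", ZERO_LEN_OPTION_RA)]:
        print(name, validate_router_advert(pkt))
```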

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3582-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 18, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : expat
CVE ID : CVE-2016-0718

Gustavo Grieco discovered that Expat, an XML parsing C library, does not
properly handle certain kinds of malformed input documents, resulting in
buffer overflows during processing and error reporting. A remote
attacker can take advantage of this flaw to cause an application using
the Expat library to crash, or potentially, to execute arbitrary code
with the privileges of the user running the application.

For the stable distribution (jessie), this problem has been fixed in
version 2.1.0-6+deb8u2. Additionally, this update refreshes the fix for
CVE-2015-1283 to avoid relying on undefined behavior.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3583-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 18, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : swift-plugin-s3
CVE ID : CVE-2015-8466
Debian Bug : 822688

It was discovered that the swift3 (S3 compatibility) middleware plugin
for Swift performed insufficient validation of date headers which might
result in replay attacks.

For the stable distribution (jessie), this problem has been fixed in
version 1.7-5+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 1.9-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.9-1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3584-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 19, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : librsvg
CVE ID : CVE-2015-7558 CVE-2016-4347 CVE-2016-4348

Gustavo Grieco discovered several flaws in the way librsvg, a SAX-based
renderer library for SVG files, parses SVG files with circular
definitions. A remote attacker can take advantage of these flaws to
cause an application using the librsvg library to crash.

For the stable distribution (jessie), these problems have been fixed in
version 2.40.5-1+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 2.40.12-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.40.12-1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3585-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 22, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wireshark
CVE ID : CVE-2016-4006 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081
         CVE-2016-4082 CVE-2016-4085

Multiple vulnerabilities were discovered in the dissectors/parsers for
PKTC, IAX2, GSM CBCH and NCP which could result in denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.1+g01b65bf-4+deb8u6.

For the testing distribution (stretch), these problems have been fixed
in version 2.0.3+geed34f0-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.0.3+geed34f0-1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3586-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 23, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : atheme-services
CVE ID : CVE-2016-4478

It was discovered that a buffer overflow in the XMLRPC response encoding
code of the Atheme IRC services may result in denial of service.

For the stable distribution (jessie), this problem has been fixed in
version 6.0.11-2+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 7.0.7-2.

For the unstable distribution (sid), this problem has been fixed in
version 7.0.7-2.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3587-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 27, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libgd2
CVE ID : CVE-2013-7456 CVE-2015-8874 CVE-2015-8877
Debian Bug : 824627

Several vulnerabilities were discovered in libgd2, a library for
programmatic graphics creation and manipulation. A remote attacker can
take advantage of these flaws to cause a denial-of-service against an
application using the libgd2 library.

For the stable distribution (jessie), these problems have been fixed in
version 2.1.0-5+deb8u3.

For the unstable distribution (sid), these problems have been fixed in
version 2.2.1-1 or earlier.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3588-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
May 29, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : symfony
CVE ID : CVE-2016-1902 CVE-2016-4423

Two vulnerabilities were discovered in Symfony, a PHP framework.

CVE-2016-1902

    Lander Brandt discovered that the class SecureRandom might generate
    weak random numbers for cryptographic use under certain settings. If
    the functions random_bytes() or openssl_random_pseudo_bytes() are not
    available, the output of SecureRandom should not be considered secure.

CVE-2016-4423

    Marek Alaksa from Citadelo discovered that it is possible to fill up
    the session storage space by submitting large nonexistent usernames.

For the stable distribution (jessie), these problems have been fixed in
version 2.3.21+dfsg-4+deb8u3.

For the testing distribution (stretch), these problems have been fixed
in version 2.8.6+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.8.6+dfsg-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3589-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 30, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gdk-pixbuf
CVE ID : CVE-2015-7552 CVE-2015-8875

Several vulnerabilities have been discovered in gdk-pixbuf, a toolkit
for image loading and pixel buffer manipulation. A remote attacker can
take advantage of these flaws to cause a denial-of-service against an
application using gdk-pixbuf (application crash), or potentially, to
execute arbitrary code with the privileges of the user running the
application, if a malformed image is opened.

For the stable distribution (jessie), these problems have been fixed in
version 2.31.1-2+deb8u5.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3590-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
June 01, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2016-1667 CVE-2016-1668 CVE-2016-1669 CVE-2016-1670
         CVE-2016-1672 CVE-2016-1673 CVE-2016-1674 CVE-2016-1675
         CVE-2016-1676 CVE-2016-1677 CVE-2016-1678 CVE-2016-1679
         CVE-2016-1680 CVE-2016-1681 CVE-2016-1682 CVE-2016-1683
         CVE-2016-1684 CVE-2016-1685 CVE-2016-1686 CVE-2016-1687
         CVE-2016-1688 CVE-2016-1689 CVE-2016-1690 CVE-2016-1691
         CVE-2016-1692 CVE-2016-1693 CVE-2016-1694 CVE-2016-1695

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2016-1667

    Mariusz Mlynski discovered a cross-origin bypass.

CVE-2016-1668

    Mariusz Mlynski discovered a cross-origin bypass in bindings to v8.

CVE-2016-1669

    Choongwoo Han discovered a buffer overflow in the v8 javascript
    library.

CVE-2016-1670

    A race condition was found that could cause the renderer process
    to reuse ids that should have been unique.

CVE-2016-1672

    Mariusz Mlynski discovered a cross-origin bypass in extension
    bindings.

CVE-2016-1673

    Mariusz Mlynski discovered a cross-origin bypass in Blink/Webkit.

CVE-2016-1674

    Mariusz Mlynski discovered another cross-origin bypass in extension
    bindings.

CVE-2016-1675

    Mariusz Mlynski discovered another cross-origin bypass in
    Blink/Webkit.

CVE-2016-1676

    Rob Wu discovered a cross-origin bypass in extension bindings.

CVE-2016-1677

    Guang Gong discovered a type confusion issue in the v8 javascript
    library.

CVE-2016-1678

    Christian Holler discovered an overflow issue in the v8 javascript
    library.

CVE-2016-1679

    Rob Wu discovered a use-after-free issue in the bindings to v8.

CVE-2016-1680

    Atte Kettunen discovered a use-after-free issue in the skia library.

CVE-2016-1681

    Aleksandar Nikolic discovered an overflow issue in the pdfium
    library.

CVE-2016-1682

    KingstonTime discovered a way to bypass the Content Security Policy.

CVE-2016-1683

    Nicolas Gregoire discovered an out-of-bounds write issue in the
    libxslt library.

CVE-2016-1684

    Nicolas Gregoire discovered an integer overflow issue in the
    libxslt library.

CVE-2016-1685

    Ke Liu discovered an out-of-bounds read issue in the pdfium library.

CVE-2016-1686

    Ke Liu discovered another out-of-bounds read issue in the pdfium
    library.

CVE-2016-1687

    Rob Wu discovered an information leak in the handling of extensions.

CVE-2016-1688

    Max Korenko discovered an out-of-bounds read issue in the v8
    javascript library.

CVE-2016-1689

    Rob Wu discovered a buffer overflow issue.

CVE-2016-1690

    Rob Wu discovered a use-after-free issue.

CVE-2016-1691

    Atte Kettunen discovered a buffer overflow issue in the skia library.

CVE-2016-1692

    Til Jasper Ullrich discovered a cross-origin bypass issue.

CVE-2016-1693

    Khalil Zhani discovered that the Software Removal Tool download was
    done over an HTTP connection.

CVE-2016-1694

    Ryan Lester and Bryant Zadegan discovered that pinned public keys
    would be removed when clearing the browser cache.

CVE-2016-1695

    The chrome development team found and fixed various issues during
    internal auditing.

For the stable distribution (jessie), these problems have been fixed in
version 51.0.2704.63-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 51.0.2704.63-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3591-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
June 01, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2016-5118
Debian Bug : 825799

Bob Friesenhahn from the GraphicsMagick project discovered a command
injection vulnerability in ImageMagick, a program suite for image
manipulation. An attacker with control over the input image or the input
filename can execute arbitrary commands with the privileges of the user
running the application.

This update removes the possibility of using a pipe (|) in filenames to
interact with ImageMagick.

It is important that you upgrade the libmagickcore-6.q16-2 package and not
just the imagemagick package. Applications using libmagickcore-6.q16-2
might also be affected and need to be restarted after the upgrade.

For the stable distribution (jessie), this problem has been fixed in
version 6.8.9.9-5+deb8u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3592-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 01, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : nginx
CVE ID : CVE-2016-4450

It was discovered that a NULL pointer dereference in the Nginx code
responsible for saving client request bodies to a temporary file might
result in denial of service: Malformed requests could crash worker
processes.

For the stable distribution (jessie), this problem has been fixed in
version 1.6.2-5+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 1.10.1-1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3593-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 02, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libxml2
CVE ID : CVE-2015-8806 CVE-2016-1762 CVE-2016-1833 CVE-2016-1834
         CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838
         CVE-2016-1839 CVE-2016-1840 CVE-2016-2073 CVE-2016-3627
         CVE-2016-3705 CVE-2016-4447 CVE-2016-4449 CVE-2016-4483
Debian Bug : 812807 813613 819006 823405 823414

Several vulnerabilities were discovered in libxml2, a library providing
support to read, modify and write XML and HTML files. A remote attacker
could provide a specially crafted XML or HTML file that, when processed
by an application using libxml2, would cause a denial-of-service against
the application, or potentially the execution of arbitrary code with the
privileges of the user running the application.

For the stable distribution (jessie), these problems have been fixed in
version 2.9.1+dfsg1-5+deb8u2.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3594-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
June 04, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2016-1696 CVE-2016-1697 CVE-2016-1698 CVE-2016-1699
         CVE-2016-1700 CVE-2016-1701 CVE-2016-1702

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2016-1696

    A cross-origin bypass was found in the bindings to extensions.

CVE-2016-1697

    Mariusz Mlynski discovered a cross-origin bypass in Blink/Webkit.

CVE-2016-1698

    Rob Wu discovered an information leak.

CVE-2016-1699

    Gregory Panakkal discovered an issue in the Developer Tools
    feature.

CVE-2016-1700

    Rob Wu discovered a use-after-free issue in extensions.

CVE-2016-1701

    Rob Wu discovered a use-after-free issue in the autofill feature.

CVE-2016-1702

    cloudfuzzer discovered an out-of-bounds read issue in the skia
    library.

For the stable distribution (jessie), these problems have been fixed in
version 51.0.2704.79-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 51.0.2704.79-1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3548-3 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 05, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : samba
Debian Bug : 821002 822937

The upgrade to Samba 4.2 issued as DSA-3548-1 introduced several
upstream regressions as well as a packaging regression causing errors
on upgrading the packages. Updated packages are now available to address
these problems.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.2.10+dfsg-0+deb8u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3595-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 05, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mariadb-10.0
CVE ID : CVE-2016-0640 CVE-2016-0641 CVE-2016-0643 CVE-2016-0644
         CVE-2016-0646 CVE-2016-0647 CVE-2016-0648 CVE-2016-0649
         CVE-2016-0650 CVE-2016-0655 CVE-2016-0666 CVE-2016-0668
Debian Bug : 823325

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.25. Please see the MariaDB 10.0 Release Notes for further
details:

  https://mariadb.com/kb/en/mariadb/mariadb-10024-release-notes/
  https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/

For the stable distribution (jessie), these problems have been fixed in
version 10.0.25-0+deb8u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3596-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 06, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : spice
CVE ID : CVE-2016-0749 CVE-2016-2150

Several vulnerabilities were discovered in spice, a SPICE protocol
client and server library. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2016-0749

    Jing Zhao of Red Hat discovered a memory allocation flaw, leading to
    a heap-based buffer overflow in spice's smartcard interaction. A
    user connecting to a guest VM via spice can take advantage of this
    flaw to cause a denial-of-service (QEMU process crash), or
    potentially to execute arbitrary code on the host with the
    privileges of the hosting QEMU process.

CVE-2016-2150

    Frediano Ziglio of Red Hat discovered that a malicious guest inside
    a virtual machine can take control of the corresponding QEMU process
    in the host using crafted primary surface parameters.

For the stable distribution (jessie), these problems have been fixed in
version 0.12.5-1+deb8u3.


------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 8: 8.5 released press@debian.org
June 4th, 2016 https://www.debian.org/News/2016/20160604
------------------------------------------------------------------------

The Debian project is pleased to announce the fifth update of its stable
distribution Debian 8 (codename "jessie"). This update mainly adds
corrections for security problems to the stable release, along with a
few adjustments for serious problems. Security advisories were already
published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian
8 but only updates some of the packages included. There is no need to
throw away old "jessie" CDs or DVDs but only to update via an up-to-date
Debian mirror after an installation, to cause any out of date packages
to be updated.

Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.

New installation media and CD and DVD images containing updated packages
will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:

  https://www.debian.org/mirror/list

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/jessie/ChangeLog

The current stable distribution:

  http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://www.debian.org/security/

------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 7: 7.11 released press@debian.org
June 4th, 2016 https://www.debian.org/News/2016/2016060402
------------------------------------------------------------------------

The Debian project is pleased to announce the eleventh (and final)
update of its oldstable distribution Debian 7 (codename "wheezy"). This
update mainly adds corrections for security problems to the oldstable
release, along with a few adjustments for serious problems. Security
advisories were already published separately and are referenced where
available.

The packages from DSA 3548 are not included in this point release for
technical reasons, nor are some architectures for DSA 3547, DSA 3219, DSA
3482 and DSA 3246. All other security updates released during the
lifetime of "wheezy" that have not previously been part of a point
release are included in this update.

Please note that this update does not constitute a new version of Debian
7 but only updates some of the packages included. There is no need to
throw away old "wheezy" CDs or DVDs but only to update via an up-to-date
Debian mirror after an installation, to cause any out of date packages
to be updated.

Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.

New installation media and CD and DVD images containing updated packages
will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:

  https://www.debian.org/mirror/list

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/wheezy/ChangeLog

The current oldstable distribution:

  http://ftp.debian.org/debian/dists/oldstable/

Proposed updates to the oldstable distribution:

  http://ftp.debian.org/debian/dists/oldstable-proposed-updates

oldstable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/oldstable/

Security announcements and information:

  https://www.debian.org/security/


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3597-1                   security@debian.org
https://www.debian.org/security/                           Luciano Bello
June 07, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : expat
CVE ID         : CVE-2012-6702 CVE-2016-5300

Two related issues have been discovered in Expat, a C library for parsing
XML.

CVE-2012-6702

    It was introduced when CVE-2012-0876 was addressed. Stefan Sørensen
    discovered that the use of the function XML_Parse() seeds the random
    number generator, generating repeated outputs for rand() calls.

CVE-2016-5300

    It is the product of an incomplete solution for CVE-2012-0876. The
    parser poorly seeds the random number generator, allowing an
    attacker to cause a denial of service (CPU consumption) via an XML
    file with crafted identifiers.

You might need to manually restart programs and services using expat
libraries.

For the stable distribution (jessie), these problems have been fixed in
version 2.1.0-6+deb8u3.

For the unstable distribution (sid), these problems have been fixed in
version 2.1.1-3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3598-1                   security@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
June 07, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2016-5108

Patrick Coleman discovered that missing input sanitising in the ADPCM
decoder of the VLC media player may result in the execution of arbitrary
code if a malformed media file is opened.

For the stable distribution (jessie), this problem has been fixed in
version 2.2.4-1~deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.4-1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3599-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 09, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : p7zip
CVE ID         : CVE-2016-2335
Debian Bug     : 824160

Marcin 'Icewall' Noga of Cisco Talos discovered an out-of-bound read
vulnerability in the CInArchive::ReadFileItem method in p7zip, a 7zr
file archiver with high compression ratio. A remote attacker can take
advantage of this flaw to cause a denial of service or, potentially, the
execution of arbitrary code with the privileges of the user running
p7zip, if a specially crafted UDF file is processed.

For the stable distribution (jessie), this problem has been fixed in
version 9.20.1~dfsg.1-4.1+deb8u2.

For the testing distribution (stretch), this problem has been fixed
in version 15.14.1+dfsg-2.

For the unstable distribution (sid), this problem has been fixed in
version 15.14.1+dfsg-2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3600-1                   security@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
June 09, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2016-2818 CVE-2016-2819 CVE-2016-2821 CVE-2016-2822
                 CVE-2016-2828 CVE-2016-2831

Multiple security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, buffer overflows and other
implementation errors may lead to the execution of arbitrary code or
spoofing.

Wait, Firefox? No more references to Iceweasel? That's right, Debian no
longer applies a custom branding. Please see these links for further
information:

    https://glandium.org/blog/?p=3622
    https://en.wikipedia.org/wiki/Mozilla_software_rebranded_by_Debian

Debian follows the extended support releases (ESR) of Firefox. Support
for the 38.x series has ended, so starting with this update we're now
following the 45.x releases and this update to the next ESR is also the
point where we reapply the original branding.

Transition packages for the iceweasel packages are provided which
automatically upgrade to the new version. Since new binary packages need
to be installed, make sure to allow that in your upgrade procedure (e.g.
by using "apt-get dist-upgrade" instead of "apt-get upgrade").

For the stable distribution (jessie), these problems have been fixed in
version 45.2.0esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 45.2.0esr-1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3601-1                   security@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
June 13, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
CVE ID         : CVE-2016-2806

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail client: Multiple memory safety errors may
lead to the execution of arbitrary code or denial of service.

Debian follows the extended support releases (ESR) of Thunderbird. Support
for the 38.x series has ended, so starting with this update we're now
following the 45.x releases.

For the stable distribution (jessie), this problem has been fixed in
version 1:45.1.0-1~deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 1:45.1.0-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:45.1.0-1.
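Every advisory in this thread ends with a "fixed in version" line for a given suite, so whether a host is still exposed comes down to comparing its installed source-package versions against those lines using dpkg's version ordering (epoch before the first ':', Debian revision after the last '-', '~' sorting before everything else). The script below is an added example, not Debian's own tooling: it parses excerpts of DSA-3597, DSA-3598 and DSA-3601 as quoted above and reports packages below the fixed version; the installed-package list is constructed and assumed to come from `dpkg-query -W -f '${source:Package} ${Version}\n'`.

```python
# Added example (not Debian tooling): check installed source-package versions
# against DSA "fixed in version" lines using dpkg's version ordering.
import re
from itertools import zip_longest

# Excerpts of DSA-3597, DSA-3598 and DSA-3601 from this thread.
ADVISORY_TEXT = """
Package : expat
For the stable distribution (jessie), these problems have been fixed in
version 2.1.0-6+deb8u3.
Package : vlc
For the stable distribution (jessie), this problem has been fixed in
version 2.2.4-1~deb8u1.
Package : icedove
For the stable distribution (jessie), this problem has been fixed in
version 1:45.1.0-1~deb8u1.
"""
# Constructed sample, assumed to come from
# dpkg-query -W -f '${source:Package} ${Version}\n' (one patched, two behind).
INSTALLED_SAMPLE = """
expat 2.1.0-6+deb8u2
vlc 2.2.4-1~deb8u1
icedove 1:38.8.0-1~deb8u1
"""
FIX_RE = re.compile(
    r"For the (\w+) distribution \((\w+)\),\s+(?:this|these)\s+problems?\s+"
    r"(?:has|have)\s+been\s+fixed\s+in\s+version\s+(\S+)\.")

def parse_advisories(text):
    """Return {(source_package, suite): fixed_version} from DSA text."""
    fixes = {}
    for block in re.split(r"(?m)^Package\s*:\s*", text)[1:]:
        pkg = block.split()[0]
        for _dist, suite, version in FIX_RE.findall(block):
            fixes[(pkg, suite)] = version
    return fixes

def _order(c):
    """dpkg character weight: '~' < end of string < letters < other symbols."""
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one version part like dpkg: alternate non-digit and numeric runs."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        for ca, cb in zip_longest(na.group(), nb.group(), fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        a, b = a[na.end():], b[nb.end():]
        da, db = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        ia, ib = int(da.group() or "0"), int(db.group() or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[da.end():], b[db.end():]
    return 0

def compare_versions(a, b):
    """Order two Debian versions like dpkg --compare-versions (-1, 0, 1).
    Layout is [epoch:]upstream_version[-debian_revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(dpkg_output, fixes, suite="jessie"):
    """List (package, installed, fixed) for packages still below the DSA fix."""
    installed = dict(line.split() for line in dpkg_output.strip().splitlines())
    return [(pkg, installed[pkg], fixed) for (pkg, s), fixed in sorted(fixes.items())
            if s == suite and pkg in installed and compare_versions(installed[pkg], fixed) < 0]
```

Run against the sample, unpatched() flags expat and icedove and leaves vlc alone, since the installed vlc version equals the fixed one.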


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3602-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 14, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php5
CVE ID         : CVE-2013-7456 CVE-2016-3074 CVE-2016-4537 CVE-2016-4538
                 CVE-2016-4539 CVE-2016-4540 CVE-2016-4541 CVE-2016-4542
                 CVE-2016-4543 CVE-2016-4544 CVE-2016-5093 CVE-2016-5094
                 CVE-2016-5095 CVE-2016-5096

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development.

The vulnerabilities are addressed by upgrading PHP to the new upstream
version 5.6.22, which includes additional bug fixes. Please refer to the
upstream changelog for more information:

    https://php.net/ChangeLog-5.php#5.6.21
    https://php.net/ChangeLog-5.php#5.6.22

For the stable distribution (jessie), these problems have been fixed in
version 5.6.22+dfsg-0+deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3603-1                   security@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
June 14, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libav
CVE ID         : CVE-2016-3062

Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library. A full list of the changes is
available at

    https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.7

For the stable distribution (jessie), this problem has been fixed in
version 6:11.7-1~deb8u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3604-1                   security@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
June 16, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : not yet available

A privilege escalation vulnerability has been found in the User module
of the Drupal content management framework. For additional information,
please refer to the upstream advisory at

    https://www.drupal.org/SA-CORE-2016-002

For the stable distribution (jessie), this problem has been fixed in
version 7.32-1+deb8u7.

For the unstable distribution (sid), this problem has been fixed in
version 7.44-1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3605-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 19, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxslt
CVE ID         : CVE-2015-7995 CVE-2016-1683 CVE-2016-1684
Debian Bug     : 802971

Several vulnerabilities were discovered in libxslt, an XSLT processing
runtime library, which could lead to information disclosure or
denial-of-service (application crash) against an application using the
libxslt library.

For the stable distribution (jessie), these problems have been fixed in
version 1.1.28-2+deb8u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3606-1                   security@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
June 24, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libpdfbox-java
CVE ID         : CVE-2016-2175

It was discovered that pdfbox, a PDF library for Java, was susceptible
to XML External Entity attacks.

For the stable distribution (jessie), this problem has been fixed in
version 1:1.8.7+dfsg-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 1:1.8.12-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.8.12-1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3607-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 28, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2015-7515 CVE-2016-0821 CVE-2016-1237 CVE-2016-1583
                 CVE-2016-2117 CVE-2016-2143 CVE-2016-2184 CVE-2016-2185
                 CVE-2016-2186 CVE-2016-2187 CVE-2016-3070 CVE-2016-3134
                 CVE-2016-3136 CVE-2016-3137 CVE-2016-3138 CVE-2016-3140
                 CVE-2016-3156 CVE-2016-3157 CVE-2016-3672 CVE-2016-3951
                 CVE-2016-3955 CVE-2016-3961 CVE-2016-4470 CVE-2016-4482
                 CVE-2016-4485 CVE-2016-4486 CVE-2016-4565 CVE-2016-4569
                 CVE-2016-4578 CVE-2016-4580 CVE-2016-4581 CVE-2016-4805
                 CVE-2016-4913 CVE-2016-4997 CVE-2016-4998 CVE-2016-5243
                 CVE-2016-5244

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2015-7515, CVE-2016-2184, CVE-2016-2185, CVE-2016-2186,
CVE-2016-2187, CVE-2016-3136, CVE-2016-3137, CVE-2016-3138,
CVE-2016-3140

    Ralf Spenneberg of OpenSource Security reported that various USB
    drivers do not sufficiently validate USB descriptors. This
    allowed a physically present user with a specially designed USB
    device to cause a denial of service (crash).

CVE-2016-0821

    Solar Designer noted that the list 'poisoning' feature, intended
    to mitigate the effects of bugs in list manipulation in the
    kernel, used poison values within the range of virtual addresses
    that can be allocated by user processes.

CVE-2016-1237

    David Sinquin discovered that nfsd does not check permissions when
    setting ACLs, allowing users to grant themselves permissions to a
    file by setting the ACL.

CVE-2016-1583

    Jann Horn of Google Project Zero reported that the eCryptfs
    filesystem could be used together with the proc filesystem to
    cause a kernel stack overflow. If the ecryptfs-utils package is
    installed, local users could exploit this, via the
    mount.ecryptfs_private program, for denial of service (crash) or
    possibly for privilege escalation.

CVE-2016-2117

    Justin Yackoski of Cryptonite discovered that the Atheros L2
    ethernet driver incorrectly enables scatter/gather I/O. A remote
    attacker could take advantage of this flaw to obtain potentially
    sensitive information from kernel memory.

CVE-2016-2143

    Marcin Koscielnicki discovered that the fork implementation in the
    Linux kernel on s390 platforms mishandles the case of four
    page-table levels, which allows local users to cause a denial of
    service (system crash).

CVE-2016-3070

    Jan Stancek of Red Hat discovered a local denial of service
    vulnerability in AIO handling.

CVE-2016-3134

    The Google Project Zero team found that the netfilter subsystem does
    not sufficiently validate filter table entries. A user with the
    CAP_NET_ADMIN capability could use this for denial of service
    (crash) or possibly for privilege escalation. Debian disables
    unprivileged user namespaces by default; if locally enabled with the
    kernel.unprivileged_userns_clone sysctl, this allows privilege
    escalation.

CVE-2016-3156

    Solar Designer discovered that the IPv4 implementation in the Linux
    kernel did not perform the destruction of inet device objects
    properly. An attacker in a guest OS could use this to cause a denial
    of service (networking outage) in the host OS.

CVE-2016-3157 / XSA-171

    Andy Lutomirski discovered that the x86_64 (amd64) task switching
    implementation did not correctly update the I/O permission level
    when running as a Xen paravirtual (PV) guest. In some
    configurations this would allow local users to cause a denial of
    service (crash) or to escalate their privileges within the guest.

CVE-2016-3672

    Hector Marco and Ismael Ripoll noted that it was possible to disable
    Address Space Layout Randomisation (ASLR) for x86_32 (i386) programs
    by removing the stack resource limit. This made it easier for local
    users to exploit security flaws in programs that have the setuid or
    setgid flag set.

CVE-2016-3951

    It was discovered that the cdc_ncm driver would free memory
    prematurely if certain errors occurred during its initialisation.
    This allowed a physically present user with a specially designed
    USB device to cause a denial of service (crash) or possibly to
    escalate their privileges.

CVE-2016-3955

    Ignat Korchagin reported that the usbip subsystem did not check
    the length of data received for a USB buffer. This allowed denial
    of service (crash) or privilege escalation on a system configured
    as a usbip client, by the usbip server or by an attacker able to
    impersonate it over the network. A system configured as a usbip
    server might be similarly vulnerable to physically present users.

CVE-2016-3961 / XSA-174

    Vitaly Kuznetsov of Red Hat discovered that Linux allowed the use of
    hugetlbfs on x86 (i386 and amd64) systems even when running as a Xen
    paravirtualised (PV) guest, although Xen does not support huge
    pages. This allowed users with access to /dev/hugepages to cause a
    denial of service (crash) in the guest.

CVE-2016-4470

    David Howells of Red Hat discovered that a local user can trigger a
    flaw in the Linux kernel's handling of key lookups in the keychain
    subsystem, leading to a denial of service (crash) or possibly to
    privilege escalation.

CVE-2016-4482, CVE-2016-4485, CVE-2016-4486, CVE-2016-4569,
CVE-2016-4578, CVE-2016-4580, CVE-2016-5243, CVE-2016-5244

    Kangjie Lu reported that the USB devio, llc, rtnetlink, ALSA
    timer, x25, tipc, and rds facilities leaked information from the
    kernel stack.

CVE-2016-4565

    Jann Horn of Google Project Zero reported that various components
    in the InfiniBand stack implemented unusual semantics for the
    write() operation. On a system with InfiniBand drivers loaded,
    local users could use this for denial of service or privilege
    escalation.

CVE-2016-4581

    Tycho Andersen discovered that in some situations the Linux kernel
    did not handle propagated mounts correctly. A local user can take
    advantage of this flaw to cause a denial of service (system crash).

CVE-2016-4805

    Baozeng Ding discovered a use-after-free in the generic PPP layer in
    the Linux kernel. A local user can take advantage of this flaw to
    cause a denial of service (system crash), or potentially escalate
    their privileges.

CVE-2016-4913

    Al Viro found that the ISO9660 filesystem implementation did not
    correctly count the length of certain invalid name entries.
    Reading a directory containing such name entries would leak
    information from kernel memory. Users permitted to mount disks or
    disk images could use this to obtain sensitive information.

CVE-2016-4997 / CVE-2016-4998

    Jesse Hertz and Tim Newsham discovered that missing input sanitising
    in Netfilter socket handling may result in denial of service. Debian
    disables unprivileged user namespaces by default; if locally enabled
    with the kernel.unprivileged_userns_clone sysctl, this also allows
    privilege escalation.

For the stable distribution (jessie), these problems have been fixed in
version 3.16.7-ckt25-2+deb8u2.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3608-1                   security@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
June 29, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libreoffice
CVE ID         : CVE-2016-4324

Aleksandar Nikolic discovered that missing input sanitising in the RTF
parser in Libreoffice may result in the execution of arbitrary code if
a malformed document is opened.

For the stable distribution (jessie), this problem has been fixed in
version 1:4.3.3-2+deb8u5.

For the testing distribution (stretch), this problem has been fixed
in version 1:5.1.4~rc1-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:5.1.4~rc1-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3609-1                   security@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
June 29, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat8
CVE ID         : CVE-2015-5174 CVE-2015-5345 CVE-2015-5346 CVE-2015-5351
                 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 CVE-2016-3092

Multiple security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine, which may result in information disclosure, the
bypass of CSRF protections, bypass of the SecurityManager or denial of
service.

For the stable distribution (jessie), these problems have been fixed in
version 8.0.14-1+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 8.0.36-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3610-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 29, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xerces-c
CVE ID         : CVE-2016-4463
Debian Bug     : 828990

Brandon Perry discovered that xerces-c, a validating XML parser library
for C++, fails to successfully parse a DTD that is deeply nested,
causing a stack overflow. A remote unauthenticated attacker can take
advantage of this flaw to cause a denial of service against applications
using the xerces-c library.

Additionally this update includes an enhancement to enable applications
to fully disable DTD processing through the use of an environment
variable (XERCES_DISABLE_DTD).

For the stable distribution (jessie), this problem has been fixed in
version 3.1.1-5.1+deb8u3.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3611-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 30, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libcommons-fileupload-java
CVE ID         : CVE-2016-3092

The TERASOLUNA Framework Development Team discovered a denial of service
vulnerability in Apache Commons FileUpload, a package to make it
easy to add robust, high-performance, file upload capability to servlets
and web applications. A remote attacker can take advantage of this flaw
by sending file upload requests that cause the HTTP server using the
Apache Commons Fileupload library to become unresponsive, preventing the
server from servicing other requests.

For the stable distribution (jessie), this problem has been fixed in
version 1.3.1-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 1.3.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.2-1.
