securitybreach

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3270-1 security@debian.org
http://www.debian.org/security/ Christoph Berg
May 22, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-9.4
CVE ID : CVE-2015-3165 CVE-2015-3166 CVE-2015-3167

Several vulnerabilities have been found in PostgreSQL-9.4, a SQL
database system.

CVE-2015-3165 (Remote crash)

SSL clients disconnecting just before the authentication timeout
expires can cause the server to crash.

CVE-2015-3166 (Information exposure)

The replacement implementation of snprintf() failed to check for
errors reported by the underlying system library calls; the main
case that might be missed is out-of-memory situations. In the worst
case this might lead to information exposure.

CVE-2015-3167 (Possible side-channel key exposure)

In contrib/pgcrypto, some cases of decryption with an incorrect key
could report other error message texts. Fix by using a
one-size-fits-all message.

For the stable distribution (jessie), these problems have been fixed in
version 9.4.2-0+deb8u1.

For the testing distribution (stretch), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 9.4.2-1.
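
An added illustration (editor's example, not pgcrypto's code) of the pattern behind the CVE-2015-3167 fix: the same decryption run reported through a per-stage error message and through one fixed message. The cipher is a deliberately simple stand-in (SHA-256 keystream, PKCS#7 padding, CRC-32 integrity word) chosen so the example runs offline; the message text `decryption failed` and the helper names are this example's own.

```python
"""Uniform decryption-failure reporting (editor's example, not pgcrypto).

A toy scheme stands in for the real cipher: a SHA-256 keystream is XORed
over PKCS#7-padded plaintext with a CRC-32 integrity word appended inside
the encrypted payload.  It reproduces just the two failure modes that
matter here: padding that does not parse and an integrity word that does
not match."""
import hashlib
import hmac
import zlib

BLOCK = 16
UNIFORM_MESSAGE = "decryption failed"  # one message for every failure cause


class DecryptError(Exception):
    pass


def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    n = BLOCK - len(plaintext) % BLOCK
    body = plaintext + bytes([n]) * n            # PKCS#7 padding
    body += zlib.crc32(body).to_bytes(4, "big")  # integrity word
    return _xor(key, body)


def _split(key: bytes, ciphertext: bytes):
    plain = _xor(key, ciphertext)
    return plain[:-4], plain[-4:]


def _padding_ok(body: bytes) -> bool:
    n = body[-1] if body else 0
    return 1 <= n <= BLOCK and len(body) >= n and body[-n:] == bytes([n]) * n


def _integrity_ok(body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(zlib.crc32(body).to_bytes(4, "big"), tag)


def decrypt_verbose(key: bytes, ciphertext: bytes) -> bytes:
    """The leaky shape: each check reports its own failure, so the caller
    learns which stage a wrong key or a modified ciphertext got past."""
    body, tag = _split(key, ciphertext)
    if not _padding_ok(body):
        raise DecryptError("padding error")
    if not _integrity_ok(body, tag):
        raise DecryptError("checksum mismatch")
    return body[:-body[-1]]


def decrypt_uniform(key: bytes, ciphertext: bytes) -> bytes:
    """The fixed shape: both checks always run and a single message covers
    every failure.  Only the message is equalised here; the time each
    path takes is a separate channel this example does not address."""
    body, tag = _split(key, ciphertext)
    ok = _padding_ok(body)
    ok &= _integrity_ok(body, tag)
    if not ok:
        raise DecryptError(UNIFORM_MESSAGE)
    return body[:-body[-1]]


def failure_message(decrypt, key: bytes, ciphertext: bytes):
    """What the caller gets to see on failure: the error text, or None."""
    try:
        decrypt(key, ciphertext)
    except DecryptError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    key = b"correct key"
    ct = encrypt(key, b"attack at dawn")            # constructed sample
    tampered = bytes([ct[0] ^ 1]) + ct[1:]           # padding intact, body changed
    for label, fn in (("verbose", decrypt_verbose), ("uniform", decrypt_uniform)):
        print(label, "wrong key:", failure_message(fn, b"wrong key", ct))
        print(label, "tampered: ", failure_message(fn, key, tampered))
```

Flipping a byte in the first block leaves the padding valid, so `decrypt_verbose` reports `checksum mismatch` while a wrong key almost always reports `padding error`; `decrypt_uniform` says the same thing in both cases, which is the property the pgcrypto fix restores.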


securitybreach

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3271-1 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
May 23, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : nbd
CVE ID : CVE-2013-7441 CVE-2015-0847
Debian Bug : 781547 784657

Tuomas Räsänen discovered that unsafe signal handling in nbd-server, the
server for the Network Block Device protocol, could allow remote
attackers to cause a deadlock in the server process and thus a denial of
service.

Tuomas Räsänen also discovered that the modern-style negotiation was
carried out in the main server process before forking the actual client
handler. This could allow a remote attacker to cause a denial of service
(crash) by querying a non-existent export. This issue only affected the
oldstable distribution (wheezy).

For the oldstable distribution (wheezy), these problems have been fixed
in version 1:3.2-4~deb7u5.

For the stable distribution (jessie), these problems have been fixed in
version 1:3.8-4+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 1:3.10-1.

For the unstable distribution (sid), these problems have been fixed in
version 1:3.10-1.

securitybreach

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3272-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 23, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ipsec-tools
CVE ID : CVE-2015-4047
Debian Bug : 785778

Javantea discovered a NULL pointer dereference flaw in racoon, the
Internet Key Exchange daemon of ipsec-tools. A remote attacker can use
this flaw to cause the IKE daemon to crash via specially crafted UDP
packets, resulting in a denial of service.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1:0.8.0-14+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 1:0.8.2+20140711-2+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.

securitybreach

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3265-2 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
May 24, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : zendframework

The update for zendframework issued as DSA-3265-1 introduced a regression
preventing the use of non-string or non-stringable objects as header
values. A fix for this problem is now applied, along with the final patch
for CVE-2015-3154. For reference the original advisory text follows.

Multiple vulnerabilities were discovered in Zend Framework, a PHP
framework. Except for CVE-2015-3154, all these issues were already fixed
in the version initially shipped with Jessie.

CVE-2014-2681

Lukas Reschke reported a lack of protection against XML External
Entity injection attacks in some functions. This fix extends the
incomplete one from CVE-2012-5657.

CVE-2014-2682

Lukas Reschke reported a failure to consider that the
libxml_disable_entity_loader setting is shared among threads in the
PHP-FPM case. This fix extends the incomplete one from
CVE-2012-5657.

CVE-2014-2683

Lukas Reschke reported a lack of protection against XML Entity
Expansion attacks in some functions. This fix extends the incomplete
one from CVE-2012-6532.

CVE-2014-2684

Christian Mainka and Vladislav Mladenov from the Ruhr-University
Bochum reported an error in the consumer's verify method that led
to acceptance of wrongly sourced tokens.

CVE-2014-2685

Christian Mainka and Vladislav Mladenov from the Ruhr-University
Bochum reported a specification violation in which signing of a
single parameter is incorrectly considered sufficient.

CVE-2014-4914

Cassiano Dal Pizzol discovered that the implementation of the ORDER
BY SQL statement in Zend_Db_Select contains a potential SQL
injection when the query string passed contains parentheses.

CVE-2014-8088

Yury Dyachenko at Positive Research Center identified potential XML
eXternal Entity injection vectors due to insecure usage of PHP's DOM
extension.

CVE-2014-8089

Jonas Sandström discovered an SQL injection vector when manually
quoting a value for the sqlsrv extension using a null byte.

CVE-2015-3154

Filippo Tessarotto and Maks3w reported potential CRLF injection
attacks in mail and HTTP headers.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.11.13-1.1+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 1.12.9+dfsg-2+deb8u2.

For the testing distribution (stretch), this problem has been fixed
in version 1.12.13+dfsg-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.12.13+dfsg-1.
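
An added illustration (editor's example, not Zend Framework code) of the CRLF injection behind CVE-2015-3154 and the validation that closes it. `render_headers`, `Headers`, the helper `rejects` and the two regular expressions are this example's own; the header-name and value rules follow the token and field-value grammar of RFC 7230.

```python
"""CRLF filtering for mail and HTTP header values (editor's example, not
Zend Framework code).

A header field ends at CRLF, so a value carrying its own line break
becomes extra fields, or ends the header block early, once the message
is serialised.  ``render_headers`` is the permissive 'before' shape;
``Headers`` validates names and values before they are stored."""
import re

_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 token (header name)
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")            # control characters other than HTAB


class HeaderInjection(ValueError):
    pass


def render_headers(fields):
    """Permissive serialiser: whatever is in the value goes on the wire."""
    return "".join(f"{name}: {value}\r\n" for name, value in fields) + "\r\n"


def parse_header_block(raw):
    """Read a serialised block back the way a client or mail relay would,
    so the effect of an injected line break becomes visible."""
    head = raw.partition("\r\n\r\n")[0]
    return [tuple(line.split(": ", 1)) for line in head.split("\r\n") if line]


class Headers:
    def __init__(self):
        self._fields = []

    def add(self, name, value):
        # Non-string values are accepted once stringified; the DSA-3265-2
        # regression was a fix that wrongly rejected them outright.
        value = str(value)
        if not _TOKEN.match(name):
            raise HeaderInjection(f"invalid header name {name!r}")
        if _CTL.search(value):
            raise HeaderInjection(f"control character in value of {name}")
        self._fields.append((name, value))
        return self

    def render(self):
        return render_headers(self._fields)


def rejects(headers, name, value):
    """True if ``headers.add`` refuses the pair."""
    try:
        headers.add(name, value)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    crafted = "text/html\r\nX-Injected: yes"                 # constructed sample value
    print(parse_header_block(render_headers([("Content-Type", crafted)])))
    h = Headers().add("Content-Type", "text/html").add("X-Count", 3)
    print(rejects(h, "Location", "/\r\nX-Injected: yes"))
    print(parse_header_block(h.render()))
```

Run as a script it first shows the crafted value coming back out of the permissive serialiser as two separate header fields, then the validating `Headers` refusing the same value while still accepting an integer and a tab-containing value.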

securitybreach

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3273-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
May 25, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2014-8127 CVE-2014-8128 CVE-2014-8129 CVE-2014-9330
CVE-2014-9655

William Robinet and Michal Zalewski discovered multiple vulnerabilities
in the TIFF library and its tools, which may result in denial of
service or the execution of arbitrary code if a malformed TIFF file
is processed.

For the oldstable distribution (wheezy), these problems have been fixed
in version 4.0.2-6+deb7u4.

For the stable distribution (jessie), these problems have been fixed
before the initial release.

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3268-2 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 26, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ntfs-3g
CVE ID : CVE-2015-3202
Debian Bug : 786475

The patch applied for ntfs-3g to fix CVE-2015-3202 in DSA 3268-1 was
incomplete. This update corrects that problem. For reference the
original advisory text follows.

Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for
FUSE, does not scrub the environment before executing mount or umount
with elevated privileges. A local user can take advantage of this flaw
to overwrite arbitrary files and gain elevated privileges by accessing
debugging features via the environment that would not normally be safe
for unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed in
version 1:2012.1.15AR.5-2.1+deb7u2. Note that this issue does not affect
the binary packages distributed in Debian in wheezy as ntfs-3g does not
use the embedded fuse-lite library.

For the stable distribution (jessie), this problem has been fixed in
version 1:2014.2.15AR.2-1+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 1:2014.2.15AR.3-3.

We recommend that you upgrade your ntfs-3g packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVZM0HAAoJEAVMuPMTQ89EJggP/0zWLrGHeQuWaOanEo/zBdKq
R6Er4/Apz1tlduUYz7whFuZTM4jZYjo9G15laoZefB+4ntzmSiCZMp+9KuPf8oN5
90rOU6/Pw91e8BxEiTIQ+V9QLAwdu84NMuuNFxBnqSWg55q/FzBbup0pnz/rJupi
XvJkcSeEmx9rPOhHET/xMMu1jCDD+L/j14+ekcfyBx/Gvw8HxYiHHFMSoOvDIG17
1nU3BOu7CjOrvu4rsUpEYVUYIOSjq86SToZcBb8MJ2yPhNh+hqr76qx14REpPV2t
CYUCGb2nU0Vwix/IGsKzYUZJeFVjdNuNNWP0qxP2sF0EZWihYBCPYJstfdgbFAM5
XrYTS9O7MwMNn3D5Ac2Z0IPFr4/jq2JhzVSJ16/8ZOo6DY6xCjFy/ysErCkD+Qu6
DMNKvmT+Q3h3T+eEEKSpfcZFXT3peg0obATvsTGONn2so4OYGk0NT4V9Mybq+D3L
qbdB0DDsbjmG3csHchYeoPIy7wYuw2JChkViZAcolXtn4ClQdOhZxqDGRzYDrLcc
YnoWP4hvac9EFUs7NHZ+fYXUGCgc8F5oTqZ2DmPiMXg8f0tWBDWMnznumhc5skip
l9IqI4kmU+Ik7KsbHOaRpItgnup88Mpw5FxgWDxOQEUET6jtEwhZohRN4rMbyWep
iUKNmJ4HnoBJVgX3810+
=O+Kf
-----END PGP SIGNATURE-----
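
An added illustration (editor's example, not ntfs-3g code) of scrubbing the environment before a privileged helper launches mount, the step the advisory above says was missing. The allowlist, the value character set, the fixed PATH, the `mount -t ntfs-3g` argument shape and the helper names are assumptions for this example.

```python
"""Environment scrubbing before a privileged helper execs mount (editor's
example, not ntfs-3g code).

Whatever the privileged process passes on as the child's environment is
under the unprivileged caller's control unless it is rebuilt, and any
variable the child honours (debug switches, log-file locations, loader
settings) becomes a lever.  The environment is therefore constructed
from scratch rather than filtered."""
import os
import re
import subprocess

_KEEP = ("TERM", "LANG", "LC_ALL", "TZ")             # inheritable, if well-formed (assumed)
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:/@+\-]*$")   # conservative charset (assumed)
_SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"          # fixed search path (assumed)


def scrubbed_environment(env):
    """Minimal environment for the privileged child: only allowlisted
    names, only values that pass the charset check, PATH replaced."""
    clean = {}
    for name in _KEEP:
        value = env.get(name)
        if value is not None and _SAFE_VALUE.match(value):
            clean[name] = value
    clean["PATH"] = _SAFE_PATH
    return clean


def build_mount_command(device, mountpoint, options=()):
    """argv for the privileged mount call.  Each value is its own argv
    element (no shell), and none may be empty, contain NUL or start with
    '-', so a caller-supplied string cannot become an option."""
    for arg in (device, mountpoint, *options):
        if not arg or arg.startswith("-") or "\0" in arg:
            raise ValueError(f"refusing argument {arg!r}")
    argv = ["mount", "-t", "ntfs-3g"]
    if options:
        argv += ["-o", ",".join(options)]
    return argv + [device, mountpoint]


def run_privileged(argv, caller_env=None):
    """Launch the helper with the rebuilt environment.  Not exercised by
    the checks below, because it really runs mount."""
    env = scrubbed_environment(os.environ if caller_env is None else caller_env)
    return subprocess.run(argv, env=env, check=True)


def rejects(*args):
    """True if ``build_mount_command`` refuses the arguments."""
    try:
        build_mount_command(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed caller environment: a poisoned PATH, a loader hook and
    # an application-specific debug knob, alongside ordinary locale settings.
    caller = {"PATH": "/tmp/bin:/usr/bin", "LD_PRELOAD": "/tmp/hook.so",
              "DEBUG_LOG": "/etc/passwd", "LANG": "en_US.UTF-8", "TERM": "xterm"}
    print(scrubbed_environment(caller))
    print(build_mount_command("/dev/sdb1", "/mnt/usb", ("ro", "uid=1000")))
```

Building the child's environment from an allowlist, rather than deleting known-bad names from the caller's, is what makes the debugging variables the advisory refers to disappear without anyone having to enumerate them.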

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3274-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
May 28, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : virtualbox
CVE ID : CVE-2015-3456

Jason Geffner discovered a buffer overflow in the emulated floppy
disk drive, resulting in the potential privilege escalation.

For the oldstable distribution (wheezy), this problem has been fixed
in version 4.1.18-dfsg-2+deb7u5.

For the stable distribution (jessie), this problem has been fixed in
version 4.3.18-dfsg-3+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 4.3.28-dfsg-1.

We recommend that you upgrade your virtualbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVZ4W5AAoJEBDCk7bDfE42H3UP/01HvE6NBAxILIG59waLVfhS
H8melBbEHZZ8mAbKkzMbnQaiPjibnu3qH+1mUuFy3S8vH85cG/+0N9jWbrCQyc4U
byywL/TFKS7jKjHO2zGR+tw9WVrxKe94P05o2U1vskeDG3p60Vb7lxzRPiTNSdwD
a7T4T9ab57j4Nrn5Sxr3le6Bjw9YCDMVrJmKdLGTBYgXFZz8ShihnDmhwFSrHvbZ
eT3eNGkiCiNT2u4qxVNRtaETmYR6Q5nL9qQzYitIfEpSd/mrRL7dmvkRg4oEw3iH
VU+wX8zpU9G3SoQTML5hEPvFVlgk855a2fEx81cfL6P4oOVU2/g0tsJoMdX0KQ0x
euOcvRHk7q6KScr5fkc+T3ZScz9IKUuFlCml+7lHRCbOfzOszcU1bJQNFfEA+TW9
h9U0gLa2hUoeU3r97tMoaBeoDZR2PnWTvUxn0l4wae/UcxbGi0Hp6roBqPWub036
f8kIcutsMiL+r3A6L3q3damBDU4rtAt1bt4unvUCbMea9fF4NzrR4+eISt6Pyp6Q
hYn6XZrmAtZH6169dqmjJZLtUQDevMKo8zExt5PaBoiabKRwhCB6kSTUjiTU3rGW
87XG2X3kw/8eAyBxSB5Zka2RjujUlaA3hgz20z2jj+gzqEH1PUQrezDKQz+hgZZD
AFIVk5GpQSnviJjNjxgZ
=334W
-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3275-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 30, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : fusionforge
CVE ID : CVE-2015-0850

Ansgar Burchardt discovered that the Git plugin for FusionForge, a
web-based project-management and collaboration software, does not
sufficiently validate user provided input as parameter to the method to
create secondary Git repositories. A remote attacker can use this flaw
to execute arbitrary code as root via a specially crafted URL.

For the stable distribution (jessie), this problem has been fixed in
version 5.3.2+20141104-3+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your fusionforge packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVaXwVAAoJEAVMuPMTQ89E1WMQAIKNgu7rsz7hpSoz+Sp+3OWg
/XGK/hmY+0ksO5/eOGueZQlAOMxRVeINspD658FJ4GbvM8rwhIPE/rW7NyDh39uN
NtYgHLJDkwtYJ6o4Ubb5SapEoEMHtU7tOz1zyinncDzf/l3NmwoFhFt8ql0VQFFp
hDkx0Ovmz4efQWipKFCbC5jUBTAmNcOnghHIHLkr97SRKh4oHwWIbqUgEFbg+Zkk
hlQ6peYqBjqcdLlzt9ifFVaStaf/RH/onl5JDNHav2oystPtbCyfc5gT7efX1yeL
ZwTpIa1zkPyybqxJe74GBx9IdDkOjIrm3syW2NGBB98QixEuEuBCMcZrHJf+csQV
3prZbvJUevtoSOO4CpVa6733pt0jiM1irSIonICobujrxHi4WZ8eDcng5lg2nE7z
lroALjTcBkQwl02ptRy7aXM66fbLLvkxflI8Ti1hCuoUiLfSFNbbmGB6fB2GQq8f
uqZPqlFutBvwikPMUZXfo6o8JqzY7/hDK+K2FSgq2yJipaBWb2q4OOC+SkbN/51J
Wk+gOf0ZNj81lNCloGK6fX57BypzO1SOg55ZT1DsgDc4BogbQ/XrV66FRnFiZEaS
bhsS2JEuXELaRwQ1NtWI4beocTvcIyO8PTabw/pHkeJ9LOSyOhceTEGmdOLn0nsz
EuCeXkJfZ21JlExUXwEu
=hJMK
-----END PGP SIGNATURE-----
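
An added illustration (editor's example, not FusionForge code) of validating a URL-supplied repository name before it reaches a command run as root, the check the advisory above says was insufficient. The naming pattern, the `/srv/git` root, the `git init --bare` invocation and the helper names are assumptions for this example.

```python
"""Allowlisting a user-supplied repository name before a privileged git
call (editor's example, not FusionForge code).

The name arrives from a URL and ends up as an argument of a command run
as root, so it is held to a strict allowlist and passed as one argv
element, never through a shell."""
import os
import re
import subprocess

_NAME = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")   # assumed naming policy
_ROOT = "/srv/git"                                  # assumed repository root


class InvalidRepositoryName(ValueError):
    pass


def validate_name(name):
    """Accept only short, lowercase, alphanumeric names.  The pattern alone
    rules out '/', '..', a leading '-', whitespace, shell metacharacters
    and NUL, so there is no denylist to keep current."""
    if not isinstance(name, str) or not _NAME.match(name):
        raise InvalidRepositoryName(f"refusing repository name {name!r}")
    return name


def repository_path(project, name):
    """Path of a secondary repository, additionally checked to stay under
    _ROOT so a later relaxation of the name policy cannot escape it."""
    path = os.path.normpath(
        os.path.join(_ROOT, validate_name(project), validate_name(name) + ".git"))
    if os.path.commonpath([_ROOT, path]) != _ROOT:
        raise InvalidRepositoryName("path escapes repository root")
    return path


def git_init_command(project, name):
    """argv for creating the repository: a list, never a shell string, so
    the validated path is exactly one argument whatever it contains."""
    return ["git", "init", "--bare", repository_path(project, name)]


def create_repository(project, name):
    """The privileged step.  Not exercised by the checks below, because it
    really runs git."""
    return subprocess.run(git_init_command(project, name), check=True)


def rejects(name):
    """True if ``validate_name`` refuses the name."""
    try:
        validate_name(name)
    except InvalidRepositoryName:
        return True
    return False


if __name__ == "__main__":
    print(git_init_command("myproj", "docs"))
    for candidate in ("tools-v2", "../../etc", "docs;id", "-rf", "", "Docs"):
        print(repr(candidate), "rejected" if rejects(candidate) else "accepted")
```

In a deployed helper `os.path.realpath` would replace `normpath` so that symlinks under the root are resolved before the containment check; `normpath` is used here only so the example gives the same answer on a machine where `/srv/git` does not exist.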

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3269-2 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 31, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-9.1
Debian Bug : 786874

The update for postgresql-9.1 in DSA-3269-1 introduced a regression
which can cause PostgreSQL to refuse to restart after an unexpected
shutdown or when restoring from a binary backup. Updated packages are
now available to address this regression. Please refer to the upstream
Bug FAQ for additional information:

https://wiki.postgre...Permissions_Bug

For reference, the original advisory text follows.

Several vulnerabilities have been found in PostgreSQL-9.1, a SQL
database system.

CVE-2015-3165 (Remote crash)

SSL clients disconnecting just before the authentication timeout
expires can cause the server to crash.

CVE-2015-3166 (Information exposure)

The replacement implementation of snprintf() failed to check for
errors reported by the underlying system library calls; the main
case that might be missed is out-of-memory situations. In the worst
case this might lead to information exposure.

CVE-2015-3167 (Possible side-channel key exposure)

In contrib/pgcrypto, some cases of decryption with an incorrect key
could report other error message texts. Fix by using a
one-size-fits-all message.

For the oldstable distribution (wheezy), this problem has been fixed
in version 9.1.16-0+deb7u2.

We recommend that you upgrade your postgresql-9.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVapP7AAoJEAVMuPMTQ89E6IQP/0FqmHNNmQel7gWlFgxW8TJs
yat/dsA5e08OovZV40FZ/AogXvRwxSjoNdxo/R0NL4RzA5V6KhWC2taWx+xG0YUX
9eMvu/LbqBo/K9hwn+mTmNXegRHrNvDS1fPeDTdU5vsr7lAWFay+mncbXQNCWmeW
wWFU6zONqccNJT1aLV55xmvu5OsUDNm3DcWg/wXDSImpGPesj2QnDhe8GxxjBo1h
cf6hIh4wOyB+qYxWtxb20UIsmfHpIe4HadvejT4wGP7qXlCqs93BL1qpgDQuvZEc
IXQAD9LRwGDyopKHSp8d7s5PTCCcYRGLopJ1ozSBfJ12PSTXPM2OqMwSeXbv/Fc9
u20Z2i+HqDeYRQnBas/xX9M+QwEEQZPQ/eOgnTLEMBpDG4RujYEsRCxODt6ZoWVA
jwcZlNqkBRO1b4BVnjIQmldSIKap3tWiB6UA+To1SvZw1rkyvirpc/u8dscMcuLW
loHrzFeIMOFjZNG3ssMiQ5sv3B+IZNcb0uXkAQQFu9bcGCtdq1Y6WxRvK327O+o7
KTTazBA1OKeR09wqBh+uOIIlv/Bc56Dt+Krpr3bjq5NHAFCkIY6nUa+dmgOi0K23
pEXPabJyKJs9zOGNMamgEk89/E/t9Q3+DPxEnLqJBlP1FwiZm0bYUVo3K03dZJlq
18GSE1ofUQIuv6FYG9EQ
=rZH8
-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3277-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 02, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wireshark
CVE ID : CVE-2015-3809 CVE-2015-3810 CVE-2015-3811 CVE-2015-3812
CVE-2015-3813 CVE-2015-3814 CVE-2015-3815

Multiple vulnerabilities were discovered in the dissectors/parsers for
LBMR, web sockets, WCP, X11, IEEE 802.11 and Android Logcat, which could
result in denial of service.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.8.2-5wheezy16.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.1+g01b65bf-4+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 1.12.5+g5819e5b-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.12.5+g5819e5b-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVbd0LAAoJEBDCk7bDfE42ZpsQAL33mj0Bp4+A6YZgU5WdVgOk
PTdpeS5D7WzygYQp+jr8iGJojKvOrxP9ptRLISv7XU1cjWf5TtQ3RYReM+tFabA7
228bvSVke0dzf1lqIR/LSNRa92QCpyGfouZFDpQijrIzjqiMWfizd5LLCOTqbNhj
A0dF80J3UGKv/C612LkYQdKrQA7ZX2SbMdTTZbinlJuVbZawPhB50hbpLCFKK4RT
U4PcGiPzh9BmwYAdBX6DQGrYOvXyv7QpB+oZrOh7Gi/ice3IrbGjkuReLkl6cfPG
vmYGkZnrc35nJNvwyGeBiELkgw28Lz1WX3eWXv3hKcWAIhRBknhZ+sHtrys93j4R
TumnS41yNUYNENBxF/WFWYmw3oqBao170KE89GGKrgW0adHQceD3L8zz5JBDFQJ+
P9tCdd6qzJAzuHsmt4j+tuGuGl5UCVC1vtzWey3vwbeKzttBhZOBH6XGb/cwLdEP
gK/1nDdShoxliLf8z+ACOgmGwjrUPhXI4lRHZ8z9ItV0dvqb7ZbW4hpBC6SbOlxw
rLbwn36+8YjXl9nPKrjCUSfpjwDxSU5WnqtkcB4CNzeZe3OQwNZxjFG0TOfoHRBX
BsJov8xq0GnDE8J6/WcNHUwoNMo4AbFhftP7c1oHVu2F9z9GlLgnNIhPY34+lfo7
+3UQffRzOXo11xJKrrqT
=4A8G
-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3249-2 security@debian.org
http://www.debian.org/security/ Sebastien Delafond
June 02, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jqueryui
Debian Bug : 787100

The update for jqueryui in DSA-3249-1 introduced a regression where
direct usage of the file jquery.ui.dialog.js can get broken due to a
missing function definition.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.8.ooops.21+dfsg-2+deb7u2.

We recommend that you upgrade your jqueryui packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVbhbkAAoJEBC+iYPz1Z1kApYIAIuRImpM6/8Xbn6IqrfjA57h
QfW4h4b8fdPDPmfs+WEGMFaS5wYXvodXof93Z1r6seTIbATJj3s9f//VOSE2+yu+
v7q4vTgUgG1hxhpr/BfTC2kuXmA38QgpwQ6Y8oB+DM4JfswyX9cA/i14CfB4D3tM
Ch2n/ZQYPXlYXSAEJwqhRNpfO7fniBIZn12wr7Rk4zsnwuqAZpFouAtKR+eNtF2+
p8QI/7dvN+tR71spmDDZJZqdau3+JbM+OMtRzMmwDwUi2K2XZdRwc34UEkxIl5G7
msPZHo1LOL8eYufaBvXmUW6HuVf76IqMpNZvTd5XwI876qt0/qSyMAStgDesJh0=
=CQs1
-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3278-1 security@debian.org
http://www.debian.org/security/ Markus Koschany
June 03, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libapache-mod-jk
CVE ID : CVE-2014-8111
Debian Bug : 783233

An information disclosure flaw due to incorrect JkMount/JkUnmount
directives processing was found in the Apache 2 module mod_jk to forward
requests from the Apache web server to Tomcat. A JkUnmount rule for a
subtree of a previous JkMount rule could be ignored. This could allow a
remote attacker to potentially access a private artifact in a tree that
would otherwise not be accessible to them.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1:1.2.37-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 1:1.2.37-4+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 1:1.2.40+svn150520-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.2.40+svn150520-1.

We recommend that you upgrade your libapache-mod-jk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVb0AhAAoJEAVMuPMTQ89Ef+gP/1e6ZRHna5rrHYiaclwnWg8Y
YHIjWwqfsnldjqfTirrBtf9TlLZrqIUHhaeaA0PEbzvzqVfh5QToOvvMeFHqXLS2
4eSmUtc3hb5BQlSvPsuP5RzeDYPy0S2zRaJlQ6dKSXmxb3Zh1drjxUg9kzpEGU9v
ykwDIRO7w+YpfcNqoxldgL0JOngMa9Qhl/wSwLV559wrESiSp2QifN/JZz2YRvsp
XeZvCHV5dHYJLfCOn3bQ6QRf0votEFObrW2T14noo/Srxv1n+4sstql7bCDbKW8c
O3SrlEk7HX5N4qPlG8Jo288NH1gqxXbuJ9SqF1MlIJsYE2UWT2nydfHVM1vMH23+
Spfd51SfmrK2GSOg2tna29BDGInDZ0Tud+GqsTKMMICgtg7SCK4FIrZYhhFFompG
li9h7DE96Cbv6J5a8JSIYg/kyzFOO8VcYakOUOJ2Oyo8Tv2a6GJLF9azjsThE7bv
LBUWbk2cOsd98BYtsUwFKJhqQLBvRCYnw85/WbC8EDmkbyrxIKf0uaF1e6vc9qV9
4OKmIgbNageXDzrfnc9PrwZ05xPiPhFJUk3Bu3XzosMzqU7XBPhtjkvPGJGcMv9g
cCepn+vtFQFBR612a4Gm16XN068zbnBR8VHx3PRNIVkPyhoxR55RdFtwPL7FCHX0
XVZyRUFDwW4cMiJnJ49U
=M39D
-----END PGP SIGNATURE-----
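
An added illustration (editor's example, not mod_jk code) of how a JkUnmount for a subtree can be lost, and the audit check that lists the paths affected. Shell-style wildcard matching, the sample configuration and the function names are assumptions for this example; the defective evaluator models the symptom the advisory describes, not mod_jk's actual code path.

```python
"""Mount/unmount evaluation for a JkMount/JkUnmount rule set (editor's
example, not mod_jk code).

``buggy_worker_for`` lets the first matching JkMount decide, so a
JkUnmount for a subtree that appears later in the file is never
consulted.  ``worker_for`` applies every matching JkUnmount for the
chosen worker.  ``exposed_paths`` is the audit check: the URIs on which
the two disagree are exactly the ones a defective build would forward
to Tomcat."""
import fnmatch


def parse_rules(config_text):
    """(directive, pattern, worker) triples from JkMount/JkUnmount lines."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("JkMount", "JkUnmount"):
            raise ValueError(f"unrecognised directive: {line}")
        rules.append(tuple(parts))
    return rules


def _matches(pattern, uri):
    # Shell-style wildcards, '*' crossing '/' as well (assumption for this example).
    return fnmatch.fnmatchcase(uri, pattern)


def buggy_worker_for(rules, uri):
    """First matching JkMount wins; later JkUnmount rules never get a say."""
    for directive, pattern, worker in rules:
        if directive == "JkMount" and _matches(pattern, uri):
            return worker
    return None


def worker_for(rules, uri):
    """Forward only if a JkMount matches and no JkUnmount for that worker
    matches, wherever the two appear in the configuration."""
    for directive, pattern, worker in rules:
        if directive == "JkMount" and _matches(pattern, uri):
            unmounted = any(
                d == "JkUnmount" and w == worker and _matches(p, uri)
                for d, p, w in rules
            )
            return None if unmounted else worker
    return None


def exposed_paths(rules, uris):
    """URIs the defective evaluation forwards but the correct one keeps on
    the web server: the private artifacts at risk."""
    return [u for u in uris if buggy_worker_for(rules, u) != worker_for(rules, u)]


SAMPLE_CONFIG = """
# constructed sample configuration
JkMount /app/* worker1
JkUnmount /app/private/* worker1
JkMount /static/*.jsp worker1
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    for uri in ("/app/index.jsp", "/app/private/report.pdf", "/images/logo.png"):
        print(uri, "buggy:", buggy_worker_for(rules, uri), "fixed:", worker_for(rules, uri))
```

Running `exposed_paths` over an access log's distinct URIs against the live configuration is a cheap way to tell whether a given rule set is actually affected by the class of bug in the advisory, independent of which mod_jk version is installed.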

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3279-1 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
June 06, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : redis
CVE ID : CVE-2015-4335

It was discovered that redis, a persistent key-value database, could
execute insecure Lua bytecode by way of the EVAL command. This could
allow remote attackers to break out of the Lua sandbox and execute
arbitrary code.

For the stable distribution (jessie), this problem has been fixed in
version 2:2.8.17-1+deb8u1.

For the testing distribution (stretch), this problem will be fixed
in version 2:3.0.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 2:3.0.2-1.

We recommend that you upgrade your redis packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVcs+9AAoJEK+lG9bN5XPLU74P/0JkRt5MbpSrCaydmUfIVoYI
hEX9w6wwBsINZTE+n4D4+2icrCu1NMFEnHg21sU55iZgvbGFiBv2c1lu6YX35O6I
He84RfFliyhNbplTcBoWLK8Otw9V8BLH1iZNtohci4atmCnb/h7fQ5ggb/5tocu2
GHnJaDzJRs6k4DgRRtj3Y40R/Z/CagYu/6BXUuBAiFJq8iBMSROGtIX/7H1UWtW0
Glzp2VvWWP5YgXUgf0s14Tzmv8Y5roggnHs26reoHUKap5gVwpxBjo5WlQ2lMEiF
d7hV5apMQT32Fnr7iBynpyNd+ZHlFnlpugiv7MzuKa//v4Xx8bXqguyPi0Q86NxL
Mg4cXPxVYLutMRiYMlFvYZxowuPT1YENR18f98WLsiB7rKP0KGetijSt+9m4iGxK
7yWUWo4h/Fe2RaGJsb8mlJJaCWA2M6ghWud96rx3UDxnxRXPw9TSJvbG5izS0zRC
DrMi+5U/GTZ5qyc44UyELTAkGkMtDdt+KQjf7lvm+p1qiLozT2U7kDOC4OR/UOQw
mOOSnlxszAPfUKTPQQ688wirnSmuf5Gxub1DouuAMZdTjNq6MAhdm5W1Fm8R9tvy
KT9MasqKAotrTUZFU4PyCI7kCnNTOdADRrf4fgQCTVSPlqnd+PkCHlnucOci6PX7
ipBBrnSPePMDHD5Gz1zI
=3W9c
-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3280-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 07, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php5
CVE ID : CVE-2015-2783 CVE-2015-3329 CVE-2015-4021 CVE-2015-4022
CVE-2015-4024 CVE-2015-4025 CVE-2015-4026

Multiple vulnerabilities have been discovered in PHP:

CVE-2015-4025 / CVE-2015-4026

Multiple functions didn't check for NULL bytes in path names.

CVE-2015-4024

Denial of service when processing multipart/form-data requests.

CVE-2015-4022

Integer overflow in the ftp_genlist() function may result in
denial of service or potentially the execution of arbitrary code.

CVE-2015-4021 CVE-2015-3329 CVE-2015-2783

Multiple vulnerabilities in the phar extension may result in
denial of service or potentially the execution of arbitrary code
when processing malformed archives.

For the oldstable distribution (wheezy), these problems have been fixed
in version 5.4.41-0+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 5.6.9+dfsg-0+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 5.6.9+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 5.6.9+dfsg-1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVdHnyAAoJEBDCk7bDfE42+jAP/0nZWh6HnJpBhxbSgP9fHmtJ
NOp7GthaatDYuqZ2VOmQ16nh55p90fcbOkiUMtLvK6PF/D+JI0XpAnAKrHTWH491
0Iz5Gh3sCKccQYweRAojgNOIm2zBKLFfzK778h6lQIcM3UY1w16RGWqSPEQ/L0pW
CfxoGpom2SlhGE4wVxX1bmSGeM1k79hoZrzcBV7EfrqBU3zP/tSfRCTjjEIkYIov
almbQRAfdNnvOpJtBS+1NE/As4OX7JkJCCx45Bjfeond9oA22CsR62tan2+Y2wrk
Bd1UU8nNGnBfcv8ramWXzwZbUQDGfbsMJ4Dj/RpmID0e3HCAkRcSLEuSCWqCCE0o
c6eL6gOWCp7l9uvsJZ3CG67zRkqdU1pj1dHy6p7j0E+o4iNSVwRYxqAO/luF/baB
kOH5UV62On2UoSDGS4Ix+hHavC8dfX1L6NvH7YigXZYxNAsMLEo3x5M+tz5bJk7E
I2RwRJ8rrDN8jC8f4sag+IThCezDHz3SPFE+IFyD3UredQwePfaY7IYn4Cl+nezY
7yrcdyi1KJSQyDM9upE+L6Ytcv/5tZiOdOUxq31NKb7O3rLvTKZtreUAxvFiTepT
MGPsLGF3LRsQoty3S8g1tkl2DHt6IZgIELT5x6xDCs7jBvC5R45UfhvFNm6fhM7F
wjZ8f1+8OlapWivt9p0R
=80kf
-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3281-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
June 7, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

This is a notice that the Debian security team has changed its PGP/GPG
contact key because of a periodic regular key rollover.

The new key's fingerprint is:
0D59 D2B1 5144 766A 14D2 41C6 6BAF 400B 05C3 E651

The creation date is 2015-01-18 and it has been signed by the previous
Security Team contact key and several individual team members.

Please use the new key from now on for encrypted communication with the
Debian Security Team. You can obtain the new key from a keyserver, e.g.,
http://pgp.surfnet.nl/pks/lookup?op=vindex&search=0x0D59D2B15144766A14D241C66BAF400B05C3E651

Our website has been updated to reflect this change.

Note that this concerns only the key used for communication with the
team. The keys used to sign the security.debian.org APT archive or
the keys used to sign the security advisories have not changed.

Further information is available at https://www.debian.org/security/.

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVdJSGAAoJEFb2GnlAHawEOxIIAJWUNtyJ24UvHIj128PY1hkY
AdDMzO+kLJNnkEftKRsj6RkcFgroFqoK/HqfOGM1nkGLbfwM92S7eDW3VoMtvmXH
wePiZdhpijfLjbazGggPd5q4lWWYcIMQ9opCz5/lmEeRPCec0wU5X6HDcSJP0OCs
dksvJRqu/Z9ZXV3NG5ytP1Llgr6nnSk+FPrQj5f006P7Kqy3R5XKed2tdKtBSVtY
mSO6/nmMRdbsht0FMzJ+FnNVrM6Tclje5RrTnl6dPYkqnySlTERvwXAEsTkaaiY0
SuTHbPjBtgJo4crfEt/AoNbhfby/IaeOi2AOc0zKpGziiax+opxUCRbwL2irX9Q=
=gsdL
-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3282-1 security@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
June 08, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : strongswan
CVE ID : CVE-2015-4171

Alexander E. Patrakov discovered an issue in strongSwan, an IKE/IPsec
suite used to establish IPsec protected links.

When an IKEv2 client authenticates the server with certificates and the
client authenticates itself to the server using pre-shared key or EAP,
the constraints on the server certificate are only enforced by the
client after all authentication steps are completed successfully. A
rogue server which can authenticate using a valid certificate issued by
any CA trusted by the client could trick the user into continuing the
authentication, revealing the username and password digest (for EAP) or
even the cleartext password (if EAP-GTC is accepted).

For the oldstable distribution (wheezy), this problem has been fixed
in version 4.5.2-1.5+deb7u7.

For the stable distribution (jessie), this problem has been fixed in
version 5.2.1-6+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 5.3.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 5.3.1-1.

We recommend that you upgrade your strongswan packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --
Yves-Alexis Perez
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJVdao4AAoJEG3bU/KmdcCluZAH/0KIDlKhVrU58yZ2uqThY8IZ
+rYZDO1Liz4X5Ycx+vo+tM85DsqUYNQeTeBSKxpQX57XKF2KY09tVF08C1oXo8u6
JA3h9B4zsSBMm3210IQ4XQBQZSA5XnqRg4mTANihtdCZNhwrtskAcEiHwDqKtzkW
FNHNzLtduM9q7w8rApLYAYROKGjO2rR0YyEQ6iu55fnMoyhL8Qy9t5uwTOx+fGDS
8ai8lKMIGTtVXVYw/HrsYJA5hl88ndbbBAZzoJrPcxFiFFjBpawpWdhgPlf4kYRr
3GrsqJcwQvPSbQcOyxzGIFa08JJOGPwRx1M1HfkmZHI8RQQ8f/jp9ZsibXaFXPs=
=HOGE
-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3283-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 09, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : cups

CVE ID : CVE-2015-1158 CVE-2015-1159

 

It was discovered that CUPS, the Common UNIX Printing System, is

vulnerable to a remotely triggerable privilege escalation via cross-site

scripting and bad print job submission used to replace cupsd.conf on the

CUPS server.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.5.3-5+deb7u6.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.7.5-11+deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.7.5-12.

 

We recommend that you upgrade your cups packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVd0tJAAoJEAVMuPMTQ89EY3AQAJgNcIGHoYtwo8gKZUY3FR17

rQ0YIDOcITHGNBz8CUvg1k5FdpRx5xj9hrOj1jWmbtq0jNnreUf9j2VzNYRZ1vHU

VFNWeGZFeWjKMUuk9W+vVignldkslvSGWu4bM9rHVWBTHApydp4VOZR7Va75bLru

PiOq9rARGSWwEUrTscpujEYe5uvpeq8secQrnevhC0L219GzNKpiPmOFRk2wBlzx

dhYTPQ516EHBg75R8t/S/hmOmVRNSZzhOro/9Dv2ldmy2hHAzBSyu5o0Wa4Bc8Rr

N9gn7aXM+7B+jY9qvhXhstQBBQAAGbIJnGvSKTdzPnzzZo/iFVUZkIO6VH9+bdvj

u5/XG0k2ZarcVIIR/6CR0GQFrt7xnx0EQ1OhjztzwH8hOeKp3PSXOv/tODU5Yer+

5UkRkPJZpWppJ9z10/QQc/k6PbGdpodpdOvchbQJRcg8OcYun+rg+G+9+yk7Srkc

3VkQ1WYlLT5hn6o0XQtvqnfUjGpy8RvnAbzCA9gscO8w0IIykQc2UYtcPYpwcfQg

vyd0n68+8fw6q2EOB8HNPBwvT8v+K+XT4/0vTdmZYFeFV36Ca//7ehQ0CRj/kIFJ

pG/ucF2/5aie2hQpXQx13OqMc0ZTwetbKVrjIorH21dTZFGnezal9aAGzliVl8lP

/fC+tztvQSK8xLlNonrz

=PByh

-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3284-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 13, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : qemu

CVE ID : CVE-2015-3209 CVE-2015-4037 CVE-2015-4103 CVE-2015-4104

CVE-2015-4105 CVE-2015-4106

Debian Bug : 787547 788460

 

Several vulnerabilities were discovered in qemu, a fast processor

emulator.

 

CVE-2015-3209

 

Matt Tait of Google's Project Zero security team discovered a flaw

in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD

packets with a length above 4096 bytes. A privileged guest user in a

guest with an AMD PCNet ethernet card enabled can potentially use

this flaw to execute arbitrary code on the host with the privileges

of the hosting QEMU process.

 

CVE-2015-4037

 

Kurt Seifried of Red Hat Product Security discovered that QEMU's

user mode networking stack uses predictable temporary file names

when the -smb option is used. An unprivileged user can use this flaw

to cause a denial of service.

 

CVE-2015-4103

 

Jan Beulich of SUSE discovered that the QEMU Xen code does not

properly restrict write access to the host MSI message data field,

allowing a malicious guest to cause a denial of service.

 

CVE-2015-4104

 

Jan Beulich of SUSE discovered that the QEMU Xen code does not

properly restrict access to PCI MSI mask bits, allowing a malicious

guest to cause a denial of service.

 

CVE-2015-4105

 

Jan Beulich of SUSE reported that the QEMU Xen code enables

logging for PCI MSI-X pass-through error messages, allowing a

malicious guest to cause a denial of service.

 

CVE-2015-4106

 

Jan Beulich of SUSE discovered that the QEMU Xen code does not

properly restrict write access to the PCI config space for certain

PCI pass-through devices, allowing a malicious guest to cause a

denial of service, obtain sensitive information or potentially

execute arbitrary code.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.1.2+dfsg-6a+deb7u8. Only CVE-2015-3209 and CVE-2015-4037

affect oldstable.

 

For the stable distribution (jessie), these problems have been fixed in

version 1:2.1+dfsg-12+deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1:2.3+dfsg-6.

 

We recommend that you upgrade your qemu packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVe2FLAAoJEAVMuPMTQ89EMUoP/3ZM/GqxfgYdY2ysKzqMFesy

TJ9IU16jV6EQlQV/tXR/S5v98ZdD/8lRqGNQeBSoZhaCV5OdFk59whxkBUh+qPVQ

R23Owg8fgFLEt9BnEP0p4SS/Ol/mPnffahAUcawKTm3cA2GJeuEn9bSwqsp0Dqw4

b825yj9CqFwxPSFUNEK0OdgQi9Ch7xi2lm+PPSC9czlisCOnX37wrSsPGLCdMLMJ

M5TEKMLrfwkAz1anAkqanCJ76OHTA/g+BxboB00Rfxdj+vNfQ9gULLI608hNQguX

mN/j650Ltiejm87/XCsY5ROXqrmxU2edNIzovkruYuQspdpNWq1tv6YNtpIsOqKA

cUlQ01o0BImfP2Jxr3HO6EVQIiA+tt4Z/JIRe2Tpq14mkWQZKEqypW8segmF9Cen

msuVM0pdbCT0WgAQYIZtx5r+9qKy/WY5MEAYZiipJHF2brBeEbSFjMQ/nZhEj/p8

RckM8BhQn5hhVRLku3+eVGyEitrQ+6lBwGL9H6h2iri9i0G1JRg6r9PF0s0amHht

yGhfpv9tGIN6CEY9Srx527tCDfdNBduLl/rBaXpW7G3TydZDPo2wXIqiwZh2cb6s

lY04+Gniq/1xanTazH0zSq0xCCRDjhK2FgnA16KITwHcXsxj4R/Vjul5Id+2LH28

pvVYLYEJbPoEooiDsI94

=atuh

-----END PGP SIGNATURE-----

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3285-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 13, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : qemu-kvm

CVE ID : CVE-2015-3209 CVE-2015-4037

Debian Bug : 788460

 

Several vulnerabilities were discovered in qemu-kvm, a full

virtualization solution on x86 hardware.

 

CVE-2015-3209

 

Matt Tait of Google's Project Zero security team discovered a flaw

in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD

packets with a length above 4096 bytes. A privileged guest user in a

guest with an AMD PCNet ethernet card enabled can potentially use

this flaw to execute arbitrary code on the host with the privileges

of the hosting QEMU process.

 

CVE-2015-4037

 

Kurt Seifried of Red Hat Product Security discovered that QEMU's

user mode networking stack uses predictable temporary file names

when the -smb option is used. An unprivileged user can use this flaw

to cause a denial of service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.1.2+dfsg-6+deb7u8.

 

We recommend that you upgrade your qemu-kvm packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVe2FWAAoJEAVMuPMTQ89Ee4IP/3Wo1PrIGhkQTJiOf/21YH+7

hUM9EgWBMDz/Iq5hEmH7OsVDVfWtUFpqbokthSRVyec7SVnrJAAgIRYPZfg0qXlZ

5FQkymRN5+5WFlRd3l23mQpHpIAc+p3u24DWkXblqsLclwidFseoUVaj82GSJGlW

z/CIFwHhEaa5pIWj44KIhg1qL2wCKDLL/KWHpONEUfXyZET7IF3kUKGFFC9UOco3

rgFiHC0CLNoaxt6biX2akSQgFI3Kj1IR1NIB2zFZhH4eXdiDp1M4VTKch9IALIoK

G6KiQwrucTALntEvegFtdTrRsgE7bGUzc89grLrXAWhid4rvs2cc3XYK0hTq1GcT

Tzs9CYtpCJ0E7JY6/V12WAY3YJLFcvde5DNZM2xFltmGeAyfpdjbuSvD54lfW4NZ

Fukl3ERhxk0MjO0267qKT5Xv7q+JcLht9Bowhseazda9W3Pi9SpLlxKonlFMwyWm

iB5rc61ReOXom1aJgO3tJkHTBAjXiLDlXrES4wWUXIL5HbVWsx6DJ12SUt3RbVtr

GEs2Vt4h/J+D+6umpjHwnvVhkZKM3J2F9WXLRGVfrvctj9J3kmFQjhGAQ9kOlav8

t3AvMuVifdojal3fEb1a8HrOgZOPlurEATIBSljSNBWfrBDi2IWNZruiBCO56Ap8

XPYm9Yc9IdYTUfXgcU5w

=CM7i

-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3286-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

June 13, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xen

CVE ID : CVE-2015-3209 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105

CVE-2015-4106 CVE-2015-4163 CVE-2015-4164

 

Multiple security issues have been found in the Xen virtualisation

solution:

 

CVE-2015-3209

 

Matt Tait discovered a flaw in the way QEMU's AMD PCnet Ethernet

emulation handles multi-TMD packets with a length above 4096 bytes.

A privileged guest user in a guest with an AMD PCNet ethernet card

enabled can potentially use this flaw to execute arbitrary code on

the host with the privileges of the hosting QEMU process.

 

CVE-2015-4103

 

Jan Beulich discovered that the QEMU Xen code does not properly

restrict write access to the host MSI message data field, allowing

a malicious guest to cause a denial of service.

 

CVE-2015-4104

 

Jan Beulich discovered that the QEMU Xen code does not properly

restrict access to PCI MSI mask bits, allowing a malicious guest to

cause a denial of service.

 

CVE-2015-4105

 

Jan Beulich reported that the QEMU Xen code enables logging for PCI

MSI-X pass-through error messages, allowing a malicious guest to

cause a denial of service.

 

CVE-2015-4106

 

Jan Beulich discovered that the QEMU Xen code does not properly restrict

write access to the PCI config space for certain PCI pass-through devices,

allowing a malicious guest to cause a denial of service, obtain sensitive

information or potentially execute arbitrary code.

 

CVE-2015-4163

 

Jan Beulich discovered that a missing version check in the

GNTTABOP_swap_grant_ref hypercall handler may result in denial of service.

This only applies to Debian stable/jessie.

 

CVE-2015-4164

 

Andrew Cooper discovered a vulnerability in the iret hypercall handler,

which may result in denial of service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 4.1.4-3+deb7u8.

 

For the stable distribution (jessie), these problems have been fixed in

version 4.4.1-9+deb8u1. CVE-2015-3209, CVE-2015-4103, CVE-2015-4104,

CVE-2015-4105 and CVE-2015-4106 don't affect the Xen package in stable

jessie; it uses the standard qemu package, and they have already been fixed in

DSA-3284-1.

 

For the unstable distribution (sid), these problems will be fixed soon.

 

We recommend that you upgrade your xen packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBAgAGBQJVfDmzAAoJEBDCk7bDfE42W3AP+QGuXuhGJ5FFSHK7UmCFPbrn

xsujh8hQKJHb7WFc7k/xdimHWRT2K6MJ6v29Zl+MNR2oLcO0ty28Xuyb+EIWwTbV

avuP2igg56delwp73P5ts3ZX4YFBCsonqCjIhSd3QCQkAIGL63x78n26OrDAVvba

2piJ2lJPAMhm4gBJvkWbKnQaIDaDN5qzckZwXfHgCYKhu/d0C2ZrD+RcMg+UTq6j

CFqWB/xaGMT6WILfiKPOMlKkNxH1rqaJ3Kou5q8i9T4QvZq9vU0KHhYWWecFo/KP

S1AH7Vp1UZPQbxVAYHq2mITvIr6RRRMZxJEpzG6wnlPV5G8cM6ZqR1a7nBQ9mhoB

lRWNs8zHvMpS2XxfXzgt/pV3jH1Pj+ELPWP+m4Kjy8g2xFaiW8y4LYq4AUv5+oDa

IBuJW+UNkEWIyrWqhzu0laT8EwTmS1JFt4est4bbNMU0O2Xdo6qB432XNwM804lo

lsii1eEXe0FKpFZVYKho1gLCHVxdWz3EPhZ5qHb8Gi5tnbElVY7aqtACBFXvKd6K

81+qOpiqGk8EMHkdmGBXpwJoMTIczBXxXD9RZazq1Ynr3yNcgtnsz7CVqJTUAb2a

Ot4yIf0E5kYAau+tyVQ+Y0ZRbUN3A1u+6gpJqLvTqF80pj1M8kt7DuXC/2lQXl4q

ngY7U6RlmLRNSaXd+xvR

=gL/x

-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3287-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

June 13, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openssl

CVE ID : CVE-2014-8176 CVE-2015-1788 CVE-2015-1789 CVE-2015-1790

CVE-2015-1791 CVE-2015-1792 CVE-2015-4000

 

Multiple vulnerabilities were discovered in OpenSSL, a Secure Sockets

Layer toolkit.

 

CVE-2014-8176

 

Praveen Kariyanahalli, Ivan Fratric and Felix Groebert discovered

that an invalid memory free could be triggered when buffering DTLS

data. This could allow remote attackers to cause a denial of service

(crash) or potentially execute arbitrary code. This issue only

affected the oldstable distribution (wheezy).

 

CVE-2015-1788

 

Joseph Barr-Pixton discovered that an infinite loop could be triggered

due to incorrect handling of malformed ECParameters structures. This

could allow remote attackers to cause a denial of service.

 

CVE-2015-1789

 

Robert Swiecki and Hanno Böck discovered that the X509_cmp_time

function could read a few bytes out of bounds. This could allow remote

attackers to cause a denial of service (crash) via crafted

certificates and CRLs.

 

CVE-2015-1790

 

Michal Zalewski discovered that the PKCS#7 parsing code did not

properly handle missing content which could lead to a NULL pointer

dereference. This could allow remote attackers to cause a denial of

service (crash) via crafted ASN.1-encoded PKCS#7 blobs.

 

CVE-2015-1791

 

Emilia Käsper discovered that a race condition could occur due to

incorrect handling of NewSessionTicket in a multi-threaded client,

leading to a double free. This could allow remote attackers to cause

a denial of service (crash).

 

CVE-2015-1792

 

Johannes Bauer discovered that the CMS code could enter an infinite

loop when verifying a signedData message, if presented with an

unknown hash function OID. This could allow remote attackers to cause

a denial of service.

 

Additionally OpenSSL will now reject handshakes using DH parameters

shorter than 768 bits as a countermeasure against the Logjam attack

(CVE-2015-4000).

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.0.1e-2+deb7u17.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.0.1k-3+deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 1.0.2b-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.0.2b-1.

 

We recommend that you upgrade your openssl packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVfD8XAAoJEK+lG9bN5XPLVMcP/3IJavEP0DvwOjnmmoRMTZ6E

gx/OkKjyojIT5+S5nF2NuEnkMXkQkEioOhABedGiREM5441zClA2ahbjXPe+NWsU

MTXdVDx0CyWon2aE4vyn9XxD1vyhKffPBozS+WYZlQyB7y1xBD7as1pp40gxn3Ps

p9I379gQ/HbKW9GK4E9y/ocXHs9WFXeh9uBEge+N+VQi+t0C8WJZX1LJ4k1Fc5GY

/5RpEU6ntJWhQaUxdaVK7Eh7DThnlmoLp5cyxK6daesXrbwS3jyNknk05XphktkG

I2IBoZe+Z1Dgm9URqMh6O1amOOzdbc5y9HOwmW457F/ky5DggTlabeOS+Dwo3X6P

AzWaRgOizSDyxsdBpDD3QsqZlnWI5dKLy2irvKS6c0N3ju8huwEKRdOYfbFZHA2r

x/uW6GFrDhVMcdA5UjvEZoKHmC7aXdaTbLodeVNchx5ARz85OZgfo40StNi09ihC

26peaJNLwls32YwaIoMX9lTJRcKhdOPkvu6ufp8lTCxaYD/B2+T9gCaqUP89KgA2

zo18PGsBHPizKPVg5jRQd7esigsqR+R84FIe13yxytw85oK58awkxkibZl/HldFQ

wO7cQlBDm5sKIGLu36A6Qw+ofafk34JPLjSi7xFSxID86S77/z16B/ySB0OvzHvJ

AXTWHHGtbZfFFPXAIHeu

=7M6H

-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3252-2 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

June 14, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : sqlite3

CVE ID : CVE-2015-3416

Debian Bug : 783968

 

Michal Zalewski discovered that SQLite3, an implementation of an SQL

database engine, did not properly handle precision and width values

during floating-point conversions, leading to an integer overflow and a

stack-based buffer overflow. This could allow remote attackers to cause

a denial of service (crash) or possibly have unspecified other impact.

 

Note that this issue had already been fixed for the stable distribution

(jessie) as part of DSA 3252-1.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 3.7.13-1+deb7u2.

 

For the stable distribution (jessie), this problem has been fixed in

version 3.8.7.1-1+deb8u1.

 

For the testing distribution (stretch), this problem has been fixed

in version 3.8.10.2-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 3.8.10.2-1.

 

We recommend that you upgrade your sqlite3 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVfZk3AAoJEK+lG9bN5XPLpV0P/0WW2qKSSsMkFznwZ8tK2n6I

LbvWQcPN48ydcIk68eHACRXMcMS4utmOgH/Ge51fIx/BqGL0waZhBJ3w2vlYiiSM

3aLNCtmyipX/rugLglVcI+yeHSjMrqKnL7Fqkmv21yNxM/jTjYuwH22yNSaGuqGU

Zk4IYus738LzSQIMDiZ3+HW5A6j3MeJkoLwgW+C2yuwVs2p3df9uKxyOn5t8tZuZ

cuXvTzIx3hL65ZKS24c+fVV+kqyPT0yaM5JxFiTigm6QmUS0olAmQFaGLNRyxbD8

7RZvg7qsKqZQBxO375gGMeISMFWAXyNUfPUo36QG6xcMt6fgWgSCKqcLrYd7N/Yx

ZKWRrF4/5d6eagyNTLflAI8/le4Bjksoe2MP6Fy9/Xs28oS3UU63ZA1X40LZ1QAD

NR6LxMiqbRWKolYQg8IDeYbe5ABevOmK4Ko27o9+NM7YJwzRZ3iJ1WyM5sUj9EKh

8uVnT6BgQk/uYPziaoegeKYMTQ5fJ8Lt/p26y8aK7jw7GAWK7sPiaAiBYz2TNk29

Q8fIcCN6bJ8kOpR6JCzQiONLKjWHX6gYww7Q7Gk3KVngoOIwBRQXHnLCYiqzP4TX

zYZGNCeUQJp4xosr4EebGWFVGRZO1f8lS5z5+kiR9At1AypImBm/eLoOC+6eQTbl

2/h0kXgEbXU/yVZ5bGhH

=75qj

-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3289-1 security@debian.org

https://www.debian.org/security/ Ben Hutchings

June 15, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : p7zip

CVE ID : CVE-2015-1038

Debian Bug : 774660

 

Alexander Cherepanov discovered that p7zip is susceptible to a

directory traversal vulnerability. While extracting an archive, it

will extract symlinks and then follow them if they are referenced in

further entries. This can be exploited by a rogue archive to write

files outside the current directory.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 9.20.1~dfsg.1-4+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 9.20.1~dfsg.1-4.1+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 9.20.1~dfsg.1-4.2.

 

We recommend that you upgrade your p7zip packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVfwdnAAoJEAVMuPMTQ89E7nsP/A48ZX8CcFIp18rrQfVlnm7F

eJoczO/lFXnzGuSmpLkgC5T0qWlLQkoi8SwUwH4HlIHrXNTTBMg5OhynxeKzZEXE

GS/m9gyXpQfHOEp4uXLzuF9+GejTucSdolOmbj7ibiSHpvc2/k/vTjBOEz+pFtTU

jElwPO0xk7+vqL30MuOb4z3+ljKiMoKlbEXur0wqQJEASnJR/Y0BBwQVgP6Vomvr

uV5NhnILC7T0dn6W8SCIlH6l+PH3am9ZSU7ZIis34CqJj1/kTidh1Yx08m5VteSk

hcoUpprI9GxBlpAUnZpGeQzNF339q3fu79oqn/QPmN8eS+nxR5iz5LlF3Qkf7uNI

hBBDayoVuXvc+cYnNzbCQlsX1SujRB+T0YY7FmG3lmINsAVhZxPdzb33Y/bz/PTy

aeyPbLV5JRacs6Cf3ohQkx5OLGMWYS68GlYlJ6Vl8nXy3bZQs0SliJ0Yrw8qeN/+

Bs/mCuGwFmAtIil51eO6hgK7DyPmg4F0wQ8cYlDdd+9lwjwpJhsv78HEL9Fwes+0

6TMO+/bklwXl6MXlBRplKgH71qY3TSXLB42b1V8k1WtmvOZabbPR8qGYUyk4KNTl

FRh0tSYLJBNBDKIHbBauzwFDSwt4Nim/f9RvGtzCiaMAmjEnz5lORwDcxOohYGBK

eLbOWitv060If2LLga6c

=/lLN

-----END PGP SIGNATURE-----
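The traversal described in DSA-3289 works because an archive can declare a symlink as one entry and then name a path through that symlink in a later entry, so a naive extractor writes wherever the link points. The block below is an added example written for this thread, not code from p7zip or Debian: a pre-extraction check that walks the entry listing in order, resolves each destination through the symlinks the archive itself has declared so far, and refuses any entry that would land outside the extraction root. The `(path, kind, link_target)` tuple layout, the function names and the sample listings are constructed for the example.

```python
import posixpath


class UnsafeEntry(Exception):
    """An archive entry that would be written outside the extraction root."""


MAX_SYMLINK_HOPS = 40  # assumed bound on chained links, mirroring the kernel's ELOOP limit


def _escapes_root(rel: str) -> bool:
    """True if a root-relative path is absolute or climbs above the root."""
    rel = posixpath.normpath(rel)
    return rel.startswith("/") or rel == ".." or rel.startswith("../")


def _follow(link_path: str, target: str) -> str:
    """Where a symlink at root-relative `link_path` with `target` points."""
    if target.startswith("/"):
        return target
    return posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))


def _resolve(path: str, symlinks: dict) -> str:
    """Resolve `path` through symlinks already declared by the archive.

    Every component that names a recorded symlink is replaced by the link's
    target, so the result is where a naive extractor would actually write.
    Raises UnsafeEntry as soon as the resolution leaves the root.
    """
    resolved = ""
    for part in posixpath.normpath(path).split("/"):
        current = posixpath.join(resolved, part) if resolved else part
        hops = 0
        while current in symlinks:
            hops += 1
            if hops > MAX_SYMLINK_HOPS:
                raise UnsafeEntry(f"symlink loop while resolving {path!r}")
            current = _follow(current, symlinks[current])
            if _escapes_root(current):
                raise UnsafeEntry(f"{path!r} resolves to {current!r}, outside the root")
        resolved = current
    return resolved


def check_entries(entries):
    """Validate archive entries in extraction order.

    `entries` yields (path, kind, link_target) with kind "file", "dir" or
    "symlink". Symlink entries are recorded as content (their targets may
    legitimately point anywhere), but no later entry may be written through a
    symlink to a location outside the root. Returns each entry's resolved
    root-relative destination.
    """
    symlinks = {}
    destinations = []
    for path, kind, link_target in entries:
        norm = posixpath.normpath(path)
        if _escapes_root(norm):
            raise UnsafeEntry(f"{path!r} is absolute or climbs above the root")
        if kind == "symlink":
            if not link_target:
                raise UnsafeEntry(f"symlink {path!r} has no target")
            parent, name = posixpath.split(norm)
            # The link's own directory may be a symlink declared earlier.
            dest = posixpath.join(_resolve(parent, symlinks), name) if parent else name
            symlinks[dest] = link_target
        else:
            # Files and directories are written through every symlink on their
            # path, including one of the same name, so resolve all components.
            dest = _resolve(norm, symlinks)
        destinations.append(dest)
    return destinations


def first_unsafe(entries):
    """Return the rejection reason for the first unsafe entry, or None."""
    try:
        check_entries(entries)
    except UnsafeEntry as exc:
        return str(exc)
    return None


# Constructed sample listings (no real archive files are involved).
BENIGN_ARCHIVE = [
    ("docs/readme.txt", "file", None),
    ("sub", "dir", None),
    ("alias", "symlink", "sub"),          # relative link staying inside the root
    ("alias/notes.txt", "file", None),    # lands in sub/notes.txt
]

TRAVERSAL_ARCHIVE = [
    ("link", "symlink", "/outside"),      # the link itself is allowed...
    ("link/file.txt", "file", None),      # ...writing through it is not
]

CHAINED_ARCHIVE = [
    ("a", "symlink", "b"),
    ("b", "symlink", "../../outside"),
    ("a/payload", "file", None),          # a -> b -> ../../outside
]
```

A stricter policy, refusing to write through any archive-declared symlink at all, is also defensible and needs only a one-line change in `_resolve`; the version above shows the resolution mechanics so the reason for the rejection is visible in the error message.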

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3290-1 security@debian.org

https://www.debian.org/security/ Ben Hutchings

June 18, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : linux

CVE ID : CVE-2015-1805 CVE-2015-3636 CVE-2015-4167

 

Several vulnerabilities have been discovered in the Linux kernel that

may lead to a privilege escalation, denial of service, information leaks

or data corruption.

 

CVE-2015-1805

 

Red Hat discovered that the pipe iovec read and write

implementations may iterate over the iovec twice but will modify the

iovec such that the second iteration accesses the wrong memory. A

local user could use this flaw to crash the system or possibly for

privilege escalation. This may also result in data corruption and

information leaks in pipes between non-malicious processes.

 

CVE-2015-3636

 

Wen Xu and wushi of KeenTeam discovered that users allowed to create

ping sockets can use them to crash the system and, on 32-bit

architectures, for privilege escalation. However, by default, no

users on a Debian system have access to ping sockets.

 

CVE-2015-4167

 

Carl Henrik Lunde discovered that the UDF implementation is missing

necessary length checks. A local user that can mount devices could

use this flaw to crash the system.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 3.2.68-1+deb7u2.

 

For the stable distribution (jessie), these problems were fixed in

version 3.16.7-ckt11-1 or earlier, except for CVE-2015-4167 which will

be fixed later.

 

We recommend that you upgrade your linux packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVgl5uAAoJEAVMuPMTQ89E0w4P/iN3c8IcJfvQJry+CKyC4suV

XnNlo3rtYuTRiF1JLyA/XzwAgvO5NXQbkeqkM/bGtO2pGnUT58ABP81n0rZsWzUR

lps5aiAqm0pkKZb+0JhchVBo+8BZr8pUJ/ezlqdfeImMXiXhGjDtwxK+NYxEM77L

MXPH18EZtyxkhEqWPWEKKGGT2KhEXrKR/wj3BXL/zbvi+m54Xuhn0Nx0Y5D3tvO3

FMR4CMnYdLXyk40mFbUdvONSz3Krl3jY7si9Tv3rxLZvwTwU14Fj9uPlRjAufWv2

uMm7wVuDzUTaDXX8pg+I7NrseTP8U+0cvHFLMWhCTn2Wza5ZL/iDKzECkJUi6mGS

pVBMd8j38zQa/t/WoIl8PKxL/tT0YbAnPapkOvpA37Ck8pLxggDDkks4S6WJndH7

RSK+zkJQNsnu2/w61kJpefy2RISpzvjKQoxDvgObZ9xW2Uw2MgYH7X7JssUZvw/b

gxcMH9YDigCg7YWazY9gMx1AfK1gEPjX7//6ViaTna5Q+yQQjnBdiHOaebxTkFaB

RCL+kalPbqbHKmjsY93woDJBnDfnqHym3CbGXa5eekmeV1lbEyokupJcgmqExCgO

doaB12Gpk7tSgDDT5I2Nd/OacG1tGrPAnLyc6SdMbzL5WUUZBE54XrNvuy5swmWZ

FDtQUDHyLAUzj4e84goJ

=Py9L

-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3291-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

June 18, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : drupal7

CVE ID : CVE-2015-3231 CVE-2015-3232 CVE-2015-3233 CVE-2015-3234

 

Several vulnerabilities were found in drupal7, a content management

platform used to power websites.

 

CVE-2015-3231

 

Incorrect cache handling made private content viewed by "user 1"

exposed to other, non-privileged users.

 

CVE-2015-3232

 

A flaw in the Field UI module made it possible for attackers to

redirect users to malicious sites.

 

CVE-2015-3233

 

Due to insufficient URL validation, the Overlay module could be

used to redirect users to malicious sites.

 

CVE-2015-3234

 

The OpenID module allowed an attacker to log in as other users,

including administrators.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 7.14-2+deb7u10.

 

For the stable distribution (jessie), these problems have been fixed in

version 7.32-1+deb8u4.

 

For the unstable distribution (sid), these problems have been fixed in

version 7.38.1.

 

We recommend that you upgrade your drupal7 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

 

iQEcBAEBCAAGBQJVgwLfAAoJEBC+iYPz1Z1kWA8H/0Vz1+4+01DmM/MO3R84Be9M

slFYMUkEUcw62w9b/pog5ddHI4BzdFZWMjqHy9u7rtpLTZCfm1gkGp5F24PsSc1S

Gm1UBzO3zXMsi20ZRAS/ejGwSm3j6pw9CrOG+RY0GkwRt+tcoBk8cuXz4n0eXySA

6oRfvNLm1NsFCpZzbTcTKK04kGqs2H87W7mHzTYrtUwEAuR0/911e4PZy+5nwate

qBPidZP2IuIbhXOFvAt1+1/U9IgETrKi4HK6CeqSb00tF19MUF0fkoMoL9Qz/R37

e84feluJIJdqgBD80eFC4ZVjBApSFhYG5d4t9RbgtZHmnF204ZHEln1gcSBnl4g=

=9R+q

-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3292-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

June 19, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : cinder

CVE ID : CVE-2015-1851

Debian Bug : 788996

 

Bastian Blank from credativ discovered that cinder, a

storage-as-a-service system for the OpenStack cloud computing suite,

contained a bug that would allow an authenticated user to read any

file from the cinder server.

 

For the stable distribution (jessie), this problem has been fixed in

version 2014.1.3-11+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 2015.1.0+2015.06.16.git26.9634b76ba5-1.

 

We recommend that you upgrade your cinder packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

 

iQEcBAEBCAAGBQJVg/79AAoJEBC+iYPz1Z1kodkH/2zADe1fUmy9nbDI3YBPdHYH

W/hjoU19ivJgaCNYAmkI1GrzzW/I11fPHxQV1A5q+IBAdhNoXur4HsVCPwfigBIq

Nj5f6Wi5srPGyNe8LJ8+XQO+C5prQkP+dnNOJxIfHZVh/J5ZFjBDOoiKA5nQ4MDj

Mdt66RA8afVH+6SmtIhpsD43FUG+lA/6T6Ua+QyA+gXr+5zBr8ZMgMdbYnKqtvXZ

RyzBx1kAJoN9LT+euDGXpDpgteEOeqZfr3UCiUDtsJR/PdsptNpMmJNHI9mOQy4l

0JwHR5a140+zoI6Qi2sv29r1aWiEJgatRH0b3nDykNIvfXhcF75fays9qy0OcVU=

=F1xY

-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3293-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

June 20, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : pyjwt

Debian Bug : 781640

 

Tim McLean discovered that pyjwt, a Python implementation of JSON Web

Token, would try to verify an HMAC signature using an RSA or ECDSA public

key as secret. This could allow remote attackers to trick applications

expecting tokens signed with asymmetric keys, into accepting arbitrary

tokens. For more information see:

https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/

 

For the stable distribution (jessie), this problem has been fixed in

version 0.2.1-1+deb8u1.

 

For the unstable distribution (sid), this problem will be fixed soon.

 

We recommend that you upgrade your pyjwt packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVhWykAAoJEK+lG9bN5XPLpg8P/0GeeATVVK2WAj4w2b73H96q

R/sdb7tJ/7c059UVdDK7vONadXCtXooHcjzgB1ovoPeEc6TMTkNKg8+i4OqoVFta

evPOFzYIyv1VFLp3hLjHW/wBMrehlePs75nu/RmAjo5i+cOmxdR/cRlG8fB5gjxu

9dsSH04fwzOAgOtNvaOSTVypRlZtgmKfydPp6an30WyqzhNK0+TzRnD2ZimkUPqK

LJe8aL2cBf4oiSlgUJYL1QF4/KSF9DRFU0TIfju7N9Z+XnSfMrBb4dPF+361Bswa

hBn8+ZaCKZdFTDrlGc9zGC16x7IDAtjh33gNdogJODkBK+zhctyVI5jkWILXcvOW

pw+eCojBvPdHTP2vZzfkQX8CeMC/GJmqKuO6RZrNAXaL4c8ra1pZ07ZY/g8hyXnH

nEPm3O2DyARatJqkrfuCq2eJ8z+9twZbQDc7iYmXYAEA2bV9p1B58Pys6XuUyNoZ

FoJ4cBunuQzSHUgBk6cw+OQvYR74Y95QKUUH4XEsaoLQwGrK4ZKvgYQs4WSYTNEP

0+Q8nSadOazkxyNCjfkuPPhBMHA/eNGtD8b95toFfbpxhYOF+Er613FzXXCH+n7u

Hkf6Wthm+7nxDiJ9Wcas+Kdas/mR49DrKx8tV5KWW626ZTWShwATU4TSlY0jGkrq

VaL+u11Sk3pYImakNCLr

=U6Rt

-----END PGP SIGNATURE-----
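The pyjwt bug in DSA-3293 is the algorithm-confusion class: the token header chose the algorithm, so a token labelled HS256 was checked with HMAC using whatever key the application passed in, even when that key was an RSA or ECDSA public key. The defence is that the application pins the acceptable algorithms and binds each one to its own key type. The block below is an added example written for this thread, not code from pyjwt or Debian; it is a minimal compact-JWS verifier with that allowlist. `decode_jwt`, `hmac_verifier`, `make_hs256_token`, `demo` and the sample key are constructed for the example, and the RS256 verifier used in `demo` is a placeholder whose only job is to prove it is never reached for an HS256-labelled token (a real deployment would bind it to an RSA public key through a crypto library).

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret for the HMAC path; not a real key.
SAMPLE_HMAC_KEY = b"constructed-demo-key"


class InvalidToken(Exception):
    """Raised for any token that fails structural or signature checks."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(payload: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
        for obj in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def hmac_verifier(key: bytes, digest=hashlib.sha256):
    """A verifier for the HS* family, bound to one shared secret."""
    def verify(signing_input: bytes, signature: bytes) -> bool:
        expected = hmac.new(key, signing_input, digest).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def decode_jwt(token: str, allowed_algorithms, verifiers: dict) -> dict:
    """Verify `token` and return its payload.

    The application pins `allowed_algorithms`; the header may only choose
    among them, and each algorithm maps to its own verifier, so key material
    for one algorithm (an RSA public key) can never be fed to another (as an
    HMAC secret). "none" is refused like any other algorithm not on the list.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # covers bad base64 and bad JSON/UTF-8
        raise InvalidToken("malformed header")
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in allowed_algorithms:
        raise InvalidToken(f"algorithm {alg!r} is not allowed")
    verify = verifiers.get(alg)
    if verify is None:
        raise InvalidToken(f"no verifier configured for {alg}")
    try:
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("malformed signature")
    if not verify(f"{header_b64}.{payload_b64}".encode("ascii"), signature):
        raise InvalidToken("signature verification failed")
    try:
        return json.loads(b64url_decode(payload_b64))  # parsed only after the MAC passes
    except ValueError:
        raise InvalidToken("malformed payload")


def demo() -> dict:
    """Run the verifier against constructed tokens; returns each outcome."""
    token = make_hs256_token({"sub": "alice"}, SAMPLE_HMAC_KEY)
    hs_only = {"HS256": hmac_verifier(SAMPLE_HMAC_KEY)}
    results = {"hs256_ok": decode_jwt(token, ["HS256"], hs_only)["sub"]}

    def rs256_placeholder(signing_input, signature):
        # Stands in for a real RSA verifier; must never run for an HS256 header.
        raise AssertionError("asymmetric verifier reached for an HS256 token")

    h, p, s = token.split(".")
    cases = [
        ("hs256_at_rs256_service", token, ["RS256"], {"RS256": rs256_placeholder}),
        ("alg_none", b64url_encode(b'{"alg":"none"}') + "." + p + ".", ["HS256"], hs_only),
        ("wrong_key", token, ["HS256"], {"HS256": hmac_verifier(b"other-constructed-key")}),
        ("tampered", h + "." + b64url_encode(b'{"sub":"bob"}') + "." + s, ["HS256"], hs_only),
    ]
    for name, tok, allowed, verifiers in cases:
        try:
            decode_jwt(tok, allowed, verifiers)
            results[name] = "accepted"
        except InvalidToken as exc:
            results[name] = str(exc)
    return results
```

The essential point is the order of checks: the algorithm allowlist is consulted before any verifier or key is selected, so the header can never steer an asymmetric key into the HMAC path, and the payload is not parsed until the signature has passed.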

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3294-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 23, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wireshark
CVE ID : CVE-2015-4651 CVE-2015-4652

Multiple vulnerabilities were discovered in the dissectors for WCCP
and GSM DTAP, which could result in denial of service.

The oldstable distribution (wheezy) is not affected.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.1+g01b65bf-4+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 1.12.6+gee1fce6-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.12.6+gee1fce6-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVib/kAAoJEBDCk7bDfE42iZ0P/101nUT2U0EE0NVjzshto+OF
0RXqIacu+9GURRRvYZbcB/vjdY/1qtfRA1go/PGxX7V9YqQ5t7j+iDgak2/w1TIg
ZyVGEZZSFrp48cZRoQbTEkZ9aHwClNTOdZrcH++FtHlNP8Xc8G4W3ssIbwc9PrBL
ZNlAMQbEyzIbqIIWiw4VUpuNoN3kglt6iMDkfzLdLSG+hRkSX03srFGrD0WtVa0J
U+EAZbOeAEeAHNTMwR2Rj4OOzBZAd6ac1UKZcasf/URwYQFBQStPTFLnlbLbI10g
KHDUo7S4Nzxo9oJq/g9J/ud7vg2eLP3DrgYRagub9wsVvTwUjujxudbOmGqQIc37
rR9U8f26YCjXagQ+SMMuLyv4kuWaP+y4oMobgUbEB2NsNECEi2TXLi/RysDAoEOP
Vh1E+yHyPVkqxd+jfzB+Wc3bqWxiNmzC/PynOH3diGEUl51fl4fjYs/73rn6OPsv
H9Kj4sfYua8rEOnvFIVM1tyeQBum1JJNzd1Sb01Dp7/Ps6XQhTuu+TJu7tMMGPfw
ZkIjm6EOTOaBnqSGu93Sw/NU9UQnoB/nRYOSNKuawV3Dom3zKHoKh+GEd66cFtqd
ybd15z3hTyacvTRirr7jSnXxB+VlwspjFhiY5X6bEu+VJCQJeSYoLQYtcURb+45S
yF9XEYjusfHQX6TeA++h
=0wI6
-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3295-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 24, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : cacti
CVE ID : CVE-2015-2665 CVE-2015-4342 CVE-2015-4454

Several vulnerabilities (cross-site scripting and SQL injection) have
been discovered in Cacti, a web interface for graphing of monitoring
systems.

For the oldstable distribution (wheezy), these problems have been fixed
in version 0.8.8a+dfsg-5+deb7u5.

For the stable distribution (jessie), these problems have been fixed in
version 0.8.8b+dfsg-8+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 0.8.8d+ds1-1.

We recommend that you upgrade your cacti packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVivszAAoJEAVMuPMTQ89Eq+sP/2jqe/IKVQwUxnJEY1w6hCRY
S5kVRgGIW+e6WZnuIqTXWcELC+XhmOWv1F2McC7SJXclV7eMIlae/JwKb47XFVAX
1Nw1NlK+LZlbm23pqTv0ao8a0REhqkhMMENs/Ss1P2QFHxSCAqcoyXQ2wvTLwfXR
8Bm1qV12pHDd0TZG5gInNVncWL13sFIs8Fx0+psLyFa3yh2u5nbylVM2XNa3XTOn
YtG4OnWkBrinpXtJ9S3XfF3JTUgMv0WLoK0ZD105GKJnxDWwsalDgFqkInGoYX6R
oA/USy1LgX98s19tRKYhgadyl4FcUF62SR6arhPkLQdH3RX8uuZEs8/ozY6u4WSp
24Fsq4x+4M+9tUwNVwOgZ6+pCPkul3tSTfnxE7uao09JCQmD6QuEqbuJObEexnqz
xm4JU3d0nXhLl7CGXdgMr4Cs4B+zRW/yCXyBQkbq72BhBPQE/70c1ze+sIdpCJI8
a3seNpa40kvEUQfxin7+itkfJhz2g1beRUsHclSTz8YrBD3iz79hnhlzJPte5H4z
WDBXrNkxKnBQMTkhaTufT+NdnlkcxFPbr6HEW70Px/WNPsSca469NGyHy+u9QZM/
oM78VdKjP4AGKzBBY4HYplkbhRAgfF67Wdg0M5GZ8VRuh0knbogeau+srUTj16BO
ZUkO3AskyvyalG1tCSsy
=OST/
-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3296-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
June 29, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libcrypto++
CVE ID : CVE-2015-2141

Evgeny Sidorov discovered that libcrypto++, a general purpose C++
cryptographic library, did not properly implement blinding to mask
private key operations for the Rabin-Williams digital signature
algorithm. This could allow remote attackers to mount a timing attack
and retrieve the user's private key.

For the oldstable distribution (wheezy), this problem has been fixed
in version 5.6.1-6+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 5.6.1-6+deb8u1.

For the testing distribution (stretch), this problem will be fixed
in version 5.6.1-7.

For the unstable distribution (sid), this problem has been fixed in
version 5.6.1-7.

We recommend that you upgrade your libcrypto++ packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVkQXjAAoJEK+lG9bN5XPLGCoP/jlLKGCEKcVIyNFSzNQ3r/K2
j9pYi/aRG8XtKXawti8cG33nhXbjlqKf96kGPHx7Deu9CBiDm5prscfGqUGfc6ru
vQhdkamghhI8OsLKeitqHXPFNDleFXa3UlwomBNIqUXzQyREDidQJKZhhg1RS5dY
sovbJtUwm0H7F98+u1tEE3tyQQC8VcX3xXncXgVMV4HcVcOj+4tEl64PljUSeGzW
Hz2FqQLqk4t7ckT31vlKtVQivAvPiDVu0EazTAnnQkm0FEQCScVCdQz744Ox5RzO
P/nuYuK2n5QuI9/0LbnCniEY1wqIKvkXh00lrG00QKbtWpdw891nc7FoMeO6qfLe
jVYiJjfV5/tJwFYGr5Dd9ShPXQUR7UnIPh3rgAIYWhYkYE0KHhUBZXcVElSOwCOR
ZXuZ9F6I9cXX8NLRBULfXXasPNLi+gYMYcGbF9y1dDaYXH+sskuRXWh1tat2PvuO
6e4u49UyiVvd5GnUWv5IIJJcrCoCayewRsHBsddeagtgtXCA+LRLg9uylm1HELNL
rjG+yZcoMRmojyCiEHN5xJekjkK0P82moURBTKq1cnL6eb3GhGB95VJ4UKqg/RNS
iGnxrfijoK5ZN7m8qylvoVQExQ8q1nOKSJT1lcpvFAVyFh4RVcjuMALsVIOgVURC
Xg0YheXBZs4lRtCcKLtl
=NhFp
-----END PGP SIGNATURE-----

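The DSA-3296-1 advisory above says the fix is blinding of the private-key operation. The following is an added example, not Crypto++ code and not the Rabin-Williams implementation the advisory refers to: it uses a plain Rabin square-root signature on toy primes (P, Q and the message are constructed; real keys use primes of 1024 bits or more, and Rabin-Williams additionally adjusts arbitrary hashes with the multipliers 1, 2, -1, -2 so that every message has a root). It shows the transformation that blinding applies: the secret-dependent CRT computation is run on r^2*m for a fresh random r, and r is divided out afterwards, so the value whose processing time an attacker could measure is no longer the value the attacker chose.

```python
"""Blinding a private-key square-root operation (the mitigation named in
DSA-3296-1 / CVE-2015-2141), illustrated with plain Rabin on toy primes.
Added example; not code from libcrypto++."""
import secrets
from math import gcd

# Toy key (assumption: illustrative sizes only). Both primes are 3 mod 4,
# which makes a modular square root a single exponentiation.
P, Q = 1019, 1031
N = P * Q


def sqrt_mod_prime(a, p):
    """Square root of a quadratic residue a modulo a prime p with p % 4 == 3."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    assert r * r % p == a % p, "a is not a quadratic residue mod p"
    return r


def crt(rp, rq, p, q):
    """Combine a residue mod p and a residue mod q into a residue mod p*q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def sign_unblinded(m, p=P, q=Q):
    """Private-key operation: one square root of m modulo n, via CRT.
    Its work depends directly on m, which the attacker chooses; that is the
    timing side channel the advisory describes."""
    return crt(sqrt_mod_prime(m % p, p), sqrt_mod_prime(m % q, q), p, q)


def sign_blinded(m, p=P, q=Q, rng=secrets.randbelow):
    """Same signature, but the secret-dependent step sees r^2 * m for a fresh
    random r coprime to n, so its timing is decorrelated from the attacker's m."""
    n = p * q
    while True:
        r = rng(n)
        if r > 1 and gcd(r, n) == 1:
            break
    blinded = (r * r * m) % n                  # a quadratic residue iff m is
    s_blind = sign_unblinded(blinded, p, q)    # s_blind^2 == r^2 * m (mod n)
    return (s_blind * pow(r, -1, n)) % n       # unblind: (s_blind / r)^2 == m


def verify(m, s, n=N):
    """Rabin verification: s^2 == m (mod n)."""
    return (s * s) % n == m % n


def demo():
    # Constructed message: a square mod n, so it is a quadratic residue and
    # has roots (Rabin-Williams handles arbitrary hashes; see the lead-in).
    m = (123456 * 123456) % N
    s_plain = sign_unblinded(m)
    s_blind = sign_blinded(m)
    return verify(m, s_plain), verify(m, s_blind)


if __name__ == "__main__":
    print("unblinded ok, blinded ok:", demo())
```

Both signing paths yield a valid root (the blinded one may land on a different one of the four roots, which verification does not care about). The point is the shape of the fix, not the toy key: the exponentiations in sqrt_mod_prime are the only place the private factors are used, and after blinding their input is uniformly random from the attacker's point of view.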
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3297-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
June 29, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : unattended-upgrades
CVE ID : CVE-2015-1330

It was discovered that unattended-upgrades, a script for automatic
installation of security upgrades, did not properly authenticate
downloaded packages when the force-confold or force-confnew dpkg options
were enabled via the DPkg::Options::* apt configuration.

For the oldstable distribution (wheezy), this problem has been fixed
in version 0.79.5+wheezy2.

For the stable distribution (jessie), this problem has been fixed in
version 0.83.3.2+deb8u1.

For the unstable distribution (sid), this problem will be fixed shortly.

We recommend that you upgrade your unattended-upgrades packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVkXzQAAoJEK+lG9bN5XPL7YQQAIhydn8pwEFGRiW1SrVaODJx
XAWCacPo+3aP+qO0C4XDkotLUv1NGy8qbsreUmu/5ED+hzMjCcfk3+yXFkD7/paB
xvUQuhKgjAoxTMZWUNjHqik2LFfbd+o5L6q6j+AF/C1SeR36C1lapy25pdD/SIGN
Y0dA9Cy2DWUV8IWNJuTwKP2FeGaDdTtZNH0TbA4F2ApC2H2Cx0jJg/pjiV61nk6W
OrJyEkqZ+rlr/luucOE52IEto9Ojh1sWzJ2WBCZkvA/AWLL8JTFUR6REQuH5AYSy
pbxla8C5mOLoIe1wOAJDsV5Fob9J6vDBe8Id2dOowQD8XtoFzUUzGqxbuteL//9Q
nFnKcxEommS2bRIvjWf3s2FBYKcXExonqe1ZNnYzt2AKEKvWiCz5/il1eEXX7ZpO
Ryk4Qepox4yIEShu6auR234TUaFBVezmOAD6BWXdUOZ5DtJ739SSNgKoZo8vcz4A
LPtWLF30Eb+00fXExy+NoPIwRwjRHFUhii0mEbKHG2P3jvsWZs1ozX3l4Lh4/k6F
+ObZPinGbjVCYRcaV+f0Twsb7PvlOchw1iF02UF6YVxjIiUNZUW6+n7m251kffFa
7QmyjKKdNd8t+3Hxf9oAZCAAKswzOopBhGw9f3irHXSOBdhUpPDo6wrG9Un7AJDb
vL3fNxm/g7OC6j4MFgUe
=Y41R
-----END PGP SIGNATURE-----

